Showing only topics in ~tildes with the tag "privacy".
    1. Feature suggestion - tildes only content

      It would be nice if there was an extra box that allows you to add info that is private to the people on tildes. For example I would like to share creds to a game account, but I only want people on tildes to get that info, not the public who aren't users and just visit.

      10 votes
    2. I'm planning to enable the "mark new comments" feature for everyone - any major concerns?

      Something that's come up in discussions a few times recently is how important it is to have good default settings. Even users who are quite technical and involved don't always explore which settings are available, and that's totally fine—they shouldn't need to. The default setup should be as good as possible, with changing settings mostly for specialized cases.

      One particular place on Tildes where this isn't currently being done well is for the "mark new comments" feature, which has always been disabled by default. I think it's one of the best features on the site and makes it much easier to follow ongoing discussions here than on other sites with similar comment systems, but overall, not many users have enabled it.

      For example, Tildes got some attention on Hacker News again yesterday, and about 80 new users have registered so far from that. Only 9 of them enabled "mark new comments", even though the welcome message strongly encourages it. Looking at longer periods of time, this seems typical: only about 10% of users ever enable it.

      As it says on the settings page for the feature, my reason for disabling it by default was out of privacy concerns. However, I've been doing some review of the data that Tildes stores lately and realized that this was kind of misleading and inaccurate. Because I have HTTP request server logs and some other related data (which is all only kept for 30 days), I effectively have topic visit records from the last 30 days for all users anyway, whether they have the feature enabled or not. The data is more convenient to access for users with the feature enabled, but it's available either way.

      Because of that, and because the data will be very useful to combine with some of the upcoming changes I mentioned in the last ~tildes.official post, I'm planning to enable this feature for everyone. Here are the general plans:

      • Data about which topics' comments pages a user visits will be stored (for 30 days), along with when and how many comments were there at the time. This enables displaying which topics have new comments since your last visit, and marking those new comments.
      • There will no longer be a setting to disable this, but you can still choose whether previously-seen comments are collapsed when you return - the same as the existing checkbox on that page for "Collapse old comments when I return to a topic".
      • I will probably implement some sort of "stop informing me of new comments in this topic" feature (separate from the new Ignore one) to stop having the info about new comments in a topic showing up for you.

      Please let me know if you have any thoughts or concerns about this. If nothing major comes up, I intend to make this change later this week.

      82 votes
    3. The voting on topics and comments now ends when they're 30 days old and all individual vote records are deleted, retaining only the count

      This is a privacy-related update that I've always intended to implement on Tildes, and I finally spent some time on it this week.

      Keeping eternal records of everything that every user ever voted on is some of the most sensitive data that sites with a voting system have. Your voting history says a huge amount about you, your interests and opinions, and can even serve as a decent proxy for showing what times you were active on the site, what posts you were reading, and how long you spent reading the comments on each of them. In exchange for these major privacy implications, you get the tiny benefit of being able to tell which old posts you voted on (if you even go back to old posts).

      So now, to match up with Tildes's general approach of deleting as much sensitive data as possible after 30 days, the voting on posts closes when they're 30 days old. After a post's voting is closed, the records of which individual users voted on that post are deleted, but the count of how many votes there were is kept. So old posts will continue showing their same "scores" exactly the same as before, but there will be no record of which individual users cast those votes.

      However, this isn't a purely positive update: the main downside is that the voting does need to be closed (otherwise there would be no way to prevent people from voting again after their first vote is deleted), which prevents the occasionally useful ability to vote on old topics or comments. Overall though, voting on older posts is extremely rare, with less than 1% of the votes on Tildes ever made on something that was over 30 days old at the time of voting.

      When the "delete old sensitive data" job runs for the first time after this update later today, 97% of the voting data in the database will be deleted. That's a massive decrease in the amount of sensitive data the site is retaining, and something that most sites would never consider doing, because of the value of that data for behavior analysis and ad-targeting.

      121 votes
    4. What’s the status on anonymous comments?

      A long time ago, there was a discussion about anonymous comment posting. I’d link it if I wasn’t typing on mobile, but it shouldn’t be too hard to find.

      How did things about anonymous posting evolve, @Deimos? Do you plan to eventually make something like this?

      There are plenty of topics such as this one which would IMO strongly benefit from anonymous comments - I can definitely see much higher participation if that was the case.

      Regarding the abuse, I won’t reiterate all the points made in the thread [todo: link] and proposed solutions, but what about turning anonymous posting on only in some topics, perhaps where the topic author manually turned them on? We could have them for sensitive topics while holding people accountable for their words in all the political topics.

      14 votes
    5. Longer (or configurable) duration for topic read comment tracking

      Comment Visits Setting

      This data is retained for 30 days. After not visiting a particular topic for 30 days, the data about your last visit to it will be deleted.

      We've had discussions before about long-lived topics, resurrecting old topics, etc. and the general consensus is that they were good and encouraged. Unfortunately, with the limited 30-day memory for topic read-vs-new comments, resurrected posts become a real pain. The current activity-sorted all-time front page has three topics from 2018, each with over a hundred comments. It'd be nice to read the new activity, but that takes either some tedious Ctrl+F with various terms ("minutes", "days", etc.) to find newish comments or re-reading everything.

      I'd like to avoid relying on a third-party extension to handle this (browser and device support, issues with syncing multiple devices, etc.), and I understand the privacy goals. What are people's thoughts on making read-comment memory user-configurable, even if it's just "default 30-days" and "all-time"?

      10 votes
    6. Tildes code of conduct

      Tildes code of conduct says

      Do not post anyone's sensitive personal information (related to either their real world or online identity) with malicious intent.

      Can you change that to just say don't post personal info? Even if it's not done with malicious intent it should still be removed to protect people's privacy.

      Also, while it does say to not post spam on Tildes' terms of service, I think it should say that on the code of conduct.

      Edit: I mean posting personal info without consent and not public information.

      Telling someone how to contact a company would be fine but not posting someone's address.

      12 votes
    7. Anonymity on Tildes

      I had a thought, which I'm not sure I agree with, but figured it would be a good conversation.

      So much of our social discourse, and exploitation of our social platforms, can be associated with anonymity. Given the divisiveness of our times, it feels like it's almost a pre-req for a platform like this (this has already been discussed in other threads).

      A slightly different question: Is there ever a place for folks that want to announce their identity, and go through something like a Twitter verification process? This could feed into the future trust/reputation feature.

      24 votes
    8. Would you pay for access to Tildes?

      Tildes is 100% donation-supported. It sounds great but I'm doubtful it's a sustainable model. Countless sites have started this way but ended up seeking other ways to monetize, including...

      1. Showing ads on the site
      2. Intermingling "sponsored posts" or "promoted posts" with regular posts, basically giving preferential treatment to content from users who paid for extra visibility (native advertising)
      3. Selling user data
      4. Cryptocurrency mining (either with user permission or on the sly)
      5. Opening a store for selling branded merch
      6. Periodic "pledge drive" fundraising campaigns
      7. Enacting paywalls

      I've been thinking a lot about site monetization in the abstract lately. Some of these options are better than others. Personally, I'd draw a hard line against 1-4 on Tildes. I think all of those are in direct opposition to what this site is all about.

      I think 5 is a "good in theory, but not in practice" idea. A merch store might generate enough revenue for the first few months but would see rapidly diminishing returns. It would have to resort to increasingly gimmicky promotions just to reach eyeballs and meet its goals.

      I think 6 could be a popular option but I personally recoil from the annual hard-sell guilt trip. The recurring drama of "THIS COULD BE OUR LAST YEAR IF YOU DO NOTHING" is exhausting and paints the site's future as constantly in turmoil.

      Finally we come to 7, the paywall. Traditionally I hate these too, especially when they block content like news that is available for free elsewhere. Sometimes they are "soft" paywalls that give you free access to an article (or the first few paragraphs of one) before they ask you to pony up. I feel that these are the worst form of paywall because they tease and frustrate users, and are often easily circumventable anyway.

      That said, I think a "hard" paywall might actually be a good choice for Tildes. For starters, this is already a walled garden. We're actively trying to cultivate a community by not exposing the site to the wider world. That would at least make the transition to a paywall easier to swallow than if the site had been open the whole time.

      It's 2018. By now it's evident to me that TANSTAAFL online. If you're not paying for something, you are the product. I'm a dyed in the wool cheapskate and I don't like opening my wallet to use a website, but at this point I'm even more tired of being treated like a commodity. If I'm going to invest in an online community, I'd much rather pay a small subscription for access than be jerked around in shady ways. I feel it's the most honest and straightforward solution for a site like this.

      Caveats are that it would need to be cheap. Really cheap, like $1 a month. I don't know what the site's operating expenses are, but I would hope something in that ballpark would cover them, at scale. Also @Deimos would face the temptation to implement multiple options from the list as time goes on. Like, after we're used to the paywall, he might want to add "unobtrusive" ads too, or start selling "non-identifiable" user information. I think it's vital that the site never compromise like that. Raise the price if it comes to that, but don't get greedy. A page in the docs formalizing some promises about respecting users would be a nice thing to put on the record.

      What are your thoughts? I should say that I'm talking about the future here, I think it's way too early to put up a paywall now. The community would have to be large and mature enough to justify a paid subscription to it, and we're not there yet.

      12 votes
    9. Invite code privacy

      ~ takes privacy pretty seriously, which I’m a big fan of. Can’t say I’ve seen any other sites where even your email is hashed, but I like it.

      What I’m curious about are the invite codes. Don’t get me wrong, I don’t think Deimos is going to do anything nefarious, but I did use one of my personal (albeit secondary) emails to request my invite code. Thus, would it be possible to trace the invite code used to create my account back to that email in any way? Or is the code not stored anywhere once it’s used?

      Edit: yes, I realize this account uses my real name, and I’ve linked to my personal gitlab before. For the time being in a community this small, I don’t mind. I may end up creating a new account when the website opens the floodgates, but that’s neither here nor there.

      14 votes
    10. Discussing anonymity on ~

      So one of the things I really liked about the project is point 1 of the privacy section of the Mechanics (Future).

      Proactive not reactive; preventative not remedial: When creating new features, think about what data will need to be stored, and consider how harmful it might be if that data was to be leaked in the future. Is it possible to reduce the amount of data being stored to lower the potential harm? Can the data eventually be aggregated or anonymized so that we're only storing recent data instead of a full history?

      I think a good first step would be to not have a public comment/submission history. Users should evaluate other users' contributions based on the conversation they are having/reading, not past submissions.

      This doesn't make you anonymous, but at least it can prevent nosy people from knowing too much. (I get there are valid reasons to want to find other posts by the same user, but I think individual privacy is more important). At least, if not enforced for everyone, this should be an option, making your profile not display your history to others.

      Now, one of my biggest problems with reddit is that it doesn't make it easy for you to stay anonymous and also keep your content on the site.

      Let me explain. I don't like people being able to see my submission/comment history, because I don't want to give the chance for people to identify me if I don't choose to do so personally. It's not about reddit knowing what I like or do (I mean, I use Google, they know everything I do), it's about individuals, about other users knowing things I'm not happy sharing with them for whatever reason.

      There are only two options on reddit: deleting my content (using a script or whatever or going one by one) or deleting my account. This results in me deleting all my comments and submissions on reddit every few weeks.

      Now, I would love to be able to leave most of what I post on reddit online, because sometimes I have really interesting conversations and I try to be detailed and clear and other people might find (some of) my posts useful. But I don't want anyone who knows my username or anyone who sees a comment of mine going through my history. There's too many crazy people. Also, I haven't suffered doxxing, but that's just not nice.

      There are many reasons why someone could prefer to not be identifiable. Just to give some examples that come to mind: people might have an ideology that other users don't like/respect, people might post pictures of themselves (think fitness groups, for example), people might post in local groups revealing their location, people might look for counsel and talk about their personal problems, etc. Putting all of that together might make it easy to identify someone.

      So, what I would like to propose is a way to leave my content online if I wish to and giving other people the option to read it in the future, without it being publicly tied to my username.

      How could this be done? Well, I think users should be able to anonymize their participation in a thread individually and throughout the site. There could be a button (on every thread for thread only anonymization and on your profile for full site anonymization) that you tap and your username is replaced all through each thread with a randomly generated username (it'd be great if the username is consistent within the thread, so people reading would know it's the same person).

      These usernames should be words, ideally, not difficult to parse by humans. Of course this would generate a great number of usernames, but there are some solutions.

      One could be using something like Google Docs uses when several anonymous viewers are watching a document. Each gets a name (RedFox, whatever) which is consistently used throughout the thread. The same username (RedFox) can then be reused in another thread for any other anonymous user. (So RedFox wouldn't be referring to the same person in different threads, but to two random, anonymized persons).

      I'm sure it wouldn't be difficult to generate these (similarly to how reddit gives you suggestions to new usernames when you open an account).

      Also, in order to avoid the admins having to reserve many usernames in advance, these usernames could have a special mark (like *RedFox or °RedFox, or ~RedFox~, for example). This way, a new user can register any available name without interfering with these anonymous usernames. A thread could have some non-anonymized user called RedFox and an anonymized user called °RedFox (or whatever mark is used).

      In any case, the user should be able to access all of their submissions and comments on their profile even after anonymizing, being able to edit or delete them if they wish to.

      Ok, I think that's it, I hope I was clear. I'm also not gonna be able to log in again until tomorrow. So please, go ahead and discuss and tell me what you think and I'll come back when I can.

      EDIT: User karma should not be public either. I can make an argument for it tomorrow if needed or we can discuss it on another thread.

      42 votes
    11. Password reset

      I don't need to reset my password, and I really appreciate the way that it is done to maximize anonymity. However, I think there is a bit of a problem with how it is done in terms of users getting locked out.

      If you're locked out, as far as I can tell, there is no way to view the email hint associated with your account. It seems a bit counterintuitive to me that in order to see the hint for how to regain access to your account, you have to already have that access! I also think that it won't work in the case that someone has been away for a few months and has forgotten their password. I'm not sure what a good way of displaying the hint would be, however, since if it is done by username anyone who has seen your posts can look at your password hint.

      Hopefully with a bit of discussion we can cook something up that can solve this catch-22!

      11 votes
    12. Warrant Canary

      Hey, just a thought. I'm not sure what the legal standing of warrant canaries (i.e. being compelled to lie) is in Canada, but given the privacy level afforded by the site, the key component to that privacy is trust.

      You're doing a lot to make sure private data is treated as harmful, and with the open source code being visible, but that's still not a guarantee that the server is actually running the code that will be open sourced.

      Tildes could probably benefit from a warrant canary given that it's a platform for user generated content and if it gets prominent enough it may be subject to LEO scrutiny. Compliance with LEO is a given since the website operates under Canadian Jurisdiction, but given the... nature of some requests (Gag Orders / Etc...) a canary could be a privacy positive move for users of Tildes.

      7 votes