[3.0.0 beta 5] Read your members Private Messages
 

* Users tested this on beta 5,6,7,gamma,rc1 and didn't complain about errors *

/*================================================= =====================*\
|| This IS the First vB3 Hack (PM.PHP)
|| Description: Allow Super Administrators to read Private Messages
||
|| Author : Scott (scott@vbulletin.com) (version 1.0 for beta 3)
|| SideKick : Xiphoid (info@vBulletin.nl) (version 1.1 for beta 5)
||
|| Install : Upload to admincp/ folder and in browser run as
|| http://www.yoursite.com/forum/admincp/pm.php?userid=x
\*================================================ ======================*/

ENJOY
(and thank you Scott)

Oh the chaos this hack will cause. Not only will people scream about the privacy bull++++, but now you're releasing a beta 5 hack at vB.org? Oh the humanity...

agreed, i saw this at vb.nl but didnt install it :p

nice hack though

MGM out

He does say it's compatible with Betas 5, 6, 7, Gamma, and RC1...

Nice hack, but unless my members are secretly organizing a rebellion through PMs I don't really have a need for it right now.

Oh, my. I find that almost too powerful to the administrator, for the privacy issues. Nevertheless, I installed it, just to try it out. Don't know if I'll keep it; I may consider un-installing... but either way, nice hacking.

Well nobody will know you have it installed, but you could have it there just incase.

Great hack floris. :D

Well truth be known, you can just view the PMs in the database, but this just makes it much easier to do. Also some people say you should/need to include this fact in the signup so that they can not say they have not been warned.

Though personally people should never ever think that once they type something out on the net in any way should be thought of as "private" in any way. I would suggest changing the name from "Private Message" to "Message" or something else that does not lead people to think "Private" :)

I have had need of this before on my forum, a user was sending requests for warez and other less than desirable things. I was able to see messages and was able to take actions needed.

Just a side note to remind everyone that you have to be Super Administrators to get this hack working which means that any old administrator will not be able to view the PMs only the ones defined inside the config.php file will be able to view.

I will never use this hack for evil ;)

Hi there everybody:

Beta hack:
Because it works with rc1, I think I can post it. Also, who cares for which version I release a hack.

Privacy:
This has been discussed, if you don't need it: Don't use it!
I personally think none of the messages on a forum are private, because they are stored plain text in the database. I really like it how IPB calls them Personal Messages.

Having said that, it is up to the administrator of each individual forum to process the data from their members as they see fit. I don't think it requires a warning prior to registration. If a user decides to abuse the services / priveledges of a site by using the PM system to spam. The admin can use all means (tools) through the admin control panel to avoid this. They can prune pm's too, why not check up first to see if the user is really spamming and then removing the msgs. It becomes a privacy issue when the admin starts to use it to read all the msgs for personal enlightment. But either way, doing through by pulling them manually from the database in a less clear overview, or through a handy tool. I'd like to save time and use a handy tool (when I check up on spammers).

Regardless;
Thank you for the feedback and enjoy the hack.

Thats nice to know :)

Word of caution for US site owners: Using this hack unless you have already warned your users that their PMs are subject to monitoring and can confirm through some type of checkbox that you timestamp and save in the database indicate that they are aware and agree to the monitoring would be a violation of Federal Law under the Electronic Security Act.

Just the act of reading their PMs alone opens you up to both criminal and civil litigation. Under the criminal code, you can go to prision for up to 5 years. If you run your forums on your own hardware, it will be confiscated. On the civil litigation, you can be held liable for up to $50,000 per PM you read.

Is it worth it?

You should probably point out if you are not a lawyer and your occupation has nothing to do with law.

Well this is something that is up for debate and as for me I will be installing this hack as it is just making what I can do already easier to do.

I will say this again, if anyone actually thinks anything they type that is not encrypted is private than they are smart enough to give out their credit card numbers to everyone and still feel protected.

I feel the same way as Floris and will be installing this hack.

I have been an IT tech and manager for over 20 years and have had to design systems to comply with the law.

(3)(a) Except as provided in paragraph (b) of this subsection,
a person or entity providing an electronic communication service
to the public shall not intentionally divulge the contents of any
communication other than one to such person or entity, or an
agent thereof) while in transmission on that service to any
person or entity other than an addressee or intended recipient of
such communication or an agent of such addressee or intended
recipient.

(b) A person or entity providing electronic communication
service to the public may divulge the contents of any such
communication -

(i) as otherwise authorized in section 2511(2)(a)
or 2517 of this title;

(ii) with the lawful consent of the originator or
any addressee or intended recipient of such communication;

(iii) to a person employed or authorized, or whose
facilities are used, to forward such communication to its
destination; or

(iv) which were inadvertently obtained by the
service provider and which appear to pertain to the commission of
a crime, if such divulgence is made to a law enforcement agency.

(4)(a) Except as provided in paragraph (b) of this subsection
or in subsection (5), whoever violates subsection (1) of this
section shall be fined under this title or imprisoned not more
than five years, or both.

It doesn't get any clearer than that, folks. In the US, installing and using this hack is a federal offense that can earn you prison time.

Here's the law: UNITED STATES CODE TITLE 18. CRIMES AND CRIMINAL PROCEDURE PART I--CRIMES CHAPTER 119--WIRE AND ELECTRONIC COMMUNICATIONS INTERCEPTION AND INTERCEPTION OF ORAL COMMUNICATIONS

It also bears mentioning that individual states also have privacy laws that may or many not be violated by reading your users' private messages. One would also be subject to prosecution under state laws as well.

Given the privacy concerns relative to the Patriot Act, this is an extremely sensitive issue to many people.

I have no further need to continue to try to convince anyone further. I've given you the best advice I can. If you choose to do something stupid and put yourself at risk, thats your business.

He may not be a lawyer, but I am. Of course this requires me to say we are not in an attorney client relationship, I am offering generalized advice, it is worth what you paid for it, yadda yadda.

I've actually been watching this debate for a while. Find it pretty interesting.

All I can say is this, and you'll pardon me if my tone is blunt.

There are some recent cases that might suggest that this could be a violation of the act in question. Normally the cases involve reading other people's emails or putting key caps programs on people's computers without their permission or knowledge. If people believe, reasonably, that their private messages are private, you could have a problem.

Now a lot of you will say they don't reasonably believe that, nothing on the Internet is private. My response is you need to take a look at the type of people who use your site. Are they aware enough to appreciate this fact? A court will look at what is reasonable based upon the knowledge base of the people. So if you have a hacking board or something your argument is a good one. Not so good for a board where the people don't know the first thing about vbulletin, how it works, what can be read, so on and so forth.

Yes, we can view the PMs by going through the databases. Sysadmins can also view emails easily. And without proper cause, if a sysadmin for an email provider started reading your email, he'd be liable for all sorts of things. It's a definite no no. Once you place something out there for people to use it becomes more complicated then it is my property so tough to you. And if you had a problem and you went into court and said hey, it is my board, it is my property I can do what I want, I promise you that answer won't cut it.

On the other hand, if you can say, I had a problem with a stalker or with someone trading warez, and I had a note on my sign up page that said you are consenting to being monitored with just cause, then you have a very good argument. Is it a winnable argument? Honestly, I don't know. Any more then I know for certain you would be found liable for violating the Act(s).

In the end, I'd suggest that if you want to install this hack and you want to protect yourselves, it probably wouldn't hurt to put something in your TOS noting that they are consenting to monitoring or that nothing posted through the board is private or what have you. It is not a difficult thing to put in your TOS and it is better to be safe. I would also be very careful to limit your reading of pms to when it is a necessity.

Of course, this only applies to US law. The EU has even more stringent privacy laws. Your mileage my vary.

By the way, if you are wondering if I, as an attorney, would ever install this hack, the answer is no. I think it is unwise, and I think, as our IT person thinks, that it could get you in a lot of trouble, even with warnings to the users.


L

^ I Agree. i wont be installing... but:

It's not "stupid" for people to want to do that. A lot of people may have valid reasons, who knows.

THAT ^ is what everyone that installs this hack should do to protect themselves. If the person signing up doesn't bother to read it. Tuff for them. They should also change "private" to just plain ol "messages". :rolleyes: :ermm:

Let me ask you a question - realizing that the answer falls under the heading of freindly advice, not a legal advice.

The problem I see with someone installing this hack is removing the reasonable expectation of the users that their messages are indeed private.

You correctly point out that all users would need to be informed that messages are monitored and usage constitutes agreement to monitoring and you suggest this via a TOS.

How does a sysadmin protect himself in such a way that he can PROVE that a user consented to monitoring. As I understand it, the courts always side with the person whose privacy has been invaded in cases of ambiguity, the right to privacy being paramount.

For users from the hack install date on, one should edit their sign-up templates to warn of monitoring and the fact that they continued with the sign-up process is proof enough.

But what about existing users? Users who:

1. Signed up before monitoring was the norm
2. Sent private messages before monitoring was initiated under the expectation of privacy that can now be read.

The only way I see this being possible is that, at the time the hack is installed, all existing users have PMs turned off and all existing PMs deleted. Then, the user has to provide some positive consent to monitoring - maybe just a customized user field.

The reason all existing PMs need to be deleted is every PM involves two people: the person who sent it and the one that received it. If the receiver consents but the sender does not, the sysadmin still can't read that PM without being in violation of the law.

What are your thoughts? Assuming you HAD to install this hack, how would you protect yourself?

Hmmm. Interesting, very interesting. Let me think about this.

Your original TOS, does it have anything about modifications to the TOS? Mine does, says we will try to let people know of any major changes, they consent to them by using the site, etc etc. Yours should say something like that.

If I had to add this, I would do an announcement on the site, and I would document the fact I had done this in whatever records I kept. That announcement would say something like:

We have recently had a problem that requires us, in order to keep the site and its users safe and secure, to begin monitoring private messages. Please understand we will only monitor your messages should the necessity arise based upon improper use of the Message service. Improper use would include, but is not limited to illegal behaviors such as stalking, spamming or exchanging of copyrighted software.

Your continued use of the Private Message system acknowledges your understanding that these messages may be monitored. If you do not wish your messages to be monitored please delete all previous messages and halt your use of the private message system.

I would make it a lot less legalistic and a lot more polite, but you get the idea.

By doing this I don't have to take the step of doing the deletions, the person can do it him or herself. As far as the other party to any PMs sent, I wouldn't worry too much about old PMs, but if I was concerned, I would add something about asking individuals you have written to to delete the PMs if you are concerned.

By the way please don't copy this language and use it on your sites folks, it is off the top of my head and not quite right. If you use it and you get angry people or get in trouble that is your problem. I'll also be irritated with you. And we know you don't want an irritated lawyer hunting you down.


Edited to say

Sorry AG, didn't mean to get off on a tangent. I think if anyone else wants to talk about this we should probably take it off board or to a more appropriate thread, if there is one.

i see no real need for this
if i had concerns over PM activity, it temporarily shut down the PM system until i was sure enough that the PM activity had declined

Please keep on topic guys.

First, prove I read your private message. Secondly, I'm the administrator, I'll just delete the logs if someone starts a ruckus over it. Third, when I read PM's, I don't tell anyone.

The administrators of a forum have responsibility over how the forum operates. I feel have the ability to see everything that is ahppening with the board, including the ability to see private messages, go along with that, it will allow administrators to confirm that their forums is not being used as a message base for persons carrying on illegal / criminal activity. Having said that , administrators should never give out (except by court order) any info read in the private message area, and should include in the registration rules and faq the fact that the owners / administrators do have the ability to monitor / read private message sent on the forum, and the reasons for this as well as a privacy statement.

does it work with RC 2?

For me is very usefull believe me, I had some problems with some mods attempting to use their access for bad intentions.

See Ya

I have no true interest in my member's pm's or their content. However I was subjected to some truly nasty shutdowns and server hacks over the last few months. As I later found out...much of this was being discussed by 2 or 3 members who were in on the whole thing. So I will install the hack, and, while those particular members are gone...as least as far as I can tell :)..., if I notice a particular poster or member acting in a particular way, I will check out to whom he is pm'ing and if necessary find out what he's up to. There's too much time and money and trust involved in my board for it to be hijacked again.

You have no responsibility; responsibility is mandated by law. Your users have do have rights upheld in law. Unless you take the actions suggested above, you open yourself up to a lawsuit that can result in loosing everything you own, not to mention the posibility of criminal prosecution.

Here's the bottom line. Regardless of what you think, your forum is not your own. You are entitled to the software, but not the contents of the database. Those belong to the individual users. Believe it or not, even their own paswords are considered intellectual property. You should read about how one of the pioneers of Perl, Tom Christiansen, nearly went to jail.

ill add something about this in the terms of service section, noone reads that anyways ;)
i had a problem with a user advertising like crazy through pm's and thanks to this hack on vb2.3 i got it taken care of, so this will be useful

Well here is something that I think might help. Have a click through page that has a disclaimer about PMs not really being private and can be monitored for the general safely of the board and the users on the board.

Yes this could be a real pain for those that spend more time using the PMs than the board itself. It can even be an option that each user can turn off in their profile, but also by doing that they agree to the use of the PM system.

I think "private" in the PM leads many people to think they are truely private.

Nice hack. I'll be adding this for sure.

Hi,
i think there is a lot of modification to make this hack perfect.

1. show all recent pn`s over acp
2. show users pn by listing user in recent pn?s list and not over manually id typing :)


When it?s work with the VB 2 Hack then there is great :)

I installed the Hack OK and it works great!

Thanks!

Now I would like to post a "WARNING" on the page, where users would CLICK to "Send Private Message" so that it will say something to the effect of:

"Send Private Message: - (WARNING: These messages are Monitored by the Administrators)"

Where exactly would I go to edit the current words: "Send Private Message"

So that right after these words I can ad the text of: "- (WARNING: These messages are Monitored by the Administrators)"

The only thing which I found so far, is from within the AdminCP, to do a Global search and replace of the text and this DID work.

However, since the text of "Send Private Message" appears twice on the same page, this makes it the "warning" redundant (twice on the same page).

Is there any easy way to change just one out of the above 2?

To insert a direct access in the user manager:

I don't understand what the result of the above would be, since what I want is for a few words of text to be displayed for every ordinary user when he wants to POST his private message (so he will be for-warned that it can be read by the Admin).

I for one like this hack cause I get members who sign up and then PM other members who talk $hit about me and I dont like that.

I have put it in case to somebody she went it well, nobody is forced to install it.

How can I change my usergroup from Administrator to Super Administrator on a forum that is already running?

I'm looking for a hack like this for vB 2.3.3...anyone know where i can get it?

yes i also haven't been able to figure this out.