[3.0.0 beta 5] Read your members Private Messages
Version: 1.00, by Floris

Version: 3.0.0
Released: 01-03-2004 Last Update: Never Installs: 137
 
No support by the author.

* Users tested this on beta 5,6,7,gamma,rc1 and didn't complain about errors *

/*======================================================================*\
|| This IS the First vB3 Hack (PM.PHP)
|| Description: Allow Super Administrators to read Private Messages
||
|| Author : Scott (scott@vbulletin.com) (version 1.0 for beta 3)
|| SideKick : Xiphoid (info@vBulletin.nl) (version 1.1 for beta 5)
||
|| Install : Upload to admincp/ folder and in browser run as
|| http://www.yoursite.com/forum/admincp/pm.php?userid=x
\*======================================================================*/

ENJOY
(and thank you Scott)


  • This modification may not be copied, reproduced or published elsewhere without author's permission.

Comments
#12
01-04-2004, 11:38 AM
wolfman
Join Date: Aug 2002
Posts: 77

Quote:
Originally Posted by Serge
Just a side note to remind everyone that you have to be Super Administrators to get this hack working, which means that any old administrator will not be able to view the PMs; only the ones defined inside the config.php file will be able to view them.

That's nice to know

#13
01-04-2004, 08:15 PM
FASherman
Join Date: Aug 2002
Posts: 289

Word of caution for US site owners: Using this hack, unless you have already warned your users that their PMs are subject to monitoring and can confirm, through some type of checkbox that you timestamp and save in the database, that they are aware of and agree to the monitoring, would be a violation of Federal Law under the Electronic Security Act.

Just the act of reading their PMs alone opens you up to both criminal and civil litigation. Under the criminal code, you can go to prison for up to 5 years. If you run your forums on your own hardware, it will be confiscated. On the civil litigation, you can be held liable for up to $50,000 per PM you read.

Is it worth it?

#14
01-04-2004, 08:39 PM
Weasel
Join Date: Dec 2001
Posts: 44

Quote:
Originally Posted by FASherman
Word of caution for US site owners: Using this hack, unless you have already warned your users that their PMs are subject to monitoring and can confirm, through some type of checkbox that you timestamp and save in the database, that they are aware of and agree to the monitoring, would be a violation of Federal Law under the Electronic Security Act.

Just the act of reading their PMs alone opens you up to both criminal and civil litigation. Under the criminal code, you can go to prison for up to 5 years. If you run your forums on your own hardware, it will be confiscated. On the civil litigation, you can be held liable for up to $50,000 per PM you read.

Is it worth it?

You should probably point out if you are not a lawyer and your occupation has nothing to do with law.

#15
01-04-2004, 08:48 PM
wolfman
Join Date: Aug 2002
Posts: 77

Quote:
Originally Posted by FASherman
Word of caution for US site owners: Using this hack, unless you have already warned your users that their PMs are subject to monitoring and can confirm, through some type of checkbox that you timestamp and save in the database, that they are aware of and agree to the monitoring, would be a violation of Federal Law under the Electronic Security Act.

Just the act of reading their PMs alone opens you up to both criminal and civil litigation. Under the criminal code, you can go to prison for up to 5 years. If you run your forums on your own hardware, it will be confiscated. On the civil litigation, you can be held liable for up to $50,000 per PM you read.

Is it worth it?

Well this is something that is up for debate and as for me I will be installing this hack as it is just making what I can do already easier to do.

I will say this again, if anyone actually thinks anything they type that is not encrypted is private then they are smart enough to give out their credit card numbers to everyone and still feel protected.

#16
01-04-2004, 09:57 PM
MLBCenter
Join Date: Sep 2003
Posts: 41

I feel the same way as Floris and will be installing this hack.

#17
01-04-2004, 10:32 PM
FASherman
Join Date: Aug 2002
Posts: 289

Quote:
Originally Posted by Weasel
You should probably point out if you are not a lawyer and your occupation has nothing to do with law.

I have been an IT tech and manager for over 20 years and have had to design systems to comply with the law.

(3)(a) Except as provided in paragraph (b) of this subsection,
a person or entity providing an electronic communication service
to the public shall not intentionally divulge the contents of any
communication (other than one to such person or entity, or an
agent thereof) while in transmission on that service to any
person or entity other than an addressee or intended recipient of
such communication or an agent of such addressee or intended
recipient.

(b) A person or entity providing electronic communication
service to the public may divulge the contents of any such
communication -

(i) as otherwise authorized in section 2511(2)(a)
or 2517 of this title;

(ii) with the lawful consent of the originator or
any addressee or intended recipient of such communication;

(iii) to a person employed or authorized, or whose
facilities are used, to forward such communication to its
destination; or

(iv) which were inadvertently obtained by the
service provider and which appear to pertain to the commission of
a crime, if such divulgence is made to a law enforcement agency.

(4)(a) Except as provided in paragraph (b) of this subsection
or in subsection (5), whoever violates subsection (1) of this
section shall be fined under this title or imprisoned not more
than five years, or both.


It doesn't get any clearer than that, folks. In the US, installing and using this hack is a federal offense that can earn you prison time.

Here's the law: UNITED STATES CODE TITLE 18. CRIMES AND CRIMINAL PROCEDURE PART I--CRIMES CHAPTER 119--WIRE AND ELECTRONIC COMMUNICATIONS INTERCEPTION AND INTERCEPTION OF ORAL COMMUNICATIONS

It also bears mentioning that individual states also have privacy laws that may or may not be violated by reading your users' private messages. One would also be subject to prosecution under state laws as well.

Given the privacy concerns relative to the Patriot Act, this is an extremely sensitive issue to many people.

I have no further need to continue to try to convince anyone further. I've given you the best advice I can. If you choose to do something stupid and put yourself at risk, that's your business.

#18
01-06-2004, 02:46 PM
leagleaze
Join Date: Mar 2003
Posts: 4

He may not be a lawyer, but I am. Of course this requires me to say we are not in an attorney client relationship, I am offering generalized advice, it is worth what you paid for it, yadda yadda.

I've actually been watching this debate for a while. Find it pretty interesting.

All I can say is this, and you'll pardon me if my tone is blunt.

There are some recent cases that might suggest that this could be a violation of the act in question. Normally the cases involve reading other people's emails or putting key caps programs on people's computers without their permission or knowledge. If people believe, reasonably, that their private messages are private, you could have a problem.

Now a lot of you will say they don't reasonably believe that, nothing on the Internet is private. My response is you need to take a look at the type of people who use your site. Are they aware enough to appreciate this fact? A court will look at what is reasonable based upon the knowledge base of the people. So if you have a hacking board or something your argument is a good one. Not so good for a board where the people don't know the first thing about vbulletin, how it works, what can be read, so on and so forth.

Yes, we can view the PMs by going through the databases. Sysadmins can also view emails easily. And without proper cause, if a sysadmin for an email provider started reading your email, he'd be liable for all sorts of things. It's a definite no no. Once you place something out there for people to use it becomes more complicated than it is my property so tough to you. And if you had a problem and you went into court and said hey, it is my board, it is my property I can do what I want, I promise you that answer won't cut it.

On the other hand, if you can say, I had a problem with a stalker or with someone trading warez, and I had a note on my sign up page that said you are consenting to being monitored with just cause, then you have a very good argument. Is it a winnable argument? Honestly, I don't know. Any more than I know for certain you would be found liable for violating the Act(s).

In the end, I'd suggest that if you want to install this hack and you want to protect yourselves, it probably wouldn't hurt to put something in your TOS noting that they are consenting to monitoring or that nothing posted through the board is private or what have you. It is not a difficult thing to put in your TOS and it is better to be safe. I would also be very careful to limit your reading of pms to when it is a necessity.

Of course, this only applies to US law. The EU has even more stringent privacy laws. Your mileage may vary.

By the way, if you are wondering if I, as an attorney, would ever install this hack, the answer is no. I think it is unwise, and I think, as our IT person thinks, that it could get you in a lot of trouble, even with warnings to the users.


L

#19
01-06-2004, 03:10 PM
mzlogical
Guest
Posts: n/a

^ I agree. I won't be installing... but:

It's not "stupid" for people to want to do that. A lot of people may have valid reasons, who knows.

Quote:
Originally Posted by leagleaze
it probably wouldn't hurt to put something in your TOS noting that they are consenting to monitoring or that nothing posted through the board is private or what have you. It is not a difficult thing to put in your TOS and it is better to be safe. I would also be very careful to limit your reading of pms to when it is a necessity.

THAT ^ is what everyone that installs this hack should do to protect themselves. If the person signing up doesn't bother to read it. Tough for them. They should also change "private" to just plain ol "messages". :ermm:

#20
01-06-2004, 03:32 PM
FASherman
Join Date: Aug 2002
Posts: 289

Quote:
Originally Posted by leagleaze
He may not be a lawyer, but I am. Of course this requires me to say we are not in an attorney client relationship, I am offering generalized advice, it is worth what you paid for it, yadda yadda.

I've actually been watching this debate for a while. Find it pretty interesting.

All I can say is this, and you'll pardon me if my tone is blunt.

There are some recent cases that might suggest that this could be a violation of the act in question. Normally the cases involve reading other people's emails or putting key caps programs on people's computers without their permission or knowledge. If people believe, reasonably, that their private messages are private, you could have a problem.

Now a lot of you will say they don't reasonably believe that, nothing on the Internet is private. My response is you need to take a look at the type of people who use your site. Are they aware enough to appreciate this fact? A court will look at what is reasonable based upon the knowledge base of the people. So if you have a hacking board or something your argument is a good one. Not so good for a board where the people don't know the first thing about vbulletin, how it works, what can be read, so on and so forth.

Yes, we can view the PMs by going through the databases. Sysadmins can also view emails easily. And without proper cause, if a sysadmin for an email provider started reading your email, he'd be liable for all sorts of things. It's a definite no no. Once you place something out there for people to use it becomes more complicated than it is my property so tough to you. And if you had a problem and you went into court and said hey, it is my board, it is my property I can do what I want, I promise you that answer won't cut it.

On the other hand, if you can say, I had a problem with a stalker or with someone trading warez, and I had a note on my sign up page that said you are consenting to being monitored with just cause, then you have a very good argument. Is it a winnable argument? Honestly, I don't know. Any more than I know for certain you would be found liable for violating the Act(s).

In the end, I'd suggest that if you want to install this hack and you want to protect yourselves, it probably wouldn't hurt to put something in your TOS noting that they are consenting to monitoring or that nothing posted through the board is private or what have you. It is not a difficult thing to put in your TOS and it is better to be safe. I would also be very careful to limit your reading of pms to when it is a necessity.

Of course, this only applies to US law. The EU has even more stringent privacy laws. Your mileage may vary.

By the way, if you are wondering if I, as an attorney, would ever install this hack, the answer is no. I think it is unwise, and I think, as our IT person thinks, that it could get you in a lot of trouble, even with warnings to the users.


L

Let me ask you a question - realizing that the answer falls under the heading of friendly advice, not legal advice.

The problem I see with someone installing this hack is removing the reasonable expectation of the users that their messages are indeed private.

You correctly point out that all users would need to be informed that messages are monitored and usage constitutes agreement to monitoring and you suggest this via a TOS.

How does a sysadmin protect himself in such a way that he can PROVE that a user consented to monitoring? As I understand it, the courts always side with the person whose privacy has been invaded in cases of ambiguity, the right to privacy being paramount.

For users from the hack install date on, one should edit their sign-up templates to warn of monitoring and the fact that they continued with the sign-up process is proof enough.

But what about existing users? Users who:

1. Signed up before monitoring was the norm
2. Sent private messages before monitoring was initiated under the expectation of privacy that can now be read.

The only way I see this being possible is that, at the time the hack is installed, all existing users have PMs turned off and all existing PMs deleted. Then, the user has to provide some positive consent to monitoring - maybe just a customized user field.

The reason all existing PMs need to be deleted is every PM involves two people: the person who sent it and the one that received it. If the receiver consents but the sender does not, the sysadmin still can't read that PM without being in violation of the law.

What are your thoughts? Assuming you HAD to install this hack, how would you protect yourself?

#21
01-06-2004, 03:46 PM
leagleaze
Join Date: Mar 2003
Posts: 4

Hmmm. Interesting, very interesting. Let me think about this.

Your original TOS, does it have anything about modifications to the TOS? Mine does, says we will try to let people know of any major changes, they consent to them by using the site, etc etc. Yours should say something like that.

If I had to add this, I would do an announcement on the site, and I would document the fact I had done this in whatever records I kept. That announcement would say something like:

We have recently had a problem that requires us, in order to keep the site and its users safe and secure, to begin monitoring private messages. Please understand we will only monitor your messages should the necessity arise based upon improper use of the Message service. Improper use would include, but is not limited to illegal behaviors such as stalking, spamming or exchanging of copyrighted software.

Your continued use of the Private Message system acknowledges your understanding that these messages may be monitored. If you do not wish your messages to be monitored please delete all previous messages and halt your use of the private message system.

I would make it a lot less legalistic and a lot more polite, but you get the idea.

By doing this I don't have to take the step of doing the deletions, the person can do it him or herself. As far as the other party to any PMs sent, I wouldn't worry too much about old PMs, but if I was concerned, I would add something about asking individuals you have written to to delete the PMs if you are concerned.

By the way please don't copy this language and use it on your sites folks, it is off the top of my head and not quite right. If you use it and you get angry people or get in trouble that is your problem. I'll also be irritated with you. And we know you don't want an irritated lawyer hunting you down.


Edited to say

Sorry AG, didn't mean to get off on a tangent. I think if anyone else wants to talk about this we should probably take it off board or to a more appropriate thread, if there is one.