While I very much enjoy Gitter since 3 days now, I have to open this Issue because it appeared that a user uploaded sensitive data to the public chat of our security-project, the Android IMSI-Catcher Detector. Talking to the developers of Gitter in their own chat, I was presented with not being able to delete anything that is being published there. It will be visible for everyone (even unregistered users) and forever. Great!
Being the owner of the main repository and creator of the corresponding chat room, I consider this to be a huge security Issue. Of course, I can edit my own posts until 4 minutes have passed - but what about sensitive content other people post, even if not intended? Don't I have the right to delete as an admin?
If this is not going to be resolved as desired, I'm afraid I'll have to fully delete our Gitter account (which I really don't want to do since Gitter is awesome). Especially security-related projects such as ours rely on the possibility of defending the anonymity of contributors and, at the very least, delete sensitive content.
Unfortunately the ethos behind our product and building online communities is at odds with your requirements. We will act on abuse and spam, but we do not want to create communities where administrators have powers to effectively control conversation by deleting messages.
Good luck with your project and finding a service that will facilitate what you are looking for.
What about deleting porn pictures from spam-bots? Just one or two spam-bots manage to overcrowd whole chat with disgusting porn images and even after banning bots we cannot delete those pictures :(
+1 on what @antonkulaga said, had a single spam bot overflow several rooms with gore/porn images in a matter of minutes. After banning the person, the messages are still there.
And what about my own posts?! I should have the right to remove them if I think they are no longer useful right?
I'm a TA in a course, and I posted a link to download an exam. I didn't know I couldn't edit or delete after four minutes. I don't want it to be permanently there, since I don't want the exam to be passing around (the course is given once a year, generally). I could delete the original file we shared, but it would be so much easier to just delete the post.
we do not want to create communities where administrators have powers to effectively control conversation by deleting messages.
TBH, this is a lame response. Any GitHub user has the ability to update/delete the content they post at any time (for example, in GitHub Issues), regardless of how old it is or whose project they created it under. I don't see why the fact that Gitter is a "chat" format should be any different, especially when Gitter conversations are indexed by search engines.
@mydigitalself I'm seeing the same issue with this. I want the ability to edit messages indefinitely. My use-case is team productivity and collaboration
Unfortunately the ethos behind our product and building online communities is at odds with your requirements.
So let's say that my team is using things for research and adding style that helps communicate information, a link might need to be changed, or someone wants to change the style of something. Yours is a design decision that seems more emotional than practical
I recently wanted to delete one of my own messages. I couldn't since more than 4 minutes had passed.
Fortunately it was not sensitive information or offensive comment.
But let's think a bit about what this lazy answer by @mydigitalself implies:
Unfortunately the ethos behind our product and building online communities is at odds with your requirements.
I'm French. As a creator of a public room, any content is of my responsibility (and I mean legally speaking). So if a user says something offensive and reprehensible on my chat room, the offended individual can sue me: in French law if the content is not moderated it means that the owner 100% agrees on it. Then I will plea that I can't remove any content because of a lack of a moderating tool and I will sue in turn Gitter. And I will certainly win.
So my question to @mydigitalself is simple: are you ready to face multiple trials (and potentially big fines, and also prison time: let's talk about crime apology) because you are too lazy to implement a simple moderating tool?
Let's also assume someone uploads a pile of copyright works. I can't delete them. Chances are, you will be nailed for enabling piracy - Sounds fun, right? Hello MEGAUPLOAD 2.0. Seriously, this whole issue is fucking stupid, and your answer is not one that a business should give, given these circumstances. This is literally a terrible idea, not providing these tools.
Also, if I may inquire, what is your policy on "Right-to-be-forgotten" Requests from the UK?
Basically, listen to your damn users. I agree 100% with @Krytos-FR
FYI, I pointed out that this could cause legal issues in #975 (closed)
Edit: Oh, and let's not forget the things that will (It's not an if, or a maybe, it WILL happen at some point) be uploaded that are illegal to possess basically anywhere in the world - which contains your servers, by the way.
@Kryptos-FR Let's be perfectly clear on one thing here, the issue has absolutely nothing to do with laziness and any insinuation otherwise is pretty disrespectful to a small team who work exceptionally long hours trying to build a great service.
Secondly, we're constantly listening to our users and have and will continue to act on individual requests for the deletion of content. We have helped people to remove spam and abuse as well as sensitive information erroneously posted.
There's a very fine balance here to be struck that has multiple competing pressures and I'll be the first to admit that we haven't always got it right, but rest assured we're always listening. By way of example, I've seen communities where owners have requested the deletion of messages that, quite literally, just strongly disagree with a position or an action and are in no ways abusive or infringing on copyright and such. This is an environment that we've strongly been opposed to creating and have perhaps taken decisions that sway towards this position at the cost of other scenarios. We've also wanted to create an environment where people can't just be abusive, knowing that they can inflict emotional damage at a point in time and then delete it thereafter as if it never happened.
Finally, we are right now in the process of defining improved moderation capability and will be revisiting some of our previous decision making around the matter. This includes not only the amount of time given to edit or remove a message as well as giving administrators the ability to delete messages and for the community to flag messages.
In defense of @mydigitalself, I'd like to mention that he has been extremely responsive to my email conversations with him regarding this issue. It is clear that Mike and the entire Gitter team have been working very hard, and they've produced a great product (otherwise we wouldn't be having this discussion!) So, I doubt that this is an issue of laziness - if it were, this would be a lot easier to solve.
I think this is an ideological difference. To Mike, accountability (so, being able to access evidence of abuse and illegal activity) trumps privacy and right-to-forget. The rest of us believe that each Gitter community should be self-moderating, and that administrators/owners should be responsible for banning abusive users, and that individual users should have autonomy over their own content.
I propose a compromise. How about "soft deleting"? Users can soft-delete their own comments from chat at any time. Soft-deleted messages will not be visible in chat, and they will not be given/traded/sold to third parties. However, the messages will be logged and available to the Gitter team, but only for reviewing complaints about abusive users. Entries in this log would be safeguarded in compliance with a Safe Harbor policy, and finally be hard-deleted after a certain period of time.
@PFCKrutonium what I'm saying is, this issue isn't about avoiding work. The issue is a belief (IMO, a misguided one) about how to effectively promote constructive conversations in Gitter.
Everyone wants a polite, respectful community. But this "set-in-stone", authoritarian policy is not the way to go about making that happen.
Mike is basically saying that the intention of the deletion time limit is to encourage self-censorship. A certain modicum of self-censorship is important, but Gitter's policy can easily lead to self-censorship in the extreme. When that happens, content becomes watered down (a very real effect in the case of Facebook), and communities fall apart.
i think that the way it is set up now is done pretty well, now deleting any data period is bad. i agree with the soft delete, but the content should be kept indefinitely, preferably on an archival system. but the soft delete methodology should be limited, you can't delete anything and everything. after let's say 48 hours the ability to delete or edit posts should be removed. they can only and should only be removed by request of the moderators of that thread.
@gitterHQ does not seem to care. And that makes me wonder why. Maybe they're the NSA? /tinfoil
I strongly advise to reconsider using Gitter and read their privacy policy while especially noting this:
Disclosure of your information
We may disclose your personal information to any partner of Gitter and/or a member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.
We may disclose your personal information to third parties:
in the event that we sell or buy any business or assets;
if Gitter or substantially all of its assets are acquired by a third party;
or if we are under a duty to disclose or share your personal data in order to comply with any legal obligation or to protect the rights, property, or safety of Gitter, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection.
Here's my other (probably better) idea: Go public, people! Ask them on Twitter something like this:
Dear @gitchat, why do you #break our #security by ignoring https://git.io/vwMT0?
I've heard through the grapevine that moderation capabilities are coming soon. Clearly it hasn't been a priority, but that doesn't mean there is a conspiracy going on.
If Gitter were a secret project of the Five Eyes, allowing or disallowing users to delete messages wouldn't make a difference as far as data collection is involved. Once you've submitted something to someone's server they can log it indefinitely, regardless of whether they let you "delete" it in the public-facing interface.
I've heard through the grapevine that moderation capabilities are coming soon.
Thanks. We'd like to hear an official statement of the gitter developers here.
Clearly it hasn't been a priority, but that doesn't mean there is a conspiracy going on.
Might be. But simply closing this Issue and telling me that it conflicts with their ethos really is strange:
Unfortunately the ethos behind our product and building online communities is at odds with your requirements. We will act on abuse and spam, but we do not want to create communities where administrators have powers to effectively control conversation by deleting messages.
i get where they are coming from, they don't want "censorship" which i agree, you shouldn't have the power to do, but i also see the community's perspective, where they want control and management of things like spam bots or inappropriate/unlawful posts. there is a fine line, i do think a time out for editing/deleting is nice, however, i don't think the way this system is implemented right now is the exact way it needs to be done. i'm not sure of the best solution, that would satisfy the creators' wish to de-censor conversation, and the communities that want to make sure things stay appropriate/on track. in the end gitter is more of a sophisticated IRC chat than something like a forum or reddit, that needs these controls to make sure things stay on topic and constructive. using it for anything more is kinda stupid irc chat is kinda stupid. however even if this is so, there do need to be controls in place to make sure that the wishes of the "moderators" of the chat are met. I personally am fine with the way things are now, vs. what @PFCKrutonium thinks when i or someone else slips up and posts something slightly inappropriate in chat (also only mentioning him cause i know he is paying attention). the sad thing is that we are both mods, and can't go back and delete our own posts, if our lord and master demands it... :P anyway just a thought.
@darth62969, any further discussion is senseless. The creator of the chat should have admin rights! And by admin rights I really mean full access, full control. Not just a creepy "Hey Pseudo-Admin, you can delete stuff within 4 minutes and then see private data float around in public chat rooms"... /anger
Being the owner of the main repository and creator of the corresponding chat room, I consider this to be a huge security Issue. Of course, I can edit my own posts until 4 minutes have passed - but what about sensitive content other people post, even if not intended? Don't I have the right to delete as an admin?
I said, that this is an issue, i said i agree with what they are trying to do, however i do think it isn't put into practice very well. 4 minutes is too short a time, i would give it a day at least for admins (for their posts and others) while regular users can stay at 4 minutes. that is what i am thinking is the best solution though i don't know what the compromise should be. if you paid attention to what i posted, i never said i was completely ok with the way things are now, i more or less said i was unsure about the best way to implement what GitterHQ wants, and what the admins need, and that the way things are now aren't the best way to do things.
i also said that gitter isn't for very sensitive conversation. it is a more sophisticated IRC for open source projects, it isn't Slack or some other form of private collaboration/development platform. it is more of a chat room than anything for actual development. it is a place to discuss changes and ideas, not to plan out the entire road map. that being said, you still should be able to control certain content that is posted.
What about a compromise? I would love to be able to delete posts, especially the bad ones. But I understand how you guys want self censorship. I had issues in my github repos of people being abusive in comments and then deleting them. Thankfully, I have a log so I can call out them and ban them for doing it.
Allow to delete posts even after the time frame
Allow to edit own posts after timeframe, not others
When editing posts, have it say edited and when you click on it, it shows the edit history
Deleting posts take 12 hours and shows on the deletion queue on the top
Anyone who was involved in the chat can have a log of the chat of everything that happened after they joined (ex: if I joined a chat, then someone said something and deleted it, I can recover it, but if another person joins afterwards, they can't see it)
My repo-based gitter channel is based on my repository - where I have utter control to edit and delete anything I want, for any reason I choose. Why would I want a repo-based channel where I don't have identical control? (Not objecting to any internal preservation of history for moderation purposes, but objecting to the idea that anyone but the repo owners gets to decide what's an acceptable reason to delete or edit a comment)
It is really horrible that I had to discover this AFTER moving my school of mostly teens to using Gitter and having to move them back to slack. I really hope you consider making these changes. There are so many valid use cases for allowing moderation and control of posts. The article about why FreeCodeCamp changed back to Gitter is completely misleading in ignoring this monumentally huge flaw in the Gitter approach.
I've hosted and moderated several different kinds of online discussions over the years. Once a community passes a certain size, I've usually found it necessary to publish and enforce a set of community rules. These rules generally cover harassment, combative attitudes towards other users, copyright violations, and so on. In the case of forums associated with a company, I would also need to enforce corporate policy as dictated by the legal department. Good moderation can be difficult work at times, but it can make the difference between vibrant communities and communities filled with a constant background level of bad behavior that's not quite abuse.
So thinking about this, I realize that as a moderator, my own ethos is in direct conflict with Gitter's.
We will act on abuse and spam, but we do not want to create communities where administrators have powers to effectively control conversation by deleting messages.
Good luck with your project and finding a service that will facilitate what you are looking for.
Understood. I will continue to use Gitter for one or two projects now, but if any moderation becomes necessary, I will moderate by deleting the entire chat room and moving to a new service. If moderation tools do become available before this becomes necessary, I will stay.
I drag/dropped an image in a private chat. It was uploaded and had its own URL. I deleted the message. However, I can still fetch the image using curl. Is there any way to delete this image? It is under https://files.gitter.im/csarven/ . Some headers:
Server: AmazonS3
Age: 5342
X-Cache: Hit from cloudfront
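An added sketch, not Gitter's code and not part of any comment above, of the deletion model the thread asks for: the "soft delete" proposal (hidden at once, kept for abuse review, hard-deleted after a retention period) combined with the last comment's point that an uploaded file must stop being served when its message is deleted. The class names, the 30-day retention and the in-memory stores are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

RETENTION = timedelta(days=30)  # assumed retention before hard delete
@dataclass
class Message:
    id: int
    author: str
    text: str
    attachments: list = field(default_factory=list)  # object keys of uploads
    deleted_at: Optional[datetime] = None

class Room:
    def __init__(self, admins):
        self.admins = set(admins)
        self.messages = {}  # id -> Message
        self.files = {}     # object key -> bytes, stands in for the file bucket
        self.audit = []     # (time, actor, action, message id), staff-only

    def post(self, msg, blobs=()):
        self.messages[msg.id] = msg
        for key, data in blobs:
            self.files[key] = data
            msg.attachments.append(key)

    def soft_delete(self, msg_id, actor, now):
        msg = self.messages[msg_id]
        if actor != msg.author and actor not in self.admins:
            raise PermissionError("only the author or a room admin may delete")
        msg.deleted_at = now
        self.audit.append((now, actor, "soft_delete", msg_id))

    def public_view(self):
        return [m for m in self.messages.values() if m.deleted_at is None]

    def fetch_file(self, key):
        # File serving checks message state, so the URL does not outlive the message.
        owner = next((m for m in self.messages.values() if key in m.attachments), None)
        if owner is None or owner.deleted_at is not None:
            return None
        return self.files[key]

    def purge(self, now):
        """Hard-delete expired messages and files; return keys to invalidate at the CDN."""
        expired = [m for m in self.messages.values() if m.deleted_at and now - m.deleted_at >= RETENTION]
        purged = []
        for msg in expired:
            for key in msg.attachments:
                self.files.pop(key, None)
                purged.append(key)
            del self.messages[msg.id]
            self.audit.append((now, "system", "hard_delete", msg.id))
        return purged
```

The keys returned by `purge` are what a real deployment would pass to its object store and CDN invalidation, since a cached copy can otherwise keep answering after the origin object is gone.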