Are Private Messages (PMs) really private?

Discussion in 'Site and Forum Feedback' started by MacDawg, Jan 17, 2010.

  1. MacDawg macrumors P6

    MacDawg

    Joined:
    Mar 20, 2004
    Location:
    "Between the Hedges"
    #1
    I am just wondering, are Private Messages (PMs) really private here?

    I know nothing is truly private when posted, transmitted, etc. on the internet, but I was just wondering about the actual privacy of "private messages" on MR

    Do moderators or site administrators (or arn or WildCowboy) have any form of access to PMs sent between members on the Forum in any way?

    Exactly how "private" and secure are PMs?


    Woof, Woof - Dawg [​IMG]
     
  2. thegoldenmackid macrumors 604

    thegoldenmackid

    Joined:
    Dec 29, 2006
    Location:
    dallas, texas
    #2
    Doctor Q seemed unable to read mine when I was once having an issue. I had to forward the contents of a PM to him at his request.
     
  3. redwarrior macrumors 603

    redwarrior

    Joined:
    Apr 7, 2008
    Location:
    in the Dawg house
    #3
    I would think that anyone with access to the database would be able to get to the messages. It's easier to just have them forwarded, of course, but if they really wanted/needed to see PM's, they are stored somewhere.
     
  4. kainjow Moderator emeritus

    kainjow

    Joined:
    Jun 15, 2000
    #4
    I don't think vBulletin provides a way out of the box to read PMs. Mods certainly don't have access to the database. If an admin really wanted to read a PM, I'm sure they could just scan the database directly, but that would probably only happen in very extreme cases.
     
  5. MacDawg thread starter macrumors P6

    MacDawg

    Joined:
    Mar 20, 2004
    Location:
    "Between the Hedges"
    #5
    That is what I am really asking...

    First can a moderator/administrator see them as an option?

    Or, can the site owner dig them out if they wanted to?

    What level of privacy/security is actually given to the PM's

    And if they can be read or viewed somehow or some way, shouldn't that be disclosed somewhere?

    What would qualify as an extreme case?
    Are there guidelines anywhere for that?

    Woof, Woof - Dawg [​IMG]
     
  6. rdowns macrumors Penryn

    rdowns

    Joined:
    Jul 11, 2003
    #6
    Maybe they should be called Semi-Private Messages. :D
     
  7. redwarrior macrumors 603

    redwarrior

    Joined:
    Apr 7, 2008
    Location:
    in the Dawg house
    #7
    That's a good question. I'm trying to remember, but with SMF forums, I don't think that even the site owners can see the PM's as an option.

    The only way to keep them from being read in the database would be for the data to be encrypted, like passwords. However, even that can be cracked, rather easily. I've done it, and I'm not a hacker. :eek:
     
  8. kainjow Moderator emeritus

    kainjow

    Joined:
    Jun 15, 2000
    #8
    Don't think there are, but arn/Q/WC could probably give you a better answer.


    I just tested this with my own private vB forum, and using any simple MySQL database reader (such as phpMyAdmin), it's really easy to read PMs. But I would imagine only arn has access to something like that.

    Deleting a PM is really all you need to do if you don't want the chance of someone reading it. As soon as it's deleted, it's cleared from the database.
     
  9. UngratefulNinja macrumors 68000

    UngratefulNinja

    Joined:
    May 9, 2009
    Location:
    Pennsylvania
    #9
    I'm the owner/admin on another vbulletin site. I just went into the admin section to see if I could view anyone's pm's and I don't see a section anywhere for that. I COULD, however, change the password, then log in to their account to view their pm's, then reset the password. I wouldn't CHOOSE to do that, but technically I could :eek:
     
  10. MacDawg thread starter macrumors P6

    MacDawg

    Joined:
    Mar 20, 2004
    Location:
    "Between the Hedges"
    #10
    Ah, so deleting them eliminates them from the database
    Interesting

    Good info

    Woof, Woof - Dawg [​IMG]
     
  11. redwarrior macrumors 603

    redwarrior

    Joined:
    Apr 7, 2008
    Location:
    in the Dawg house
    #11
    That's what I thought. But remember, things are backed up. The backups will have the PM's. If backups are done daily, then it wouldn't be too hard to go back and find them. Who knows what the retention policy is on the backups for this place though. I wouldn't think they'd keep much for long at a time.

    Yep, that would be a rather quick and easy way to get to the messages.
     
  12. Shaun.P macrumors 68000

    Shaun.P

    Joined:
    Jul 14, 2003
    Location:
    Omicron Persei 8
    #12
    An interesting question. One that I've wondered on similar lines is that is there a way for our password information to be retrieved?
     
  13. redwarrior macrumors 603

    redwarrior

    Joined:
    Apr 7, 2008
    Location:
    in the Dawg house
    #13
    There is always a way.
     
  14. MacDawg thread starter macrumors P6

    MacDawg

    Joined:
    Mar 20, 2004
    Location:
    "Between the Hedges"
    #14
    You said you weren't a hacker

    Wait, haven't I seen you hanging around outside 4chan?

    Woof, Woof - Dawg [​IMG]
     
  15. kainjow Moderator emeritus

    kainjow

    Joined:
    Jun 15, 2000
    #15
  16. redwarrior macrumors 603

    redwarrior

    Joined:
    Apr 7, 2008
    Location:
    in the Dawg house
    #16
    Being knowledgeable of such things automatically makes one a hacker, I suppose. I recant my statement. :D

    Hmmmm, I was trying to keep from being seen. Guess I'm a hacker who will never make it as a spy. :cool:
     
  17. RedTomato macrumors 68040

    RedTomato

    Joined:
    Mar 4, 2005
    Location:
    .. London ..
    #17
    I'm a newbie sysadmin at work (50-user deployment). I don't have access at an easy level to user passwords, so if someone forgets their password, I can't tell them what it is. (I'm sure it's possible, just I haven't bothered to find out how yet.)

    However, it's a 5-second job for me to *change* their password to a new password, and tell them what it is. I don't need to know the old password to do that. (The user can then change the new password to something else if they want.)

    So on MR, anybody with admin access to vbulletin (Arn, Wild Cowboy, maybe a couple others, and whoever MR's webhost provider) can change a user password and go into their account.
     
  18. yg17 macrumors G5

    yg17

    Joined:
    Aug 1, 2004
    Location:
    St. Louis, MO
    #18
    I'm an admin on a vBulletin forum:

    Can admins read PMs on an "out-of-the-box" vB install? No
    Are there 3rd party plugins for vB that allow admins to easily read PMs from the Admin Control Panel? Yes
    Can someone with access to the database read PMs? Yes

    Regarding the password issue, no, it's not possible for an admin to view your password since it's saved as an md5 hash in the database.
     
  19. MacDawg thread starter macrumors P6

    MacDawg

    Joined:
    Mar 20, 2004
    Location:
    "Between the Hedges"
    #19
    Interesting information to be sure
    Thanks for the insights

    Since it seems like it is certainly possible for MR admins to access and read PMs, either by 3rd party plug-ins or by accessing the database, I would like to hear from arn, Wild Cowboy or another administrator on the actual and definitive policies in place for MR concerning Private Messages as well as their retention policy.

    Woof, Woof - Dawg [​IMG]
     
  20. WildCowboy Administrator/Editor

    WildCowboy

    Staff Member

    Joined:
    Jan 20, 2005
    #20
    As others have noted, there are ways that private messages could be read by people behind the scenes, but it would involve directly accessing the forum database to see them. There may be vBulletin plug-ins that would allow admins/mods to read them, but we do not have any installed and I can't imagine a circumstance in which we'd want to install one.

    Access to the database is extremely limited. To my knowledge, only arn and Knox have access to it. I don't. I'm 99% sure that Doctor Q doesn't. (We'd probably be too tempted to try to change something and just muck everything up.)

    Also to my knowledge, we have never gone digging into the database for PMs, and the only case I can think of in which arn would would be at the request of law enforcement should such circumstances warrant.

    Not having access to the database, I can only surmise that PMs are deleted from the database when they are deleted by the users. But as others have mentioned, the site is backed up regularly, so they could in theory be retrievable even after deletion.

    Also keep in mind that there are two parties to every private message. There have been situations where people have passed along private messages to us for one reason or another, as they could pass them along to any other forum member or copy and paste them to e-mails or anywhere available on the Internet. So in that respect, they're only as private as the parties involved in the conversation.

    Hope that helps.
     
  21. MacDawg thread starter macrumors P6

    MacDawg

    Joined:
    Mar 20, 2004
    Location:
    "Between the Hedges"
    #21
    Excellent summary!

    Thanks for taking the time to clarify!
    It is greatly appreciated

    Woof, Woof - Dawg [​IMG]
     
  22. RedTomato macrumors 68040

    RedTomato

    Joined:
    Mar 4, 2005
    Location:
    .. London ..
    #22
    Look, MR is just Arn's pet blog, now slightly overgrown its kennel. It was only a few months ago that he started working on it full-time.

    Things like 'data retention policies' are merely topics that get discussed in the OSX Server Forum, without any relevance to MR.

    You know what 4chan is, places like that need data and privacy policies. MR is a family-friendly site, and the mods enforce that quite strongly.

    If you're worried about your own PMs, best delete them or assume that nothing is private here. But hey, you donated to MR, you deserve a reply.
     
  23. Doctor Q Administrator

    Doctor Q

    Staff Member

    Joined:
    Sep 19, 2002
    Location:
    Los Angeles
    #23
    Make that 100%. I could, in theory, access a user's Private Messages by resetting their password, logging in under their account, and looking in their mailboxes. I have never done so because it would be improper and not in keeping with policy. Forum users have the reasonable expectation of privacy and we take privacy seriously. I suppose there could be some circumstance where a user asked us to access their messages for them and we'd agree to do so, but I can't think what it would be and it has never happened.

    Deleting your Private Message from your own mailbox isn't 100% foolproof in making it absolutely certain that nobody could ever read it because the other party has a copy they can share with anyone else. Also, there are two technical reasons: First, there could be a backup copy of the database from the time your message was in your mailbox so MacRumors would technically still have a copy. Second, although vBulletin hasn't been known to leak Private Message data, we know that ALL software can have bugs or can develop bugs, so we can't say for certain that vBulletin won't ever have a glitch in the handling of Private Messages. None of these concerns have ever been an issue in practice.

    My advice: Don't take chances anywhere on the Internet with information that absolutely must be protected at all costs e.g., financial account information. You should not put this type of information anywhere on the Internet or transmit it without encryption or other protection. For routine private information (e.g., identity and contact information, very personal communications, etc.) you can choose whether to send it via Private Messages with our assurance that the MacRumors staff will not read through your messages or access them directly in the underlying database unless it's in cooperation with law enforcement.
     
  24. r6girl Administrator/Editor

    r6girl

    Staff Member

    Joined:
    Sep 6, 2003
    Location:
    Massachusetts
    #24
    Actually, it was July 2008. :)
     
  25. MacDawg thread starter macrumors P6

    MacDawg

    Joined:
    Mar 20, 2004
    Location:
    "Between the Hedges"
    #25
    I appreciate Wild Cowboy and Doctor Q taking the time to give a definitive answer on the MR policy

    I just thought it was an interesting question and I had never seen it addressed here

    Woof, Woof - Dawg [​IMG]
     

Share This Page