💾 Archived View for gemi.dev › gemini-mailing-list › 000610.gmi captured on 2023-11-04 at 12:58:57. Gemini links have been rewritten to link to archived content

-=-=-=-=-=-=-

[tech] Managing un-moderated account creation and its side-effects

Mansfield Mansfield <mansfield (a) ondollo.com>

Hello!

I've been enjoying the gemini-space and I'm excited that this email signals
my attempt to join more vocally. Hopefully my attempts to support Gemini
end up being acceptable or at the least agreeable. :-)

I've been working on a server and client for Gemini and I'm nearing the end
of what I wanted to explore in my implementations... but I have a few
questions that I'd love some help thinking through. I'd like to cover one
of those questions in this email.

One of my goals has been to have a client / server pairing that
supports helping non-technical users go from downloading a client to
posting content as quickly and painlessly as possible. In my mind this
means allowing new accounts to be created *without* moderating their
creation... which leaves me wondering how I might respond to side-effects
like any unwelcome content (illegal, offensive, spam, etc.).

I understand that walking down a path that allows un-moderated account
creation is asking for trouble. I'm still interested in exploring
the possibilities to see if a compromise might be found for
my implementations.

One of the options I'm considering is to restrict the number of posts a new
account can make. Say, only "one page"? This wouldn't remove *all* negative
side-effects, but seems to discourage some abuse and facilitate any
clean-up since there'd only be one 'thing' to remove.

Another option is to limit the *kind* of content that a new account can
provide. Say, no links? This could curtail a type of side-effect
(facilitating access to external content through my domain/server), but not
entirely, since text/gemini *without* explicit links could just as easily
be a link-in-plain-text that is copied and used somewhere else.

A third option I'm considering is to limit the visibility of the content
that a new account can provide. I've written an HTTP server that provides
access to the Gemini content, so, maybe I disallow any content from
accounts less than say, 1 month old? If a new account were showing promise
as a positive contributor I could manually enable it sooner than a month...
a sort of default-deny with a manual-allow. Content could of course still
be viewed through a Gemini-specific client, just not through a web browser.

The last option I've been mulling over is to just accept the side-effects,
but that feels too much like an ends-justify-means approach which I find
weak as a motivation... but... I *almost* prefer encouraging communication
and creation enough to endure negative side-effects.

I guess one way to sum up the sharp corner I'm trying to round-off is that
I have two goals that seem to oppose each other: encourage creation of
content *and* discourage creation of 'wrong' content. I'm very sensitive to
this concept of 'wrong' content too... (I'm *very* uninterested in limits
to agency, but there's the swinging fists and noses point in the middle of
that)... but that's a different discussion.

I have memories of some server implementations simply requiring manual
account creation approvals, which, as mentioned, is what I'm hoping to
avoid... I *know* this is a tough complication. As some additional
information, all I have set up as required for account creation is to
provide a certificate. I plan on using the subject-common-name and first
few characters from the generated fingerprint as the account name... so...
no email verification, and no way to know if some spammer is just creating
a bunch of new accounts for similar purposes.

There's more thought I've had, but I'll stop rambling there.

Thanks for reading this far. :-D

Thoughts?

Link to individual message.
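
The three restrictions proposed in the message above (a page quota, no link lines, and age-gated visibility on the HTTP mirror), sketched as one policy check. This is an added example, not code from the thread or from Mansfield's server; the SHA-256 fingerprint, the 8-character prefix, the 30-day window and all names are assumptions.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed values: the message only says "one page", "1 month" and
# "first few characters" of the fingerprint.
NEW_ACCOUNT_PAGE_QUOTA = 1
PROBATION = timedelta(days=30)
FINGERPRINT_PREFIX_LEN = 8


def account_name(common_name: str, cert_der: bytes) -> str:
    """Display name: subject CN plus a short prefix of the certificate fingerprint.

    Assumes a SHA-256 fingerprint over the DER certificate. The short prefix
    is a label only and is not collision-resistant, so the account record
    itself should be keyed on the full fingerprint.
    """
    fingerprint = hashlib.sha256(cert_der).hexdigest()
    return f"{common_name}-{fingerprint[:FINGERPRINT_PREFIX_LEN]}"


@dataclass
class Account:
    name: str
    created: datetime
    pages: int = 0
    manually_allowed: bool = False  # moderator override ("manual-allow")

    def on_probation(self, now: datetime) -> bool:
        return not self.manually_allowed and now - self.created < PROBATION


def has_link_line(gemtext: str) -> bool:
    """True if a line outside a preformatted block is a text/gemini link line.

    A URL written as plain text still passes, which is the gap the
    message itself points out.
    """
    preformatted = False
    for line in gemtext.splitlines():
        if line.startswith("```"):
            preformatted = not preformatted
        elif not preformatted and line.startswith("=>"):
            return True
    return False


def check_post(account: Account, gemtext: str, now: datetime) -> tuple[bool, str]:
    """Accept or reject a post; the reason string can feed a moderation log."""
    if not account.on_probation(now):
        return True, "ok"
    if account.pages >= NEW_ACCOUNT_PAGE_QUOTA:
        return False, "new-account page quota reached"
    if has_link_line(gemtext):
        return False, "link lines not allowed for new accounts"
    return True, "ok"


def visible_over_http(account: Account, now: datetime) -> bool:
    """Default-deny on the HTTP mirror only; Gemini clients are unaffected."""
    return not account.on_probation(now)
```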

Emma Humphries <ech (a) emmah.net>

Comments inline.

My background on this is my work helping moderate Mozilla's 
Bugzilla bug tracker from 2015 to last year. 

On Wed, Jan 6, 2021, at 20:38, Mansfield Mansfield wrote:

> One of the options I'm considering is to restrict the number of posts a 
> new account can make. Say, only "one page"? This wouldn't remove *all* 
> negative side-effects, but seems to discourage some abuse and 
> facilitate any clean-up since there'd only be one 'thing' to remove.

You'd have drive-by abusers, but in my experience those sorts of users
will do a burst of posts and either leave or they are banned. Making it
easy to tag those sorts of posts so a moderator can clean them up is key.

Also, remember that some days a reasonable person of good intent will
have a bad community day. 

Sometimes you don't need a ban, but just a takedown and a, "hey, don't
do that" backed up with bans for people who don't get the message.

You could also do invites so you can do controlled growth. 

> Another option is to limit the *kind* of content that a new account can 
> provide. Say, no links? This could curtail a type of side-effect 
> (facilitating access to external content through my domain/server), but 
> not entirely, since text/gemini *without* explicit links could just as 
> easily be a link-in-plain-text that is copied and used somewhere else.

Limiting new account privileges is one way to start, in terms of
no-links, no-attachments, no tagging other users, no direct replies.

One of the issues I dealt with, was too many permissions for new posts 
which caused confusion or missing steps in process. That's less likely for 
people just making posts. 

> A third option I'm considering is to limit the visibility of the 
> content that a new account can provide. I've written an HTTP server 
> that provides access to the Gemini content, so, maybe I disallow any 
> content from accounts less than say, 1 month old? 

A friend has given a lot of thought to the onboarding problem,
https://gist.github.com/aredridel/470d6d186f3d848b3a7eeb6f8fa8dcf9,
and one of the suggestions is about getting people into community. 

So you could ask someone joining "what content you want to find? Cooking, 
Rust, anime, crochet, axe throwing, etc.." and plug them into that community
to start, then broaden the scope as they make connections.

You will have to do some bootstrapping of community, but expectations
are a lot easier to build out of a group of people invested in making
community.

> The last option I've been mulling over is to just accept the 
> side-effects, but that feels too much like an ends-justify-means 
> approach which I find weak as a motivation... but... I *almost* prefer 
> encouraging communication and creation enough to endure negative 
> side-effects.

Creating community and creation are good, and don't get in the way
of people doing that, but doing things in the way that someone can't
wreck the place either intentionally or not. 

Emma H
gemini://gemini.djinn.party/

Link to individual message.

Sean Conner <sean (a) conman.org>

It was thus said that the Great Mansfield Mansfield once stated:
> Hello!
> 
> One of my goals has been to have a client / server pairing that
> supports helping non-technical users go from downloading a client to
> posting content as quickly and painlessly as possible. In my mind this
> means allowing new accounts to be created *without* moderating their
> creation... which leaves me wondering how I might respond to side-effects
> like any unwelcome content (illegal, offensive, spam, etc.).
> 
> I understand that walking down a path that allows un-moderated account
> creation is asking for trouble. I'm still interested in exploring
> the possibilities to see if a compromise might be found for
> my implementations.

  I am not a lawyer, so take what I say with a few boulders of salt.

  How concerned are you?  I can see where you might be subject to:

	* laws where you live
	* laws of the domain you register (for instance, the purely
	  fictional .fd top level domain (Freedonia) might subject you to
	  its punitive libel and copyright laws despite where you or the
	  server or your users are located)
	* laws where the server resides
	* laws where the user lives

All of those might be the same country; it might not.  The US has strong
freedom of speech codes and thus libel cases are harder to prosecute (to a
degree); the UK has less free speech and very strong libel laws (compared to
the US) so you might be liable for something a user said.  Again, it
depends upon jurisdiction.

  I know the US (since I live there) tries to make a distinction between a
"publisher" and a "platform" and one of the differences comes down to
moderation---do too much and you can fall into the "publisher" category
which makes you more liable for what is said than if you are in the
"platform" category.  Too little moderation, as you say, is also
troublesome.

  Okay, ignoring legal liabilities, one way might be to use an "invite-only"
system.  The website Lobsters (https://lobste.rs/) uses an invite system. 
Users can invite new users (even ones they don't know) but they then become
liable for the new users' behavior.  I'm checking the current moderation
queue for users [1], and while most are userid changes (foo changed username
to bar), some users have been banned (mostly for spamming; one for
"repeatedly trying to use Lobsters to whip up an online outrage mob against
organizations they don't care for"), some have had invites disabled for
inviting too many other people who have been banned.  That seems to work for
Lobsters.

  Also, trying to invoke a community spirit can help.

  -spc 

[1]	https://lobste.rs/moderations?moderator=%28All%29&what%5Busers%5D=users\

	I'm not sure if you can read the link if you aren't a member.

Link to individual message.

Mansfield <mansfield (a) ondollo.com>

Thanks for the response - I've inlined as well.

On Wed, Jan 6, 2021 at 11:46 PM Emma Humphries <ech at emmah.net> wrote:

> Comments inline.
>
> My background on this is my work helping moderate Mozilla's
> Bugzilla bug tracker from 2015 to last year.
>
> On Wed, Jan 6, 2021, at 20:38, Mansfield Mansfield wrote:
>
> > One of the options I'm considering is to restrict the number of posts a
> > new account can make. Say, only "one page"? This wouldn't remove *all*
> > negative side-effects, but seems to discourage some abuse and
> > facilitate any clean-up since there'd only be one 'thing' to remove.
>
> You'd have drive-by abusers, but in my experience those sorts of users
> will do a burst of posts and either leave or they are banned. Making it
> easy to tag those sorts of posts so a moderator can clean them up is key.
>

I hadn't given much thought to implementing specific mechanisms to make
moderation easier. I think I just thought, "It won't be difficult".
Implementing specific tools to help moderate is a good suggestion. I'll
look into it.


> Also, remember that some days a reasonable person of good intent will
> have a bad community day.
>
> Sometimes you don't need a ban, but just a takedown and a, "hey, don't
> do that" backed up with bans for people who don't get the message.
>

Too true. I like your suggestion of levels of response... I'll have to
think about that... maybe a pause button on new content? Rate limit... I
like it.


> You could also do invites so you can do controlled growth.
>

I hadn't considered invites for general posts, but was starting to think
along those lines for facilitating community generation. A sort of ability
to make invite-only groups. Feels like an OK way to share moderation
ability. Maybe provide community managers with invite-only ability and a
pause button with eventual ban.


> > Another option is to limit the *kind* of content that a new account can
> > provide. Say, no links? This could curtail a type of side-effect
> > (facilitating access to external content through my domain/server), but
> > not entirely, since text/gemini *without* explicit links could just as
> > easily be a link-in-plain-text that is copied and used somewhere else.
>
> Limiting new account privileges is one way to start, in terms of
> no-links, no-attachments, no tagging other users, no direct replies.
>
> One of the issues I dealt with, was too many permissions for new posts
> which caused confusion or missing steps in process. That's less likely for
> people just making posts.
>

I think I agree. One of the points about text/gemini that I've enjoyed is
that there's so little there to begin with - not much to remove if a more
limited format is what's wanted.


> > A third option I'm considering is to limit the visibility of the
> > content that a new account can provide. I've written an HTTP server
> > that provides access to the Gemini content, so, maybe I disallow any
> > content from accounts less than say, 1 month old?
>
> A friend has given a lot of thought to the onboarding problem,
> https://gist.github.com/aredridel/470d6d186f3d848b3a7eeb6f8fa8dcf9,
> and one of the suggestions is about getting people into community.
>
> So you could ask someone joining "what content you want to find? Cooking,
> Rust, anime, crochet, axe throwing, etc.." and plug them into that community
> to start, then broaden the scope as they make connections.
>
> You will have to do some bootstrapping of community, but expectations
> are a lot easier to build out of a group of people invested in making
> community.
>

Thanks for the link!

I think I'll have to spend some time thinking through flipping the problem
away from being about privacy... it's a different take...

I like the exploration of onboarding communities as a unit... not one-off
as individuals. Something like... you can start a community if you can get
5 others to join you in the waiting room and agree together to start a
community... or something...


> > The last option I've been mulling over is to just accept the
> > side-effects, but that feels too much like an ends-justify-means
> > approach which I find weak as a motivation... but... I *almost* prefer
> > encouraging communication and creation enough to endure negative
> > side-effects.
>
> Creating community and creation are good, and don't get in the way
> of people doing that, but doing things in the way that someone can't
> wreck the place either intentionally or not.
>

That's what I'm dreaming of - I feel heard and helped - thanks!


>
> Emma H
> gemini://gemini.djinn.party/
>

Link to individual message.

Mansfield <mansfield (a) ondollo.com>

I've been 'thus said'ed!! :-D Thank you.

On Thu, Jan 7, 2021 at 1:03 AM Sean Conner <sean at conman.org> wrote:

> It was thus said that the Great Mansfield Mansfield once stated:
> > Hello!
> >
> > One of my goals has been to have a client / server pairing that
> > supports helping non-technical users go from downloading a client to
> > posting content as quickly and painlessly as possible. In my mind this
> > means allowing new accounts to be created *without* moderating their
> > creation... which leaves me wondering how I might respond to side-effects
> > like any unwelcome content (illegal, offensive, spam, etc.).
> >
> > I understand that walking down a path that allows un-moderated account
> > creation is asking for trouble. I'm still interested in exploring
> > the possibilities to see if a compromise might be found for
> > my implementations.
>
>   I am not a lawyer, so take what I say with a few boulders of salt.
>
>   How concerned are you?  I can see where you might be subject to:
>
>         * laws where you live
>         * laws of the domain you register (for instance, the purely
>           fictional .fd top level domain (Freedonia) might subject you to
>           its punitive libel and copyright laws despite where you or the
>           server or your users are located)
>         * laws where the server resides
>         * laws where the user lives
>
> All of those might be the same country; it might not.  The US has strong
> freedom of speech codes and thus libel cases are harder to prosecute (to a
> degree); the UK has less free speech and very strong libel laws (compared to
> the US) so you might be liable for something a user said.  Again, it
> depends upon jurisdiction.
>
>   I know the US (since I live there) tries to make a distinction between a
> "publisher" and a "platform" and one of the differences comes down to
> moderation---do too much and you can fall into the "publisher" category
> which makes you more liable for what is said than if you are in the
> "platform" category.  Too little moderation, as you say, is also
> troublesome.
>

I think I'm following your walk through the legal aspect... I guess that
was part of my thought process too... not too dominant, but part.

I'm not too worried - and now I can see how attempts to find a desirable
outcome from constricting and controlling too much might lead to an
undesirable outcome anyway if the situation is seen as more-like-publisher.
Good food for thought. I get the sense that you would lean more toward
little to no moderation, which can make sense. From the little that I've
seen, I *think* that if I wanted an 'account' on your gemini server I would
need to email you. Are you able to keep up with the invites, or, said
another way, do you sometimes wish you weren't in the middle?


>   Okay, ignoring legal liabilities, one way might be to use an "invite-only"
> system.  The website Lobsters (https://lobste.rs/) uses an invite system.
> Users can invite new users (even ones they don't know) but they then become
> liable for the new users' behavior.  I'm checking the current moderation
> queue for users [1], and while most are userid changes (foo changed username
> to bar), some users have been banned (mostly for spamming; one for
> "repeatedly trying to use Lobsters to whip up an online outrage mob against
> organizations they don't care for"), some have had invites disabled for
> inviting too many other people who have been banned.  That seems to work for
> Lobsters.
>

This idea of invites becoming some form of responsibility appeals to me
quite a bit.


>
>   Also, trying to invoke a community spirit can help.
>
>   -spc
>
> [1]     https://lobste.rs/moderations?moderator=%28All%29&what%5Busers%5D=users\
>
>         I'm not sure if you can read the link if you aren't a member.
>

The link worked fine for me and I'm not a member. Interesting that there
seem to be a dozen to a few dozen 'moderation actions' a week.

Link to individual message.

Sean Conner <sean (a) conman.org>

It was thus said that the Great Mansfield once stated:
> I've been 'thus said'ed!! :-D Thank you.

  You're welcome.

> On Thu, Jan 7, 2021 at 1:03 AM Sean Conner <sean at conman.org> wrote:
> 
> >   I know the US (since I live there) tries to make a distinction between a
> > "publisher" and a "platform" and one of the differences comes down to
> > moderation---do too much and you can fall into the "publisher" category
> > which makes you more liable for what is said than if you are in the
> > "platform" category.  Too little moderation, as you say, is also
> > troublesome.
> 
> I'm not too worried - and now I can see how attempts to find a desirable
> outcome from constricting and controlling too much might lead to an
> undesirable outcome anyway if the situation is seen as more-like-publisher.
> Good food for thought. I get the sense that you would lean more toward
> little to no moderation, which can make sense. From the little that I've
> seen, I *think* that if I wanted an 'account' on your gemini server I would
> need to email you. Are you able to keep up with the invites, or, said
> another way, do you sometimes wish you weren't in the middle?

  If you are talking about this link:

	gemini://gemini.conman.org/conman-labs-private/

then no one has ever asked for access.  So in that sense, yes, I've been
able to keep up with the subscription rate.  It was more of a way for me to
test client certificates than anything else.

> > [1]     https://lobste.rs/moderations?moderator=%28All%29&what%5Busers%5D=users\
> >
> >         I'm not sure if you can read the link if you aren't a member.
> >
> 
> The link worked fine for me and I'm not a member. Interesting that there
> seem to be a dozen to a few dozen 'moderation actions' a week.

  Cool.  So you can get an idea for how that works then.  

  -spc

Link to individual message.
