80
New User Monitoring
(programming.dev)
Hi All,
Tldr:
- We are monitoring publically available information (posts, comments and DMs).
- Monitoring is turned off as soon as the admin team are satisfied the user is legitimate.
- will only temporary remove, no bans or deletion without a human being involved in the decision.
- No user data is sent off to 3rd party tools, all processing is done on the instance server. No LLMs are involved.
Due to some ongoing issues with harassment campaigns, we've had to setup a rudimentary monitoring system for all new users.
- When a user's signup is accepted, they will be automatically enrolled into the monitoring system. The admins team may also add accounts manually if they have been given a strike.
- The system will monitor all posts, comments and DMs sent by new users, and bring them to the attention of the admin team if it appears suspicious. In egregious cases, it will auto-remove posts and comments if required, but a human admin will always review and reverse any false positives as soon as required.
- Once we have validated that the user is not a harasser, they will be removed from the system.
We don’t want to go into too much detail on how it all works to prevent bad actors from bypassing it, but we can say that all the processing is being done locally on the instance server. For most of you, this wont have any impact, but some of you have been impacted by the systems false positives. It is also a good time to point out that DM messages are not private, and should not be used for anything that requires strong privacy.
There will likely be teething problems, but we are actively working on improving the bot to minimize impact and we are always open to feedback.
The problem is that we can't rely on reports of DMs since lemmy doesn't federate them to us.
E.g.
-> troll@programming.dev makes a new account and sends harassment to victim@lemmy.instance
-> victim@lemmy.instance reports the DMs from troll@programming.dev
-> We, the admins of programming.dev, do not see this report because lemmy does not federate the DM report and troll@programming.dev can continue harassing others because we never find out about it.
This isn't just a theoretical, it happened just last month that one of our users (1 day old account) sent rape and death threats (which were reported), and we found out about it by pure chance when talking to admins from the other instance.
And just to clarify, the tool only automatically monitors new accounts, i.e. accounts that are being registered today. If you account is more than a few weeks old, the tool doesn't monitor any of your activity.
I see, that sucks. Is it being discussed/adressed on the protocol level? This sounds like something that should be adressed in general, federation of reports, because it is a serious issue.
I can imagine a solution in upstream Lemmy repo, where report button also sends the report to the lemmy instance of the account instance outside of ActivityPub.
Yeah, not federating reports is a bug-level missing feature.
But having some kind of probation period also seems like an obvious feature to me (that should be optional, not mandatory). It was not uncommon in the past (on BBSes and old forums) to have new members' posts require approval before anyone could see them. I suspect it partially went away because big platforms needed to "growth hack" and anything that slows down the influx of new users is bad.
It's an open issue on github from 2024, it doesn't seem to be a priority. This tool allows us to react faster than reports though, and hopefully remove some problematic content before it's seen by others.
I've bumped the issue, since it already had an PR ready for review, and there seem to be some activity going on, so hopefully it will be merged soon.
It sounds like a really important thing to me.