Deletion policy

On the topic Nvidia driver installation is related to this discussion. A user repeatedly deleted their posts (2 in total) replacing them with a new one with their current step. I guess this is just a matter of the user not being familiar with forum etiquette, but disabling the delete button would avoid this.

Since there hasn’t been any movement here. Given there was a majority movement towards not allowing people to delete their posts, I’ll go ahead with disabling deletion in a few days.

For now the edit history will be public (as has been). Let’s see how this goes and in there are no complaints. Otherwise we might need to review that policy.

Implemented this today. Let’s see how it goes.

For the record, I changes the settings on the following image (in case in the future we need to revert it for some reason)

max_post_deletions824×430 29.3 KB

Per someone’s suggestion, I’ve added a disclaimer that posts cannot be deleted. This will show up when the users start typing their fist two posts.

(reference: I’ve changed the “education.new-topic” string)

It should look like this for a new user:

can-i-delete1086×495 47.1 KB

Hopefully, it’s visible enough.

A FAQ was added about the policy. Read it in full on the policy change announcement.

This has broken the advanced discobot tutorial as the user would be guided to deleted the posts (something that is now impossible).

For this reason, I’ve changed the default text on the discourse string (for documentation purposes):

• https://forum.qubes-os.org/admin/customize/site_texts/discourse_narrative_bot.advanced_user_narrative.delete.instructions?locale=en

It now reads:

On the forum we’ve collectively decided not to allow deletion of posts. You can always ask for your full account to be anonymised (understanding the consequences of that, of course).

Please skip this and the following step by typing two replies:

1. @discobot skip ← notice the space after ‘skip’
2. @discobot skip 2

The above is kind of a hack because discourse doesn’t like repeated replies.

I encountered that myself during the tutorial and eventually figured out the workaround you suggested on my own @deeplow. Glad to see it was addressed sitewide now.

Since this thread has been revived, I might as well add my two cents to it: I oppose disabling deletion because I think that control over the status of one’s posts is a fundamental necessity derived from first principles such as privacy and autonomy. I do not consider the arguments provided here to be persuasive, especially when considering the surveillance ideology that I recognize in them. The only question that ultimately needs consideration on matters such as this is “Who controls my data?”, since the answer to that determines who determines its fate. By deciding to disable post deletion, the tacit answer here has become “Not me.”

I can expand upon this, such as by criticizing the insufficiency and false security of account “anonymization” as an alternative; or raising the specter of stylometric analysis to deanonymize users through their writeprints, which is now no longer possible to defend against for those who just now realize this attack vector and wish to scrub their text from this forum. But these attempt to explore practical considerations and specific consequences that a user-hostile decision like prohibiting post deletion will have on user privacy and autonomy, rather than addressing the root of this problem: data sovereignty.

This is not meant to appeal the decision or relitigate the discussion; it is just an addendum of my thoughts after the fact (my fault for missing this topic when the decision was still being discussed). While I understand the rationales involved and the apparent popularity of preventing post deletion in forums both here and elsewhere, they have never sat well with me for the reasons stated above.

Regards,
John

This is probably the core of our disagreement. Once you said something, it no longer belongs to you but to everyone who heard/read it. If you wish to take it back/correct or amend it you ought to do so explicitly instead of invoking a magic spell that pretends it never happened.

… and in case of accidental publication of private data, the mods here will jump in and remove that data as far as that is technically possible (exception is everyone who automatically received it by email).

The core problem from a purely technical perspective is this: with delete enabled forum users can remove threads which will be unknown to everyone who interacts by email. It happened more than once to me that I spend some time and effort to formulate an answer, only to get an automated answer back that the thread I am replying to does not exist.

Hey @Sven,

Apologies in advance for the length, but there is much ground to cover and I have a bad habit of not being selective in what I am responding to. I hope that I have adequately addressed the points you raised, however verbosely.

With that armchair philosophizing out of the way, the “technical” matter of post deletion being an annoyance and inconvenience remains. I understand that frustration and agree that it is unacceptable behavior. It should not happen and those who delete their posts without due consideration for how it affects others, and without a very good cause that outweighs those considerations (like privacy concerns or a double-post, unlike those above) are doing a disservice to the community and should stop.

However, I think the appropriate response to this poor “netiquette” should be to inform the problem user through a message or conversation or (at worst) temporary sanctions, not to disable post deletion entirely. A rule or guideline can be added that spells this out, so that it is clear what the expectation is and where we can point to when it is violated. The first approach acknowledges and attempts to address the problem while still respecting the fundamental autonomy and sovereignty of users, including the problem user, up to (but not including) the point of malicious disruption. The second just strips everyone of their power over the public availability of their own posts. Only one of them preserves freedom.

Of course it is more time-consuming and demands more effort than flipping a bit in an administrative panel, but so are many worthwhile things we do and laud in contrast to more repugnant alternatives, whether that be in relationships or parenting or even in governance. We prefer democracies because they respect our rights and enable our autonomy, not because they are easier to live in than an opaque dictatorship.

I do not think the “technical” problem here is ultimately separable from its social and political dimensions, as most technical problems are not, so I do not attempt to discuss this matter at a purely technical level. I also do not think this is really a technical problem, but a social problem that produces technically frustrating results. Therefore, I think the solution to the real problem—disruptive use of the deletion function (by a minority of users) where editing, additional posts, or nothing should be done instead—is not technical, but social, and involves how we deal with this problem as one of mutual consideration. Attempting a technical fix for an social problem is technocratic and brings along with it all the baggage and problems that technocratic regimes always do.

On the technical side however, our disagreement frankly may just stem from the fact that you typically use mailing-list mode (half of the “anti-deletionist” camp are either very frequent or exclusive email users), which lacks the mutability that forum software like Discourse provides. So, you want the posting standards on the forum to resemble the capabilities of email users rather than suffer the interoperability problems of using email to participate, of which replying to deleted topics and not seeing edits are among the biggest. That is basically what this problem is at a technical level, after all: the lack of features, rapid feedback, and editability of email mode.

While I do not think that email users should be relegated to a second-class status, I do not think that handicapping site users is the appropriate response either. This will also need to be negotiated at a social level, so that interoperability can be improved through social conventions (such as “no deletion abuse”) where technical “fixes” do not and may just privilege one group over another, reducing the feature set of the forum to the least feature-available users. Or not, in which case mere technical “fixes” will do just that.

So, if no one here has any interest in addressing this problem with a more interactive solution that allots the same mutual consideration and respect that such disruptive deletions violate, by approaching it at the same social level at which it is operating, then disabling the ability to delete posts is a heavy-handed alternative to that. I consider this to be a failure at the social level however, and there is no technical fix for that.

Respectfully,
John

P. S. I also disagree that account “anonymization” and administrator intervention are sufficient remedies to privacy concerns. For example, they do not address a desire to mitigate stylometric attacks after the fact, as I mentioned above. But I have already typed more than enough, so I will end this rant here.

This is not a simple yes/no situation. When you post something, it gradually distributes over the Internet and is gradually read by readers and robots. If you try to delete what you said, it drastically depends on the timing. Doing it early results in low chance of it getting spread, which I think is good enough, as opposite to “it no longer belongs to you” as you are suggesting. AFAIK 99% of removals happen within 1 hour after posting.

Involving moderators automatically makes everything much longer and harms the goal of removing something from the Internet.

I think this is the strongest pragmatic argument. The decision has now been made but I agree with @JTeller3 in principle (I’ve stated so in the beginning of this thread) but that has the assumption that information erasure is not dependent on time after posting – something which @fsflover’s point highlights. Anything other than this is just contributing to a false sense of security.

I’ll add the following from my moderation experience since this change went into effect.

• If users regret their comment, they have a 5 minute grace period to edit it without the revisions being made public. I think these are even only sent to mailinglist subscribers after those 5 minutes in whatever state that is.

  My experience is very anecdotal, but I’ve seen this happening (see here) and I think it’s perfectly fine. Email users will see only “deleted” and thus not reply in vain.

@JTeller3, looking forward to reading your dissertation on the subject (will do it later)

5 minutes is pretty harsh though. I wish it could be 10-20 minutes at least (I personally was caught by this short time). And yes, 5 minutes period indeed works as you described.

Just checked on the settings and also from this discussion. The current settings are as follows:

• editing grace period - 5 mins
  For (n) minutes after posting, editing will not create a new version in the post history.

• reply notifications - immediate (not actually a setting)
  If on discourse’s web interface, a user will immediately see a notification for their reply.

• send emails only after - 10 mins
  Wait (n) minutes before sending any notification emails, to give users a chance to edit and finalize their posts. (personal messages have 20s delay only).

I could see us increasing the editing grace period to 10 mins.

After sleeping on it, I realize that I have inadvertently attempted to relitigate this topic, which I explicitly said was not my intention. I apologize to everyone for that.

I just feel strongly about this because I find this notion of textual permanence (especially publicly and online and outside of professional settings) to burden everyone with the dread and terror of having our words recorded, retained, and reused by strangers without our consent; this is something that average people do not expect with their every spoken word, and in fact consider it an affront to their persons. This threat looming over everyone’s online text chills our “speech” in exactly the same ways that mass surveillance does. This is because the indefinite retention of all text on the Internet is the modus operandi of mass surveillance, which weaponizes our communication against us through the increasingly necessary tools of our daily lives.

So as far as I am concerned, the popular “wisdom” that “when it’s online, it’s there forever” is as repugnant and false a logic as “I have nothing to hide”, and both derive from the same surveillance ideology. They are not true, and they should not be true, and we should be committed to fighting their realization, for otherwise they are proof that the Panopticon is real and we are all living in it.

But regardless, even if this decision were to be seriously reconsidered, it is no longer a matter of sitewide deletion policy, but of project-wide deletion policy. Any attempts at restoring user control over post availability will thus need to justify disaggregating it from the new unified project standard, which involves overcoming much more inertia than before the decision was made. I frankly don’t think that my philosophical musings are going to do that, if only because they are too long and abstract to be immediately persuasive.

There are also problems with all of the alternatives, some of which are not readily available due to the limitations of Discourse. So even if alternatives were considered, such as a conduct policy prohibiting deletion abuse or a stronger account “anonymization” feature that blanks the user’s posts as well (but not delete them), or limiting deletions to only being of replies and not topics, they will also need to be discussed and explored as adequate drop-in replacements for the current decision.

So practically speaking, the decision is likely here to stay unless we can somehow choose an alternative solution and come to a new agreement that project-wide user data retention should err on the side of user consent and data sovereignty, with data management being limited by the capabilities of the context and not by those of the least capable one (mailing lists), as opposed to the “unified” no-deletion policy we now have. (Technically even public mailing list archives can be modified and its entries expunged, but it’s rare.) I could argue that this would be a change back to a more “Qubic” direction, since it is context-based, user-controlled, and differentially limited in its access to user data (in contrast to the monolithic and system-controlled posture this decision establishes), but I think that is too unfair an appeal.

I have much more I can say on this topic, since it has been a thorn in my side for longer than I can remember, but I have already said more than enough. At least for the time being, it seems this decision will stay, at least so long as only a few are criticizing it.

It is disheartening, too, since I joined this forum with the comfort of knowing that I had the power to erase myself from here whenever I wished, something that distinguished it from the mailing lists, but that is no longer the case. That is a troubling change of tone for me, and causes me to be much more hesitant to post, since I now have no sovereignty over my own contributions. I can only wonder if others might quietly feel the same.

Regards,
John

I agree with @fsflover’s practical point on timing, though I do think that increased time only diminishes the returns, but does not foreclose any privacy or security benefit. A simple scenario illustrating this is scrubbing one’s content (including very old content) from the Internet in the hopes of frustrating future deanonymization attacks, based on the reasonable conclusion that eliminating searchable and public access can alone be sufficient for most threat scenarios. This is all the more salient for data indexed by search engines and those not yet preserved by an online archival service, both of which apply to threads on this forum.

So, a hypothetical political dissident who is setting up Qubes OS and comes here for help troubleshooting their installation and configuration, and who wishes to erase their existence from this forum to the extent they can afterward to avoid leaving a public trail that can become a liability used by future adversaries, has no actual recourse to do so because edits are public (which I think is generally good) and deletions are disabled (which I think is not). This is particularly relevant if they did not obfuscate their writeprint, which almost nobody does because the few tools that attempt to automate it (like Anonymouth) are technically complex and unmaintained, and trying to do it oneself by hand is likely a bad idea (and a slow, arduous process) for the same reasons one should not be used as a source of randomness during password generation. So, if stylometric attacks are in their threat model, or even if general deanonymization attacks from future adversaries through public online data are, their only safe option is to not even participate at all.

This is why the permanence of text can be a real and practical privacy and security threat regardless of its age: it’s much harder to find copies of data that have been scrubbed from the Internet than it is to find those indexed on Google. Naturally, @fsflover’s timing variable is what mainly determines the extent of the spread and duration of its indexing, but it does not determine its capacity to spread further or its survival as a copy; the deletion variable is what determines that.

Anyway, thank you for sharing your experiences and clarifying the technical status of this decision and its related settings, @deeplow. I appreciate your willingness to abide by a decision established through majority consensus despite your own reservations about it. Hopefully, these “dissertations” are not too disruptive.

All the best,
John

Hi @JTeller3,

I too feel strongly about this and do very much respect both your
arguments and your way of sharing them.

         We are in a forum having a discourse.

By giving the ability to each participant to alter or remove their
contribution to the shared conversation after others have read and
possibly responded creates a nightmarish scenario in which each
participant now needs to monitor this recorded conversation forever to
ensure that their own words are not twisted after the fact.

Claiming ones right to delete or edit after the fact automatically
infringes upon the rights of everyone else who shares this conversation.

Participating in this forum can be done anonymously.

It appears to me that – aside from the freedom fighter using her real
name for some reason – the need of the individual to remove a minor
embarrassment like a thoughtless question, a moody reply or maybe even
just a spelling mistake is being treated as more weighty than the needs
of all participants trusting their words will remain in context.

It would be wonderful if we could trust that everyone will edit only
when completely harmless (spelling) or delete when absolutely necessary
(harm to a person) and otherwise have the character, integrity and
respect for their fellow participants to correct their meaning in a
public reply. But how do we get there?

I am not a native speaker and not sure the above is correct grammar. In my mind “discourse” stands for “civilized discussion”, but it may be more correct to write:

     We discourse in a forum

This looks like the main disagreement between us. We don’t get there, we are there. I have to give Purism forums as example, again: You can edit you post at any time there, there is no edit history saved and the community thrives. You feel in power there, which encourages you to help other people without potentially revealing your typical unintentional mistakes or shameful beliefs of old. Nobody abuses that on Purism forums, because why would they do that? Most people are good people and you don’t need to restrict everything in the world to prevent abuse. If you really care to have the original/old version of the posts, this is your right to save them somewhere. Internet is not a frozen place and should not be.

There is a good parallel with airport security theater here. At some point in the history, you could just come to the flight 10 minutes before take off with you baggade, sit and fly. No checks and queues. Now, after the government spread the fear among people, we have to come to the airport 2 hours before the take off and spend almost all these two hours for infinite checks, where some people have huge power over you. There are (almost) no benefits in this security, this is security theater. Real terrorists still can bring to the plane bombs if they try. You can make a sizable explosion with a laptop battery.

If you continue the argument in the same way, you can come to the conclusion that encryption should be abolished, because terrorists and organized crime are using it and everyone would be more safe if no one had privacy or security. Everything giving some power ordinary people should be forbidden to save the society from abuse. This is of course wrong and by removing control and privacy from people you introduce chilling effects and remove incentive to be different from others and be innovative.

Hi @fsflover,

I am not sure what you seek to accomplish with this reply.

You haven’t addressed my argument but rather compare the non-deletion
policy to security theater and the assault on encryption – both of
which are ill-fitting to say the least.

It sounds like removing the ability to delete ones post is infringing on
civil freedom?

Consider this scenario: I see a question posted to the forum in my email
and spend 10 minutes writing a detailed reply. When sending it the
system replies to me that the topic does not exists. This happened,
multiple times.

So what if I now simply post my reply as a new topic quoting the post
that was deleted which might even contain the user or real name of the
original poster?

Can the original poster then request a moderator to delete my post?

What about this: the original post gets deleted after I posted a
reply… now the whole thread with all replies (mine and others) is
gone. So effectively that user had not only the power to delete their
own post but those of other as well.

I’m sorry if I was unclear. Let me try to explain how I addressed your arguments in my previous post and expand them.

It really doesn’t. Everyone can save all previous posts for themselves if they wish. Nobody owns you anything in the Internet. In other words:

Nobody can edit your own posts and it should be hard to twist your words by changing my words in the conversation, unless your words are ambiguous, which you should try to avoid anyway.

Anonymity is not a boolean (yes/no). The more you write, the less anonymous you are, even if you hide your personal data. This is because one could reveal a lot of details about you from your writing style, typical mistakes or used lexicon. Are you suggesting us to register a new account every week/month? This discourages people from contributing, because you loose all the advantages of Discourse forums (likes, statistics, trust levels (which you yourself are forcing people to have to get into certain kinds of conversations), notifications, badges and so on - everything which shows how trustful users are). This is why I make a parallel with social cooling, when surveillance discourages people from being different, i.e. from contributing to the society in non-trivial way. This is very much true for this forum as @JTeller3 mentioned earlier. In other words:

Again, this is not as much about removing embarrassments and mistakes as about trying to control what I am saying in the Internet while minimizing possible fingerprint which I leave (but removing embarassements is also nice!). Nobody is perfect and everyone makes mistakes; it’s often hard to notice them within 5-10 minutes after writing. I feel powerless here and it discourages me from contributing, because I do not want to reveal my identity. It’s dangerous to be an activist today, and by activism I mean anything which does not align with what (a chosen) government considers “safe for the people”. It’s not you who defines what activism is. This is exactly how social cooling works.

Now you are suggesting that we should not trust anyone by default as opposite to the other approach, when you trust a stranger until they loose your trust. Your approach is very pessimistic and often results in bad decisions for the society. Exactly like the decision to create current airport security, which is why I gave that example. You should trust people to create a friendly community. Lack of trust by default makes everyone have no trust, isn’t it logical? I recommend to play with the corresponding computer simulation indicating that: The Evolution of Trust. Purism forums example proves that it can work; it always works unless the community is too diverse and large, which is not the case for Qubes forums.

Yes, in the same way as having the ability to delete posts is infringing on your freedom to keep your conversation going without interruptions. It’s like two contradicting freedoms which should be carefully understood before deciding which one to remove. What is more important for the Qubes forum? Community where everyone trusts one another and feels confidence, or safety from (rare) abuse and keeping 100% precise history of every word?

I’m sorry for this situation and it indeed does not sound encouraging. As @deeplow mentioned, there is a delay before sending emails, which may be increased to avoid such problems. I don’t expect that even 1 hour delay would harm your participation or this forum’s users.

This really sounds like an essential difference between mailing lists and forums. On a forum, users have different expectations for privacy and possibilities of editing. I don’t know how to combine these two very different approaches to Internet communications into one thing;this forum is apparently trying to do that. Perhaps one hour delay would make it better. I would understand if I cannot edit/delete post after that, it’s long enough for me. Not sure about others though.

The whole thread should never be gone after removing just one post, even the first one. Is this really how Discourse forums work?