How to solve the abuse problem on Disroot.org platform

Here we wanted to concentrate all the discussions and ideas about the future of user registration. A few days ago we closed down registrations for new users on Disroot because of the overwhelming presence of all kinds of abusers on the platform, which got out of hand. Since the announcement we have been getting a lot of comments and suggestions, and we are also brainstorming and thinking internally about what the best approach is. We thought creating a central point where we post our thoughts, as well as ideas and suggestions coming in, is needed both for transparency and to have a complete overview of the options that are being considered.

The first post will be updated with a summary on current discussions if TL;DR

1 Like

In the past I’ve been a member of sites that require an actual human-to-human phone call before they would enable the account. Obviously this is inconvenient for the administrators, but it is a thing.

Some form of 2FA using phone verification is another alternative. Although I’m not sure that those systems can’t be gamed using some clever telephony.

I mentioned this in the xmpp room but I’ll mention it here as well:

Could disroot registration require a symbolic amount of $1 to register? Users could be given an option to contribute more to enable those that don’t have the means to also use the service. People that want access but can’t afford it would contact the admins to make their case.

3 Likes

Perhaps allowing invitation codes from existing users as another option in addition to some of the other ideas. I think there will need to be multiple solutions in place at the same time if admins are going to keep their sanity.

1 Like

There are a couple communities I’ve seen that have some novel ideas.

1 Like

My thought (from what I’ve seen from other email services) is that people registering would have to email the staff to sign up. Of course it can be undermined, but personally I think it would deter most abusers. (I’ve been told in the past by staff that they have a no-invite stand, a thought for future commenters.)

First things first, congratulations for this great Disroot platform I’ve been using for a few months now. What a shame I didn’t know about this forum. Please let your users have a simple way to contribute. My suggestion is free subscriptions should only be limited accounts (in time, storage, features…). Let us regular users pay a reasonable amount; one euro per month, 12 €/year should be a minimum. I don’t think donations are the way to go, Disroot deserves to be a regular and reliable service. Thank you!

I see what you mean. But the staff has a “no invite-only policy” (which was something similar I recommended).

Now thinking about it, perhaps ads? Create a webpage (sub-domain of disroot.org, like https://www.disroot.org/ads ) where it’s simply a page of 100% ads. So someone can contribute to the development simply by viewing that page (and disroot receives revenue, so those unable to directly contribute now can indirectly).

I do think you (disroot team/staff) should seriously consider mandating a support ticket in order to allow email registering (contradictory, but do reconsider).
Check this link for reference: Solution To Email Abuse, 7th Sep 2018 [Solved]

1 Like

Hi there,

We would like to share our thoughts that came out of the series of brainstorming sessions we have had the last days.

Possible solutions we have considered and our opinion about them.

  1. Invite only - where new accounts can be created only when invited by other users.
    We have quite a strong position on that one. We started Disroot with the intention of being accessible to a wide audience. An invite-only solution creates a barrier where only certain circles of people are allowed in. We want to be as open as possible for anyone seeking better solutions for their digital realm. By allowing invite-only accounts we would have excluded a big portion of our current disrooters, supporters and contributors.

  2. Paid accounts.
    Money is the solution to everything… It seems like the perfect tool to get all the abusers, scammers and spammers out of the platform. Paid accounts seem to solve the financial situation too. However, money also means another set of complications. First off, it closes the doors to those that can’t afford to pay. It changes the whole nature of the project and creates a different relationship between disrooters (users) and admins, where certain expectations are held. It also asks for a whole set of new administrative tools and financial obligations which we would rather avoid. Such a change to the project’s nature is so drastic that we feel it would be more honest to start a new separate platform based on paid accounts rather than change Disroot into such.

  3. Approval based user creation.
    This is the solution we are leaning towards. Originally we thought it to be too labor intensive, but after giving it some further thought we are starting to think approving accounts after a short delay will prevent most obvious abuse from happening. And with the help of some good automation backstage, we hope the extra work will be minimal.
    The idea would be to ask new signups for a confirmation email address. After confirming the request (which will prevent automatic bot account creation and thus render re-captcha obsolete) we, the admins, will still have to approve the account based on specific criteria we will develop; this will take up to 24 or 48 hours (to be decided). The waiting time will prevent spammers that need immediate access; our approval criteria will prevent other obvious abuse cases. Users could afterwards remove the verification email address or keep it as another possibility to reset their password. We would like to try this method and see what the results are: how much abuse we can prevent, how much work it will impose on us and what other consequences it will bring.

8 Likes

Well, option 3 seems to me the best to maintain disroot as a free access project for everyone, as it does not imply previously knowing someone (invite system) or having money or an online payment system set up (option 2).

My only doubt is how to deal with people who use systems like 10minute mail to create accounts (like me 🙂)

1 Like

That’s not an issue. The verification email should be sent right away, which means once you reply to that email your account will be verified and will wait for admin verification. The only thing you will lose is:

  • you won’t get an email saying your account has been verified and is ready to use, so you will have to check manually whether we approved it or not, and if not you won’t know why
  • you won’t be able to use the reset password via email option

That’s all true, but that all comes with accepting to use such services; those who use them should be aware of that. My doubt is that those services generate email addresses that are random strings, making it more difficult to see if the confirmation email looks like it is from something “legit” or not. Unless that is not one of the criteria to approve an account.

If you want my opinion, I think option 3 is the one that looks more in line with the Disroot principles. Seeing further discussion here it seems that even that option has its flaws, but I don’t think there ever could be an alternative without disadvantages. So if maybe a combination of options could be possible I would go for that. (Of course not if too time intensive.)

1 Like

True that. No option will be perfect. It’s all about balances. But just to be clear, I’m in favor of option 3 if it’s doable without overworking the admins.

2 Likes

Option 3: An absolutely Disroot’s flavour solution, compliant with Disroot ethical choices, and more imaginative than money involved solutions. The other two are well explained enough to not be considered, at least between the options I think are more user friendly, ethical and technically manageable.

1 Like

Ok, I can understand the Disroot ethical choices; option 3 seems the most “in line”, no money involved, open doors to everyone… Great! But hey guys, at the end of the day you will have your bills to pay, unless you’re billionaires who don’t care about the time and money you spend. And what about ‘serious’ users who want to use Disroot as their ‘main’ platform? Who can seriously rely on a platform only funded by benevolent members? I still think that a small contribution is the way to go, at least for newcomers. Then if you really want to behave as a charity you could grant free accounts to (3-6 months) active members who ask for it. And for the “whole set of new administrative and financial obligations” you should only register as a non-profit. In France we have “La Mère Zaclys”; they’ve been around for many years now and have the same principles and ethic as the Disroot project.

2 Likes

I like the third idea too: I would never have known Disroot in the first place if it wouldn’t have been free.

However, I also understand bobzr’s point of view: you guys need at least a little bit of money to run Disroot. You could dissociate email and other services: everything is free, but for email, you could ask for a small donation like 1€ a month or even less, like 5€ a year? And you could even set email free for like a year, and if people like it, then they need to give that donation to keep it.

1 Like

@bobzr I understand your view on this. In fact this is something we keep discussing internally ever since we gained some popularity and working on disroot became somewhat our dayjob (about a year ago) already.

This is not an easy decision. Since Disroot operates globally, the price value is different between countries, not to mention individuals, their financial situation and how they perceive money and its value. We believe people should be more conscious, responsible and aware of how internet services operate and how much they cost (we hope that through our campaigning and reporting we will make this more prominent). Putting a price tag from the perspective of west-europeans is very exclusive, privileged and discriminating towards the rest of the world. We operate in numbers like 1 euro as if it’s peanuts, while a few thousand kilometres east, 1 euro is already quite some money, and we are still talking about europe. We want disroot users to decide themselves how much they value our work and to think of contributing the amount they think they can afford and think is worth donating. If every disrooter would donate whatever (buy us a coffee each month) they think is right, we not only could invest in better equipment and donate money further to developers of all those awesome open source/libre software we use, but probably also quit our dayjobs and focus 100% on disroot. We want this to be a conscious, educated choice of people rather than forcing people to pay a certain amount per month. Of course not everyone will donate, but we think there are enough people that are willing to donate not only the bare minimum but also a bit extra that will allow people less financially fortunate to enjoy disroot as a free (as in beer) platform.

Disroot is and has always been our (admins) main service provider, and I think it does not matter whether the accounts are free or paid. A paid-for business model is not a guarantee of stability. The recent openmailbox situation is a good example (the website went down without prior notice, leaving tens of thousands of email users without access). We want to try and experiment with a different approach where it’s the people (users) who pay for the service voluntarily with the best intentions for the future of the project in mind without being forced. Just like us when spending another sleepless night on the project.

3 Likes

@muppeth
It surprises me how noble your - and your fellow staff members’ - intentions are.

After seeing this, I’m going to start donating monthly (I was going to wait until I saw the email registers open, but your words and @bobzr’s show the true light of the situation).

I wish Disroot luck on the crusade 😉

Edit: I understand how expensive it is. I tried once creating a website solo on behalf of a group of peers. It was unsuccessful and consumed a bit from myself. So I do understand.

Objective

Do keep on the path of free (freedom).

2 Likes

Have you seen how autistici/inventati solves this problem?

https://www.autistici.org/u/services/

Something like that could be an interesting addition/alternative to option 3. Just require the registering users to write a short text about themselves and why they want to use disroot. That would make it much harder for bots, I guess. You would also notice if one absolutely didn’t read TOS at first sight, e.g. if they write something like “I want to use it for my work”.

1 Like