How to solve the abuse problem on the Disroot.org platform

First things first, congratulations for this great Disroot platform I’ve been using a few months now. What a shame I didn’t know about this forum. Please let your users have a simple way to contribute. My suggestion is free subscriptions should only be limited accounts (in time, storage, features…). Let us regular users pay a reasonable amount, one euro per month, 12 €/year should be a minimum. I don’t think donations are the way to go, Disroot deserves to be a regular and reliable service. Thank you!

I see what you mean. But the staff has a “no invite-only policy” (which was something similar I recommended).

Now thinking about it, perhaps ads? Create a webpage (sub-domain of disroot.org, like https://www.disroot.org/ads ) where it’s simply a page of 100% ads. So someone can contribute to the development simply by viewing that page (and disroot receives revenue, so those unable to directly contribute now can indirectly).

I do think you (disroot team/staff) should seriously consider mandating a support ticket in order to allow email registering (contradictory, but do reconsider).
Check this link for reference: Solution To Email Abuse, 7th Sep 2018 [Solved]

1 Like

Hi there,

We would like to share our thoughts that came out of the series of brainstorming sessions we have had the last days.

Possible solutions we have considered and our opinion about them.

  1. Invite only - where new accounts can be created only when invited by other users.
    We have quite a strong position on that one. We started Disroot with the intention of being accessible to a wide audience. An invite-only solution creates a barrier where only certain circles of people are allowed in. We want to be as open as possible for anyone seeking better solutions for their digital realm. By allowing invite-only accounts we would’ve excluded a big portion of our current disrooters, supporters and contributors.

  2. Paid accounts.
    Money is the solution to everything… It seems like the perfect tool to get all the abusers, scammers and spammers out of the platform. Paid accounts seem to solve the financial situation too. However, money also means another set of complications. First off, it closes the doors to those that can’t afford to pay. It changes the whole nature of the project and creates a different relationship between disrooters (users) and admins, where certain expectations are held. It also asks for a whole set of new administrative tools and financial obligations which we would rather avoid. Such a change to the project’s nature is too drastic, so we feel it would be more honest to start a new separate platform based on paid accounts rather than change Disroot into such.

  3. Approval-based user creation.
    This is the solution we are leaning towards. Originally we thought it to be too labor intensive, but after giving it some further thought we start to think approving accounts after a short delay will prevent most obvious abuse from happening. And with the help of some good automation backstage, we hope the extra work will be minimal.
    The idea would be to ask new signups for a confirmation email address. After confirming the request (which will prevent automatic bot account creation and thus render re-captcha obsolete) we, the admins, will still have to approve the account based on specific criteria we will develop; this will take up to 24 or 48 hours (to be decided). The waiting time will prevent spammers that need immediate access, our approval criteria will prevent other obvious abuse cases. Users could afterwards remove the verification email address or keep it as another possibility to reset their password. We would like to try this method and see what the results are. How much abuse we can prevent, how much work it will impose on us and what other consequences it will bring.

8 Likes

Well option 3 seems to me the best to maintain disroot as a free access project to everyone, as it does not imply to previously know someone (invite system) or have money or an online payment system setup (option 2).

My only doubt is how to deal with people who use systems like 10minute mail to create accounts (like me :slight_smile: )

1 Like

That’s not an issue. The verification email should be sent right away, that means once you reply to that email your account will be verified and will wait for admin verification. The only thing you will lose is:

  • you won’t get an email saying your account has been verified and is ready to use, so you will have to check manually whether we approved it or not, and if not you won’t know why
  • you won’t be able to use the reset password via email option

That’s all true, but that all comes with accepting to use such services, those who use it should be aware of that. My doubt is that those services generate email addresses that are random strings, making it more difficult to see if the confirmation email looks like it is from something “legit” or not. Unless that is not one of the criteria to approve an account.

If you want my opinion I think option 3 is the one that looks more in line with the Disroot principles. Seeing further discussion here it seems that even that option has its flaws, but I don’t think there ever could be an alternative without disadvantages. So if maybe a combination of options could be possible I would go for that. (Of course not if too time intensive)

1 Like

True that. No option will be perfect. It’s all about balances. But just to be clear I’m in favor of option 3 if it’s doable without overworking the admins.

2 Likes

Option 3: An absolutely Disroot’s flavour solution, compliant with Disroot ethical choices, and more imaginative than money involved solutions. The other two are well explained enough to not be considered, at least between the options I think are more user friendly, ethical and technically manageable.

1 Like

Ok I can understand the Disroot ethical choices, option 3 seems the most “inline”, no money involved, open doors to everyone… Great! But hey guys, at the end of the day you will have your bills to pay, unless you’re billionaires who don’t care about the time and money you spend. And what about ‘serious’ users who want to use Disroot as their ‘main’ platform? Who can seriously rely on a platform only funded by benevolent members? I still think that a small contribution is the way to go, at least for newcomers. Then if you really want to behave as a charity you could grant free accounts to (3-6 months) active members who ask for it. And for the “whole set of new administrative and financial obligations” you should only register as a non-profit. In France we have “La Mère Zaclys”, they’ve been around for many years now and have the same principles and ethics as the Disroot project.

2 Likes

I like the third idea too: I would never have known Disroot in the first place if it wouldn’t have been free.

However, I also understand bobzr’s point of view: you guys need at least a little bit of money to run Disroot. You could dissociate email and other services: everything is free, but for email, you could ask for a small donation like 1€ a month or even less, like 5€ a year? And you could even set email free for like a year, and if people like it, then, they need to give that donation to keep it.

1 Like

@bobzr I understand your view on this. In fact this is something we keep discussing internally ever since we gained some popularity and working on disroot became somewhat our dayjob (about a year ago) already.

This is not an easy decision. Since Disroot operates globally, the price value is different between countries, not to mention individuals, their financial situation and how they perceive money and its value. We believe people should be more conscious, responsible and aware of how internet services operate and how much it costs (we hope that through our campaigning and reporting we will make this more prominent). Putting a price tag from the perspective of west-europeans is very exclusive, privileged and discriminating towards the rest of the world. We operate in numbers like 1 euro as if it’s peanuts, while a few thousand kilometres east, 1 euro is already quite some money, and we are still talking about europe. We want disroot users to decide themselves how much they value our work and to think of contributing the amount they think they can afford and think is worth donating. If every disrooter would donate whatever (buy us a coffee each month) they think is right, we not only could invest in better equipment and donate money further to developers of all those awesome open source/libre software we use, but probably also quit our dayjobs and focus 100% on disroot. We want this to be a conscious, educated choice of people rather than forcing people to pay a certain amount per month. Of course not everyone will donate, but we think there are enough people that are willing to donate not only the bare minimum but also a bit extra that will allow people less financially fortunate to enjoy disroot as a free (as in beer) platform.

Disroot is and has always been our (admins) main service provider, and I think it does not matter whether the accounts are free or paid. A paid-for business model is not a guarantee of stability. The recent openmailbox situation is a good example (website went down without prior notice, leaving tens of thousands of email users without access). We want to try and experiment with a different approach where it’s the people (users) who pay for the service voluntarily, with the best intentions for the future of the project in mind, without being forced. Just like us when spending another sleepless night on the project.

3 Likes

@muppeth
It surprises me how noble your - and your fellow staff members’ - intentions are.

After seeing this, I’m going to start donating monthly (I was going to wait until I saw the email registers open, but your words and @bobzr’s shows the true light of the situation).

I wish Disroot luck on the crusade :wink:

Edit: I understand how expensive it is. I tried once creating a website solo on behalf of a group of peers. It was unsuccessful and consumed a bit from myself. So I do understand.

Objective

Do keep on the path of free (freedom).

2 Likes

Have you seen how autistici/inventati solves this problem?

https://www.autistici.org/u/services/

Something like that could be an interesting addition/alternative to option 3. Just require the registering users to write a short text about themselves and why they want to use disroot. That would make it much harder for bots, I guess. You would also notice if one absolutely didn’t read TOS at first sight, e.g. if they write something like “I want to use it for my work”.

1 Like

Damn. This is awesome! Thanks. I don’t know why I never checked their registration method. I always thought it’s invite based.
We have made a decision about it already, but this is really worth looking into. Thanks. I run to the other admin to consult about it. :smile:

OK Guys I’ve set up a monthly donation via Patreon. Can I get full access? I have to make a decision to cancel my Google paid storage and need to know if I should renew it for another month …

I’m not wanting to use this account for malicious intent - I’m a frigging retiree, and just want a service that I can use in place of Google cloud and email. I just tried to login into chat with Jabber and it won’t take my login credentials. I understood by a post on Diaspora, that chat should work for those of us with disroot login. Is that correct? Thank-you.

Yes, as we state on the website, email, cloud, chat, forum, and (still early beta) hubzilla work with the same credentials.

As for your request. We are planning to implement new registration in the coming two weeks. Therefore we won’t do any personal requests. Just be patient and keep your fingers crossed that everything will work fine.

1 Like

May I add that you can ask for internet proof for the ownership of (social media) accounts? (or domains)
Proof of a public profile (because it takes work and time to have one and keep it updated) can be used to keep responsible people on disroot and irresponsible ones out.

I am thinking about the method keybase uses. A scammer or a bot does not want to or cannot prove the ownership of such accounts. Like a 2nd factor auth as a registration step.

You could suggest a “2nd factor” method (twitter, mastodon, github, own domain, dns record …) and give a secret. In return the newbie proves the ownership of the public profile. After verifying, the newbie can delete the post.

This is preferable with social media accounts with history. Newly created ones cannot be used to verify a person.

1 Like
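The challenge-and-proof step suggested in the post above (hand out a secret, have the applicant publish it on a profile they control, then check it), sketched as an added example that is not part of the thread or of Disroot's code. `issue_challenge`, `verify_proof`, the token format and the 48-hour lifetime are assumptions, and downloading the profile page is left to the caller.

```python
import hashlib
import hmac
import secrets
import time

# Assumptions for this sketch: a per-deployment key and a 48 h challenge lifetime.
SERVER_KEY = secrets.token_bytes(32)
TTL_SECONDS = 48 * 3600


def _tag(signup_id, profile_url, expires, nonce):
    # Bind the token to one signup request and one claimed profile URL.
    msg = "|".join([signup_id, profile_url, expires, nonce]).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:32]


def issue_challenge(signup_id, profile_url, now=None):
    """Return the secret the applicant must publish on the claimed profile."""
    now = time.time() if now is None else now
    expires = str(int(now) + TTL_SECONDS)
    nonce = secrets.token_hex(8)
    return ":".join(["signup-proof", expires, nonce,
                     _tag(signup_id, profile_url, expires, nonce)])


def verify_proof(signup_id, profile_url, token, fetched_text, now=None):
    """True only if the token is ours, unexpired, and present in the fetched page.

    fetched_text is the content the server itself downloaded from profile_url;
    the applicant never supplies it directly.
    """
    now = time.time() if now is None else now
    parts = token.split(":")
    if len(parts) != 4 or parts[0] != "signup-proof" or not parts[1].isdigit():
        return False
    _, expires, nonce, tag = parts
    expected = _tag(signup_id, profile_url, expires, nonce)
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False          # forged, or issued for another signup or profile
    if now > int(expires):
        return False          # stale challenge cannot be replayed later
    return token in fetched_text


if __name__ == "__main__":
    url = "https://social.example/@alice"            # constructed sample profile
    tok = issue_challenge("req-1", url)
    print(verify_proof("req-1", url, tok, f"bio ... {tok} ..."))   # True
    print(verify_proof("req-2", url, tok, f"bio ... {tok} ..."))   # False
```

This proves control of the profile only; the account-history condition from the post would need a separate check.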

Thanks for the suggestion. However, the current system of approval and ‘the story’ works pretty well and we’re happy with it so far. Requiring people to share their private social media accounts is in our eyes a violation of privacy. There is a reason we don’t ask users for any personal data (we don’t want to know it). So until we are forced to do so (your idea sounds good for when that time comes) because of abuse we can’t control, we don’t want to retrieve any information about our users.

2 Likes