Detect the use of spam-bots and ban non-compliant users
**Is your feature request related to a problem? Please describe.**
Fight against disinformation, spamming and trolls. At the moment, if the administrators do not set a proposals limit per user, it is easy for a malevolent user to create one account and use a tool like Selenium to publish hundreds of contributions. Furthermore, administrators are not able to ban users.
**Describe the solution you'd like**
Implement a way to report users
Just as we have a way to flag a contribution for moderation, a similar mechanism can be implemented to flag users and give moderators the ability to block said user. Everyone can participate in this reporting (admin, moderators, users) and flag users based on their harmful behaviour towards the debate or the content they posted on their public profile (avatar, biography, personal website).
- Add a flag to report users on their public profile;
- In the admin, add a column to the participant table that displays the number of times a user was reported, and make it a sortable column so the admin can see first the ones with the most reports and take action (block) if needed;
- Send notification to moderator and admin when a user is reported.
Allow administrators to ban non-compliant users
Administrators should be able to ban users, for example when someone repeatedly attacks the debate. This ban should be transparent.
Add a “ban” action button in the Participants panel.
- Admin can unban user
- Users will be banned at the Decidim Identities level, meaning they cannot access the website with another provider through the EU login. (Ex: I connect with Twitter and get banned; I cannot connect using Facebook if it has the same email or is associated with my EU login id)
When a user is banned:
- an attribute (ex: blocked) is added to their profile which makes it impossible for them to login
- their avatar is replaced by the default one
- their pseudonym is replaced by “Banned user”
- the profile page is rendered inaccessible to non-admin users (to facilitate moderation based on their contribution history)
- all contributions remain visible
Automate the ban of spamming users
In order to detect those users, we need to define behaviours we want to prevent. For example, we can consider that more than ten messages published in less than one minute from the account justifies that the system automatically blocks the user.
- An asynchronous job could check the database every minute, searching for such behaviour and report or block user.
- The detailed list of behaviours in question should be made public and the code open sourced.
**Describe alternatives you've considered**
The above measures are up for selection / discussion.
**Additional context**
We've seen these behaviours happen in our latest experiences when we scaled to a couple of dozen thousand users: automated user creation, automated content creation, coordinated mass posting.
**Could this issue impact users' private data?**
No
**Funded by**
EU Commission
This proposal has been accepted and is under development
35 comments
> The detailed list of behaviours in question should be made public and the code open sourced.
This should also be reflected in the Terms of Use of the installation of course.
> For example, we can consider that more than ten messages published in less than one minute from the account justifies that the system automatically blocks the user.
I would also add that we could tune these rules with the gem rack-attack that we've already implemented on decidim-core. For instance, we could have rules like: "if you post more than 10 proposals in 10 minutes" or things like that.
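The proposal's rule (more than ten messages in under a minute from one account) and the per-period threshold Andrés suggests expressing with rack-attack, worked through as an added example in plain Ruby. This is not Decidim's or Tremend's code: the contribution records, the `DetectSpamJob` class and the block/report call are constructed assumptions, and a real job would load recent comments and proposals from the database instead of the inline sample.

```ruby
# Added example, not Decidim code. Sliding-window detection of the
# "more than 10 messages in less than 60 seconds" behaviour.
require "time"

# Threshold taken from the proposal text.
SPAM_MAX_MESSAGES = 10
SPAM_WINDOW_SECONDS = 60

# Constructed sample contributions (user_id, created_at). A real job would
# read the last few minutes of comments/proposals from the database.
T0 = Time.utc(2020, 11, 26, 9, 0, 0)
SAMPLE_CONTRIBUTIONS = [
  # user 1: 11 messages in 50 seconds -> over the limit
  *(0...11).map { |i| { user_id: 1, created_at: T0 + i * 5 } },
  # user 2: 11 messages spread over 11 minutes -> fine
  *(0...11).map { |i| { user_id: 2, created_at: T0 + i * 60 } },
  # user 3: exactly 10 messages in 54 seconds -> at the limit, not over it
  *(0...10).map { |i| { user_id: 3, created_at: T0 + i * 6 } }
].freeze

# True if any span shorter than `window` seconds holds more than `max`
# timestamps. Two-pointer sweep over sorted timestamps, O(n).
def burst?(timestamps, max: SPAM_MAX_MESSAGES, window: SPAM_WINDOW_SECONDS)
  ts = timestamps.sort
  left = 0
  ts.each_with_index do |t, right|
    # drop the oldest entries until the span [ts[left], t] is under the window
    left += 1 while t - ts[left] >= window
    return true if right - left + 1 > max
  end
  false
end

# Groups contributions by user and returns the ids whose activity matches the
# rule; `since` lets the periodic job look only at recent rows.
def spamming_user_ids(contributions, since: nil)
  recent = since ? contributions.select { |c| c[:created_at] >= since } : contributions
  recent.group_by { |c| c[:user_id] }
        .select { |_id, rows| burst?(rows.map { |r| r[:created_at] }) }
        .keys
        .sort
end

# Sketch of the minutely asynchronous job the proposal describes (assumed
# name). The default `now` matches the constructed sample so it runs offline;
# a real job would use Time.now.utc and call Decidim's block/report feature.
class DetectSpamJob
  def self.perform(contributions = SAMPLE_CONTRIBUTIONS, now: T0 + SPAM_WINDOW_SECONDS)
    # look back two windows so a burst straddling the previous run is still seen
    ids = spamming_user_ids(contributions, since: now - 2 * SPAM_WINDOW_SECONDS)
    ids.each { |id| puts "user #{id}: #{SPAM_MAX_MESSAGES}+ messages in under #{SPAM_WINDOW_SECONDS}s, report/block" }
    ids
  end
end

DetectSpamJob.perform if __FILE__ == $PROGRAM_NAME
```

rack-attack expresses the same threshold as `Rack::Attack.throttle(name, limit:, period:)` with a block returning the discriminator (here the user id); the difference is that a throttle refuses the request in the middleware, while the job above finds bursts that already reached the database and can report or block the account, which is what the proposal asks for. The two complement each other: the throttle slows a Selenium script down, the job catches what slips through at a slower rate.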
Conversation with Virgile Deville
@andres we were thinking of having a metric for the number of banned users that could be available :
- through the API
- the homepage statistic block (do we want to have this much visibility)
- in the admin panel in the dashboard tab (Activity block) https://imgur.com/TFnQ0Zm
What do you think ?
After discussing with the client and the implementer here is the updated spec for this metrics part
We are considering having 2 metrics, 1 for the number of banned users and 1 for the number of reported users. For the latter there could also be a metric with the total amount of user reports. Is there a metric already for the total number of reported content / hidden content? @microstudi maybe you can answer.
As there isn't any metric on the home page or participatory space for content moderation, we'll do the same for banned users.
The idea is to make these metrics available through the API.
In the admin, we'd like to add a line to « Activity » table (mockup) —> https://user-images.githubusercontent.com/11473995/99048601-0f7b6800-2596-11eb-9b4f-4c95c1877248.png
We were also wondering if it would be possible to add these metrics to the metrics block only on the admin side?
This is the block I'm talking about :
https://user-images.githubusercontent.com/11473995/99089169-41f48780-25cd-11eb-9fbc-01142b3f7f69.png
https://user-images.githubusercontent.com/11473995/99089038-183b6080-25cd-11eb-8710-6050341239a8.png
You mean blocked users?
We could have 3 metrics blocks for this:
- Number of blocked users --> that is the most important one
- Number of reported users
- Number of user reports (when people click on the flag and fill a report)
What do you think @carol ?
I think it's good that the admins have clear information about these indicators, but this would be an internal metric, I think right now the block of metrics is the same for the frontend and the backend. Probably it would have to be split.
Conversation with Virgile Deville
Another feedback on this spec by the company implementing the spec. Ping @carol
A tab to list reported users was added; to better keep track of blocked users we suggest adopting the same UX as moderation: adding tabs (Not suspended, Suspended) in the card divider. Mockup —> https://user-images.githubusercontent.com/11473995/99051904-d395d200-2598-11eb-9bf3-d0122457ff4d.png
Looks good to me @virgile_deville
Conversation with Virgile Deville
I noticed in the implementation by Tremend that the word "ban" wasn't used. Currently 2 terms are used:
- Users' names are replaced by "Blocked user"
- The tooltip text on the icon is "suspend user"
Which one do you think we should use ? Ban, block, suspend ? Ping @carol
IMO the word "blocked" is clear and more widely used. But the most important is that we choose one and stick with that one only 🙏🏽
Let's go for blocked then. Thanks
Conversation with Virgile Deville
@carol we realized with the team that the way blocking is implemented (it can be reverted by the admin, so the user's data is kept) might go against the GDPR rules. Because as a consequence the user will no longer be able to access his account and will not be able to change/delete his data.
To make things right with GDPR we came up with the following idea :
- Inside the email notification telling the user they have been blocked, insert a unique link (the user cannot login anymore) offering the user to delete their account.
- Upon clicking, the user will get a specially made modal saying "Are you sure? Your account has been blocked. You might be unblocked if it was an error. Deleting your account will anonymise your contributions and delete your personal data".
A technical input might be good to evaluate the feasibility
@carol sorry to ping you again on this but does this approach work for you ?
Yep I think this could work. Is there any PR yet to test it?
@RoxanaOprescu is there ?
No, there is no PR because we didn't start implementing this.
Conversation with Roxana Oprescu
Hello @virgile_deville ! We decided to structure this proposal in 4 parts:
- part 1: Add the functionality to report users (PR: https://github.com/decidim/decidim/pull/6696)
- part 2: Add the functionality to block users (PR: https://github.com/decidim/decidim/pull/6804)
- part 3: Implement an anti-spam solution
- part 4: Moderation metrics (including all the mentioned aspects in previous comments: tab for "blocked/not_blocked" users, use "block/unblock" everywhere, include "reports count" column on "Reported users" page, add those 3 metrics: "suspended_users", "reported_users", "user_reports")
Part 1 and Part 2 have PRs opened on decidim repo and also for Part 4 a new one will be opened. But Part 3 was implemented in our repository, because we were not sure about the rules we would apply and we did not want to interfere with the current proposal. Our project had some specifications and we decided to develop this functionality in-house.
We have a user_quota system based on number of content that a user is allowed to publish in a certain period of time.
Also, we will integrate JRC response in this anti-spam solution. If you consider this implementation a good approach for you, we will gladly open a PR to decidim repository.
Hello @RoxanaOprescu
I think the community is interested in the user_quota system you describe.
We should make it easy to enable / disable in the admin because it might not be useful to all instances.
Could you provide more details on your implementation so we can discuss it ? @carol and @andres are also interested
Our quota system works like this:
- Allow 3 posts per day for citizens that have no post in the last 6 months
- Allow 10 posts per day for citizens that have at least three posts that are more than one day and less than six months old
- Allow 25 posts per day for citizens that have more than 20 posts in the last six months and older than 24 hours
- Allow any moderator / admin up to 100 posts per day
- Inform any user that exceeds the quota that they did so and ask them to come back in 24 hours (this will be as a warning message)
Those values are configurable from the admin's dashboard (Settings section)
https://www.linkpicture.com/q/Screenshot-from-2020-11-26-09-47-10.png
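The quota tiers Roxana lists, worked through as an added example that is not Tremend's or Decidim's code. It assumes a role string of `admin`, `moderator` or `user`, posts represented as hashes with `created_at` and a `reported` flag, six months approximated as 182 days, and that a user with only one or two qualifying posts falls into the lowest tier, which the listed rules leave unspecified. Reported content is excluded from the activity count, as Roxana explains later in the thread, while posts made in the last 24 hours still consume today's allowance whether reported or not.

```ruby
# Added example, not Tremend's or Decidim's code: daily posting quota
# computed from a user's recent, unreported activity.
require "time"

# Tier values as stated in the comment; the real feature reads them from
# admin settings, so raising them to a large value effectively disables it.
QUOTA = {
  dormant: 3,      # no qualifying post in the last six months
  occasional: 10,  # at least 3 posts older than a day and younger than six months
  active: 25,      # more than 20 such posts
  staff: 100       # moderators and admins
}.freeze

ONE_DAY = 24 * 3600
SIX_MONTHS = 182 * ONE_DAY  # assumption: six months approximated as 182 days

# "Post" = comment or meeting. Only unreported posts older than 24 hours and
# younger than six months count towards the tier.
def countable_posts(posts, now:)
  posts.reject { |p| p[:reported] }
       .select { |p| p[:created_at] > now - SIX_MONTHS && p[:created_at] <= now - ONE_DAY }
end

def daily_quota(user, now:)
  return QUOTA[:staff] if %w[admin moderator].include?(user[:role])

  n = countable_posts(user[:posts], now: now).size
  return QUOTA[:active] if n > 20
  return QUOTA[:occasional] if n >= 3

  QUOTA[:dormant] # also covers the 1-2 post gap the rules leave open (assumption)
end

# Everything published in the last 24 hours counts against today's quota,
# reported or not, so a flagged burst cannot be used to post more.
def posts_today(user, now:)
  user[:posts].count { |p| p[:created_at] > now - ONE_DAY }
end

# Returns [allowed?, message]; the message is the warning shown when the
# quota is exhausted, or the remaining allowance otherwise.
def check_quota(user, now:)
  quota = daily_quota(user, now: now)
  used = posts_today(user, now: now)
  if used >= quota
    [false, "You have reached your limit of #{quota} posts per day. Please come back in 24 hours."]
  else
    [true, "#{quota - used} of #{quota} posts left today"]
  end
end

# Constructed sample histories (not real Decidim data).
NOW = Time.utc(2020, 11, 26, 9, 47, 10)
def post(days_ago, reported: false)
  { created_at: NOW - days_ago * ONE_DAY, reported: reported }
end

SAMPLE_USERS = {
  newcomer:  { role: "user", posts: [] },
  regular:   { role: "user", posts: [post(2), post(10), post(40), post(0.5)] },
  veteran:   { role: "user", posts: (1..25).map { |d| post(d + 1) } },
  # same volume as veteran, but every other post was reported
  flagged:   { role: "user", posts: (1..25).map { |d| post(d + 1, reported: d.odd?) } },
  moderator: { role: "moderator", posts: [] }
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_USERS.each { |name, u| puts "#{name}: #{check_quota(u, now: NOW).inspect}" }
end
```

The `flagged` user shows the incentive Roxana describes: with 25 posts but 13 of them reported, only 12 count and the user stays on the 10-per-day tier instead of reaching 25. Virgile's suggested on/off switch would be a single admin boolean short-circuiting `check_quota`, which is cleaner than the "set the values to 3000" workaround mentioned below, though both work.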
So the logic behind it is the more active you are, the more posts you get to make, right?
Could you tell me what you put behind the word post ?
I'm assuming : proposals, meetings, debates, comments
Is the number of posts a total of these four?
What do you think about my proposal of implementing a checkbox to enable, disable the quota system ?
@virgile_deville Yes, the main idea is to encourage users to be more active and to have less content reported (because all the content that has been reported is not included into the calculation of the new quota value). So it's important to be active, but at the same time to have unreported content in order to be able to post more on the website.
"Post" = add content (comments and meetings) on the website. For each user we take into account all the comments published (and not reported) and all the meetings created (and not reported).
About your proposal with the checkbox, we cannot give you an answer right now because we need confirmation from our client. But in order to obtain a similar behavior, the quota's values can be updated to a large value (e.g. 3000) from the admin's settings.
> But in order to obtain a similar behavior, the quota's values can be updated to a large value (e.g. 3000) from the admin's settings.
Right that's a good way to disable it.
I think it's weird that "Post" doesn't include at least proposals (which are gonna be used by the EU for COFE).
Best would be that Post = proposals, meetings, debates, comments
so that the feature covers all the UGC possibilities in Decidim
@carol let us know if this implementation would be welcome as a PR to the core? In my opinion it is aligned with the proposal but Tremend wants a validation from product before going ahead. Thanks in advance.
@virgile_deville I'll get back to you with product's feedback later today
thanks :)
Hey Virgile, we have commented this in @product and we do not see it. We don't understand the logic behind user quotas and how that improves participation. We prefer to leave it out of the scope.
Hello @carol thanks for your answer.
This feature aims at responding to this part of the spec described in this proposal.
> Automate the ban of spamming users
> In order to detect those users, we need to define behaviours we want to prevent. For example, we can consider that more than ten messages published in less than one minute from the account justifies that the system automatically blocks the user.
@andres suggested we use `rack attack` for this. See first comment on this thread.
>I would also add that we could tune this rules with the gem rack-attack that we've already implemented on decidim-core. For instance, we could have rules like: "if you post more than 10 proposals on 10 minutes" or things like that.
1/2
Without an automated response to automated spamming behaviour there is only a manual option: blocking. Moderators cannot always be on the lookout.
Maybe the implementation is to be rethought. Tremend kinda went ahead on this one. I'm sure that collectively we can come up with the right rules to avoid automated spamming.
@carol what are your thoughts on this ? Thanks in advance :)
Hello @product !
Looping back to this, can we think collectively of the right way of implementing this?
We need to validate a technical approach; Andrés was suggesting using rack attack and defining the behaviours and the thresholds that trigger the automated blocking of the user.
Available for a quick call whenever you guys are free.
Conversation with Virgile Deville
@carol another question came up while implementing the feature.
When blocking a user, the concerned user will receive a notification containing the justification input by the admin.
We were wondering if we should also send a notification to admins, spaces admins and moderators so that everyone keeps in sync.
One may consider that the admin change log is enough. Curious to know what you think.
@virgile_deville I personally would not overwhelm all the admins with more notifications ☺️
Yeah, I agree. Thanks for your input :)