Attachment System Improvements in 1.1 - Privacy concerns

Not to be a killjoy, but this function walks a very fine line if you wish to give it the benefit of the doubt, it flat out violates EU data privacy laws if you don't. You (as a service provider) are *not* at liberty to "keep up with what the users are doing in private conversations", not even attachment-wise. You are allowed to inspect things like this, under very narrowly defined circumstances, varying by country.
A function that can be easily accessible, that would display attachments of personal conversations whenever you inspect the regular attachment list, or that would be accessible to moderators as well would be problematical, to put it very mildly.

Unless, of course, you put it in your ToS that private conversations aren't private and are routinely beeing snooped if attachments are present... suboptimal, if you ask me.

Not everyone lives in the EU and not all forums are public. Fair enough point you made, but let's try and stop having software limit those that don't have such restrictions and have administrators be responsible for their own actions/configurations.

Well, let me put it like this: you've got to be creative to find any western country where you're allowed to do what this browser allows, even the US, which is worse than some banana republics with regard to data privacy and whose check-ups on companies who declare Safe Harbor compliance is dismal, has provisions that very likely forbid this. ;-)

I've got nothing against the function though, if the ToS clearly state that it's there it's still not entirely fine for many countries, but you'll likely get away with it unless we're talking pretty major players.
I just wanted to mention that this *is* a very hot topic.

AFAIK PMs are not recognized anywhere as private data, like email and physical letters are. Could you please reference your claims that browsing PM attachments might not be legal?

I always thought that there were conversations that allow people to contact others directly as apposed to being private messages. Could just be me

Or, if you live in such a country (I know Germany, for example, is pretty stringent) you could just not give your users permissions to do PM attachments while the rest of the world goes along happy with the new functionality.

The feature is named Conversations, there is no privacy implied. The only feature it allows is a one-on-one (or group) conversation.

I imagine Kier/Mike/Ashley did get their lawyers' advice before making attachments in personal conversations searchable by admins.

First the definition:

Next:

Additional thoughts:

Whatever gave you that idea?
I know this argument has been advanced previously, but never understood why people figured that it was the case.

Depending on the jurisdiction, a forum membership is either an actual contractual relationship, semicontractual or quasicontractual, and you're considered a service provider, which comes with a lot of baggage.

Privacy laws are formulated with a vague language in order to apply to a very wide class of scenario, irrespective of the technologies used, there generally isn't a data privacy law specifically forbidding tapping emails or faxes or private messages because there are wider provisions on wiretapping, interception of communication and other means of invasion of privacy that adequately cover the issue and courts generally let the it boil down to the very simple consideration whether the user can reasonably expect that a certain information is "private" or directed to a specific audience of his choosing. If that's the case, stuff is likely private, no matter how trivial it is for you to look at it with phpMyAdmin.

In the US, the most likely starting point would be the Stored Communications Act, only recently invoked in a number of cases, in the EU you may look into the Data Protection Directive (95/46/EC), in the UK, the Data Protection Act of '98 is your friend.

As a caveat, I have to say that US federal law on the matter is considerably weaker than EU or British law, even though some states have quite strong auxilliary provisions, but in general, while I am not aware of a court case actually testing this, I wouldn't bet my hat on coming out on top if I had to argue that user "private messages" are generally understood by the users to be "not private". Calling them conversations likely won't change that, because those, too, are generally assumed and understood to be conversations "among the participants".
Yeah, it's a nice case to make money off, arguing that thing up to the high courts, but generally, you prefer not to be part of that argument as a party.

Then again, Vitamin Water got away with the "Our customers are idiots if they assume our stuff is healthy"-defense in the US...

/edit Thank you kyrgyz for already posting the SCA and auxilliary materials.

In any case, if XenForo is even slightly or vaguely in the wrong, they should watch out. IB might use it against XenForo to drain them financially by stealthily being behind a possible lawsuit.

jwiechers, have you seen an official reference to conversations being private anywhere on the XenForo software (excluding threads/posts)?

The discussion regarding the private messages is very interesting. Someone could open up a thread and the posts from this topic could be moved into it.

Coming back to topic, I'd love to see that some attachment types would need the admins approvement, while others don't.

I think this kind of argument won't fly well in the courtroom.

From Legalese:

Take for example contracts:

Source

Have XenForo implied that conversations are private? As far as the software goes, they're merely conversations used for one-to-one or group conversation purposes that aren't fit for a thread.

on the other hand a webmaster is responsible of what happens on his website. so there needs to be a tool to check what is going on.

I hope nothing I wrote came across as confrontational, it wasn't meant like that, it's just that these things are rather annoyingly complex and I've had my fair share of intra- and inter-corporate as well as private battling over the topic and so I'm sensitized with regard to the issue.

Obviously, I cannot tell what courts would decide, especially since far too many variables come into this, but whether something is explicitly called "private" likely doesn't play such a big role. As kyrgyz pointed out as well, the primary question to resolve in those cases is what the "reasonable", "typical" user will expect from a certain function and how the users rights for privacy relate to the justifiable rights of the service provider to curtail those in order to provide his services. A "Conversation" feature that allows someone to have a "conversation" with a single person or a specified group of people would (I'd think) likely fall under this as well.

As said, I'm just sensitized, and while I am not aware of court cases involving forum software and private messages/conversations specifically, I'd find it a tough sell to argue they are different, or, more precisely, that the user can reasonably expect them to be open to the administrators of a website if he is able to specifically address them to certain people. That is, unless there is a clear and justifiable reason for doing so that *exceeds* the users generally pretty highly valued right for privacy: e.g. if user X accuses user Y of threatening behavior (and certain conditions are met), a service provider *is* allowed and may even be compelled to provide otherwise private information to relevant authorities. What constitutes such private information, well, that depends on who you ask ... but there have been court cases over forwarded emails and other internet messages which have swung either way depending on jurisdiction and specific content.

Disclaimer: I'm not a lawyer, but I've served as liaison between management and lawyers in a couple of data privacy matters more than once in differing forms of organizations and/or companies, specifically with regard to data privacy harmonization and internet privacy concerns. I didn't mean to be confrontational in anything, but wanted to voice this because issues surrounding these things (particularly the privacy of any form of electronic messages) flare up *very* regularly. I realize my initial post was written a bit too bluntly. I'm sorry for that.

/edit A clarification added to the end ("That is...")
/edit2 Another bit.

Judge for yourself.

About importing vB Private Messages:

Personal = of or relating to the private aspects of a person's life: personal letters a personal question

This means, all email services are allowed to peep inside your data?

Xenforo can't hide behind a sneaky word change.
The implication is that the Conversation is not being snooped upon.
Xenforo seems to be enabling admins to snoop on their members.
And it seems like it is getting worse.

As it stands now, it is quite unfair to the unsuspecting member.

I wonder whom reads (or can read) the "Conversations" here at xenforo.com ?