This is why legal disclaimers are put on websites to hold the forum, owners, admin, mods harmless of any damages, and this certainly falls under safety and trust; the last thing a site wants is to be accused of harboring terrorist conversations that no one can access. If someone wants total privacy, then they should go and set up their own forum, then they do not have to worry about such things as "what could happen" or "what if". If you are on my property, then I expect you to follow my rules, and the forum is no different; otherwise, you have the right to leave, and not use the site.
just say'n...
I'll throw my 2p in; disclaimers are 100% pointless when you are dealing with people and not legal entities. Sure, you're absolutely right in saying that if the police demands access to the thread you should acquiesce, but what about if it's more about personal embarrassment to one of the members of the site rather than a legal question?
When we as addon developers contemplate adding a feature to a mod, we have to ask ourselves "how can this option be misused? Do the benefits of adding this feature outweigh the potential negatives?"
For instance, let's say you've developed an addon for automatically archiving threads older than X days in the AdminCP. A little bit later, someone says "hey, it would be great if we could give this option to moderators too".
Sounds reasonable enough, and the damage is minimal as the mod would automatically replicate the forum structure in an archive category or whatnot, so if it gets misused you can always just move the threads back and fire that moderator.
Then someone asks for the ability to delete the threads instead of archiving them. Now all of a sudden you have to consider the scenario of someone having enabled the feature for moderators AND enabled the delete option. Undeleting hundreds, if not thousands of threads would be a really time consuming job.
Then, to take it even further, they ask for the ability to hard delete threads. Now you are faced with the possibility of permanent data loss as a result of a misconfiguration either accidentally or by a malicious administrator.
If I was the addon developer, I would reject this feature request unless the majority of users / customers were in support of this feature. Even if I added a million "are you sure, are you really really sure, this is more dangerous than jumping into a sea of hungry lions made of lava" popups, someone would have their forum wiped out. All it takes is one person posting "My forum got wiped out as a result of your mod" and suddenly your reputation as an addon developer is damaged (even if it's only in a small way).
As developers, part of our jobs is to think of worst-case scenarios. How can feature X be exploited? How can it be misused? Is this feature vulnerable to some form of exploit, be it SQL Injection, XSS (cross site scripting) or social engineering?
We have to evaluate the pros and cons of every feature to decide whether it's worth adding.
A feature whose only purpose is to cause permanent data loss would not have enough pros to offset the obvious con of "someone's entire site is wiped out, permanently, unless they have a backup".
----
To bring it back to the actual feature in question here: if it was possible for moderators to implicitly bypass privacy restrictions, the entire addon is vulnerable to a social engineering exploit by simply having a malicious party talk a moderator into revealing something from the private thread that could be used against the participants.
Even if there were no malicious intent, another possible scenario could be that a moderator is friends with someone who's being discussed in a private thread, and feels a stronger sense of duty to their friend than they do to the rules of the site. A forum is, after all, not a job where there are real legal ramifications for breaches of operational security.
Those are two very serious potential outcomes that I thought of as I was writing this post, with no actual serious thought or planning. I'm sure if I, or others who are smarter than me, spent more time thinking of ways this feature could go wrong, more potential problems would arise.
----
This post is not meant as a "callout"; I am trying to add a bit more context as to why a developer might reject a given feature. It's not that we're lazy or we don't have perfect vision of how brilliant this feature would be and how we would sell fimto-twen bajillion copies if we just added this feature.
Fillip