[DAO:j6droqu] Prevent harassment and surveillance of all users via overly-exposing endpoint

by 0xf2f58ed9ab3057838d88d06be8269270cdc8aa89 (menduz)

Hello, I am Mendez, and I’ve been a core contributor of Decentraland since Jan 2018. This is my first governance proposal since then.

Several people have brought this problem to my attention and I acknowledge this as a vulnerability that needs to be addressed before it starts affecting people and their digital lives.

In Decentraland, users’ addresses represent more than a transaction parameter in a blockchain; they are part of a user’s digital identity, and exposing this information along with real-time position data could lead to a form of digital surveillance that could be damaging to users and to Decentraland itself.

The Catalyst communications server exposes an API endpoint that responds with user addresses and their exact locations at every moment, making it easier for hostile actors to harass platform users. This API could also enable the creation of hate bots that could target specific users or types of audiences. This type of information should be treated as sensitive to prevent these types of scenarios. The endpoints to be removed are:

These endpoints are not needed in order for Decentraland to work. In fact, they were originally intended for manual debugging purposes only.

However, removing the endpoints in question also has a drawback: this API is used to know if a user is in a specific location at the time of making a request. In some scenes, this feature is used by anti-bot mechanisms. To that end, a new API endpoint is proposed to validate whether a user is in a specific position on a case-by-case basis, instead of tracking all the users all the time. For analytics/statistical information about islands, a new privacy-aware endpoint has already been created: /stats/parcels

Summary of the proposed changes:

  • Remove the /comms/peers and /comms/islands endpoints. Use /stats/parcels instead
  • Create a new endpoint to validate if a user holding the specified address is in the specified position

Voting options:

  • Remove the endpoints
  • Keep the endpoints
  • Invalid question/options

Vote on this proposal on the Decentraland DAO

View this proposal on Snapshot

Classic example of gatekeeping, similar to that which you are trying to escape from in web2. As a core contributor, Mendez is well aware that the Foundation is collecting all of this data from the client using two different services; one is custom and the other pipes data through Google Analytics. In addition, the Foundation has direct access to all of the Decentraland nodes approved by the DAO for collecting “metrics”. Part of their deal for providing a stipend to node operators is in exchange for data. These metrics have never been shared with the community at large and I wouldn’t expect them to be. There has never been a proper disclosure about the data, what it looks like and who has direct access to it.

Node operators are in control of the software they run. Regardless of what the Foundation merges into GitHub, node operators could strike similar deals to the one they have with the Foundation and provide this data to any party, should they choose. Creating such obstacles only boxes out those not willing to create the proper incentive models to get at the data. Another form of gatekeeping.

Mendez mentions a new API that will validate location. This means the current signed fetch method, which allows some control to those who implement it, will be broken. This is currently embedded into scenes both in the front end and the back end and is the only suitable replacement for the lack of CORS afforded to the scene developer. In time, I’m sure whatever API is proposed will be “hackable” such that the same information could be teased out of it, but it will likely create an even larger load on the servers than exists today as bots try to search the data.

We’ve learned better in web3. Let’s stop gatekeeping. Let the data be open source. Everyone should have the same access. Decentraland should be decentralized all the way down to the data.

The DAO has voted twice in recent weeks to build services on top of these endpoints and to cache this data to empower a whole new world of apps and data science in the Metaverse, with overwhelming yes turnouts.

It’s clear there is an alternate agenda here. It’s very easy to fear monger. I would have hoped for a more unbiased presentation of the topic.

5 Likes
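An added example (not Catalyst or Decentraland code) contrasting the three API shapes this thread discusses: the bulk peer list the proposal wants removed, the proposed per-address position check, and an aggregate view in the spirit of /stats/parcels, plus a per-caller query budget for the concern raised above that a check endpoint could be swept to reconstruct the bulk data. The peer table is constructed, and the function names and the 16 m parcel size are assumptions.

```javascript
// Added example, not Catalyst code. Names (peers, parcelOf, bulkPeers, isAddressAt,
// parcelStats, makeCheckEndpoint) and the 16 m parcel size are assumptions.
// Constructed sample of what a comms server knows: each connected address and its live position.
const peers = [
  { address: '0xaaaa000000000000000000000000000000000001', position: { x: 16, z: -48 } },
  { address: '0xbbbb000000000000000000000000000000000002', position: { x: 20, z: -40 } },
  { address: '0xcccc000000000000000000000000000000000003', position: { x: 160, z: 32 } },
];

// Map a world position (metres) to its parcel by floor division with the assumed 16 m side.
function parcelOf(position) {
  return { x: Math.floor(position.x / 16), y: Math.floor(position.z / 16) };
}

// Shape of the endpoints being removed: one request returns every address with its exact location.
function bulkPeers() {
  return peers.map((p) => ({ address: p.address, position: p.position }));
}

// Proposed replacement: a yes/no answer for one address on one parcel. The caller must
// already know both, and learns nothing about anybody else.
function isAddressAt(address, parcel) {
  const peer = peers.find((p) => p.address.toLowerCase() === address.toLowerCase());
  if (!peer) return false;
  const at = parcelOf(peer.position);
  return at.x === parcel.x && at.y === parcel.y;
}

// Aggregate view in the spirit of /stats/parcels: a head count per parcel, no addresses.
function parcelStats() {
  const counts = {};
  for (const p of peers) {
    const { x, y } = parcelOf(p.position);
    counts[`${x},${y}`] = (counts[`${x},${y}`] || 0) + 1;
  }
  return counts;
}

// A check endpoint can still be swept across addresses and parcels to rebuild the bulk list,
// so bound the checks one caller gets (fixed budget here; a real server would reset it per window).
function makeCheckEndpoint(budgetPerCaller) {
  const used = new Map();
  return function check(caller, address, parcel) {
    const n = (used.get(caller) || 0) + 1;
    used.set(caller, n);
    if (n > budgetPerCaller) return { ok: false, error: 'rate limited' };
    return { ok: true, present: isAddressAt(address, parcel) };
  };
}
```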

I do not agree with removing the endpoints, as they are currently the only means for the community to access usage related information. Several recently passed grants are dependent on this data and there is no mention of any possible replacements.

If the issue is privacy, why immediately go as far as removing them, and not just make them accessible only to registered parties, with access and registration similar to a traditional web API with API keys, etc.?

4 Likes

Absolutely - the idea to design Decentraland based on fear of bullies rather than along principles of decentralization is honestly shocking to me.

3 Likes

TL;DR: We have more to win by keeping that data open, we could mitigate the risks with other solutions.

Targeted harassment is not happening at the moment AFAIK. I heard some LAND owners have implemented their own banning mechanisms in their scenes. I prefer to address this matter under a broader Moderation Policy, defining how to handle harassment reports in general (botted or not).

Regarding surveillance, we are at the same crossroads as many other web3 projects. I believe as an industry we are still understanding the implications of using a decentralized identity system. IMHO the bottom line is that anyone can create a new address and kickstart a new identity for free.

Those endpoints can be the foundation for so many interesting and valuable applications. At this point, I believe we have more to win than to lose.

4 Likes

Those metrics are only system metrics: RAM/CPU/disk usage of the server the Catalyst is running on.

It’s possible to opt out of those metrics via ad blockers; it’s not possible to opt out of surveillance via Catalysts.

An issue with that is that all the previous history stays available; we have ways to make Decentraland more anonymous compared to other web3 projects.

I do not think those endpoints should be removed, but I think there should be ways to opt out from appearing in them.

1 Like

Hello folks, first of all thank you for your answers.

MorrisMustang, I hope my agenda is sufficiently clear at this point. I made this proposal as a member of the Decentraland community, as I believe in a platform that is safe for everyone to use, and I’m acting upon it with these writings. I bet and hope that you and your closest ones have never had to live through harassment or stalking situations; I think it would put you on the other side of this conversation.

I also believe that data and information want to be libre, but privacy is still a right we should pursue. As far as I know, the content files (a.k.a. deployments) data flows are decentralized and replicated, to ensure Decentraland nodes keep running and information is sufficiently replicated to prevent permanent data loss. The content layer of the whitepaper describes it at a high level.

The real-time position lives in another layer of the whitepaper: the P2P layer. The position data is only handled by one component of the whole system (archipelago), and it is a server-side component, completely opaque to what the users perceive as Decentraland. Exposing that information undermines security. This proposal doesn’t want to remove functionality, don’t get me wrong; my main goal is to preserve the metaverse as a safe place for everyone and ensure that safer alternatives are in place for as many community members as possible without generating potential risks.

Besides the DAO being a new paradigm, the interaction at Decentraland is governed by the Terms of Use and Privacy Policy of the web domain. That’s the reason why users have to review and accept/reject terms and conditions for using the explorer, and accept gate-keeps of the content served for those domains, for the protection of all the people involved, from users to the ones keeping the nodes up and running.

On the other hand, metrics about the CPU and disk from the nodes are operational metrics; only the folks running the machines that keep Decentraland alive need to know these metrics. You mention that the operator of Decentraland has access to them, and that is true. It is the default configuration, but anyone can turn it off; there is a big notice saying so very explicitly. I believe that it is in the best interest of the Decentraland community that the network is stable, so it makes sense that they have access to them, and every node owner can configure this as they want. Operational metrics are not Decentraland; they can disappear or change and the explorer wouldn’t notice it. Like the endpoints discussed above.

Yemel, I don’t think that “create a new address” is a sufficiently good way to handle harassment or stalking. IRL, when these situations go out of control, creating a new identity is the last resort, but it can be done. Here we have the chance of preventing it from happening in the first place, and adopting the “new address approach” as a first-class citizen and the “proposed solution” sounds odd…

Reading through the answers, I think that the initial set of options I chose was inaccurate. A better option would have been “remove identifiable information from the endpoints”. It is not about data secrecy, it is about preserving the privacy of the community.

I also consider that what HPrivakos suggests is much more sensible than a sudden change in the API; it could be considered.

Users’ sensitive information must be kept private. If endpoints compromise it, remove or update the endpoints.

Voting to remove the endpoint.

User coordinates in Decentraland should be treated like GPS coordinates.

What about hashing the public identifiers?
It would be necessary to also add the new endpoint to check address position.
We could even add a public IP identifier to learn more about unique IPs and detect multiple-account usage.

If there is an alternative to improve privacy, it should be explored. “Coordinates in DCL should be treated like GPS coordinates” is too strong of an argument.

This is just stage 1/3 before this proposal becomes binding. For the Draft Proposal, it’d be great to see this turned into an approach that also addresses the concerns brought up by @MorrisMustang.

2 Likes

This proposal is now in status: FINISHED.

Voting Results:

  • Remove the endpoints 59% 5,987,685 VP (18 votes)
  • Keep the endpoints 40% 4,135,398 VP (39 votes)
  • Invalid question/options 1% 152,738 VP (1 vote)

This proposal has been PASSED by a DAO Committee Member (0xfe91c0c482e09600f2d1dbca10fd705bc6de60bc)