Private Managed Groups

Expected behavior

A group of people (moderators and an owner of the group) will be the ones that can add/remove members.

Require consent from the one being added to avoid a troll adding people to other groups.

A single owner of the group can change the moderators.

This is a private managed group (using DeltaChat's usual private group, just layering the “only listen to owner & moderator” messaging process), in contrast with the public managed group that trades security for performance (using a public key, no re-signing of the messages with each private key): Spec Proposal: Super Groups

Actual behavior

Currently every member can add/remove every other member. Some trolls, or even your friends/family who get hacked (or suddenly change their mind about being nice), remove everyone else, and then we need to rebuild the group. Limiting the people who can do that will reduce this occurrence.

Deliberation (the actual proposal is above; below is just the rationale that led to the above proposal)

Previously the title of this topic was: Coordination (moderation, election) without bots

My ( @irvan-putra ) thinking is like this:
The current workaround is using bots, which is too centralized, especially since we don’t have an easy button to re-host the bots at another instance (which I guess is another topic, Re-host bots using separate servers).

This is a coordination problem, which we could enable by wrapping the messaging process needed to elect the moderators, after which only the removal actions by moderators are listened to.

We can even go fancy with this, with an impeachment messaging process that will execute the group cloning (or the removal of moderation powers) if the need arises, for example if moderators are unresponsive (busy, sick, dead) or just incompetent.

Concern from @ian : multiple vulnerabilities with just elected moderators, Private Managed Groups - #4 by ian

Suggestion from @ell1e :
So what if adding people was also limited to the people that can remove people? So they have the ability to revoke their own invite links. I feel like that seems like the natural evolution of this concept of having multiple people with removal rights.

It might also be worthwhile to have a single owner on top of things, and to have that be the only account that can change who is part of the list that can remove and add people. That would be less shaky than an election which is hard to implement safely in a distributed system.

Concern from @ian: creating an infinite stream of new abusive groups and adding the members

Suggestion from @ell1e :
This would be trivial to fix if DeltaChat simply made adding require consent of the target, like a private message already does.

Concern from me, @irvan-putra:
Any idea on how to deal with small groups when people don’t want to be the owner? I know it is more than what current Whatsapp/Telegram/Discord are doing (they still have group ownership), but I am just thinking of it more like a mailing list but with multiple admin accounts.

From @ell1e :
I’m guessing they’ll just have to pick one, even if it is begrudgingly.

2 Likes
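The acceptance rules from the "Expected behavior" section above, as an added sketch that is not part of the original post and is not Delta Chat code: each client ignores membership messages unless they come from the owner or a moderator, only the owner changes the moderator list, and an add takes effect only after the invitee consents. All names are hypothetical; that members may leave on their own, that the owner cannot be removed, and that an invite is void once its inviter loses rights are assumptions.

```python
# Added sketch, not Delta Chat code: all names are hypothetical. Sender identity
# is assumed to be authenticated already by the end-to-end encryption layer.
from dataclasses import dataclass, field

@dataclass
class ManagedGroup:
    owner: str
    moderators: set = field(default_factory=set)
    members: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)   # invitee -> inviting manager

    def __post_init__(self):
        self.members.add(self.owner)

    def _is_manager(self, who):
        return who == self.owner or who in self.moderators

    def apply(self, sender, action, target):
        """Apply one control message; True if accepted, False if ignored."""
        if action in ("set_moderator", "unset_moderator"):
            if sender != self.owner or target not in self.members:
                return False                      # only the single owner decides
            change = self.moderators.add if action == "set_moderator" else self.moderators.discard
            change(target)
        elif action == "invite":                  # proposes only, nobody joins yet
            if not self._is_manager(sender) or target in self.members:
                return False
            self.pending[target] = sender
        elif action == "accept":                  # consent must come from the invitee
            if sender != target or target not in self.pending:
                return False
            if not self._is_manager(self.pending.pop(target)):
                return False                      # inviter lost rights: invite is void
            self.members.add(target)
        elif action == "remove":
            if target == self.owner or target not in self.members:
                return False
            if sender != target and not self._is_manager(sender):
                return False                      # plain members can only leave
            self.members.discard(target)
            self.moderators.discard(target)
        else:
            return False
        return True

if __name__ == "__main__":                        # constructed sample messages
    g = ManagedGroup(owner="alice")
    print(g.apply("alice", "invite", "bob"), g.apply("mallory", "accept", "bob"))
```

Because every client applies the same rules to the same messages, a control message from a non-manager changes nothing on any honest client.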

Are you still working on this proposal and do you plan to post further elaboration in edits and comments? The above description does not address most of the threats to DC groups already discussed in other topics. I can elaborate here again if you’d like.

1 Like

I don’t have anything more to add, feel free to elaborate.

If you broadcast an invite link to your private DC group, anyone can later exploit further vulnerabilities:

  • [undisclosed security issue about overtaking groups of others]
  • adding a huge number of members
  • adding a huge number of spam or bomb messages to the group either directly or through a constant stream of new members
  • directly sending spam messages to each member (if you share a group with someone, you are free to message them)
  • adding impersonated members to the group, perhaps even after puppetting the removal of the original one and explaining that they “migrated for a bigger quota”
  • cloning the group in a way that every member would be MITM to each other, but would superficially resemble the same group with the same set of members
  • creating an infinite stream of new abusive groups and adding the members from the original group to them (if you share a group with someone, you are free to add them to any group)
  • fingerprint and track the members via P2P calls and webxdc
  • send in new bait webxdc or infected “new” versions of existing, familiar ones (users don’t check the hash, let alone the source before clicking anyway)
  • abuse the election and impeachment process by Sybil attacks
  • target those few designated moderators in the group one wants to attack with a steady trickle of DDoS (bombing) so nobody will be able to remove abuse sent to the groups they moderate or even initiate an impeachment takeover with cloning during this time. This actually happens more often on other platforms than you would think.
  • without a single coordinating “owner” designated, the list of moderators can be made to drift/desync/fork
  • track the account generating the invitation via already published securejoin vulnerabilities using silent pings

3 Likes

Thanks, especially the election and impeachment part. Hm…

So what if adding people was also limited to the people that can remove people? So they have the ability to revoke their own invite links. I feel like that seems like the natural evolution of this concept of having multiple people with removal rights.

It might also be worthwhile to have a single owner on top of things, and to have that be the only account that can change who is part of the list that can remove and add people. That would be less shaky than an election which is hard to implement safely in a distributed system.

This would be trivial to fix if DeltaChat simply made adding require consent of the target, like a private message already does. I’ve been suggesting for a longer while that they should do that.

I like your proposal better than the super groups, since 1. it can work without bots and 2. it seems to retain the normal, full encryption.

1 Like

Thanks for the idea. Any idea on how to deal with small groups when people don’t want to be the owner? I know it is more than what current Whatsapp/Telegram/Discord are doing (they still have group ownership), but I am just thinking of it more like a mailing list but with multiple admin accounts.

1 Like

I’m guessing they’ll just have to pick one, even if it is begrudgingly.

1 Like

Thank you @ian & @ell1e , feel free to add more.

My next action is probably to learn how to contribute code to DeltaChat, because I really want to move my game developer groups from Discord :laughing:

2 Likes

I have modified this topic starter as suggested by @ell1e and with my additional understanding, to avoid confusion about what the latest proposal status is.

I am still open to feedback; it will be a while before I can propose code changes.

1 Like

Adding a use case: remote instructional classes. Students and random strangers can be disruptive brats, and temporarily openly muting them in the group can be necessary.

1 Like

Most of the spam problems you list there are solved by the super groups proposal.

1 Like