# Administration Category > Administrative issues >  PM's

## pmbguy

I would like to ask a question that comes about after reading a very recent post.  


I dont suspect admin is reading PMs, at least not without our explicit permission, but can somebody please explain exactly how it works.

----------


## Dave A

> I dont suspect admin is reading PMs, at least not without our explicit permission


It's not even a permission issue - there is no mechanism in vBulletin that allows the admins to read anyone's PM's except their own.

There was a plug-in advertised on one of the support sites years ago that did introduce this possibility, but it got slated as unethical by all and sundry (including me). It certainly isn't enabled here, and I'm confident it'll never become a part of the standard distro.

This doesn't mean there aren't things the admins can do in respect of PMs, and I include a snapshot of the relevant dropdown of options we have in this regard:



About the most intrusive is the PM stats report, I guess. And all that gives is the total PM count in each of the particular member's PM folder.
(And an option to delete all PMs, which is there if we get reports of abuse of the PM system).

----------



## pmbguy

Shot for explaining it Dave. This is the first forum I have joined so I just don’t know these things. I apologise if it seemed like I was questioning TFSA. It's only clarification I seek.

I only have good things to say about TFSA.

----------


## ians

Glad to see Dave cleared this up. 

A question, Dave: does this mean admin has never been able to view PMs on any forums, or only ones with vBulletin? The reason I ask, this was many years ago, 2006 - 2007 if I recall. It caused quite a stir.

This is a rather interesting subject because if I were part of a terrorist organisation, for example, I could use PMs on forums to relay sensitive information I didn't want to share with authorities.

Just to clear the air it had nothing to do with this forum.

----------


## Dave A

Ian, as mentioned in my previous post, there was (and quite possibly still is) a 3rd party plug-in for vBulletin published that did (or does) enable an admin to look at other people's PM's rather easily.

There is also the issue that *all* content of the website is actually kept in a MySQL database. Now while each user's password *is* encrypted data, pretty much everything else isn't. This means if you've got read permissions to the database, and if you know where to look, you could read the content quite easily. 

Ultimately the only protection any of us have is the ethics of the website admin (including the hosting company) and the overall level of the website's security (which is a complex combination of factors on its own - the platform software, OS, permission settings, firewalls, malicious software injection detection scripts, password strength, invalid log-in attempt reporting, and probably more besides).

This situation is much the same for most other forum software as far as I know. And realistically the bottom line issue of _database and file access security_ is much the same for *any* website - it's only as good as the way it's set up and to some extent, maintained.




> The reason I ask, this was many years ago 2006 - 2007 if I recall. It caused quite a stir.


Yeah, as I recall the PM snoop plug-in was first released about that time. And you're right, it did cause quite a stir, particularly in webmaster circles. Not only because someone came up with the idea and went to the trouble of writing it, but because some web admins did actually download it (and no doubt used it too).

----------



## Dave A

:Hmmm:  Just got to the post that triggered the question, I guess.




> Someone asked the question, whether or not admin could read people's PM's and the response was well they shouldn't because it is unethical but yes admin can access people's PM's if they "need to".


I certainly wouldn't have been happy with that response either. It begs the question - why would the admin "need to"?

After all these years I've certainly never had occasion to even come close to thinking "heck, being able to read so-and-so's PMs would be handy right now".
And I've yet to hear a valid reason why they might "need to" either.

If a member has a problem with a PM they've received, there's a _Report Post_ button. And on the exceptionally rare occasion a member has seen fit to use it (on TFSA only twice ever, I think), understanding and resolving the issue certainly didn't require accessing anyone's PM content.

----------


## AndyD

I'd suggest that whilst the PM system is to all intents and purposes private, you shouldn't ever assume privacy is a 'given' or take privacy for granted, same as you should never assume that something has been removed from the internet (or a hard drive for that matter) because you deleted it.

----------


## SilverNodashi

You should never assume that anything you share on the internet is either a) safe or b) secure, especially if it's on a 3rd party platform. The moment you use a platform created by, or managed by someone else, you lose the right to your privacy. And by that I don't mean the developers or owners will steal your data, but rather that the data you share is in someone else's "possession", i.e. it's stored on a system managed and owned by someone else.
And, while in most cases the forum owner or admin might be a trustworthy guy (like Dave :Wink:), his system could be compromised and the thieves now have access to your precious data. Most forums, for example, don't use encrypted communications, primarily due to the extra costs (an SSL certificate can cost R250+ per year) and the extra load on the servers (which again, cost money) so a man-in-the-middle attack could very easily be performed and someone could have captured every byte transferred to and from the forum.


I'm by no means slanting anyone with the above statement, nor do I want to put Dave or The Forum SA in a bad position. Instead, I'm trying to show you how insecure the internet is by design. You should take responsibility for what you post online, even in a PM. 

For this reason, you should never use the same password on any two websites. In fact, you should actually be using a different email address for very sensitive stuff like online banking as well.

----------


## KristiKat

> Just got to the post that triggered the question, I guess.
> 
> 
> I certainly wouldn't have been happy with that response either. It begs the question - why would the admin "need to"?



I CANNOT believe that admins on other sites have the time to read other people's PMs...

but if they do, then they might as well be bigger trolls than the ones they are trying to "inspect".

----------


## Dave A

> Most forums, for example, don't use encrypted communications, primarily due to the extra costs (an SSL certificate can cost R250+ per year)


Peanuts compared to the hosting costs for a website this size.




> so a man-in-the-middle attack could very easily be performed and someone could have captured every byte transferred to and from the forum.


Interesting. Where would you put the script?

----------


## SilverNodashi

> Peanuts compared to the hosting costs for a website this size.


True, but since most forums don't make much money, most admins don't want to spend extra on it. I know some forums which blatantly ask for "donations". But it's not just the SSL which you need to cater for. If every page on this forum was encrypted, you would quickly see a spike in the server's load and may need a bigger CPU / more RAM / etc. 




> Interesting. Where would you put the script?


Well, it's "man in the middle", so it could be anywhere between my PC (for example) and your server. Even on your ISP's network. And, judging by the amount of spam, hack bots which our firewalls block, that comes from "large reputable hosts" (even in South Africa), it wouldn't surprise me if someone already has some packet sniffers in place and the network admins don't even know it...

----------

