moderated A privacy setting loophole with subgrups #misc


Bart Fried
 

Hi Mark,

My group is set for Members List Visibility -> Owners Only. Subgroups permissions in the Features Settings was set for Permissions -> Members. This led to one issue and one seemingly glaring privacy loophole.

First, the loophole: A regular member (not a moderator or owner) told me that she had added two other regular members to a subgroup. I thought that it was impossible, but she showed me how she did it. Simply by selecting the Subgroups option in the main menu, she saw a screen that listed three options: Members; +Create Subgroup; Categories. She clicked on Members and the entire membership list appeared with the options to add them to subgroups. She did not click on +Create Subgroup first, nor was she a moderator or owner of any subgroups. Thus, if the Permissions is set for any Member to be able to create a Subgroup, then any member in the entire group can override the group privacy setting and can now see the entire members list. I see this as a violation of the members' privacy. And what is worse, any member, even if not in any subgroup, can check off boxes for any other member in the entire group and then Update (showing at the bottom in the usual spot) them. Without their permission or their prior knowledge. Basically, a Direct Add. If you are aware of this, it is surprising that this exists, but perhaps there is a reason I'm not understanding.

This leads to the issue that I have had to change the Subgroups creation permission to Moderators & Owners Only. That does solve the privacy problem by closing the loophole, but it denies us the opportunity to have our members create their own subgroups. What we believe is a good option would be for a member to be able to create a subgroup, and to Moderate it, but not have access to the general membership list. To populate their group, they can easily post a notification, and the subgroup can be visible in the list of subgroups if desired. Anyone who wants to join it can subscribe to it. But overall privacy is maintained. Of course, Moderators of the subgroup should be able to see the subgroup Directory.

Thanks,

Bart Fried
Owner, AMATEUR ASTRONOMERS ASSOCIATION, INC. [AAA-NY]

Join main@beta.groups.io to automatically receive all group messages.