From cd63e0c493bb7d05e08473c9de7b55bc0f9036df Mon Sep 17 00:00:00 2001 From: gnuxie Date: Wed, 2 Oct 2024 14:24:41 +0100 Subject: [PATCH 1/6] media identifier policy --- proposals/0000-media-identifier-policy.md | 105 ++++++++++++++++++++++ 1 file changed, 105 insertions(+) create mode 100644 proposals/0000-media-identifier-policy.md diff --git a/proposals/0000-media-identifier-policy.md b/proposals/0000-media-identifier-policy.md new file mode 100644 index 00000000000..fc16d4bd7bc --- /dev/null +++ b/proposals/0000-media-identifier-policy.md @@ -0,0 +1,105 @@ +# MSC0000: Media identifier moderation policy + +Moderation policies are used to refer to entities that +need to be takendown. + +No such policy exists for media because of a number of safety, +security, and legal reasons. + +A moderation policy that targets media is highly desired, +because there is no current means to share knowledge about +abusive content other than through backchannels. + +This is because we must not inadvertantly propagate the media +by referring to it directly. + +## Proposal + +This proposal builds upon both [MSC0000 Hashed policy entitites] +and [MSC0000 m.takedown recommendation]. + +A new policy type is introduced `m.policy.rule.mxc`. + +A policy targetting the media `mxc://example.com/0` +would have the following content: + +```json +{ + "hashes": { + "sha256": "ZDSM130dcJ578ANfiJxoN5Nle2+c5uEkDuHHduxj6AM=" + }, + "recommendation": "m.takedown" +} +``` + +A reason must not be used + +### Recommendations + +#### MSC0000 `m.takedown` + +- When applied to a user: Media is automatically purged from + local storage and is never displayed in the client. + +- When appiled to a room: Messages containing the media + uri are automatically redacted. + +- When applied to a server: Media matching the mxc uri is immediately + quarantined or removed. + +A reason should never be provided when this recommendation is used. +This is to prevent policy lists being used to classify media +on Matrix in order to deliberately seek a certain classification of +material. + +#### `m.ban` + +- When applied to a user: Media is hidden entirely or behind a spoiler + tag with an explanation. + +- When applied to a room: Messages containing the media uri are + automatically redacted. + +- When applied to a server: The media is quarantined. + +## Potential issues + +### Reactive only + +This only provides a reactive means to remove the media once it +has been sent to a room and downloaded on various homeservers. + +It can only be proactive in instances where the attacker doesn't +know the media id has been listed yet, or the media simply +hasn't propagated to all target homeservers yet. + + +## Alternatives + +### Content or perceptual hashing + +Hashing the content of the media and distributing the media could +be the same as distributing a content address. + +Distributing perceptual hashes is also problematic. + +## Security considerations + +### Dictionary attack + +Please see [MSC0000 m.takedown]. + +## Unstable prefix + +*If a proposal is implemented before it is included in the spec, then implementers must ensure that the +implementation is compatible with the final version that lands in the spec. This generally means that +experimental implementations should use `/unstable` endpoints, and use vendor prefixes where necessary. +For more information, see [MSC2324](https://github.com/matrix-org/matrix-doc/pull/2324). This section +should be used to document things such as what endpoints and names are being used while the feature is +in development, the name of the unstable feature flag to use to detect support for the feature, or what +migration steps are needed to switch to newer versions of the proposal.* + +## Dependencies + +* [MSC0000 `m.takedown`] +* [MSC0000 hashed policy entity] From c27cc5601c63fdd75eef5a74da9ace5a49e3e935 Mon Sep 17 00:00:00 2001 From: gnuxie Date: Wed, 2 Oct 2024 15:03:43 +0100 Subject: [PATCH 2/6] link up MSC --- ...icy.md => 4207-media-identifier-policy.md} | 24 ++++++++----------- 1 file changed, 10 insertions(+), 14 deletions(-) rename proposals/{0000-media-identifier-policy.md => 4207-media-identifier-policy.md} (69%) diff --git a/proposals/0000-media-identifier-policy.md b/proposals/4207-media-identifier-policy.md similarity index 69% rename from proposals/0000-media-identifier-policy.md rename to proposals/4207-media-identifier-policy.md index fc16d4bd7bc..b79426ff497 100644 --- a/proposals/0000-media-identifier-policy.md +++ b/proposals/4207-media-identifier-policy.md @@ -1,4 +1,4 @@ -# MSC0000: Media identifier moderation policy +# MSC4207: Media identifier moderation policy Moderation policies are used to refer to entities that need to be takendown. @@ -15,8 +15,8 @@ by referring to it directly. ## Proposal -This proposal builds upon both [MSC0000 Hashed policy entitites] -and [MSC0000 m.takedown recommendation]. +This proposal builds upon both [MSC4205 Hashed policy entitites](https://github.com/matrix-org/matrix-spec-proposals/pull/4205) +and [MSC4204 m.takedown recommendation](https://github.com/matrix-org/matrix-spec-proposals/pull/4204). A new policy type is introduced `m.policy.rule.mxc`. @@ -36,7 +36,7 @@ A reason must not be used ### Recommendations -#### MSC0000 `m.takedown` +#### [MSC4204](https://github.com/matrix-org/matrix-spec-proposals/pull/4204) `m.takedown` - When applied to a user: Media is automatically purged from local storage and is never displayed in the client. @@ -87,19 +87,15 @@ Distributing perceptual hashes is also problematic. ### Dictionary attack -Please see [MSC0000 m.takedown]. +Please see [MSC4205 Hashed policy entitites](https://github.com/matrix-org/matrix-spec-proposals/pull/4205), in particular +the note on [dictionary attacks](https://github.com/Gnuxie/matrix-doc/blob/gnuxie/sha256-policy-entity/proposals/4205-sha256-policy-entity.md#dictionary-attack). ## Unstable prefix -*If a proposal is implemented before it is included in the spec, then implementers must ensure that the -implementation is compatible with the final version that lands in the spec. This generally means that -experimental implementations should use `/unstable` endpoints, and use vendor prefixes where necessary. -For more information, see [MSC2324](https://github.com/matrix-org/matrix-doc/pull/2324). This section -should be used to document things such as what endpoints and names are being used while the feature is -in development, the name of the unstable feature flag to use to detect support for the feature, or what -migration steps are needed to switch to newer versions of the proposal.* +`org.matrix.msc4207.mxc` -> `m.policy.rule.mxc` ## Dependencies -* [MSC0000 `m.takedown`] -* [MSC0000 hashed policy entity] +This MSC depends upon both: +* [MSC4205 Hashed policy entitites](https://github.com/matrix-org/matrix-spec-proposals/pull/4205) +* [MSC4204 m.takedown recommendation](https://github.com/matrix-org/matrix-spec-proposals/pull/4204) From 0d675e6830cb79554265b771434ad7b81cf2d2b1 Mon Sep 17 00:00:00 2001 From: gnuxie Date: Wed, 2 Oct 2024 15:06:02 +0100 Subject: [PATCH 3/6] spelling --- proposals/4207-media-identifier-policy.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/proposals/4207-media-identifier-policy.md b/proposals/4207-media-identifier-policy.md index b79426ff497..a038eeaf78e 100644 --- a/proposals/4207-media-identifier-policy.md +++ b/proposals/4207-media-identifier-policy.md @@ -1,16 +1,16 @@ # MSC4207: Media identifier moderation policy Moderation policies are used to refer to entities that -need to be takendown. +need to be taken down. No such policy exists for media because of a number of safety, security, and legal reasons. A moderation policy that targets media is highly desired, because there is no current means to share knowledge about -abusive content other than through backchannels. +abusive content other than through back-channels. -This is because we must not inadvertantly propagate the media +This is because we must not inadvertently propagate the media by referring to it directly. ## Proposal @@ -20,7 +20,7 @@ and [MSC4204 m.takedown recommendation](https://github.com/matrix-org/matrix-spe A new policy type is introduced `m.policy.rule.mxc`. -A policy targetting the media `mxc://example.com/0` +A policy targeting the media `mxc://example.com/0` would have the following content: ```json @@ -41,7 +41,7 @@ A reason must not be used - When applied to a user: Media is automatically purged from local storage and is never displayed in the client. -- When appiled to a room: Messages containing the media +- When applied to a room: Messages containing the media uri are automatically redacted. - When applied to a server: Media matching the mxc uri is immediately From 58c42afa69bc801ac5ee5d073c79e08bc084bc17 Mon Sep 17 00:00:00 2001 From: gnuxie Date: Wed, 2 Oct 2024 15:07:51 +0100 Subject: [PATCH 4/6] no more entitities whoopsie --- proposals/4207-media-identifier-policy.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/proposals/4207-media-identifier-policy.md b/proposals/4207-media-identifier-policy.md index a038eeaf78e..bc94f52d743 100644 --- a/proposals/4207-media-identifier-policy.md +++ b/proposals/4207-media-identifier-policy.md @@ -15,7 +15,7 @@ by referring to it directly. ## Proposal -This proposal builds upon both [MSC4205 Hashed policy entitites](https://github.com/matrix-org/matrix-spec-proposals/pull/4205) +This proposal builds upon both [MSC4205 Hashed policy entities](https://github.com/matrix-org/matrix-spec-proposals/pull/4205) and [MSC4204 m.takedown recommendation](https://github.com/matrix-org/matrix-spec-proposals/pull/4204). A new policy type is introduced `m.policy.rule.mxc`. @@ -87,7 +87,7 @@ Distributing perceptual hashes is also problematic. ### Dictionary attack -Please see [MSC4205 Hashed policy entitites](https://github.com/matrix-org/matrix-spec-proposals/pull/4205), in particular +Please see [MSC4205 Hashed policy entities](https://github.com/matrix-org/matrix-spec-proposals/pull/4205), in particular the note on [dictionary attacks](https://github.com/Gnuxie/matrix-doc/blob/gnuxie/sha256-policy-entity/proposals/4205-sha256-policy-entity.md#dictionary-attack). ## Unstable prefix @@ -97,5 +97,5 @@ the note on [dictionary attacks](https://github.com/Gnuxie/matrix-doc/blob/gnuxi ## Dependencies This MSC depends upon both: -* [MSC4205 Hashed policy entitites](https://github.com/matrix-org/matrix-spec-proposals/pull/4205) +* [MSC4205 Hashed policy entities](https://github.com/matrix-org/matrix-spec-proposals/pull/4205) * [MSC4204 m.takedown recommendation](https://github.com/matrix-org/matrix-spec-proposals/pull/4204) From ba999b8e8511095bb989d3427d041cfc23d1b500 Mon Sep 17 00:00:00 2001 From: gnuxie Date: Wed, 2 Oct 2024 17:03:53 +0100 Subject: [PATCH 5/6] Be more clear what's going on with the `reason`. --- proposals/4207-media-identifier-policy.md | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/proposals/4207-media-identifier-policy.md b/proposals/4207-media-identifier-policy.md index bc94f52d743..413552c3e99 100644 --- a/proposals/4207-media-identifier-policy.md +++ b/proposals/4207-media-identifier-policy.md @@ -32,7 +32,12 @@ would have the following content: } ``` -A reason must not be used +As described in [MSC4204](https://github.com/matrix-org/matrix-spec-proposals/pull/4204), +a reason may be provided with the `m.takedown` recommendation. +However, in the context of media a reason must not be provided. + +This is to prevent the policy being used to classify the media and to +keep the reason for takedown ambiguous. ### Recommendations @@ -54,6 +59,10 @@ material. #### `m.ban` +Moderators may wish to use `m.ban` when media is considered offensive, +or the subject of a dispute, but not necessarily worthy of +`m.takedown`. + - When applied to a user: Media is hidden entirely or behind a spoiler tag with an explanation. @@ -73,6 +82,16 @@ It can only be proactive in instances where the attacker doesn't know the media id has been listed yet, or the media simply hasn't propagated to all target homeservers yet. +### Missing reason + +As mentioned in +[MSC4204](https://github.com/matrix-org/matrix-spec-proposals/pull/4204) +in the +[concerns](https://github.com/Gnuxie/matrix-doc/blob/gnuxie/takedown/proposals/4204-takedown-recommendation.md#potential-issues), +the abscence reason may make it difficult for moderators to determine +the context behind the policy. An attempt to document the reason +privately exists through [MSC4206 Moderation policy auditing and +context](https://github.com/matrix-org/matrix-spec-proposals/pull/4206) ## Alternatives @@ -83,6 +102,8 @@ be the same as distributing a content address. Distributing perceptual hashes is also problematic. +See [MSC4113: Image hashes in Policy Lists](https://github.com/matrix-org/matrix-spec-proposals/pull/4113). + ## Security considerations ### Dictionary attack From 1821ac0e0cf090631420278e3bb9e0a4e2954bd4 Mon Sep 17 00:00:00 2001 From: gnuxie Date: Wed, 2 Oct 2024 17:07:23 +0100 Subject: [PATCH 6/6] Spelling. --- proposals/4207-media-identifier-policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/4207-media-identifier-policy.md b/proposals/4207-media-identifier-policy.md index 413552c3e99..728118ffa83 100644 --- a/proposals/4207-media-identifier-policy.md +++ b/proposals/4207-media-identifier-policy.md @@ -88,7 +88,7 @@ As mentioned in [MSC4204](https://github.com/matrix-org/matrix-spec-proposals/pull/4204) in the [concerns](https://github.com/Gnuxie/matrix-doc/blob/gnuxie/takedown/proposals/4204-takedown-recommendation.md#potential-issues), -the abscence reason may make it difficult for moderators to determine +the absence reason may make it difficult for moderators to determine the context behind the policy. An attempt to document the reason privately exists through [MSC4206 Moderation policy auditing and context](https://github.com/matrix-org/matrix-spec-proposals/pull/4206)