-
Notifications
You must be signed in to change notification settings - Fork 377
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
MSC4207: Media identifier moderation policy #4207
Open
Gnuxie
wants to merge
6
commits into
matrix-org:main
Choose a base branch
from
Gnuxie:gnuxie/media-policy
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
+122
−0
Open
Changes from all commits
Commits
Show all changes
6 commits
Select commit
Hold shift + click to select a range
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,122 @@ | ||
| # MSC4207: Media identifier moderation policy | ||
|
|
||
| Moderation policies are used to refer to entities that | ||
| need to be taken down. | ||
|
|
||
| No such policy exists for media because of a number of safety, | ||
| security, and legal reasons. | ||
|
|
||
| A moderation policy that targets media is highly desired, | ||
| because there is no current means to share knowledge about | ||
| abusive content other than through back-channels. | ||
|
|
||
| This is because we must not inadvertently propagate the media | ||
| by referring to it directly. | ||
|
|
||
| ## Proposal | ||
|
|
||
| This proposal builds upon both [MSC4205 Hashed policy entities](https://github.com/matrix-org/matrix-spec-proposals/pull/4205) | ||
| and [MSC4204 m.takedown recommendation](https://github.com/matrix-org/matrix-spec-proposals/pull/4204). | ||
|
|
||
| A new policy type is introduced `m.policy.rule.mxc`. | ||
|
|
||
| A policy targeting the media `mxc://example.com/0` | ||
| would have the following content: | ||
|
|
||
| ```json | ||
| { | ||
| "hashes": { | ||
| "sha256": "ZDSM130dcJ578ANfiJxoN5Nle2+c5uEkDuHHduxj6AM=" | ||
| }, | ||
| "recommendation": "m.takedown" | ||
| } | ||
| ``` | ||
|
|
||
| As described in [MSC4204](https://github.com/matrix-org/matrix-spec-proposals/pull/4204), | ||
| a reason may be provided with the `m.takedown` recommendation. | ||
| However, in the context of media a reason must not be provided. | ||
|
|
||
| This is to prevent the policy being used to classify the media and to | ||
| keep the reason for takedown ambiguous. | ||
|
|
||
| ### Recommendations | ||
|
|
||
| #### [MSC4204](https://github.com/matrix-org/matrix-spec-proposals/pull/4204) `m.takedown` | ||
|
|
||
| - When applied to a user: Media is automatically purged from | ||
| local storage and is never displayed in the client. | ||
|
|
||
| - When applied to a room: Messages containing the media | ||
| uri are automatically redacted. | ||
|
|
||
| - When applied to a server: Media matching the mxc uri is immediately | ||
| quarantined or removed. | ||
|
|
||
| A reason should never be provided when this recommendation is used. | ||
| This is to prevent policy lists being used to classify media | ||
| on Matrix in order to deliberately seek a certain classification of | ||
| material. | ||
|
|
||
| #### `m.ban` | ||
|
|
||
| Moderators may wish to use `m.ban` when media is considered offensive, | ||
| or the subject of a dispute, but not necessarily worthy of | ||
| `m.takedown`. | ||
|
|
||
| - When applied to a user: Media is hidden entirely or behind a spoiler | ||
| tag with an explanation. | ||
|
|
||
| - When applied to a room: Messages containing the media uri are | ||
| automatically redacted. | ||
|
|
||
| - When applied to a server: The media is quarantined. | ||
|
|
||
| ## Potential issues | ||
|
|
||
| ### Reactive only | ||
|
|
||
| This only provides a reactive means to remove the media once it | ||
| has been sent to a room and downloaded on various homeservers. | ||
|
|
||
| It can only be proactive in instances where the attacker doesn't | ||
| know the media id has been listed yet, or the media simply | ||
| hasn't propagated to all target homeservers yet. | ||
|
|
||
| ### Missing reason | ||
|
|
||
| As mentioned in | ||
| [MSC4204](https://github.com/matrix-org/matrix-spec-proposals/pull/4204) | ||
| in the | ||
| [concerns](https://github.com/Gnuxie/matrix-doc/blob/gnuxie/takedown/proposals/4204-takedown-recommendation.md#potential-issues), | ||
| the absence reason may make it difficult for moderators to determine | ||
| the context behind the policy. An attempt to document the reason | ||
| privately exists through [MSC4206 Moderation policy auditing and | ||
| context](https://github.com/matrix-org/matrix-spec-proposals/pull/4206) | ||
|
|
||
| ## Alternatives | ||
|
|
||
| ### Content or perceptual hashing | ||
|
|
||
| Hashing the content of the media and distributing the media could | ||
| be the same as distributing a content address. | ||
|
|
||
| Distributing perceptual hashes is also problematic. | ||
|
|
||
| See [MSC4113: Image hashes in Policy Lists](https://github.com/matrix-org/matrix-spec-proposals/pull/4113). | ||
|
|
||
| ## Security considerations | ||
|
|
||
| ### Dictionary attack | ||
|
|
||
| Please see [MSC4205 Hashed policy entities](https://github.com/matrix-org/matrix-spec-proposals/pull/4205), in particular | ||
| the note on [dictionary attacks](https://github.com/Gnuxie/matrix-doc/blob/gnuxie/sha256-policy-entity/proposals/4205-sha256-policy-entity.md#dictionary-attack). | ||
|
|
||
| ## Unstable prefix | ||
|
|
||
| `org.matrix.msc4207.mxc` -> `m.policy.rule.mxc` | ||
|
|
||
| ## Dependencies | ||
|
|
||
| This MSC depends upon both: | ||
| * [MSC4205 Hashed policy entities](https://github.com/matrix-org/matrix-spec-proposals/pull/4205) | ||
| * [MSC4204 m.takedown recommendation](https://github.com/matrix-org/matrix-spec-proposals/pull/4204) |
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Implementation requirements: