Re: On The Safety of Publicly Open-Registration Solid Servers

On 2023-10-02 04:28, Emelia Smith wrote:
> Given the talk of the hosted server for the solid community, I'd just like to point out that any server setup will & must have both CSAM and other illegal content filtering/scanning.
> 
> Running an open-registration solid server without those is basically like running an open FTP server in many ways: anyone could be uploading anything to it, and the server operators do ultimately have legal responsibility for the content on their solid servers.
> 
> What would perhaps be better is time & energy making it possible to spin up quick development environments, which would be more ephemeral and less likely to be a target for abuse, as that'd be limited in abuse vectors.
> 
> This comes to mind because I'm currently working on trust & safety and moderation tooling for the Fediverse, and CSAM has been a major talking point over recent months, especially as some bad actors have been deliberately flooding servers with CSAM (both real and computer generated), and violent gore content.
> 
> Just asking for an email for sign up likely isn't enough... if the software you used supported S3 compatible storage, you might be able to use Cloudflare's CSAM scanning solution.
> 
> But honestly, the better answer is disposable developer environments via an easily runnable local server, rather than public open-registration servers.
> 
> The code running platforms like CodeSandbox, Glitch, and Repl.it all had similar issues where fraudsters and scammers used their free services for hosting scam websites to steal people's credentials & private information, and all have since implemented content scanning & filtering.
> 
> Yours,
> Emelia


Emelia, thanks for raising concerns that are part of the broader social
web, and ways in which we can improve work from our (CG and ecosystem) end.

I'd like us (the CG) to follow up constructively. I don't want this
information to get lost in the emails (this mailing list is "used for 
general discussions and announcements" [1]).

It may at first glance appear that your recommendations may not
specifically fit under the scope of the CG but it is not out of scope
either [2]. But, I do acknowledge that there are takeaways we can break 
down and work on in the context of the CG and are in scope (and if not, 
why not, right?). And, this work or information is not limited to the CG 
and should be further developed as part of the Solid Project.

Here are some suggestions:

* Storage Terms of Service Template [3] that can be adopted by storage 
providers, in addition to their local laws, in the spirit of the Solid 
project.

* Best Practices and Guidelines for storage providers, taking different
types of invitations, registrations, and data policy and rights (e.g., 
[4][5]) which also goes together with what's in scope as per "(meta)data 
models.." [2]. And more broadly on hosting, infrastructure and systems 
(e.g., part of Web Sustainability Guidelines [6]).

* Further develop Use Cases and Requirements [7][8][9][10] (and other), 
taking processing (e.g., generally [11] but with further considerations 
towards ensuring trust, safety, and moderation).

May I ask you and others interested in this work to follow up in one of
those spaces? It is not an exhaustive list and may not entirely address
the concerns you're raising so I can encourage everyone to take up this 
work in one of the, or to be created, workspaces.

Lastly, some of this work is not entirely on the Solid project to solve,
so please also consider following up with existing groups and
communities out there both in W3C and elsewhere. Hint: this would be a 
good CG Task Force if we can distil the needs further.

Huge thanks!

[1] https://www.w3.org/community/solid/charter/#communication
[2] https://www.w3.org/community/solid/charter/#scope
[3] https://github.com/solid/specification/discussions/577

[4] https://www.w3.org/TR/odrl-model/
[5] https://w3id.org/dpv

[6] https://w3c.github.io/sustyweb/#hosting-infrastructure-and-systems

[7] https://github.com/solid/user-stories
[8] https://solid.github.io/authorization-panel/authorization-ucr/
[9] https://solid.github.io/notifications-panel/notifications-ucr
[10] https://github.com/solid/specification/issues/317

[11] https://github.com/solid/specification/issues/394

-Sarven
https://csarven.ca/#i

Received on Monday, 2 October 2023 09:17:07 UTC