Disable stats section in user profiles


(Ole Begemann) #1

I'd like to ask the @forum_admins to disable the publicly visible "stats" on the user profile pages for privacy reasons. (Edit: if that's even possible in Discourse. I assumed it is.)

I'm talking about this (both the "Stats" section and the header line on top):

I highlighted the figures that bother me particularly:

  • When the user was "last seen"
  • How many people viewed the user profile (I assume that's what "Views" means)
  • Total number of days visited
  • Total read time
  • Recent read time
  • Number of topics viewed
  • Number of posts read

None of this should be public information in my opinion. Ideally, the forum software shouldn't collect any of this data in the first place.

I could give more detailed reasons why I believe this, but I think the burden of justifying the data collection (and its publishing) should fall on those who want to defend it. Not collecting data should be the default.

What do others think? Can you come up with a reason how collecting and publishing this information improves the site for us?

By the way. I'm fine with collecting usage stats that tell the admins how the site is doing, but anonymized data (or deleting the personal info after a few days) should be sufficient for this purpose.

PS: I'm less concerned about the other figures (likes given and received, number of topics and posts created): writing a post is a conscious act by the user that is by definition public. The same is true for giving a like, though arguably less so. The number of likes received is sort of a badge of honor/fame for useful contributions, so it's kind of nice.

I would have no problem with those going away too, however.


(Ankit Aggarwal) #2

Yes +1 to this. I would also like it to not collect such data.


(Jordan Rose) #3

I sometimes like to know if someone's left the project by checking if they've logged on in the past several months, but that probably isn't a good enough use case to justify this. cc @Nicole_Jacque, @soffes


(Nicole Jacque) #4

Hi Ole,

I don't know that there's a strong reason for collecting/displaying those stats, other than I suppose it allows people to see how active a person is. It's helpful in cases where you are perhaps resurrecting an old topic, and are wondering if they're still active in the forums, or if you're trying to figure out if someone is a spammer/troll etc. I don't know that there's a super strong reason to need to do that though for non-admins.

Discourse gathers and displays the stats by default, and there's not a setting to turn it off. I could perhaps mess with CSS to hide it though. I'll investigate further to see what the options are.


(Svein Halvor Halvorsen) #5

Hiding it using css tricks will only serve to obfuscate it. I’d rather then display it as is, so people at least have a somewhat real opportunity to discover that their stats are, indeed, public. And hidden through css tricks should be considered public.

IMHO, we should either turn it off thd proper way, or not at all. Of the two, I prefer the former.


(Nicole Jacque) #6

I tend to agree with you on that. At the present time, there's no way to disable the stat gathering, so at least users can see what's been gathered.


#7

When I first joined this site I hunted around the settings for a way to make my profile details private (a common feature on similar sites) but didn't find anything. I don't particularly mind the collection part, because it's not particularly sensitive and there are generally server logs, etc anyway, but my natural inclination would be to hide it.


(Ole Begemann) #8

Thanks @Nicole_Jacque, that's disappointing. I agree that using CSS to hide the stats is not a good option.

@sam.saffron suggests in this fairly recent (March 2017) thread on Discourse Meta that there should be a "hide user profiles from public" setting, which has the side effect of hiding the stats at least for non-signed-in users, but it does so by disabling the full user directory and user profiles for those people. That's a fairly big hammer for only a partial solution.

I consider the visibility of the stats a fairly big invasion of my privacy, and I don't understand why there's no setting for it.

It seems I'll have to find my own ways to deal with it, such as creating a fake account. That sucks because I'd have to switch accounts for posting. If everybody did this, it would also defeat any utility the stats might have for others (such as checking if a user is still active, as @jrose mentioned).


(Pierpaolo Frasa) #9

I don't really mind much personally, but there's probably users from the EU here, and therefore it would probably a good idea to check the implications of this in terms of the new(-ish) GDPR laws.


(Ole Begemann) #10

I don't want to make this a legal argument. We should not care for our users' privacy because the law forces us to but because it's the right thing to do.

That said, I like the principle of data protection by default that is one of the cornerstones of the GDPR and has been the foundation of many European privacy laws for decades:

Controllers [of personal data] should also implement mechanisms to ensure that personal data is not processed unless necessary for each specific purpose.

There's a great German word for this: Datensparsamkeit (literally, "data parsimony").


(Tomáš Znamenáček) #11

Here’s a corresponding thread from Discourse Meta:

The request went nowhere, but if the issue is important to you, I think the Meta site would be a good place to get something changed?


(Jeremy W. Sherman) #12

Short of that there is no way of removing this information from the payloads (https://meta.discourse.org/t/users-stats-privacy/59539/3)

This got me thinking - you could actually strip that info out with post-processing. Throw a reverse proxy in front of whatever's serving the Discourse API, and strip that info out of the JSON payload. If there's already a proxy in place, that may not be a big change. And it doesn't require tweaking Discourse's code itself – just the contents of some responses.


(David Zarzycki) #13

(Sorry for the late reply. I've been away from email for about a month.)

There are two saying that I like that apply here:

  • "Not everything that is countable counts and not everything that counts is countable."
  • "An interested public doesn't make something in the public interest."

Stats that measure "read-only" behavior (last login, "read time", "topics visited", etc) are rarely actionable, are easily open to misinterpretation and abuse, and are a security risk. In particular, patterns in public read-only stats can strongly imply whether a person is or is not home. I'd strongly support getting rid of them.

In contrast, stats that measure contributed content are fairly harmless. Most of the time, these stats save people the time of counting posts, commits, etc. At worst, people conflate quality engagement with the quantity of engagement.


(Tomáš Znamenáček) #14

This just got released in Discourse 2.2.0-beta3:

Extra Privacy: Disable user presence and profile. Don’t like other users knowing you’re up at 4AM writing a reply? Prefer not to let other users know who you like the most? Users can now enable the “Hide my public profile and presence features” user preference to prevent other users from accessing your profile, or seeing that you are typing.

See the full release notes:


(Ole Begemann) #15

That's awesome, thanks for the headsup @zoul.

I'd very much appreciate if the @forum_admins could install this new version when it comes out of beta. (It does come a little late for me as I set up a second anonymous account for reading and syncing the state of read topics back and forth is a pain, but I'm sure others would appreciate the feature.)


(Ole Begemann) #16

It looks like the "Hide my public profile and presence features" is now available. Thanks @forum_admins! You can find it at your profile under Preferences > Interface:

Note that enabling the checkbox will hide your entire profile, not just the stats section. Your profile will look like this:


(David Zarzycki) #17

Hi @ole – The profile page seems to be largely statistics anyway, so I can kind of see why they went with disabling the whole profile page instead of going through each data point one by one to think about the privacy and security implications. Oh well. At least people have some control now. :-/