Dear Rocket.Chat community
Yesterday some of you received a notification about our registration requirement for push notifications. For many of you this came as a surprise - in most cases not about the content of the notice, but the notice popping up in your private workspace.
We realized we made a lot of errors in the process of pushing out that message. We apologize for that. We want to explain to you how this happened and what we will do so this does not happen again.
The notice was delivered via an embedded cron job which checks every day for alerts regarding system updates, important service maintenance and security fixes. It has been present since version v0.62.0. This cron job has so far only been used to notify administrators on our hosted services about available version upgrades and upcoming maintenance - and should not have been used to send out messages to private workspaces without clear and prior consent.
We promise that Rocket.Chat is 100% free of any kind of backdoor. This cron job could be interpreted as such, therefore we will give you the option to deactivate it, and it will be turned off by default for unregistered, private workspaces. We did an emergency review with our developers and concluded that no other such cron job or similar feature exists. The only other ways of interacting with Rocket.Chat's services are if you have registered your workspace or if you have opted in to sending anonymous server statistics. We also want to be clear: Rocket.Chat will always be able to be used free and without any kind of registration - if you prefer not registering, that option will always be there for you.
We also received reports that the registration does not work in some cases. We are working with all available resources to resolve the remaining issues. If you are still encountering errors, please contact us via our ticketing system. Most of them have been resolved by now.
What we will do immediately:
- No longer send notifications via that cron job to installations that are not registered.
- Add a setting to disable the cron job update notifications check in the next release and make it clearly visible during the initial setup wizard.
- New workspaces that are not registered will have the option for update notification disabled by default.
- New workspaces that are registered will have the option for update notification enabled by default, but can turn that off in their administration settings.
Lastly: we did send out this message in good faith, hoping to provide those of you that have not registered with an early warning before your push notifications would go dark. Even with the forums and our open server, reaching the majority of our workspaces for potentially breaking updates is difficult for us. We did not choose the right method this time, but did so believing this would reach most of the affected individuals for a good cause. Push notifications are an important part of our product. The registration enforcement allows us to prevent abuses and charge the most consuming workspaces in order to maintain a reliable service for everyone.
For information about push notification caps and costs please see this announcement.