
Where is the basic privacy for communities and multi-team organisations?

I spent a fair amount of time and money getting Rocket.Chat set up and implemented, but I’m now discovering that it’s just not an option to use it due to the lack of privacy for anything more than a single transparent organisation. It’s a shame since besides this everything else seems excellent. Am I missing something?

I imagine my needs are pretty standard, and maybe the missing privacy options are why RC is not more popular. It doesn’t seem like you can use it with users who don’t know each other without violating their privacy (unless they don’t mind anyone else seeing their profile). The requirements I’m looking for are:

  • Disabling the user directory, or having it show only users who are connected with each other through a team/private channel.

  • Ability to have the user directory disabled/private but still be able to search for other users, whether that’s only by username or also by name.

  • Ability to choose a preference of a team/channel/discussion’s privacy - e.g. make a channel where users cannot see other members based on role.

  • Potentially also a better system for connecting users in a more private way - friend requests and contacts, or add contact via URL.

I am far from the only person looking for some basic privacy options; here are a few others I saw after a quick search, most of which were ignored. It’s concerning.

This unanswered discussion asks how users can be allowed to search for other users whilst having the global user directory public - disabling the view-outside-room permission hides the directory successfully but then it’s unusable since you can’t find other users at all:
https://forums.rocket.chat/t/view-outside-room-whitout-acces-to-all-user-list-in-directory-is-it-possible/8193

Another ignored discussion asking for the ability to keep the userbase list private:
https://github.com/RocketChat/Rocket.Chat/issues/14930

This discussion is also looking for better privacy and identifies the view-outside-room permission, but as I mentioned, this makes RC almost unusable since it’s impossible to discover other users:
https://forums.rocket.chat/t/disable-user-search-directory-users-for-some-user-groups/10764

The @ command also has the potential to leak all users; the discussion below highlights that even with the directory disabled, @ still reveals them. I’m not sure if this was fixed, but again the discussion went unanswered.
https://forums.rocket.chat/t/hide-users-from-command/6505

Hopefully some of this is already possible and I’m just missing the setting, if so I would appreciate any guidance. Otherwise I am interested to know when at least some of this will be implemented.

With great privacy for large communities and organisations I can see Rocket Chat becoming very popular, but without it, it is limited to small organisations that have no need for privacy (who I imagine would be better served by Slack, Teams, Mattermost, etc. at a tiny cost anyway).

I don’t know, it seems like you are trying to fit a square peg into a round hole. Rocket Chat is a Slack replacement. It offers onsite chat repos. That is something none of the options outside of MM offer.

People on a RC server are supposed to be part of a team. Hiding their names is not part of that paradigm.

If you want user anonymity then you should be looking at an XMPP setup. I can recommend Prosody, although the iOS clients are kind of weak, which has more to do with the limitations iOS poses.

1 Like

Hi and thanks for your considered comments.

As you may or may not be aware, Rocket is building out fast. We were resource restrained for some while so it has been difficult to look at every single issue and requirement.

With the new Community team we are starting to get some of these issues looked at but we can’t do everything overnight, and there are always some constraints.

Yes, as has been pointed out, it is designed for team collaboration first. But we recognize the need for more privacy and will take on board your points which I will raise with the Product Team.

Remember that it is open source. Unlike some other systems. I’m not sure how you can resolve ‘privacy’ when you host your server in the cloud on someone else’s infra, or use their hosted system entirely, with code you cannot inspect. Privacy has many facets.

There is no such thing as ‘standard’ IME!! We have all sorts of requests from all sorts of people, all with competing priorities.

Probably possible to implement to hide the global search. You can probably hide the global directory listing from the main panel anyway - think this has been asked before.

When you are in a Team or channel I think you can only view other members in there, unless you have enough permissions to add people.

Hiding users from the global directory based on roles - I don’t know and will have to ask.

Not sure how you can disable a directory, and still search for a user. Even if you disable a ‘list’ view, type ahead will still reveal other users. You can just use @user.name

Just make a team or channel where only the appropriate people are members? If you have a channel where some people are blocked your conversations will be disjointed?

If you create a discussion in a channel you can bring in others who can’t see the main channel IIRC.

You can already do that?

You probably ought to test on the latest versions (you haven’t mentioned what you are using) and have a good read in the docs too.

But I’m not sure how you balance privacy with adding people outside Rocket.

I don’t really want an app searching through my contacts.

Think say WhatsApp where I give you my number personally, just for you, but then WhatsApp ‘helpfully’ sends it to FB who can then link it with other people I have given it to. I never gave permission for FB to take it, or to link me to other people.

Real privacy is a complex issue!!

If you know their name you can just type it using @user.name - you don’t need a directory at all… but you will fall foul of your type ahead as per my previous comment

Ahh. That’s the other great thing about open source - you can make a code contribution to fix the things you want done, or just build it for yourself so you can have it exactly how you want it. Or pay a developer to do some modifications for you.

Or alternatively we have various paid support packages where you can get more advanced support and assistance.

Failing that you can rest assured that we will consider these requests going forward but it might not happen overnight.

If you clarify some of your ideas a little more in a curated list then we can take a look.

1 Like