If I build a website that has a messaging feature between users, what laws are there governing my behavior as the owner of the website?

That is to say, I am the sole moderator and database administrator. By default I can see everyone's messages to each other and am automatically privy to every private conversation.

This is a new position for me to be in. Are there any laws around this in the US or EU? I mean, it is my website, and I never promised that messages were encrypted or anything. I'm really unsure.

To an extent I feel this is important for me to be able to do, to prevent or mitigate harassment. But at the same time, idk.

  • Unencrypted private messages on server side in 2020? You must be kidding (whereas legally still possible, it is a high deterrent for users). Either it has to be end-to-end encryption with no messages stored in your database at all, or, if stored, the users should be the only ones who can decrypt them.
    – Greendrake
    Commented Oct 2, 2020 at 2:23
  • @Greendrake meh, that's a product decision, not a legal or MVP requirement - no one in their right mind is going to implement end-to-end encryption for a cheap forum, for example. End-to-end encryption is impossible if the sole means of access is a website, anyway. Back to the question, I'm pretty sure just voyeuristic reading of messages would fall foul of Article 6 of the GDPR as there would be no lawful basis for that kind of processing of the data...
    – user28517
    Commented Oct 2, 2020 at 2:41
  • Yes, my situation is much closer to a cheap forum than any sort of serious messaging app.
    Commented Oct 2, 2020 at 3:34
  • @Moo there would be a lawful basis if the users consent to it.
    – phoog
    Commented Jun 29, 2021 at 22:49

2 Answers

If you haven't disclosed to your users that you are willing and able to arbitrarily read any "private conversation," as you put it, I think it would be fair to say that the users haven't consented to that kind of access to their messages.

If that's the case, I think you'd want to look at 18 U.S. Code § 2511, which imposes criminal sanctions on anyone who "intentionally intercepts ... any wire, oral, or electronic communication."

As for the E.U., my guess is that the GDPR would have a lot to say about this, but I'm not familiar enough with it to say how it handles this kind of situation.

Under the GDPR, you are required to take "technical and organizational measures" to safeguard the privacy of your users.

  • You are allowed to have admins who can read the messages.
  • You cannot allow them to do it on a whim, or to satisfy their curiosity.
  • You can allow them to do it to resolve technical issues.
  • I don't know what you can allow your moderators to do.

The fact that you are owner, admin and moderator in one person means that you "wear different hats" at different times. Things you can do as admin to safeguard the system integrity may be different from things you can do as a moderator to uphold community standards.
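One way to turn the "different hats" idea from this answer into a technical and organizational measure, as an added example that is not part of the original answer and makes no claim about what the GDPR requires: a message store where ordinary users can only read their own conversations, moderators can only open messages a participant has reported, admins must state a reason (for instance a support ticket) before reading anything, and every privileged read lands in an append-only audit log. All names here (MessageStore, Role, report, denied) are hypothetical, and the sample messages are constructed for the example.

```python
"""Hypothetical message store with role- and purpose-gated reads plus an audit
log. Added example, not code from the original page; the class and method
names are assumptions and the sample data is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Role(Enum):
    USER = "user"            # a participant in the conversation
    MODERATOR = "moderator"  # upholds community standards (the "moderator hat")
    ADMIN = "admin"          # safeguards system integrity (the "admin hat")


class AccessDenied(Exception):
    """Raised when a read is not justified by the actor's role and purpose."""


@dataclass
class Message:
    id: int
    sender: str
    recipient: str
    body: str
    reported: bool = False   # set when a participant flags the message


@dataclass
class AuditEntry:
    when: str
    actor: str
    role: str
    message_id: int
    reason: str


@dataclass
class MessageStore:
    messages: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)  # every privileged read
    _next_id: int = 1

    def send(self, sender: str, recipient: str, body: str) -> int:
        msg = Message(self._next_id, sender, recipient, body)
        self.messages[msg.id] = msg
        self._next_id += 1
        return msg.id

    def report(self, reporter: str, message_id: int) -> None:
        """Only a participant may put a message in front of a moderator."""
        msg = self.messages[message_id]
        if reporter not in (msg.sender, msg.recipient):
            raise AccessDenied("only a participant can report a message")
        msg.reported = True

    def read(self, actor: str, role: Role, message_id: int, reason: str = "") -> str:
        msg = self.messages[message_id]
        if role is Role.USER:
            # Participants read their own conversation; nothing to audit.
            if actor in (msg.sender, msg.recipient):
                return msg.body
            raise AccessDenied("not a participant in this conversation")
        if role is Role.MODERATOR:
            # Moderator hat: only messages a participant has reported.
            if not msg.reported:
                raise AccessDenied("moderators see only reported messages")
            reason = reason or "review of reported message"
        elif role is Role.ADMIN:
            # Admin hat: any message, but never "on a whim" - a reason is mandatory.
            if not reason.strip():
                raise AccessDenied("admin read requires a stated reason")
        self.audit_log.append(AuditEntry(
            when=datetime.now(timezone.utc).isoformat(),
            actor=actor, role=role.value, message_id=msg.id, reason=reason,
        ))
        return msg.body


def denied(call, *args, **kwargs) -> bool:
    """True if the call raises AccessDenied; lets policy be checked as a value."""
    try:
        call(*args, **kwargs)
    except AccessDenied:
        return True
    return False


def demo() -> MessageStore:
    """Constructed walk-through: one message, each hat tried in turn."""
    store = MessageStore()
    mid = store.send("alice", "bob", "can you resend the invoice?")
    assert store.read("bob", Role.USER, mid) == "can you resend the invoice?"
    assert denied(store.read, "eve", Role.USER, mid)
    assert denied(store.read, "mod", Role.MODERATOR, mid)   # not reported yet
    store.report("bob", mid)
    store.read("mod", Role.MODERATOR, mid)                   # now allowed, audited
    assert denied(store.read, "root", Role.ADMIN, mid)       # no reason given
    store.read("root", Role.ADMIN, mid, reason="ticket 42: delivery failure")
    return store


if __name__ == "__main__":
    for entry in demo().audit_log:
        print(entry)
```

The point of the design is that the owner's technical ability to read everything is not removed (this is a plain server-side store, as the comments above say a cheap forum would have), but it is channelled: the code refuses a read it cannot justify, and the reason is recorded so the organizational side (who looked at what, and why) can be reviewed later.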