The CEO himself admitted to going into The_Donald subreddit (before it was banned) and editing user comments. I don't think this guy is leading the charge to admin transparency.
This gets brought up a lot. And it's a bit of a doozy to make sense of.
First, consider the context: the CEO (spez) was an easy punching bag on the_donald subreddit, in fact it was a bit of a meme there to attack reddit's admins (and those in the know do know that the attacks were often crossing a line, like accusing them of being pedophiles and things of the nature). The change that spez made was a bit of a joke itself, it was turning an attack on its head. If the edit had been made in the early early days of Reddit, especially in the jokey context it was made in, I don't think anyone would have batted an eyelash. But in the last few years, right around the time these things happened, it became clear that Reddit is a big deal.
I think what I'm trying to say is, whatever may be your feelings of Reddit and its stature, this particular act by spez was pretty insignifiant in the grand scheme of things. Indeed the subreddit that this happened in actually no longer even exists, the_donald and similar subreddits were banned to make Reddit a friendlier place such that it's now an easier decision for corporate America to put ads on there.
> pretty insignifiant in the grand scheme of things.
It was super significant in that it was evidence that Reddit employees have the ability to edit messages with no audit trail and no governance.
So while the individual edit was not important, the fact that it happened was. And there is an unknown number of other edits that were never disclosed and is unprovable. So Reddit broke the one thing it’s supposed to do- allow users to talk to each other.
Important for this article too because Knight claims her boyfriend’s Twitter account was hacked and someone else posted about fantasizing about kids. If it was Reddit we wouldn’t be able to know if it was Knight’s boyfriend, hackers, or some Reddit admin.
> It was super significant in that it was evidence that Reddit employees have the ability to edit messages with no audit trail and no governance.
Yeah this is an issue, but let’s be real here, this matters to you me and a few other people here, and outside in the real world no-one cares. Even this expectation is new, any admin who was hosting phpbb forums or whatever else had this freedom to change a few entries in their Mysql Db, heck there was an engineer who was able to go inside people’s private gmail (https://www.wired.com/2010/09/google-spy/) — and Google is a company we expected to have better safeguards. Better security measures, sophisticated software architecture to prevent this, these things only happen after a startup reaches a high level of maturity in its timeline, Reddit hadn’t quite reached that point when this happened. I would be concerned if such a thing happened now though. Now these safeguards do exist on Reddit so there’s that.
It mattered a lot to the people in the subreddit who were upset enough about that and other things to create their own website and move their community off reddit.
I think it's less about the technical aspect and more about the expectation that people with the ability to change your comments won't do that. If you wrote an opinion letter to a magazine, and they published it, but only after changing a few words in your letter to make you seem dumb, everyone would understand why you were upset even though nobody would doubt that magazines have the technical capability to do this.
One of the things I first set up in systems like this is to really lock down who can change and do stuff like put content into immutable read only stores so it’s hard to change.
And I also set up audits and alarms so if someone does change things that shouldn’t be changed then alerts get pushed out to the right places for review. Even if it’s simple stuff like putting a trigger on a column that shouldn’t change so it’s logged and reviewed when someone changes it.
This is just a reasonable thing for an admin to set up. Decades ago, I got really pissed when sysadmins were just reading email and worked to set up controls so people could only do this with the right controls and reading a users’ content was a big deal that was super hard, hopefully impossible to do inappropriately.
There are situations where this has to happen right- HR investigating a complaint, laws, audits, etc- and that’s still possible. But casually browsing and changing without anyone knowing should not be allowed in any serious business. It’s not that hard to set up.
>Reddit employees have the ability to edit messages with no audit trail and no governance.
How did you come to this conclusion? It is entirely possible that there was an audit trail and governance, spez simply ignored the governance, and he would have been fired after an examination of the audit trail if he was anyone else but the co-founder/CEO.
I'm not going to defend Reddit's corporate culture, but you are making a much more nebulous complaint here than OP did when they stated rather definitively that there was "no audit trail and no governance".
I realize that and it is why I referenced “OP” in that comment. They made a specific and direct statement which was in my opinion unsupported by the evidence. You countered my response with a more general and vaguer complaint that I can’t really disagree with but isn’t directly related to the original complaint I was refuting.
If someone can ignore the governance process then it’s not an effective governance process.
If there’s not auditing to identify when someone bypasses governance, then that’s not effective auditing.
Assuming effective controls are in place without any description of them and evidence that they fail is foolish, I think.
Reddit could have shown off their governance and audit process, but didn’t. I’ve worked on similar systems where someone can just edit the db records and there have been places with no and decent governance. It’s more likely that anyone with admin rights can change stuff. This is bad for a company as big as Reddit with as many users.
> If it was Reddit we wouldn’t be able to know if it was Knight’s boyfriend, hackers, or some Reddit admin.
Sorry I don't see your point, I work in systems in very large e-commerce multinationals and I have been given the production database credentials many times allowing me to change anything of any user or any product using the mandatory company VPN and the admin account. What are you going to track? The VPN IP and and the general admin credential that can be 100 different people not including hackers that could have compromised any of our PCs?
The only important thing is that she doesn't stand behind the comments, she denies them. So that's it. She clearly doesn't support those statements, end of story.
Whoever with the intent to kill, injure, harass, intimidate, or place under surveillance with intent to kill, injure, harass, or intimidate another person, uses the mail, any interactive computer service or electronic communication service or electronic communication system of interstate commerce, or any other facility of interstate or foreign commerce to engage in a course of conduct that causes, attempts to cause, or would be reasonably expected to cause substantial emotional distress to a person described in clause ...
>that Reddit employees have the ability to edit messages with no audit trail and no governance.
Help me understand this. Reddit is a private company. Is there some sort of contract somewhere that says they won't edit messages and will maintain an audit trail? I mean, I might not like that they are doing it, but I'm also not paying a dime for Reddit (and I have all ads blocked, so they doubly aren't making any money off of me) so I don't see where I can be upset if Reddit does this. You get what you pay for.
If we want governance and audit trails, it either needs to be maintained as a public resource, paid for out of tax dollars, or needs to be a fully paid for product that involves entering into a 2 way contract. Otherwise, I think they are free and clear to do whatever they want to do with any subreddits, posts, or comments.
> Is there some sort of contract somewhere that says they won't edit messages and will maintain an audit trail?
Legal contract? No. Social contract? Yes.
> Otherwise, I think they are free and clear to do whatever they want to do with any subreddits, posts, or comments.
I'm surprised this is where you went with your rationale. The parent was clearly saying that the intent of the communities is the ability for people to freely speak each other. Any function, especially by authority, to undermine that will erode confidence and thus eventually cause people to use the site less.
Social contract? Seriously? Who in the world is using Reddit because they have confidence in it? That is insane. It's an anonymous black hole of posts and comments and come and go like dust in the wind and have no lasting permanence or value. It's not social. There is no contract. Nobody in their right mind should have confidence in Reddit or believe that anything on there is real or authentic.
> dust in the wind and have no lasting permanence or value
You mean like the massive russian "troll farms" that have effectively coerced people into political beliefs, or places like /r/RedPill that have galvanized young males to be ant-feminine, or WSB where thousands of people have placed savings into Gamestop. Want me to go on?
So yes there is most definitely a social contract. Just because you don't believe the information, doesn't mean others don't as well.
When you go to Disneyland it involves losing a lot of money but people usually enjoy it. Same thing here. People are not being quoted in the news or testifying to Congress that they lost their retirement and Mr. DFV has not lost his SEC broker registration.
You are right up until you end the sentence with the wrong cranberry. A vast majority of content on Reddit is shockingly real (going by Occam's razor), it is one of the reasons why in light of this whole debacle I'm considering never setting foot on that platform ever again.
The content of Reddit comments have been used in legal proceedings. It's a huge deal that the CEO has edit permissions in the main Reddit site database, they simply shouldn't have that access at all.
It's like Mark Zuckerberg personally (and invisibly) editing your facebook posts, for which you're legally culpable. I don't really get how people here just brush it off.
The fact that Reddit comments are admissible in a court sounds insane to me. I can't believe people actually take Reddit that seriously. It's like taking preschoolers yelling at each other seriously, but with anonymity thrown in. The fact that adults can take it seriously enough to use it in court cases is crazy.
Just because you don't know the reddit user in real life doesn't mean other people don't know each other in real life. If someone says they're going to kill someone for a comment, and then that user ends up dead, I don't see why it would be shocking that might be used as evidence in a court case.
It was a pretty common occurrence on Twitter back when people posted their gang crap everywhere.
> It's a huge deal that the CEO has edit permissions in the main Reddit site database
Surely you jest! Do you know how programs work? You don't think HN comments can't be edited by anyone with access to the DB and permission to make changes?
Frankly the idea that people on HN thought that people who run a website can't edit the content on it is one of the most bizarre, disingenuous things I've read on here.
You all know it can be done. Why is everyone pretending otherwise? Is it performative?
I think the expectation is that spez (and, ideally every other Reddit employee) would not have credentials to the prod database. Definitely not _write_ credentials.
In a system as large as Reddit, there's rarely a good reason for a human to be running hand-written SQL commands in prod.
There's a large amount of process in place at traditional companies to prevent this kind of tampering. Commonly, it involves separation of powers, with an "Operations" team that runs the software and an "Engineering" team that runs the software. This way, theoretically, nobody who has the knowledge of how to abuse the system would have access to abuse it. Making "unwanted" changes to software would require the consent of two parties at odds - One on Ops, one on Eng.
In practice, it was impossible to debug software if you didn't have knowledge of how it ran and it was impossible for teams to cooperate when designed as antagonistic. "Operations" people needed to know enough programming and SQL to be able to audit engineering access, or they became blind drones parroting the actions that the Engineering team took. A useless layer of signaling that added no substance. And it was easy to align bad actors in Ops and Eng, at least in places where it mattered - Usually with money.
My career in DevOps has been breaking down these barriers, promoting a "shared ownership" model where it's devs are directly oncall and have production credentials to their services. Still, there are serious protections in place: The passwords to the production databases are stored securely, not typically visible to devs - They have to jump through hoops of using a auditable bastion box to run SQL commands directly on the production databases. Not that it's not possible, not that it's not done (Though good engineering practices make it an uncommon task, I think we've actually used the ability half a dozen times in the last year), but as the commands are being typed they send out logs to a third-party service that's instructed to archive them. It's not hard to get access, but it would be easy to see the trail.
That said: This is on a mature team. That doesn't come out of the box and we didn't get there easily. Many teams, even with all of that protection, don't actually audit the logs, and do generate a lot of logs because of poor system behavior.
Knowing the engineering talent at Reddit, I doubt that it's a concern. Whether by malice or naivete, it has likely never crossed their mind that anyone would break protocol and access databases directly for anything other than legitimate debugging purposes. I'm convinced that the SF bay has some of the narrowest focused minds... and also many of the most malicious.
At a technical level it is always possible somehow but the point people are trying to make is that there should be access controls and protocols in place. The CEO should not have absolute unconstrained access in all matters.
The person I would trust the least to run raw SQL at (easy to find if you care) has the most privilege to do so: The "Growth Hacker" business operations person. Probably reddit is among the few companies where the CEO is technical enough to be doing raw SQL queries themselves, but it's trivial for a CEO to generate a purpose for credentials to be stored in their remit: Business reports. The bizops people with direct ties to the CEO will do whatever they're asked.
Still, agreed - The fact that they've now shown, multiple times, to have insufficient auditing and repercussions for the administrative abuse is sobering.
C* executives are normally prevented from accessing these systems directly for accounting reasons. I'm certain the person meant that it was inappropriate for the CEO of Reddit to have the ability to edit the production database, not that they didn't understand how DB ACLs work.
I've worked on production DBs that have had these kinds of restrictions- like, an alert gets sent if an SVP accesses a system. There are a lot of good reasons for this but most of them come down to avoiding fraud.
Yes, like many people, I use my real name on HN. (But not on Reddit, of course.) And people frequently identify themselves on HN by linking to their blogs or projects. I wouldn't call those people stupid.
You're missing the point. No one is saying that they're not legally allowed to do it. The issue here is that it's possible, and that it was done at least once.
What if it was done constantly all day long every day? How would that be any different than having been done once? This is reddit, the bastion of anonymous inanity.
There is really no excuse for what he did and most other businesses would have fired him immediately. Reddit simply has a very immature corporate culture. Post-IPO (if they get that far) I would expect a massive clean-out.
What's the harm in such a pointless joke? It was silly, but it's not like the meme subreddit he did it to was a super serious one like AskHistorians is.
Personally I don't think that action in itself is a big deal, but it shows that Reddit has a lack of internal security i.e. reddit employees are admins in the old-school CMS/forum software sense: they simply can do anything. (Edit: Reply points out that spez says not all admins can do this)
For comparison, I don't expect that a Google employee, or C-level executive, has an "Edit" button next to every single post on Google Groups.
Being able to silently change the content appearing under a user's name is a big deal. It's a more significant capability than being able to e.g. take down content.
To be fair, nobody has an edit button on any Google Groups post anymore. Nobody has any buttons on them, in fact. Also, when it happened, he also pointed out that most reddit admins weren't able to do this.
> Also, when it happened, he also pointed out that most reddit admins weren't able to do this.
That’s worse though, right? Why does he have this special functionality the other admins don’t have? Why would the CEO ever legitimately need to personally edit a reddit comment? Surely he has many better things to do.
I'm sure he could just connect directly to the database if he wanted to. At some point people have enough access to systems to bypass any security checks put in place.
This is the guy who created reddit, by default he can do anything physically possible. The only way he wouldn't have this functionality is if one of his employees specifically added something to block him from being able to do it, and this addition could not be reversed.
And there are many very legitimate reasons to have the capability to modify entries in a database, but honestly even if there weren't, making a system where it's impossible for anyone other than the originating user to modify an entry is a challenging task.
People have been arrested over reddit comments, and what he did showed that there are employees at reddit who can go in and edit your comments to say whatever they want, with no oversight.
It is rather fascinating isn't it. Not that long ago I remember reading FBI agent documentation describing to the judge how he got the information and publicly available comments were a big part of this. It throws a serious wrench into validity of such submissions by LEOs now.
Is this a joke? Why would anyone think that any post or comment on a place like Reddit is real or authentic? The entire thing is an anonymous black hole. It is as far from real and authentic as I can imagine anything being.
The clear harm is that Reddit posts have been used in court cases. People have and will go to jail based on that content.
The unclear harm is they use “we’re being professional business” as an excuse to do unpopular and unfriendly things and also “it’s just a prank bro” when stealth editing posts... no dude. Can’t have it both ways. No one should trust this company at all, and they’re proving why.
Yes. You're the one who chose to use their platform to broadcast your words, if you don't believe they will do so with fidelity use a different platform. You're not paying or otherwise offering them anything in exchange for a guarantee of fidelity, nor are you under any obligation to use their service.
So by your logic, it would be okay for a twitter employee to modify a tweet from of the president's account to declare war (or to any number of things that would have very real repercussions in the real world)
I take no issue with the modification. Trying to start a war is wrong, but that's true regardless of method. Giving someone food isn't a problem, giving someone food you know they are deathly allergic to on the other hand is. They would certainly be responsible for any damages they caused through malice or negligence, but they have the right to face those consequences.
I get where you're coming from, but to the users of the_donald, it wasn't a meme subreddit. They thought they were the main reason he got elected in 2016 and were looking forward to playing a similarly pivotal role in 2020.
It was so close they could have made an impact. The Clinton email address / wikileaks dumps were being mined as a collective in the forum. That probably brought to light some emails the press would have ignored.
> I get where you're coming from, but to the users of the_donald, it wasn't a meme subreddit. They thought they were the main reason he got elected in 2016 and were looking forward to playing a similarly pivotal role in 2020.
That sounds exactly like what a Donald Trump meme subreddit would say.
> I think what I'm trying to say is, whatever may be your feelings of Reddit and its stature, this particular act by spez was pretty insignifiant in the grand scheme of things.
In court there’s a concept called “falsus in uno, falsus in omnibus”[1]. If you’re shown to have lied to the court once, then anything else you’ve said can be considered to be a lie as well. You lose the assumption of good faith of the judge and jury.
It might not be a courtroom, but the same concept applies to a so called “bastion of free speech” platform like Reddit.
Sorry to be so cynic, but why do you assume good faith on the part of Reddit? It's a free product, you are not paying for it, they don't owe you a damn thing. If they don't care about their reputation, they can do whatever they want with your comments, including changing them or deleting them.
This is the problem of free stuff, you have no leverage and little to no value to the company as a single user, and if you are the kind of problematic user such as the ones in The Donal, you have negative value because you scare away the ads and ruin the companies reputation, so they actually have a very powerful incentive to push you away and make you leave the site.
if I recall correctly, he edited the comment outside the official moderation workflow. there was no indication that the edit was not made by the user themselves. imo, this is a pretty big deal. if it were done in a way that clearly showed the edit was spez's, it would be a harmless joke. instead it raised questions about how many admins are able to silently edit comments and how often it might happen.
I couldnt disagree more. If Zuck was found out to have been manually changing posts that criticize him would that be insignificant? Not enforcing some moderation policy but manually changing posts.
Like is that really the most important thing for any CEO to do? It's incredibly stupid and worse it kills user trust. I think Reddit should have banned TD early on but I still think this act was awful.
The CEO of a social media company going and personally making political edits to user messages to push their agenda sounds about as bad of a thing as I can imagine. I have a hard time imagining something more wrong for a social network to do. Imagine the CEO of YC editing posts and comments with no way to prove it, people would be rightfully furious. I guess promoting child pornography is worse, but that's also something Reddit and their admins did in the early days. People can say all they want about Facebook and Zuckerberg, but if he had done any of dozens of things Reddit has done and continues to do, he may have literally been crucified. Reddit gets away with way too much crap just because there is no alternative. Reddit is one of the most toxic social networks with the most corrupt leadership but it generally gets ignored because of their political leanings.
The problem isn't just that spez had an act of weakness - it's that reddits admin tools have built in features to modify comments. Meaning they're using that feature more than just this singular time.
Do we know for the a fact that those tools exist? I work on a website that has a database backend. It is trivially for me to go into the database and make any edits I want. How do we know that he doesn't have that kind of database access?
Just replace spez and reddit with Zuckerberg and Facebook and you'll immediately understand why it is bad. Just imagine Mark editing your posts. CEOs shouldn't be monkeying around without a transparent changelog with user content.
Why not? Is their company and you are not paying them a damn thing. Why the entitlement if you are not paying for the service that you are enjoying? That's not how the world works.
If you are not paying don't complain, just move to another site or pay for the service so you are under a different contract and relation and you are no longer the product and are the customer instead.
You are not the customer of Facebook, Reddit or Google, the ads buyers are, and the customer is always right. If they don't like your post, it makes all the sense in the world to change it, censor it or kick you out because you are making them lose money and they are not a non-profit existing to serve you. They exist to make money for their share-holders like any other corporation.
Thats a lot of mental gymnastics and whataboutism to give him a pass. At the end of the day he did what he did. And they lost trust through his actions which is the currency of their platform. As CEO, he made a stupid decision and then joked about it more than he apologized after. If they're doing that type of thing on the front-end, what do you think they're doing on the back-end?
I barely even use Reddit anymore because I simply dont trust it for an accumulation of reasons. Its ~50% astroturf for political and commercial reasons, you can somewhat easily game the votes, and I don't think they care because they make money.
It's been interesting to watch the community actually grow (it was thedonald.win, but there was a difference between moderators - aka the domain owner wanted to make money).
You left out some context: he did that in a (failed) attempt at lulz. It was a long thread where (IMHO) he was fielding tough questions pretty frankly and honestly, as one might hope he would, but he ruined it by editing someone's post to troll them. In context, it was obvious that he did it, he wasn't trying to be sneaky.
I'm not justifying it; obviously it was dumb, given that people are still using it to denigrate him years later. But the implication that this means he is more likely to have edited other peoples' posts surreptitiously is (again IMHO) not true.
I can't imagine Twitter/Facebook/etc. actually changing what a user wrote, in any context. This does reveal something about Reddit and I would be less surprised to learn they are editing other posts.
On the flip side, administrators can and do directly edit user posts on a lot of web forums I've used, some of which make it more obvious than others. I think the Facebook/Twitter position is the more unusual one, and it's tied up with those platforms' obsessions with real names and verified identities...
> this means he is more likely to have edited other peoples' posts surreptitiously is (again IMHO) not true.
In what way can you support this claim? We’re you provided any indication or proof that this is the first this has happened? Or is the first time they were caught?
IMHO means "in my humble opinion". The reason I hold that opinion is that when someone is using their power surreptitiously, they generally don't call attention to it.
More subjectively, none of us can know for certain, but this line of reasoning just isn't supported by an honest reading of the thread in question. The Reddit leadership was in between a rock ("this sub is full of white supremacists and if you don't ban them you're racist!") and a hard place ("we're being persecuted for being conservative and white and if you ban us you're racist!"). Spez isn't perfect, but he seemed to be at least trying to engage honestly and field questions about what he had done and why. After many hours of arguing with people (and, it goes without saying, taking a fair amount of insults and abuse) he did this thing where he edited some posts in a way that seemed pretty clearly to be an attempt to blow off steam.
Now, was that wise? Clearly not, and I'm not defending it. But neither is it defensible to selectively pluck the fact that he edited some posts out of its context and use it to push the idea that Reddit leadership is in the habit of editing peoples' posts surreptitiously to push a viewpoint. AFAIK that's never happened, and I feel like Reddit is under enough of a microscope that we'd know if it had.
It was a single time, and in a way that was an obvious joke (literally just regex to switch his name with mods' names). It's not exactly heinous, what he did.
He's been remarkably open every time he's changed user content (once with a post in 200...7? I think, and the single time he edited comments).
I don't like reddit, and I don't like spez for other reasons (downgraded from Lisp to Python), but what he did was literally just a harmless joke. All reddit posts and comments are publicly archived by services like pushshift; we'd know if they had a habit of doing this.
> remarkably open every time he's changed user content
Are you sarcastic? This is logically a very useless statement due to the nature of trust. Once trust was broken it’s hard to obtain because does clearly lied about other things, why should he be trusted now that he’s been caught.
“I’ve been remarkably open about all the extra marital affairs where I’ve been caught, please trust there are no others.”
“I’ve been remarkably open about all the robberies where I was convicted, please trust that there are no others.”
Etc etc.
I would feel foolish even presenting any unsound logic and can’t even think of a situation where it would be relevant to trust. Officiated lie detector? Sodium pentathol administered by an adversarial government? Testimony under oath?
The trust was never broken. He neither denied nor tried to hide that he changed the post. No one caught him, he did it in broad daylight.
If you have extra marital sex right in front of your spouse, that is no indication that you are hiding secret affairs.
If you walk into a police station and tell them you robbed the bank across the street, there is no reason to believe you have secretly robbed many others.
https://www.huffpost.com/entry/reddit-ceo-edits-user-comment...