Ask HN: How to nab and block a creepy user?
We have recently created a marketplace app. Which allows users to message other users. We have found one user making lewd comments to other users.
After first report we blocked that user.
That user created another account & started doing same thing. How do we block such users? This is a mobile app built with Flutter. We have our own DB + Firebase for messaging.
57 comments
[ 1.9 ms ] story [ 122 ms ] threadThe right answer for us has been to make the website utterly annoying for him, slowing down pages, disconnecting him randomly, removing the styling randomly, throwing a 500 page randomly, his experience was truly miserable.
It was somethink like a shadow-ban but where you would give random timeouts/slow loads to the user
You don't need to be perfect with blocking these folks, but you need to be better than your competitors so that the cost/benefit balance shifts to encourage the user to go elsewhere. Unfortunately trolls don't disappear, they just go somewhere else.
Similar to the saying about the hungry lion. If a hungry lion approaches your group while hiking, you don't need to be faster than the lion, you just have to be faster than at least 1 of the other people in your group.
Let them handle account creation and detect misuse.
1) use device identifer / advertising identifier to identify the user and block them. problem: user can reinstall app and these identifiers are recreated
2) store a random identifier on the disk or in nsuserdefaults or some other app storage. problem: user can reinstall app and these locations are wiped
3) store a random identifier in icloud keychain. my understanding is this doesn't have the same problem as above but its possible for user to wipe this.
4) use apple device check API. https://developer.apple.com/documentation/devicecheck this allows you to associate 2 bits of information with a users device. you can use 1 bit to control whether the device should be banned.
5) use a third party device fingerprinting solution or roll your own device fingerprinting. my understanding is there is enough entropy on the phone to uniquely identify it. for example you can find out what time the original OS was installed in the Foxconn factory. i think apple should ban all apps that do this but a lot of apps do this. :(
Can you provide a reference for “find out what time the original OS was installed in the Foxconn factory”?
You can also determine when the last update was installed by stat'ing files in the filesystem. But this is less useful for fingerprinting a device because it is prone to change.
This is somewhat obvious, but take care in designing social interactions on your app, and introduce easy reporting systems and user-controlled blocking systems (e.g., even if you don't respond to a user's report in a timely manner, a user should still be able to block communications from another user using a button in the app). You may want to allow users to choose to only allow messages from users who have been on the site for a certain amount of time, or have some kind of additional level of verification. Also consider introducing active, paid moderators who actively respond to reports as they come in, if your budget allows.
Allowing users access to open text fields on the internet is inherently dangerous. I have tried to avoid it in all of my apps (for example, I've made games that use randomly-generated user names rather than allow users to input their own, and I only added user comments to an app I was building _after_ I'd built a user reporting system and ensured I got an immediate alert on my phone if a user sent a report). It is your responsibility to try to design your app, and moderate your community, to mitigate these risks.
Adding to this - when you do act, your ban should be that all users are effectively blocking this user, ie a shadow ban.
That way the bad user, to themselves, still seems to be interacting with the site, just nobody else seems to care.
We do the same for moderating user photos (they get posted into slack with a "remove" button) as well as for other moderation features. I highly recommend this approach for when the volume of reports is manageable.
That’s not really a barrier for anyone who cares to give a moments thought to how they can get around that limitation.
* Under GDPR, user can request for it's account deletion where we have to delete all the user's reference. If a user signup again there would be no way whether it is the same malicious user, how to overcome this?
Let them think they sent messages and comments to other users, but don't actually deliver them.
If you really want to put some work in, generate some automatic replies you show them, so they think they are getting brief, boring replies.
One the one hand, this approach seems very effective, but I can't help but feel pity for this person and even some sense of cruelty if I were to implement such a feature myself (although I probably would).
Of course, I'm also the person in real life who will eventually 'engage' with that "one person" in a group who everyone has been tuning out for a while. I don't get the impression doing so matters to said person, because clearly they're oblivious, but at least it makes me feel better or less guilty.
Took idea from this talk https://www.youtube.com/watch?v=0kBhvM9OIaI
On your app, you want them off if they are a jerk. The ISP doesn't care about that level misbehavior.
I think this is way more easier than handling those who abuse the actual service you're selling.