I've been thinking about this for a while, that there's kind of not a great solution, that I know of or can think of, for long-form internal political discussions within an organisation. There are of course existing platforms that are not private (like you could have a Facebook group for instance).

There's obviously a lot of encrypted chat apps out there but they're all more "texting" form and are not great for like forum-style discussion.

The best I can think of might be Matrix, but it's more of a chatroom style format and I've not tried using it for this forum-style of discussion which I'm not sure if it works smoothly for.

Tbh a mailing list would kind of be my ideal (I assume there's mailing list software out there that integrates with PGP so we can protect our emails) but so many people in organising spaces are pretty tech-resistant boomers (no offence to the older generation, I'm aware it's a generalisation that doesn't apply to everyone) and it'd be hard to get everyone to use PGP I think. Also email is just not very secure in the first place and would expose a lot of metadata, making it not suitable for organisations that are heavily criminalised or otherwise have a higher threat model. Not to mention that the mail server in question would be able to read the emails sent to the mailing list, as it has to decrypt emails sent to the mailing list in order to encrypt it with all recipients' personal PGP keys. And there's just so many points of failure in terms of all messages to the mailing list getting accessed if just one member gets compromised.

Maybe I'm missing an obvious solution, in which case please tell me of course. But this is just an issue that's crossed my mind over the years as I've watched organisations use insecure platforms for long-form discussion, and I cringe, but I don't think I know the ideal solution either.

  • someone [comrade/them, they/them]
    ·
    20 days ago

    In the early days of the pandemic when I was at home alone and super bored, I put together a working forum system that was pretty much aimed at this problem. It had the added bonus of not using any javascript so that it would work perfectly on a default Tor browser. I used sqlite3 for ease of installation. It was mostly a self-teaching project for me to get better in Go. But it did work. I can't link to it as it has my real name plastered all over. But I've been thinking of rewriting it now that I'm a much better programmer. And this time I wouldn't have any personal details linked to it. I'd still write it in Go though. Go has great html templating that makes server-side rendering of forum-type pages dead simple. And the additions to Go's standard library over the past few years have reduced the 3rd-party dependencies considerably. I could probably pull off a rewrite with only mattn's sqlite3 module as the last remaining module pulled in.

    I included a few fun ideas that I haven't seen elsewhere, like an emergency account deletion page where you just enter a TOTP code to wipe your account and posting history instantly. Admins could also do an emergency site deletion with a TOTP code as well. The philosophy is that it's aimed at people who are more concerned with security than keeping long-term records.

    It also had a feature where the site sign-up could be limited to people with one-time codes. An admin page could generate a list of these codes, which the admin would give to a trusted friend. That trusted friend in turn gave out individual codes to people they trust who wanted to sign up. The idea was to make sure users and admins could credibly say they didn't know who the other was. A variation on clandestine cells.