Thank you for this information, this allowed me to resolve the issue.
Now, separately, and in a more formal/precise tone.
I want to inform you that there is an unintended leak of EA forum or LessWrong private user information that is substantial.
To calibrate on severity: this is something you want to change soon. It is not extremely sensitive (less sensitive than private messages), but in my opinion it is about at least as sensitive as leaking email addresses.
I propose the following:
Please agree that the EA forum team and the LessWrong team will not remove, restrict, or allow to deteriorate forum access and/or API functionality as a consequence of my disclosure of this leak.
Specifically, I am worried that the team might turn off access or functionality of the EA forum or the LW forum to reduce the likelihood of future leaks by reducing the amount of code that needs to be maintained (it’s not that the access/functionality is a security concern by itself, but it’s easier not to have leaks if you don’t have websites/API endpoints).
Note that my disclosure is in good faith, I do not directly benefit from the disclosure. I believe my “use” of the leak or knowledge of its existence would be undetectable without me notifying you.
If you agree on the point above, please provide an email where I can send information about the leak.
Note that I may email Habryka and other people in addition to the email you provide.
Note that the leak should not be difficult to correct.
I have no intention of suddenly deciding to turn off our openly explorable API, or restricting access. We’re an open source codebase, and I highly value the ability of our users to develop experiments.
You can email us at forum@centreforeffectivealtruism.org. If the above is not enough of a guarantee, please email and we can talk offline.
TLDR; Unfortunately, I think I am asking for a somewhat clearer statement from a senior source that CEA won’t take such action. To be clear, this might be a clear, good faith statement from someone like Max Dalton or Habryka, that they will do best efforts not to restrict or adjust the open vision of API use, as a result of this leak. Because the EA forum technical development is closely intertwined with LW, this statement should include consent of the LW team, such as Habryka.
I believe the leak is substantial (it’s not an emergency but there is some chance it’s embarrassing).
Because of the moderate severity of the leak, I think something like the following scenario could occur:
Two weeks after being notified of the leak, JP, Ben West, Max Dalton and the CEA board have a routine, private meeting about CEA’s online programs, like most organizations do.
In this routine meeting, one of the conclusions was the suspension of further development of EA forum features in favor of another technical project. The leak had a large influence on this decision.
Three months after the private meeting, a message was posted: “We’re restricting use of [specific forum/API] because of limited developer attention. Unfortunately, we decided to turn it off because of the maintenance demands.”
While no connection with the leak is stated, and other factors, including actually limited developer time, played a role, the truth was that leaks/headaches were the causal reason the feature stopped being developed.
Note that the above does not require bad faith on the part of CEA. I actually don’t think anyone wants the above to happen. The above scenario is just the logical, rational way of doing things if you’re heading an entity that has a lot of projects and limited developer time.
Like, this is a confession, this is what I would do.
Another way of seeing this is that the forces are just the normal forces of being a public entity.
By this request, I’m trying to proportionately “tie” your hands (to the degree that a public good faith statement would) so that these forces can’t act to deteriorate access.
I appreciate that ask.
I am the person who makes this call, not CEA’s board, Max Dalton, or Ben West.
Let’s discuss this via email.
Update:
I was wrong: this entire thread about a “leak” (my last two comments) was wrong/noise.
What happened:
I thought I was obtaining private information through an API endpoint. Upon more examination, the information was not private, the data had no additional information, and I misinterpreted the meaning of the information.