Can we address the potential for misuse of our code?

[Oshyan]

This is an issue I have brought up before, but a Reddit comment on a topic about another OS dating app (DatingLibre) raised the concern again, and clearly others are thinking about it. I'll quote:

I can't see a benefit to an open source dating site. A network penetration tool can be used for Evil to attack a network or Good and help secure one. Free dating software is just going to lower the cost of setting up a scam site. Open sourcing it just makes reskinning and bot making easier to do.

I think this is absolutely an important concern, and I don't think "freedom is more important than doing good" is acceptable, at least not for me. The entire reason I am part of this project is I want to at least make some headway in fixing what's broken in the modern, tech-driven dating world. But if we empower scammers to do greater harm, that's a significant problem in my view.

So it feels important to consider whether there are any actual development-level decisions, changes, etc. we can make to make it significantly harder for someone to setup a "honeypot" or general scam dating site with our tech.

One thought I have is simply not allowing bulk account creation. They could still be created by directly writing to the DB of course, but you could then require some kind of unique hash be recorded in the DB upon account creation through the platform, which can't easily be replicated outside of that system. Of course they have access to the code and can remove that, but perhaps it's possible to make it annoying enough to do so that it's not worth it to scammers? 🤔 More or less just thinking out loud here, and as a non-coder. Anyone else have some better ideas?

[ethanblake4]

Bulk account creation should definitely not be possible. I mean that ability is already significantly hampered just by requiring a phone number, but IP rate limiting / device & network fingerprinting etc are all ways to severely restrict this. Unfortunately keeping shadow profiles is against the GDPR though, which does substantially complicate things. In addition we'd have to be careful not to mass-ban legitimate users using a VPN.

[Oshyan]

I think you misunderstand what I meant by "bulk account creation". I was talking about admins/server hosts, the people who e.g. would take our platform, install it on their own hosting, and then create a bunch of fake profiles to fish credentials/personal info from people for scamming purposes. I.e. their entire "instance" of the dating app would be a big honeypot. Those people can theoretically create fake profiles just fine because they have direct access to write to the database whatever values they want. The only mitigation I came up with above was a unique hash value that can only be created through the UI, and would be checked at profile load time or something, though of course this could be bypassed somehow too.

[ethanblake4]

Ah. I'd have to think about whether this is really possible to prevent (thinking some sort of private/public key pair or postgres constraint) but honestly doubt it's a good idea anyway, it would just make things harder for us as well and would be fairly easy to remove. If someone else wants to take our code and make a scammy app, that's not really our problem unless they use our branding imo.

[Oshyan]

Yeah, I'm not sure it's technically possible either, but I think worth contemplating. And while you might not be concerned if someone sets up a scam site using our tech, without our brand, as I mention below, for me branding is not the biggest concern at all. Think about the massive rise in scamming and ransomware attacks that occurred in the last ~10 years as that tech got commodified. I do not want to see our work turn into something similar.

[WilliamDormer]

Since people will have to download the application through the appstore/playstore which has a record of how popular the download is, verified publishers, and such, it would be pretty hard for another company to "pretend" to be us. They could start a competing service, but it will be hard to scam people into thinking it is our platform.

[Oshyan]

I'm not worried about anyone pretending to be us, just using the finished code, app, etc. to make it easier to setup scam apps/sites. It's not our branding that I think would be the real draw to a scammer, it's the turnkey tech resources. I do not want to inadvertently facilitate that if we can avoid it.