matrix-doc/proposals/3823-code-for-account-suspe...

4.6 KiB

MSC3823: Account Suspension

Unlike account locking, suspension allows the user to have a (largely) readonly view of their account. Homeserver administrators and moderators may use this functionality to temporarily deactivate an account, or place conditions on the account's experience. Critically, like locking, account suspension is reversible, unlike the deactivation mechanism currently available in Matrix - a destructive, irreversible, action.

This proposal introduces a concept of suspension to complement locking for server admins to use. Locking is typically more used in narrow scenarios, where the server admin wants to prevent the account from engaging any further. An example of this may be too many failed password attempts. Suspension is more general purpose to create a barrier to further action - a "something weird is going on -> suspend" kind of button.

The error code introduced by this proposal is accompanied by guidelines on how servers can implement suspension. APIs to invoke or clear suspension are not introduced, and left as an implementation detail. These will typically be done through an administrator-only API.

Proposal

When an account is suspended, any Client-Server API endpoint MAY return a 403 HTTP status code with errcode of M_USER_SUSPENDED. This indicates to the user that the associated action is unavailable.

Clients should note that for more general endpoints, like /send/:eventType, suspension MAY only be applied to a subset of request parameters. For example, a user may be allowed to redact events but not send messages.

The specific list of permitted actions during suspension is left as a deliberate implementation detail, however a server SHOULD permit the user to:

  • Log in/create additional sessions (which should also behave as suspended).
  • See and receive messages, particularly via /sync and /messages.
  • Verify their other devices and write associated cross-signing data.
  • Populate their key backup.
  • Leave rooms & reject invites.
  • Redacting their own events.
  • Log out/delete any device of theirs, including the current session.
  • Deactivate their account, potentially with a deliberate time delay to discourage making a new account right away.
  • Change or add admin contacts, but not remove. Servers are recommended to only permit this if they keep a changelog on contact information to prevent misuse.

The recommendation for users to continue receiving/reading messages is largely so the administrator can maintain contact with the user, where applicable. Future MSCs may improve upon the admin<>user communication, and account locking may also be used to prevent access to messages.

The suggested set of explicitly forbidden actions is:

  • Joining or knocking on rooms, including accepting invites.
  • Sending messages.
  • Sending invites.
  • Changing profile data (display name and avatar).
  • Redacting other users' events (when a moderator/admin of a room, for example).

Potential issues

This proposal does not communicate why a user's account is restricted. The human-readable error field may contain some information, though anything comprehensive may not be surfaced to the user. A future MSC is expected to build a system for both informing the user of the action taken against their account and allow the user to appeal that action.

Alternatives

No significant alternatives are plausible. M_USER_DEACTIVATED could be expanded with a permanent flag, though ideally each error code should provide meaning on its own.

The related concept of locking, as discussed in places like MSC3939 and matrix-org/glossary, is semantically different from suspension. Suspension has the key difference that the user is not logged out of their client, typically used by safety teams, while locking does log the user out and would primarily be used by security teams. A future MSC may combine or split the two related error codes into a descriptive set of capabilities the user can perform.

Unstable prefixes

Until this proposal is considered stable, implementations must use ORG.MATRIX.MSC3823.USER_SUSPENDED instead of M_USER_SUSPENDED.