Do not allow group members to be mass-exiled

I just saw another case of someone’s group being severely damaged because a rogue moderator used a script to exile thousands of members in a matter of seconds:

It’s very scary to think that anyone in your group with exile privileges could do such a massive amount of damage in such a short amount of time. It doesn’t even have to be the moderators themselves - if any one of your moderators happens to get their account compromised, your entire group will be in serious danger. It seems that Roblox Support cannot reverse exiles, either.

Proposal: Do not allow more than 200 people to be exiled from a group per day. Also, if someone starts exiling an unusually high number of people, send an alert message to the group owner so they can quickly deal with the situation.
This should be a group-wide limit as opposed to a per-user limit, since a high-ranked person could promote their alt accounts to a rank with exile privileges and get them each to exile members. The group owner should not be able to override the limit, in case their own account has been compromised.

Even on a day rife with rulebreakers, I don’t think you’d ever have any legitimate reason for exiling hundreds of people within a 24-hour timespan. I’ve never had to exile that many people in my group of 2 million+ members. (If you are suddenly getting hundreds of rulebreakers attacking your group, you’re better off just disabling the group wall for the starting rank… if it’s bots inflating your member count, you should contact Roblox Support to deal with that situation.)

Even if it’s too late for this to be added to the current group system, there absolutely needs to be mass-exile protection whenever the new groups system is created.

46 Likes

A static threshold might not be great depending on the group size. For instance, 200 members could be an entire group if it’s small enough, and a large group may exile well over 200 bots a day. I don’t think % would work well either, because a group that’s accumulated 500,000 members over the years may only have 10,000 or so active users, which is only 2% versus 2% in a 200-member group being 4 accounts.

Preventative measures are great, but I don’t think we’ll ever be able to stop all incidents of this, so we need to be capable of reactive responses. For instance, any user that is exiled is put in an internal “pending exile” rank for a day. Users in this state can leave the group if they need space, but otherwise they are in limbo. During this time, anyone with exile permissions can undo the action and add them back to the group with their previous role. All incidents of admin abuse I’ve seen are caught fairly quickly, so this should be enough to undo it whenever it happens.

33 Likes
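A sketch of the two mechanisms proposed in the posts above, the group-wide daily exile cap with an owner alert and the one-day "pending exile" holding period with undo, as an added example that is not part of the thread and not Roblox code. The class and method names and the alert threshold of 50 are assumptions; the scenario data is constructed.

```python
from dataclasses import dataclass, field

DAY = 24 * 60 * 60   # holding period and rate-limit window, in seconds
DAILY_CAP = 200      # group-wide cap suggested in the first post
ALERT_AT = 50        # assumed alert threshold; the thread names no number

@dataclass
class Group:
    members: dict = field(default_factory=dict)      # user -> role
    pending: dict = field(default_factory=dict)      # user -> (role, time, actor)
    exile_times: list = field(default_factory=list)  # one timestamp per exile
    alerts: list = field(default_factory=list)       # messages for the owner

    def exile(self, actor, user, now):
        if user not in self.members:
            return "not_member"
        recent = sum(1 for t in self.exile_times if now - t < DAY)
        if recent >= DAILY_CAP:          # counted per group, so alts and even
            return "cap_reached"         # the owner's account cannot exceed it
        self.pending[user] = (self.members.pop(user), now, actor)
        self.exile_times.append(now)
        if recent + 1 == ALERT_AT:
            self.alerts.append(f"{ALERT_AT} exiles in 24h, latest by {actor}")
        return "pending"

    def undo_by_actor(self, actor, now):
        """Restore every still-pending exile made by one account."""
        hits = [u for u, (_, t, a) in self.pending.items()
                if a == actor and now - t < DAY]
        for user in hits:
            self.members[user] = self.pending.pop(user)[0]  # previous role back
        return len(hits)

    def finalize(self, now):
        """Make exiles permanent once the holding period has passed."""
        done = [u for u, (_, t, _) in self.pending.items() if now - t >= DAY]
        for user in done:
            del self.pending[user]
        return len(done)

def simulate():
    # Constructed scenario: 1000 members, a rogue moderator and an alt account
    # taking turns to attempt 300 exiles within five minutes.
    g = Group(members={f"user{i}": "Member" for i in range(1000)})
    results = [g.exile("rogue_mod" if i % 2 else "alt", f"user{i}", now=i)
               for i in range(300)]
    restored = g.undo_by_actor("rogue_mod", 3600) + g.undo_by_actor("alt", 3600)
    return (results.count("pending"), results.count("cap_reached"),
            len(g.alerts), restored, len(g.members))
```

Because the counter is kept per group and not per account, splitting the exiles across the alt does not raise the ceiling, and everything still inside the holding period can be rolled back by actor name from the audit trail.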

This seems pretty solid, I like it. :+1:

3 Likes

Frankly the only way to stop this is by not giving exile permission to anyone but yourself. If an exile is needed, have an exile rank with no permissions which you check every day or so.

6 Likes

Or if your community is very valuable, figure out how to set up a legally binding contract so you can sue them into the stone age if they try to delete your entire fanbase.

Be very VERY selective over who you let access tools that can mess with your income. Imho we still need more permission ranks for things like server shutdowns, and per-place edit settings.

2 Likes

What if the moderator’s account was compromised? That would be pretty awkward.

Compromised accounts can cause significant damage regardless of the platform. Which brings me to another point, 2FA should be a requirement for certain place permissions. It would also be useful to devs to see if their team has 2FA enabled.

1 Like

yeah I had a guy kick like 5000 people from a group I used to own back in like 2011 because we had a fight on how the group should be run or something

safe to say the only people I use as moderators now are people I actually know and have met in person

3 Likes

this is why no one in Trade. has exile permissions

it’s not that I don’t trust the people, but at any moment in time someone could possibly gain control of their accounts/something funky. (This has saved the group from being mass exiled in the past, since said group admin couldn’t exile, they resorted to demoting every user to the default rank using a bot)

if there were better measures in place for groups, I’d feel comfortable giving extra permissions to people that would actually benefit the group with them.

I feel like a great solution to this problem would either be forcing exiles to be approved by the group owner or allowing a one-day window before getting removed where the exiled user basically gets treated like a guest permissions-wise but still remains in the group with their rank. This way the group owner can still redact the exile before any real damage can be done and can still see which user mass exiled via the audit log, etc.

Yeah that’s a more professional idea but I won’t recommend it since I’m not legal counsel, plus I doubt I’d find any high ranks who would sign any contract, lol.

Yeah, I don’t think contracts are user-friendly. AbstractAlex is probably suggesting it from the perspective of a game dev group which makes more sense, but not all groups develop games, are meant to be professional, etc.

1 Like

A better alternative might be that only the group owner can exile users.

this is already an option, but if you are running a larger group, it can become overwhelming moderating it yourself

1 Like

Personally, I think the number of people that can be exiled per day should be based on the average of joins per day. Perhaps one point two times the average number of joins per day? I don’t know. Or maybe based on how many joined that particular day?

Personally, it would be my opinion to agree with some of those who have already argued against any static value. For purposes of memorialization and simply administrative direction, it might be best to simply limit the power a certain rank has.

Sometimes we actually do need to exile that many, and by instituting a maximum value per day universally I think we exclude those players that require the feature like they do.

Limiting it to the number of joins a day would prevent exiling in small groups who don’t get a join every day, and still allow users in large groups to exile the majority of active members just because of the volume of new members. No sort of limit is going to work – what if you’re proud of a particular inactive member and someone exiles just that one member?

This isn’t a problem we can solve by making guesses at what is malicious or not. The correct solution is to let the owner decide what is malicious and empower them with the tools necessary to correct any malicious exiles e.g. a temporary holding period for all exiles.

1 Like

Good point. Maybe add a few exiles to a group per day if the join-per-day mean is small?

There’s no need to resort to hacky workarounds required by limits instead of just implementing the correct solution.

Read your previous message. It may be a better solution.