We /r/DNMSuperlist mods are discussing new market listing criteria which all new markets will have to fulfill to get on the superlist. If, when and how these will also be applied retroactively to currently listed markets [i.e. pushing existing markets to adopt the requirements too] has not been discussed yet though.
One point is the auto PGP encryption that some markets provide. It is no secret that I am against it, but others raised concerns such as that it would make new markets less attractive for users [due to the seemingly convenient auto-encryption feature which would be missing]. So we want to weigh up the pros and cons to determine whether it should be set as a requirement or not.
In the following are the possible cases which I wrote up for the mod discussion; they describe what can happen when running a DNM and how it would play out with and without PGP auto-encryption [short: ae].
So please read through the post and comment whether you think "no ae" should be listed as a requirement or not. Note: the following assumes that ae was flawlessly implemented.
Case A: everything works
The market does not get hacked or seized, and everything works. As we all know, this does not continue forever and most markets end with drama [hack, exit scam or seizure], so it is rather a period of time until one of the cases below happens.
If users use ae, they are either safe or can be fucked royally by the market admins if they secretly copy the plain text before encrypting it. It may seem counter-intuitive, but we have seen many vendors collecting addresses too. So all ae users are at the mercy of the market admins.
Case B: market gets hacked and databases compromised
It has happened several times in the past and will happen in the future. If the users had used ae, the messages would be encrypted. If they did not, they would obviously be in plain text, which is why we have to push users to follow the easy PGP tutorials and preach to always encrypt sensitive information.
However, the markets could [and should] encrypt all non-PGP messages anyway. This can be done, for example, with a hard-coded key and simple symmetric encryption [which is not performance costly] in the market source code. Then an attacker would need to compromise the whole site, which is much harder, to get the content of the messages.
So this means a database leak should never leak unencrypted private messages in the first place, whether or not ae was implemented. Maybe we can also discuss whether such an encryption [symmetric, done by the market with the hard-coded key] should be put on the market-criteria list.
Case C: market gets hacked, whole site compromised
This means the hacker can also modify the page code. It does not happen as often, but hugbunter has demonstrated that it occasionally happens. In such a case the ae could backfire dramatically, since the hacker can simply grab the plain text before the encryption and go on a big blackmail rampage or send the data to law enforcement.
Case D: market seizure with shutting down
Law enforcement takes over the market and shuts it down. They would probably get all the messages that were not deleted already [the market has to delete all messages older than 2 months according to the must-have list]. If ae worked and the market admins did not secretly circumvent it, the data encrypted with ae is not recoverable.
Case E: market seizure with taking over
Law enforcement seizes the market, takes it over and continues to run it. They did it for other sites in the past and I think it is only a matter of time until they also apply these techniques to DNMs. One of the first things they would do is to de-anonymize users. Focusing on ae, that would mean they would get themselves a plain text copy of the data that gets sent to the ae function, which would mean a massive address collection if many people relied on the ae.
So while the cases where the ae would dramatically backfire are not that common [market takeover, full market hack, market staff storing addresses themselves], they would hit the DNM community even harder due to us allowing ae to spread. Why would users, especially new ones, take the time to learn PGP if they can just check a box?
So if we allowed ae, that would mean a dramatic increase in users using ae. Sooner or later one of the situations where the ae users get fucked hard will take place, and it will be a huge shit-storm because they all expected their data to be encrypted. This is also not even addressing that the whole topic of abusing PGP to not be end-to-end encrypted could spread out to other services [e.g. email providers] and then have an even bigger impact when the ae fails.
Without ae, users would always know whether their data is actually secure or not [talking about markets, not vendors here]. Most of the users would encrypt sensitive data when we show them how easy it is and when vendors refuse orders that are not encrypted [which is not that uncommon].
So instead of having many users living in a pseudo-secure mindset, we would have the majority of users doing PGP encryption right, so that they can sit back even if a market gets taken over or the other worst cases happen.
The alternative would be living perfectly fine until a nuke fucks us all up. So looking at the pros and cons, I would rather see us push for correctly done PGP encryption instead of a temporary workaround that is only waiting to become a disaster.
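The trust-boundary argument running through Cases A to E above (server-side "auto-encryption" necessarily holds the plaintext, client-side PGP does not, and a hard-coded at-rest key only protects against a bare database dump) can be shown concretely. The following Python simulation is an added example; it is not code from the original post or from any market. It assumes a toy SHA-256 counter-mode stream cipher as a stand-in for both the vendor's PGP key and the site's at-rest key, a hypothetical `MarketServer` class modelling the message path, and constructed keys and messages, so it runs offline with the standard library only. The "whole_site" foothold stands for Case C, Case E and the rogue admin of Case A alike, since all three have what the server-side code had in hand.

```python
"""Trust-boundary simulation for the auto-encryption (ae) debate.

Added example, not code from the original post or any market.
The cipher below is a stand-in for PGP and for the market's symmetric
at-rest layer; every key, message and attacker foothold is constructed.
"""
import hashlib
import os


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream.
    Encrypt and decrypt are the same operation. Stand-in only."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream.extend(hashlib.sha256(key + counter.to_bytes(8, "big")).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


# Each key is held by exactly one party (constructed values).
VENDOR_KEY = os.urandom(32)   # only the vendor decrypts with this (the "PGP" key)
SITE_KEY = os.urandom(32)     # hard-coded in the market source (Case B idea)


class MarketServer:
    """Hypothetical server side of the message path (assumption, not any real
    market's code). It keeps two views an attacker could obtain:
    `database`  - what a DB dump (Case B) contains;
    `seen_by_server_code` - what a modified page / seized server / rogue admin
    (Cases C, E, A) could read, i.e. whatever the form handed to the server."""

    def __init__(self) -> None:
        self.database: list[bytes] = []
        self.seen_by_server_code: list[bytes] = []

    def receive(self, submitted: bytes, auto_encrypt: bool) -> None:
        # Whatever the browser submits is visible to the server process.
        self.seen_by_server_code.append(submitted)
        if auto_encrypt:
            # ae: the server encrypts to the vendor on the user's behalf.
            # It necessarily held the plaintext first.
            submitted = keystream_xor(VENDOR_KEY, submitted)
        # Case B at-rest layer: every stored row is wrapped with the site key,
        # so a bare DB dump never contains raw messages.
        self.database.append(keystream_xor(SITE_KEY, submitted))


def _submit(mode: str, message: bytes) -> MarketServer:
    """mode: 'client_pgp' (user encrypts locally), 'ae', or 'none'."""
    server = MarketServer()
    if mode == "client_pgp":
        message = keystream_xor(VENDOR_KEY, message)  # done on the user's machine
    server.receive(message, auto_encrypt=(mode == "ae"))
    return server


def plaintext_exposed(mode: str, compromise: str, message: bytes) -> bool:
    """True if an attacker with the given foothold can recover `message`.
    compromise: 'database' (DB dump only, no keys) or 'whole_site'
    (site code + DB + site key; still no vendor key)."""
    server = _submit(mode, message)
    if compromise == "database":
        candidates = server.database
    elif compromise == "whole_site":
        candidates = server.seen_by_server_code + [
            keystream_xor(SITE_KEY, row) for row in server.database
        ]
    else:
        raise ValueError(f"unknown compromise model: {compromise}")
    return message in candidates


def vendor_reads(mode: str, message: bytes) -> bytes:
    """The legitimate path: the market unwraps its at-rest layer, then the
    vendor removes the PGP layer (if any) with the key only they hold."""
    server = _submit(mode, message)
    delivered = keystream_xor(SITE_KEY, server.database[0])
    return keystream_xor(VENDOR_KEY, delivered) if mode != "none" else delivered


def exposure_table(message: bytes) -> dict[tuple[str, str], bool]:
    """Every mode/foothold combination, for printing or checking."""
    return {
        (mode, comp): plaintext_exposed(mode, comp, message)
        for mode in ("client_pgp", "ae", "none")
        for comp in ("database", "whole_site")
    }


if __name__ == "__main__":
    sample = b"constructed sample message: shipping details go here"
    for (mode, comp), exposed in exposure_table(sample).items():
        print(f"{mode:>10} / {comp:<10} -> plaintext exposed: {exposed}")
    print("vendor still reads ae message:", vendor_reads("ae", sample) == sample)
```

The table the script prints is the post's argument in one screen: only `client_pgp` stays unexposed under `whole_site`, `ae` behaves exactly like `none` once the server itself is compromised, and the at-rest site key is what keeps a bare `database` dump from leaking either of the last two.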
This is a good summary and a topic worth discussing.
I think it's also worth being explicit about the assumptions you are making. Namely, that the Reddit-based superlist is important enough in the DNM ecosystem to bend behavior of the markets toward your/our preferences. Does that seem accurate?
I'm not worried about a slippery slope toward DNM mods being the nanny state. But you may hear that argument.