We would like to share our thoughts that came out of the series of brainstorming sessions we have had the last days.
Possible solutions we have considered and our opinion about them.
1. Invite only - where new accounts can be created only when invited by other users.
We have quite a strong position on that one. We started Disroot with the intention of being accessible to a wide audience. Invite only solution creates a barrier where only certain circles of people are allowed in. We want to be as open as possible for anyone seeking better solutions for their digital realm. By allowing invite only account we would've exclude a big portion of our current disrooters, supporters and contributors.
2. Paid accounts.
Money is the solution to everything... It's seems like the perfect tool to get all the abusers, scammers and spammers out of the platform. Paid accounts seems to solve the financial situation too. However, money also means another set of complications. First of, it closes the doors to those that can't afford to pay. It changes the whole nature of the project and creates a different relationship between disrooters (users) and admins, where certain expectations are held. It also asks for a whole set of new administrative tools and financial obligations which we would rather avoid. Such change to the project's nature is too drastic so that we feel it would be more honest to start a new separate platform based on paid accounts rather then change Disroot into such.
3. Approval based user creation.
This is the solution we are leaning towards. Originally we thought it to be too labor intensive, but after giving it some further thought we start to think approving account after a short delay will prevent most obvious abuse from happening. And with the help of some good automation backstage, we hope the extra work will be minimal.
The idea would be to ask new signups for a confirmation email address. After confirming the request (which will prevent automatic bot account creation and thus render re-captcha obsolete) we, the admins, will still have to approve the account based on a specific criteria we will develop, this will take up to 24 or 48 hours (to be decided). The waiting time will prevent spammers that need immediate access, our approval criteria will prevent other obvious abuse cases. Users could afterwards remove the verification email address or keep it as another possibility to reset password. We would like to try this method and see what the results are. How much abuse we can prevent, how much work will it impose on us and what other consequences it will bring.