After taking quite a long break from comment moderation on the WeLiveSecurity blog, I’ve recently started receiving comment notifications and have therefore been able to moderate some of the comments that I’ve seen, and I thought it was worth passing on some thoughts about the moderation process as I see it.

I should make it clear that this is to some extent a personal view: ESET’s corporate view and that of the other ESET bloggers may differ significantly, though I have invited comment from other people before publishing this blog.

We are agreed that ESET appreciates all the genuine comments on our posts, and personally I look upon it as part of a blogger’s job to read and respond (where appropriate) to such comments – at least as regards comments to his or her own blogs. However, comment management is a surprisingly demanding task, and there are many instances where I don’t feel I’m the most appropriate person to approve or respond to a comment. However, it seems that some of our readers are not getting such a prompt response as they would like.

As I’ve mentioned before, it's not necessarily an unpleasant task to review comments: for every abusive snottogram that gets submitted, there are many comments that are thoughtful and thought-provoking, or add useful information or corrections to the original post, and some of them are even complimentary. So I do read every one of the comments for which I receive notification, and try to moderate every comment to my own articles as soon as possible – please bear in mind that I don’t work full-time for ESET – and sometimes reply to interesting comments on other people’s articles.

Still, it is an additional job – in general, we’re researchers first and bloggers second – and we can't always find time to approve or respond to comments as quickly as we'd like, so I can understand that anyone who has posted something relevant and useful but has had to wait for days (or longer!) to see it approved might get a little frustrated. However:

  • We all have other roles and responsibilities (not to mention time spent away from the workplace!)
  • No-one is running 24/7 comment monitoring. It might be nice to be able to do that, but I’m not sure it’s practical. Anyway, it’s not my job to make those decisions.

To those people who post comments several times when their first comment doesn’t appear immediately: sorry, but all external comments are moderated. Unfortunately not all the comments that get past our spam filtering are responsible or useful, and some are downright malicious. And as already explained, we don’t have anyone monitoring comments day and night.

To those people who include their own suggestions as to useful products, web pages, and so on: thanks, but we’re a little paranoid about including such recommendations, as our readers are likely to think – understandably – that ESET is endorsing those products and services. And we won’t do that if we’re not reasonably confident of their value.

For the same reason, we won’t make suggestions as to the best products of a particular type unless we have some experience or research on which to base those recommendations. Or else we’ll make it clear that we don’t have enough knowledge of the specific product or service to make an unconditional recommendation.

We’re always interested in information relating to malware and cybercrime, of course. However, there are occasions when we won’t publish a comment relating to such information because it needs extensive research to verify, though I’ll normally acknowledge that I’ve seen the comment. Of course, I can’t guarantee when or whether our researchers will be able to investigate a particular issue: our resources aren’t unlimited.

A problem area I’ve been encountering in the past few weeks is this: comments that contain some possibly valuable observations interspersed with links back to external blogs and products – sometimes competing products, and sometimes with a clear advertising purpose. Personally, I don’t have a problem with linking back to valid research even where it’s carried out by direct competitors. After all, the core anti-malware industry is significantly reliant on cooperation between researchers that crosses vendor demarcation lines, and I regard it as regrettable that some security bloggers are reluctant to give due credit to competitors (whether it’s another blogger or the company he or she represents).

Sometimes, though, the intrinsic value of a comment is harder to verify without research into the company behind it, and if verification turns out to be difficult, I for one am unlikely to give the comment or company the benefit of the doubt. And comments that are complimentary but add no real content apart from a backlink to the poster’s site are indistinguishable from certain types of comment spam, and are unlikely to get published.

To those people who have problems with ESET products, we regret that we’re not resourced to do one-to-one product support. Of course, if there’s a straightforward answer we can give off the top of our heads, we will, but usually you’re better off going straight to the Support tab on the ESET web site (as we’ll often explain in response to the comment, but not necessarily immediately). I do forward messages about support problems where appropriate, but I can’t promise to do so promptly: the sort of target or guaranteed response times that are often specified in service level agreements can’t be applied here. If you’ve had a problem with an ESET product or support that you haven’t been able to get resolved by other means, I will forward your concerns to an appropriate quarter, but I’m unlikely to approve it as a blog comment unless it’s really relevant to the article. After all, it’s not unknown for people to use fabricated problems with one product as a means of trying to publicize a competitor’s product.

To those people who have problems with non-ESET products and services, even services like Facebook that we often discuss here from a security point of view, this isn’t necessarily the best place to ask for help with problems that we aren’t equipped to address, such as regaining control of your account.

To those people who correct our errors and misconceptions, thank you. We try hard to maintain professional standards, but everyone makes mistakes sometimes. We’re not always going to agree that what you see as a misconception is really wrong, but it’s useful and sometimes educational to see an issue from someone else’s point of view. To those who offer those corrections politely and don’t think that anyone whose first language isn’t English or who doesn’t write in American English must be an idiot, an even bigger thank you. Flames and deliberate rudeness are more likely to be approved if they have some redeeming factors, like wit and accuracy...

To those people who make kind comments about the product and services, thank you, but I tend not to publish those unless the commenter also makes a valid point about the article on which he’s commenting. If you care to Like an article on Facebook or other social media services, or even make complimentary remarks on one of ESET’s Facebook pages, I’m sure that will be appreciated.

So, to the guy who thought that one of our articles was intended to push product rather than to give useful information, I don’t actually think that was the case. I might well have approved your comment and offered my own view, if you hadn’t tried to post a comment before I got to it, asserting that we only approve complimentary comments. That isn’t actually the case, but I simply trashed the comment because it also included some xenophobic abuse suggesting that people in Bratislava should engage in some novel but probably anatomically impossible sexual practices. I did discuss the possibilities of further research with my wife, but we English tend to be conservative in these matters. I will mention here that if you’d actually spent just a little more time actually reading the blog, you’d have seen that:

  • We do, in fact, publish and respond to critical comments if they’re not abusively expressed and make a valid point.
  • ESET’s headquarters are in Slovakia, but a lot of its bloggers live and work in other parts of the world. And in my possibly biased opinion, none of them are stupid.

Of course, it’s the generally abusive nature of comments like this that is likely to cause them not to be published: it’s not just Slovaks or ESET bloggers who are entitled to a modicum of courtesy and respect. Another comment I discarded today suggested that someone who was quoted in one of our articles was ‘a moron’. I was tempted to pass that one so that I could point out that the ‘moronic’ comment made much better sense security-wise than the commenter’s view, but reluctantly decided that would risk descending to the same level of inappropriate expression.

Unfortunately, it’s easier to pick out and comment on particular comments than it is to put together comprehensive guidelines, but a little googling turned up some useful articles on the subject, such as Ginny Soskey’s The 11 Do’s and Don’ts for Writing and Managing Blog Comments, Melanie Nelson’s 5 Blogging Etiquette Tips for Beginning Bloggers, Daria Black’s Blogger’s Guide to Comment Etiquette and Lorelle VanFossen’s Time Wasting Blog Comments, Comments Policies, and Comment Etiquette. It’s quite interesting and instructive to see how the bloggers have responded to comments on those articles.

Back in the early days of the Internet and the Web, there were a number of pointers to ‘netiquette’ that summarized expected standards of behaviour, such as RFC1855, ‘a minimum set of guidelines for Network Etiquette (Netiquette) which organizations may take and adapt for their own use.’ Fellow ESET blogger Aryeh Goretsky drew my attention to a lighter take on some of the same issues from ‘Emily Postnews’. Documents like these have been overtaken by the development of technology – far fewer people make use of newsgroups for instance – and the sheer volume of people who’ve subsequently obtained an Internet connection has outstripped the ability of old-timers to pass on older mores and expectations. (If only it was true that ‘chain letters are forbidden on the internet’, as the RFC claims…) Perhaps it’s not altogether a bad thing that standards aren’t policed by an elite group of people who were here ahead of everyone else. But those standards were based on a desire for the civility and consideration that is lacking in many online contexts today, where people often feel free to behave in ways they wouldn’t behave in the real world of face-to-face interaction.

David Harley
Small Blue-Green World
ESET Senior Research Fellow