Decentraland, by 0x5E23D08324f017d5425e59A2782C9ae27aCE0958

Prevent harassment and surveillance of all users via overly-exposing endpoint

Voting ended over 3 years ago. Succeeded.

by 0xf2f58ed9ab3057838d88d06be8269270cdc8aa89 (menduz)

Hello I am Mendez, and I've been a core contributor of Decentraland since Jan 2018. This is my first governance proposal ever since.

Several people have brought this problem to my attention and I acknowledge this as a vulnerability that needs to be addressed before it starts affecting people and their digital lives.

In Decentraland, users’ addresses represent more than a transaction parameter in a blockchain, they are part of a user’s digital identity, and exposing this information along with real-time position data could lead to a form of digital surveillance that could be damaging to users and to Decentraland itself.

Catalyst communications server exposes an API endpoint that responds with user addresses and their exact locations at every moment, facilitating hostile actors to harass platform users. This API could also enable the creation of hate bots that could target specific users or types of audiences. This type of information should be treated as sensitive to prevent these types of scenarios. The endpoints to be removed are:

  • https://peer.decentraland.org/comms/peers
  • https://peer.decentraland.org/comms/islands

These endpoints are not needed in order for Decentraland to work. In fact, they were originally intended for manual debugging purposes only.

However, by removing the endpoints in question, there is also a drawback: this API is used to know if a user is in a specific location at the time of making a request. In some scenes, this feature is used by some anti-bot mechanisms. To that extent, a new API endpoint is proposed to validate if a user is in a specific position on a case-by-case basis instead of tracking all the users all the time. For analytics/statistical information of islands, new privacy-aware endpoints were already created: /stats/parcels.

Summary of the proposed changes:

  • Remove the /comms/peers and /comms/islands endpoints. Use /stats/parcels instead
  • Create a new endpoint to validate if a user holding the specified address is in the specified position

Voting options:

  • Remove the endpoints
  • Keep the endpoints
  • Invalid question/options

Vote on this proposal on the Decentraland DAO

Off-Chain Vote

  • Remove the endpoints: 5.99M VP (58.3%)
  • Keep the endpoints: 4.14M VP (40.2%)
  • Invalid question/options: 152.74K VP (1.5%)

Timeline

  • Aug 15, 2022: Proposal created
  • Aug 15, 2022: Proposal vote started
  • Aug 20, 2022: Proposal vote ended
  • Oct 26, 2023: Proposal updated
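
The design change described in the proposal, sketched as an added example (not code from the proposal or from the Catalyst server): a bulk listing that returns every address with its position, next to an address-free aggregate and a single-boolean position check. The data model, function names, response fields, the 16-unit parcel size and the per-caller query budget are all assumptions made for illustration.

```javascript
// Added example: hypothetical in-memory model, not Catalyst code.
const PARCEL_SIZE = 16; // assumption: parcel edge length in world units

// Constructed sample data: address -> exact world position.
const peers = new Map([
  ["0xaaa0000000000000000000000000000000000001", { x: 35.2, z: -12.9 }],
  ["0xbbb0000000000000000000000000000000000002", { x: 40.7, z: -3.1 }],
  ["0xccc0000000000000000000000000000000000003", { x: 170.0, z: 95.5 }],
]);

const toParcel = ({ x, z }) => ({ x: Math.floor(x / PARCEL_SIZE), y: Math.floor(z / PARCEL_SIZE) });

// Shape of the problem: one call returns every address with its exact position.
function listPeers() {
  return [...peers].map(([address, position]) => ({ address, position }));
}

// Aggregate replacement: head count per parcel, no addresses in the response.
function parcelStats() {
  const counts = new Map();
  for (const pos of peers.values()) {
    const p = toParcel(pos);
    const key = `${p.x},${p.y}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return [...counts].map(([parcel, peersCount]) => ({ parcel, peersCount }));
}

// Case-by-case check: the caller must already know the address and the parcel,
// and gets back one boolean. An unknown address and a user who is elsewhere
// produce the same answer, and each caller has a query budget (a real service
// would reset it per time window) so the check cannot be swept across the map.
const budget = new Map();
function isPeerAt(caller, address, parcel, maxChecks = 3) {
  const used = budget.get(caller) || 0;
  if (used >= maxChecks) return { ok: false, error: "rate_limited" };
  budget.set(caller, used + 1);
  const pos = peers.get(address.toLowerCase());
  const here = pos ? toParcel(pos) : null;
  return { ok: true, present: !!here && here.x === parcel.x && here.y === parcel.y };
}
```
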