Hope no one minds me chiming in here.
To make this easy, I see it as there are basically two types of individuals when it comes to wanting to set up a Moodle site. Ignoring for now, the techies that have experience with application and server security.
There are those individuals that will assume that they can just host Moodle, either on their own or through someone else, and that they do not need to worry about someone posting offensive material or even hacking their site. Typically, when something happens they will point the finger at anyone but themselves. They will blame the Moodle application for allowing this to happen or their hosting company for allowing it to happen.
Then, there are those users that are concerned about security and privacy and want to know how to make Moodle secure. They will either try to research this themselves or rely on a "techie".
So either way, there needs to be some good documentation about Moodle security, privacy, and managing content that may be deemed offensive.
It would be in the best interest for all supporters of Moodle to create this documentation in a fashion that someone with no technical background can understand or at least in a manner that they understand the importance and that they need to get a "techie" to help them.
Though managing (censoring) content is not really a responsibility of Moodle as an applicaiton, it is its responsibility to provide tools that can be used to monitor and completely remove the objectionable material. The filter for censoring text is a step in the right direction. An easy to use administrator tool for deleting images from any location in Moodle, is definately needed.
Now as to the responsibility of a Moodle Hosting Partner that is contracted to host a site, here is a simple list that I see as their responsibility.
- Ensure the servers and network is secure. This is mandatory, if they can not ensure a secure host system, then they should not be a Hosting Partner.
- Provide the customer with their SLA and a list of what they do provide as part of the package being purchased. If there is optional support services, then those should be detailed out.
- Ask the customer how they are going to use their Moodle site, who will be accessing it, and who will be the administrator for maintaining it.
- Based on those answers the Partner can then properly install Moodle to be as secure as possible. If the customer wants anyone in the world to access it, the Partner should point out the potential risks, like offensive material being posted and how to monitor for it and remove it.
- Provide training/documentation to the designated Moodle Administrator on how to keep the site secure and monitor content.
- If there is no designated admin, then the Partner should inform the customer as to the importance of this role and offer to provide the service for them or some other alternative.
- Constantly monitor for security issue with Moodle and either install them or inform the customer of the security issue and that it needs to be installed.
If the Moodle Hosting Partner provides all the above, then, as I see it, they have fulfilled their basic obligations as a Moodle Hosting Partner. I personally have researched some of the partners and found that they are not currently offering all of the above automatically. I had to request it and then only one so far has provide most of what I requested.
The bar needs to be raised at least for the Moodle Hosting Partners, if not for the Moodle Community at large, to look seriously at the issue of security, privacy and content monitoring. Let me give you an example of what could happen, at least in the US.
A teacher decides to set up a Moodle site to supplement their classroom teaching. A spammer
finds the site and is able to post porn on it. A student sees it and informs their parents. The parents file a lawsuit against the school and the teacher gets fired. Now what would have happened if the teacher had used a Hosting Partner? If the partner had not provided the teacher with the necessary information, the teacher could turn around and file a lawsuit against the Hosting Partner and possibly even Moodle. What would the outcome be? It would depend a lot on what was provided to the teacher when setting up Moodle.
So is this Moodle's responsibility that the porn was posted, not really, but it definately is not good publicity. Could it have been prevented? Absolutely, but only if the teacher was aware of the risk and understood how to prevent it. That is why the documentation is so critical and that Hosting Partners take this seriously and be proactive about educating and informing their customers about all the risks.