Privacy is a reverse idea on the Fediverse. I know it’s a hot take, but by design the Fediverse is never going to be private and people should stop assuming it is.
When you send out a comment/like/post/whatever, you are literally broadcasting a message to any other instance listening. It essentially just says
{ messageId: 42, message: "This is some message", action: "comment" }
and if you want to delete that message it’s essentially
{ messageId: 42, action: "delete" }
While Lemmy and Mastodon respect that, anyone can build any fediverse app and simply choose not to use it. Anyone can build a search engine and can choose to respect the delete or not. Any instance could defederate from them if they don’t like that, or they may not care. The point however is that ActivityPub is designed this way, and there really isn’t a better way.
If your comment has been sent out to other instances - well then it’s there already. You can’t delete it without some form of just asking politely that they delete it. They have it already, it could be stored in their DB, duplicated in other DBs, aggregated and sent to AI, searchable, whatever. They have it. There is no concept of “delete” on the fediverse. It’s asking nicely for them to delete it.
The thing most people get wrong is privacy friendly != private. If you say something publicly (on the internet) you can assume it will stay for ever, if not directly then via some sort of archive. The privacy part of Lemmy/Mastodon is them not collecting data on what you look at to sell it. If you want something private then don’t use Social Media, because what you say publicly will stay public.
The privacy part of Lemmy/Mastodon is them not collecting data on what you look at to sell it.
Nor requesting your real name and ID, phone number…
Yes, open federation is terrible for privacy for all the reasons you listed and more. That’s exactly the point here.
If you only share data with trusted parties, that you know will delete comments and data when requested and have the same standards vetting federating parties you do, you can have federation and privacy friendly networking. It’s also the only way to be GDPR compliant when running a Fediverse server as a business.
The protocol is entirely irrelevant here. ActivityPub merely standardised sharing information. The same problems also exist with Matrix, IRC, SMTP, or plain old “sending data over HTTP and storing it in a database”.
Also, Lemmy decidedly doesn’t accept deletes as you may expect it to. Deletes don’t always propagate (probably a bug) and delete requests will leave traces on a whole bunch of servers. It’s not intentional, but don’t expect deletions to work on Lemmy.
Furthermore, deletions don’t actually delete any data, instance moderators can click a button and restore a post even if you hit delete on it!
As you say though it’s only shared to any other instance listening. The point of consent-based federation is that you get to choose which instances do and don’t get to listen. So if your comment hasn’t been sent out to other instances, they don’t have it.
Its documentation, for example, describes consent-based allow-list federation as “contrary to Mastodon’s mission.”
and I would agree with them. Consent based federation would fundamentally change the fediverse and create large tenants overnight. Small instances like mine would be at the mercy of large instances to be federated with them. It relies on people being kind and open, something we have already seen that some instance owners can be, others are not. I would even argue that that isn’t even federation anymore, it’s just slightly more open walled gardens
Yeah, as I say in the article Mastodon makes other decisions that are also hostile to the idea of consent, so I also agree that they see it as contrary to their mission. In terms of large tenants, though, Mastodon changed the defaults to sign people up on mastodon.social, which as a result now has 27% of the active Mastodon users, so I don’t think that’s the basis of their objection.
And no, consent-based federation doesn’t rely on people being kind and open. To the contrary, it assumes that a lot of people aren’t kind, and so the default should be that they can’t hassle you without permission. It’s certainly true that large instances might choose not to consent to federate with smaller instances (just as they can choose to block smaller instances today), but I don’t see how you can say that’s not even federation anymore. Open source projects approve PRs and often limit direct checkins to team members but that doesn’t mean they’re not open source.
I’m not saying that it’s not open source, I’m saying that I would argue it’s not federation anymore. Open source is irrelevant here, I’m not talking about the code.
I’m saying instances being “Closed to federation by default” and “whitelist only” is not true federation in my book.
I also am saying that instance owners are the ones who all of a sudden get a ton of power, specifically larger instance owners because they can decide arbitrarily not to federate with an instance they don’t deem worth federating with. The larger userbase aside, instance owners I believe can become power hungry and greedy and refuse to federate.
For example, even I, a teeny tiny instance owner, felt a pang of annoyance when someone created a duplicate community on their instance. It was fleeting and I told myself that that’s what the federation is, and that it’s okay, but not everyone will react that way. It’s inevitable that larger instances will say things like “Why should I federate with you, we have all of those communities over here”
My open source analogy wasn’t great, but the point I was trying to make is that even things we usually think of as open are compatible with consent. Similarly we’re used to thinking of federation as unconstrained (well except for Gab) (and everybody else who gets blocked) but that’s just the specific flavor of federation that’s been practiced on the fediverse so far - federation’s compatible with consent, at least in my books.
Power-hungry instance owners can already decide not to federate with other instances, arbitrarily or for any reason – counter.social’s an example. Consent-based federation just changes the default. It’s true that this changes the equation a bit; today there’s a small amount of effort required not to federate, a consent-based approach flips that and there’s a small amount of effort required to federate. At the end of the day, though, power-hungry instance owners are gonna do what power-hungry instance owners are gonna do; threads.net and mastodon.social are going to make their own decisions about federation policies no matter what the free fediverses decide.
So if your comment hasn’t been sent out to other instances, they don’t have it.
What’s stopping malicious actors to create an account on the same instance as you and follow you (or your RSS feed) exclusively to pull your data?
Remember “information wants to be free”? That adage works both ways. If people want (or need) real privacy, they need to be equipped with tools that actually guarantee that their communication is only accessible to those intended to. The “ActivityPub” Fediverse is not it. They will be better off by using private Matrix (or XMPP rooms) with actual end-to-end encryption.
Agreed that people who need strong privacy should use something like Signal (or maybe Matrix or XMPP). And also agreed that RSS feeds are a privacy hole on most of the fediverse; Hometown and GoToSocial both disable them by default, Mastodon should do the same.
Nothing prevents malicious actors who want to make enough of an effort from creating accounts on instances (or for that matter Matrix chat rooms). But that’s not feasible for broad data harvesting by Meta.
Your whole worldview is hinging on two conflicting realities:
- social networking is an inherently public activity, and this is the way that the majority of people want it to be.
- the only way to be free from surveillance capitalism is by having private communications, and while this is something that affects everyone, only a minority of people seem to be actively opposed to it.
The “consent-based” social media does not work well for a small business owner who wants to promote their place to their local community, or the artisan that wants to put up a gallery with their work online. They want to be found.
If you tell them that they have to choose between (a) a social network that makes it easier for them to reach their communities or (b) a niche network that is only used by a handful of people who keeps putting barriers for any kind of contact; which one do you think they will choose?
What your recent articles are trying to do is (basically) try to shove the idea that the majority should change their behavior and completely reject a public internet. You are basically saying that the “social” networks should be "anti-"social in nature. This is, quite honestly, borderline totalitarian.
But that’s not feasible for broad data harvesting by Meta.
Why? You keep writing about how evil Meta is and their infinite amount of resources. If you really believe that, why do you think they would stop at the mere wall of “federation consent”?
It’s not that I think that most people will (or should) reject a public internet. In fact I don’t even think most people will reject surveillance capitalism-based social networks. As I say in the article “many people who make their home in the free fediverses (including me!) are likely to have other accounts for now – on Threads, or in Meta’s fediverses – just as many do today on Facebook, Instagram, Xitter, TikTok, LinkedIn, and other surveillance capitalism social networks.” As you say, small business owners and artists will want the broadest possibility for their work; and there are lots of other situations where that’s what people want.
And I wouldn’t frame the choice between (a) and (b) the way you do. With queer and trans people, I’d frame it as an opportunity to have an account on a smaller pro-queer social network that’s gone to great lengths to insulate itself from hate groups like Libs of TikTok, and a choice of whether their other account is better on Threads or in Meta’s fediverses. With progressive or leftist people, I’d frame it in terms of being on a social network that’s not actively working with white supremacists, fascists, and authoritarians. With people who hate Facebook / Instagram / etc, I’d phrase it in terms of being as far away from Meta as possible. And so on …
Some will say “two accounts? I think not! And there’s a lot of stuff on Threads that’s valuable for me, so I’m not interested.” Oh well. But most people already have a bunch of accounts on various social networks – none of which are particularly queer-friendly, all of which work with white supremacists, fascists, and authoritarians – so (if signup is easy, the software’s easy to use, if it’s well-moderated and they don’t have to deal with harassment, if there are enough interesting people there, etc etc etc) won’t be averse to one more.
Also, why do you think most people want social networking to be an inherently public activity? Look at the most popular social network. Facebook groups are extremely popular. Facebook supports friends-only posts and virtually everybody I know uses them at least part of the time. Facebook events allow posts that are only visible to people attending the event. The list goes on … And it’s not just Facebook. Reddit has private subreddits. Twitter has private profiles. Most fediverse microblogging software has local-only posts. Heck even Mastodon has followers-only posts. So, I’d say it’s the other way around. Most people want social networking to be a mix of public and private activity.
I think I get your point, but I surely don’t agree with it. Honestly, it seems that you are not really interested in dismantling Surveillance Capitalism, just afraid that “Big Fedi” will attract the attention of too many people, and end up bringing scrutiny to some marginalized groups you care about.
To put it in less nice words, you are not really concerned about privacy or Surveillance Capitalism, you are just worried about losing your echo chamber.
Right, I’m on Lemmy because I want to stay in my echo chamber. 🤣 🤣 🤣
This is nonsensical to me. Why make a big ruckus about Threads and others, go through all of these private and secure measures to then have two accounts, one actively on the side of the Fediverse you so called need protection from? That’s some real privilege
Today, I’ve gone to a lot of trouble to have fediverse accounts, and accounts on other environments that aren’t as toxic and hostile as Facebook … I still have a Facebook account. It’s necessary to keep in touch with some family members. It’s valuable for activism – meet people where they are. It’s the best place to find out about music events. There are some friends and former colleagues that it’s the best way to keep in touch with. etc etc I wish those things weren’t the case, but they are. So I have an account but limit my engagement – these days I rarely post except for activism, private messages, and occasionally resharing posts that people are trying to get the word out about. There’s still a lot of value in keeping most of my activity off there.
And I still have a Twitter account despite all its issues. A lot of reproductive justice and abolitionist organizers are still there. It’s better than any other social network for getting first-hand views of Palestinians. A lot of Black Twitter is still there. There are some friends and former colleagues that it’s the best way to keep in touch with. It’s potentially still useful for activism purposes. etc etc. So I have an account but limit my engagement – these days I rarely post except for retweeting, DMs, and stuff that I don’t care if it’s public. There’s still a lot of value in keeping most of my activity off there.
And some reproductive justice and abolitionist organizers have left Twitter and gone to Threads. Threads is likely to be useful for activism purposes. Over time there are likely to be friends and former colleagues that it’s the best way to keep in touch with. I’m sure other etc etc’s will evolve. So I have an account but limit my engagement. There’s still a lot of value in keeping most of my activity off there.
And Meta’s fediverse is likely to be useful for activism, and there are likely to be people there that I don’t have any way to keep in touch with. Also, it’s a great audience for The Nexus Today. I already have accounts there so don’t expect to give them up. So I have an account but limit my engagement.
It’s a classic double-bind. Being able to stay in an environment that some people find isn’t safe enough to stay in is a form of privilege; but then again, feeling like I have to stay in an anti-LGBTQIA2S+ environment where I feel constrained as to what I can say publicly and my data’s being exploited is a form of oppression – and so is the expectation that I should have to give up on all these valuable things just because I want to spend most of my time in a pro-LGBTQIA2S+ environment. So, there aren’t any perfect answers.
You may be interested in more privacy oriented social networks, because the Fediverse just isn’t. Even on privacy focused communities, the general consensus seems to be “yeah we don’t do privacy here, oh well”.
Almost all Fediverse software places the burden of information protection on the user (“don’t DM anyone unless you want that message to be shared with the world, it’s your fault for using the internet in the first place”). Mastodon is particularly bad about this, because it doesn’t have DMs (it just pretends to); rather, it has toots that aren’t published to any list. If you know the right IDs, you can pretty much read them. In fact, if you tag someone in a Mastodon DM, they’ll be notified and added to the conversation, so make sure not to tag anyone when gossiping on the Fediverse!
I think it’s pretty funny that the Fediverse is so mad at Facebook for its many privacy violations while maintaining that you should never expect any privacy on social media when it comes to their preferred medium.
If you care about privacy: Circles is a federated social media platform using Matrix as a backing protocol which uses encryption to control who can or can’t read your messages. You can use it to message and follow people on other servers just like on the Fediverse, but messages aren’t inherently public on it. I haven’t tried the app myself, because I don’t need yet another app in my life, but its underlying concept is a much better solution to personal social networking than the Fediverse will ever be. Unfortunately, I don’t think many people use it, but if you’re setting up an environment for people who may want privacy, you should consider it.
I totally agree that there isn’t a lot of privacy on the fediverse today – in fact I even say that in the article and link off to recommendations for how to improve things. But also I think there’s a huge difference between the situation on the fediverse where there’s no privacy because developers haven’t prioritized it and with Meta, where their model is focused on exploiting data that they’ve acquired without consent and they’ve repeatedly broken privacy laws (although to be fair they break other laws too, not just privacy).
And it’s true, many people don’t care about privacy, and many more care some but it’s not important enough to them to make it their primary reason for choosing a social network. But a lot of people do care, at least to some extent, so the free fediverses will be a lot more appealing to them if they improve privacy. And even though I think privacy by itself won’t be the major driver for most people who choose the free fediverses, improving privacy also works well with what I think will be the major drivers – like safety, pro-LGBTQIA2S+ focus, and (for people who want nothing to do with Meta) highlighting the core differences from Meta.
Circles’ approach is certainly interesting, I remember looking at it when they did their kickstarter. Did it go forward? It looks like their blog hasn’t been updated since 2021.
deleted by creator
That’s good to see – seems like they’ve made a lot of progress. I’ll check it out!
this seems like nonsense. as if you’re going to limit who can see your public posts… the fediverse is opt-out not opt-in. you opted-in when you signed up with an AP federating platform.
if you don’t want to federate, don’t use a federating platform. if you want privacy, don’t use a platform designed for public distribution.
It’s not as much about seeing, it’s about using, and profiting from.
This post under CC-BY-NC-SA.
U know ActivityPub supports adding licences to things but Lemmy doesn’t want it. Pixelfed and PeerTube already have it but Lemmy told me I was an idiot for wanting to licence my content.
If something is on a public unencrypted website, it isn’t private.
Unfortunately certain people have chosen to mislead users about this.
You may as well post your ass on a billboard then complain that people look at it.
Fediverse software has followers-only posts, direct messages, local-only posts … Mobilizon and Streams even have private groups.
None of that is private. It’s all readable by anyone with an admin account.
As a general rule. If it’s not end to end encrypted, assume it’s public.
“Anyone with an admin account” comes down to “one or two people” not “public”. If your admin is a dick then yeah, your stuff may get leaked, but that’s not normal.
That’s missing the point though: if something isn’t completely private then it has the chance of going public. Too many services pretend to be more private than they really are by using terms like “private message” when all they’re really offering is a relatively small barrier to seeing your data, especially if anyone can set up their own instance.
deleted by creator
“Readable by anybody with an admin account” is not the same as public. And as a bunch of people involved in January 6 found out, end-to-end-encrypting something doesn’t mean it won’t get revealed. So the general rule is assume anything you say online could be made public; use Signal (or some other encrypted messaging that you trust) and limit distribution to a small number of trusted people to reduce the chances of that happening – but don’t count on it!
Might sound a little conspiratorial but this fundamentally breaks what federation means and specifically gives enormous power to larger instances. Also the language of it by calling it consent feels like it’s meant to evoke a certain emotional reaction almost like it’s part of a larger psyop.
Also there is no such thing as privacy on the fediverse. There is anonymity if ur careful.
It’s fine if single instances do consent-based federation that prioritize safety over openness, but why should it become the default for all instances? It will result in instance protectionism and an overall decline in discussion quality. Making it opt-in means people will connect less likely with folks from other instances, meaning people will mainly stay on their instances, meaning it supports tribalism in the Fediverse. More safety usually comes at a cost, too. In this case: less interaction with other instances.
But if you federate with instances that you trust good enough in the first place, consent-based federation is not necessary imo.
No wait, I was wrong. It’s not necessarily instance protectionism. For especially vulnerable groups consent-oriented federation might make sense.
The question is whether this is the desired state for all instances and I would disagree here. I think this falls under a bigger societal debate: should the fediverse become a place where all potentials of harm are completely erased? In other words: should the Fediverse become a safer space?
First of all, minorities should be protected as by the laws of many countries. However, what harm looks like beyond that should be dynamically defined in social debate. Now you want to skip that and erase all potential out of the stand.
This ignores that these societal norms change over time and that a certain risk is part of the human condition. There always needs to be a balance between freedom and protection for the whole society. But as said before, safer places are also needed, but they don’t work as blueprint for the whole society.
Early christian groups can also be considered safe places. You are aligned here with what to me are totalitarian argumentation patterns that strive for a garden eden that will never exist.
That doesn’t mean that we shouldn’t strive for certain ideals but not for things that cannot and shouldn’t be expected of people, like giving up their free will for complete safety.
I agree that different instances will make different choices based on their priorities, but follow this through. Take trans people as an example of an especially vulnerable group that consent-oriented federation makes sense for – so trans people will be less safe on instances that don’t take a consent-based approach. What instances do you think trans people will prefer to be on?
And there must be something I’m missing, because I don’t understand how you got from consent-based federation to “giving up free will”. Consent is literally about having the ability to choose, so exercising your free will.
Well, there are always people who want a more safe space and in turn leave (or threaten to leave) a certain environment. Whether the environment then chooses to make itself more safe or to stay the same is a careful consideration. Making it more safe might make other users leave, but also attract others to the instance.
In the same way, there will be people calling for more openness/“free speech”, prompting the same consideration.
For me, the basis of this is given by law; everything else needs to be negotiated dynamically, how open/safe an instance is might change over time depending on its users.
Now, in this debate, identity politics tends to favour more safety by default, which might make sense at first, but if you follow it through consistently, you end up in something like garden eden. Because there, everything is safe, you don’t need to fear any threat whatsoever, but you are also not really doing anything. If you default to “safe is always better” you end up in a totalitarian system.
So safety/openness is in general a worthy consideration and it should be dynamically debated. Maybe in a few years, consent-based federation proves itself to be a best-practice to make a place safer for trans people and becomes a standard; then we all adapt it happily - that would be fine with me; but if so, I see it at the end of a process.
Yep, I agree that instances and social networks that focus more on safety will attract some people but others will leave. Today, there are a whole bunch of social networks that don’t focus on safety, and very few that do. So there are a lot of options for people who prefer “openness” and very few for people who prefer safety. Strategically, that’s an opportunity for the free fediverses today.
Strategically, that’s an opportunity for the free fediverses today.
Yeah, probably. Question is how big it will become. Let’s see.
In the short term, they’ll be much smaller than Meta’s fediverse (because mastodon.social and most of the big instances are federating with Threads) and of course much smaller than Threads. Longer term, we’ll see, but I wouldn’t expect them to be as big as Threads for a long time if ever.
Ok, I may have blown the discussion a bit out of proportion earlier. It’s just that I thought you meant basically the whole Fediverse. The name “Free Fediverse” is a bit misleading imo.
@ada@lemmy.blahaj.zone
prioritize safety over openness
I don’t expect anything I post here to be private.
On Lemmy? Certainly not. But on other fediverse software, there are followers-only posts, direct messages, local-only posts … none of it’s encrypted, but still it’s not public.
Tbh I’m struggling to imagine what this would look like in something like Lemmy. It seems to be describing an extreme form of setting your account to private, but this only really makes sense in a situation where you have followers who are friends and family. How would I decide who to “approve”?
Great point, I should be more explicit in the article. On Lemmy, it would look like a couple of things:
- today, another instance’s request to federate is accepted unless it’s explicitly blocked. This means that bad actors can get away with stuff until they’re discovered and blocked (although it makes it easier for good actors to federate). Consent-based federation turns that around: a request to federate isn’t accepted unless it’s approved. One way an instance admin could decide whether or not to approve a request is to look at FediSeer to see what other instances are saying about the requestor.
- at the individual level, it would mean that people would start out by participating in local communities (and maybe even just seeing posts from their instance, not sure about that), and could then choose to have their posts federated out
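Added example, not part of any comment in this thread and not code from Lemmy or Mastodon: a small simulation of the two federation defaults described above, combined with the earlier point that a Delete is only a request to whoever already holds a copy. The domains, the `Peer` and `Instance` classes and the `honors_delete` flag are constructed for illustration; the activities use the ActivityStreams `type`, `actor` and `object` fields rather than the simplified shape quoted at the top of the thread.

```python
from dataclasses import dataclass, field


@dataclass
class Peer:
    """A remote instance (hypothetical model). honors_delete says whether
    its software acts on an incoming Delete or simply ignores it."""
    domain: str
    honors_delete: bool = True
    store: dict = field(default_factory=dict)

    def inbox(self, activity):
        if activity["type"] == "Create":
            obj = activity["object"]
            self.store[obj["id"]] = obj["content"]
        elif activity["type"] == "Delete" and self.honors_delete:
            self.store.pop(activity["object"], None)


@dataclass
class Instance:
    """The home instance. mode "open": deliver unless blocked.
    mode "consent": deliver only to explicitly approved peers."""
    domain: str
    mode: str
    approved: set = field(default_factory=set)
    blocked: set = field(default_factory=set)

    def federates_with(self, peer_domain):
        if peer_domain in self.blocked:
            return False
        return self.mode == "open" or peer_domain in self.approved

    def deliver(self, activity, peers):
        recipients = [p for p in peers if self.federates_with(p.domain)]
        for peer in recipients:
            peer.inbox(activity)
        return [p.domain for p in recipients]


def simulate(mode, approved=("friendly.example",)):
    """Publish a comment, then delete it; report who received it and
    who still holds a copy afterwards. All peers are constructed."""
    peers = [
        Peer("friendly.example"),                      # acts on Delete
        Peer("archive.example", honors_delete=False),  # keeps everything
        Peer("blocked.example"),                       # already defederated
    ]
    home = Instance("home.example", mode, set(approved), {"blocked.example"})
    note_id = "https://home.example/comment/42"
    create = {
        "type": "Create",
        "actor": "https://home.example/u/alice",
        "object": {"id": note_id, "type": "Note",
                   "content": "This is some message"},
    }
    delete = {"type": "Delete", "actor": create["actor"], "object": note_id}

    delivered = home.deliver(create, peers)
    home.deliver(delete, peers)
    retained = [p.domain for p in peers if note_id in p.store]
    return {"delivered": delivered, "retained": retained}


if __name__ == "__main__":
    print("open:   ", simulate("open"))
    print("consent:", simulate("consent"))
    # Approving a peer that ignores Delete leaks the copy in either mode.
    print("consent, bad approval:",
          simulate("consent", ("friendly.example", "archive.example")))
```

The third run shows why the approval decision carries the weight: an allow-list only limits retention if the approved peers actually act on Delete.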
That sounds like it punishes small instances… a lot. What would starting an instance look like? Do you start with a huge list of servers to inspect and approve?
For new instances, the easiest thing is to start with the list of an instance that has the kind of moderation you agree with. If I were starting up an instance in the Lemmy world, I might go with the current federation list of lemmy.blahaj.zone or beehaw.org (although others might make different choices), in the Mastodon world I might use awoo.space as a starting point.
There’s certainly a need for tools to make this more scalable. “Recommended lists” are a likely next step; there isn’t much software support for this yet, but it’s similar enough to blocklists that they’re also fairly straightforward; it would be up to the new instance admin to decide how many to inspect or whether just to trust the list. And tools are also needed to address the challenge in the other direction: how do existing instances decide whether or not to accept the request? Instance catalogs like fediseer can help. Another possibility that I mention and link to in the article is “letters of introduction”; federations of instances (which I’ll talk about in the next installment) are another.