So check it out: Mastodon decided to implement follower-only posts for their users. All good. They did it in a way where they were still broadcasting those posts (described as “private”) in a format where other servers could easily wind up erroneously showing them to random people. That’s not ideal.

Probably the clearest explanation of the root of the problem is this:

Something you may not know about Mastodon’s privacy settings is that they are recommendations, not demands. This means that it is up to each individual server whether or not it chooses to enforce them. For example, you may mark your post with unlisted, which indicates that servers shouldn’t display the post on their global timelines, but servers which don’t implement the unlisted privacy setting still can (and do).

Servers don’t necessarily disregard Mastodon’s privacy settings for malicious reasons. Mastodon’s privacy settings aren’t a part of the original OStatus protocol, and servers which don’t run a recent version of the Mastodon software simply aren’t configured to recognize them. This means that unlisted, private, or even direct posts may end up in places you didn’t expect on one of these servers—like in the public timeline, or a user’s reblogs.

That is super relevant for “private” posts by Mastodon. They fall into the same category as how you’ve been voting on Lemmy posts and comments: This stuff seems private, because it’s being hidden in your UI, but it’s actually being broadcast out to random untrusted servers behind the scenes, and some server software is going to expose it. It’s simply going to happen. You need to be aware of that. Even if it’s not shown in your UI, it is available.

Anyway, Pixelfed had a bug in its handling of those types of posts, which meant that in some circumstances it would show them to everyone. Somebody wrote on her blog about how her partner has been posting sensitive information as “private,” and Pixelfed was exposing it, and how it’s a massive problem. For some reason, Dansup (Pixelfed author) taking it seriously and fixing the problem and pushing out a new version within a few days only made this person more upset, because in her (IMO incorrect) opinion, the way Dansup had done it was wrong.

I think the blog-writer is just mistaken about some of the technical issues involved. It sounds like she’s planning on telling her partner that it’s still okay to be posting her private stuff on Mastodon, marked “private,” now that Pixelfed and only Pixelfed has fixed the issue. I think that’s a huge mistake for reasons that should be obvious. It sounds like she’s very upset that Dansup made it explicit that he was fixing this issue, thinking that even exposing it in commit comments (which as we know get way more readership than blog posts) would mean people knew about it, and the fewer people that knew about it, the safer her partner’s information would be since she is continuing to do this apparently. You will not be surprised to discover that I think that type of thinking is also a mistake.

That’s not even what I want to talk about, though. I have done security-related work professionally before, so maybe I look at this stuff from a different perspective than this lady does. What I want to talk about is this type of comment on Lemmy, when this situation got posted here under the title “Pixelfed leaks private posts from other Fediverse instances”:

Non-malicious servers aren’t supposed to do what Pixelfed did.

Pixelfed got caught with its pants down

rtfm and do NOT give a rest to bad behaving software

dansup remains either incompetent for implementing badly something easy or toxic for federating ignoring what the federation requires

i completely blame pixelfed here: it breaks trust in transit and that’s unacceptable because it makes the system untrustworthy

periodic reminder to not touch dansup software and to move away from pixelfed and loops

dansup is not competent and quite problematic and it’s not even over

developers with less funding (even 0) contributed way more to fedi, they’re just less vocal

dansup is all bark no bite, stop falling for it

dansup showed quite some incompetence in handling security, delivering features, communicating clearly and honestly and treating properly third party devs

I sort of started out in the ensuing conversation just explaining the issues involved, because they are subtle, but there are people who are still sending me messages a day later insisting that Dansup is a big piece of shit and he broke the internet on purpose. They’re also consistently upset, among other reasons, that he’s getting paid because people like the stuff he made and gave away, and chose to back his Kickstarter. Very upset. I keep hearing about it.

This is not the first time, or even the first time with Dansup. From time to time, I see this with some kind of person on the Fediverse who’s doing something. Usually someone who’s giving away their time to do something for everyone else. Then there’s some giant outcry that they are “problematic” or awful on purpose in some way. With Dansup at least, every time I’ve looked at it, it’s mostly been trumped-up nonsense. The worst it ever is, in actuality, is “he got mad and posted an angry status HOW DARE HE.” Usually it is based more or less on nothing.

Dansup isn’t just a person making free software, who sometimes posts angry unreasonable statuses or gets embroiled in drama for some reason because he is human and has human emotions. He’s the worst. He is toxic and unhinged. He is keeping his Loops code secret and breaking his promises. He makes money. He broke privacy for everyone (no don’t tell me any details about the protocol or why he didn’t he broke it for everyone) (and don’t tell me he fixed it in a few days and pushed out a new version that just makes it worse because he put it in the notes and it’ll be hard for people to upgrade anyway so it doesn’t count)

And so on.

Some particular moderator isn’t just a person who sometimes makes poor moderation decisions and then doubles down on them. No, he is:

a racist and a zionist and will do whatever he can to delete pro-Palestinian posts, or posts that criticize Israel.

a vile, racist, zionist piece of shit, and anyone who defends or supports him is sitting at the table with him and accepts those labels for themselves.

And so on. The exact same pattern happened with a different lemmy.world mod who was extensively harassed for months for various made-up bullshit, all the way up until the time where he (related or not) decided to stop modding altogether.

It’s weird. Why are people so vindictive and personal, and why do they double down so enthusiastically about taking it to this personal place where this person involved is being bad on purpose and needs to be attacked for being horrible, instead of just being a normal person with a variety of normal human failings as we all have? Why are people so un-amenable to someone trying to say “actually it’s not that simple”, to the point that a day later my inbox is still getting peppered with insistences that Dansup is the worst on this private-posts issue, and I’m completely wrong and incompetent for thinking otherwise and all the references I’ve been digging up and sending to try to illustrate the point are just more proof that I’m horrible?

Guys: Chill out.

I would just recommend, if you are one of these people that likes to double down on all this stuff and get all amped-up about how some particular fediverse person is “problematic” or “toxic” or various other vague insinuations, or you feel the need to bring up all kinds of past drama any time anything at all happens with the person, that you not.

I am probably guilty of this sometimes. I definitely like to give people hell sometimes, if in my opinion they are doing something that’s causing a problem. But the extent to which the fediverse seems to like to do this stuff just seems really extreme to me, and a lot of times what it’s based on is just weird petty bullying nonsense.

Just take it with a grain of salt, too, if you see it, is also what I’m saying. Whether it comes from me or whoever. A lot of times, the issue doesn’t look like such a huge deal once you strip away the histrionics and the assumption that everyone’s being malicious on purpose. Doubly so if the emotion and the innuendo is running way ahead of what the actual facts are.

  • Zak@lemmy.world · 183 up, 1 down · 7 months ago

    Some people have privacy expectations that are not realistic in an unencrypted, federated, heterogeneous environment run by hobbyist volunteers in their spare time.

    If you have something private and sensitive to share with a small audience, make a group chat on Signal. Don’t invite any reporters.

    • RobotToaster@mander.xyz · 62 up, 1 down · 7 months ago

      Nothing is private on the fediverse, and Mastodon’s bodge only gives the illusion of privacy. There should be zero expectation that any fediverse software will follow their non-standard extensions.

      • zedage@lemm.ee · 7 up, 1 down · (edited) · 7 months ago

        I think the confusion from fediverse’s claims of privacy stems from poor enunciation elucidation of the nature of the privacy from its proponents. It is definitely more private in the amount of passive data mining for ad tracking purposes compared to for profit social media. The architecture is designed to discourage instance managers from implementing ad-tech from building sophisticated user profiles of your behaviour in order to serve you more targeted ads from the people that manage the infrastructure. There’s no monitoring of clicks, click through rates, time spent on the platform, the type of content you like, etc. And the price for that mechanism is, making public, data that cannot be monetised on a large scale, which for profit social media guaranteed “privacy” to (in quotes because it was private from prying eyes through E2EE but not your keys not your data.)

        I can see where the confusion might arise for nontechnical people who aren’t familiar with the technical aspects of ActivityPub implementations. I don’t think there should be any confusion for technical people in understanding the architecture clearly guarantees a total lack of private data, seeing as how decentralisation works.

    • Chozo@fedia.io · 45 up, 1 down · 7 months ago

      This is my thought on it, too. I don’t disagree with any of the point OP is making, but I think a larger issue is people misusing ActivityPub platforms and trying to make them into something they’re not. It’s not meant to be a messenger, it’s not meant for privacy. Everything being public and transparent is part of the core design of the Fediverse. The idea of private groups/posts on the Fediverse seems counterintuitive to me.

      • PhilipTheBucket@ponder.cat (OP) · 21 up, 1 down · 7 months ago

        Completely agree.

        It is fine if you want to add privacy to a federated platform. If you wanted to, you would need to think through how to do it (probably it would involve either adding something specific and very carefully laid-out to the ActivityPub spec, or just doing like Lemmy does and switching to a whole other protocol like Matrix and warning the users that anything over ActivityPub is not private). Neither of those is what Mastodon did, but now they’re going around telling users they can have private posts, which is why I think they’re ultimately at fault in the situation that kicked off this whole shebang.

        • Matth78@lemm.ee · 7 up · (edited) · 7 months ago

          Just a random thought: if there is a need for privacy, wouldn’t it be possible to create a public/private encryption key pair for users so messages can be encrypted and exchanged?

          This way what would be public is that there’s an exchange, but nobody would be able to know what was said. It would at least make the message content private.

          To take it a step further, could exchanges between servers also use it to encrypt which users exchange private messages? I am thinking it could make it fully private then. Only sender and receiver servers could know which users were private messaging.

          • AwesomeLowlander@sh.itjust.works · 10 up, 2 down · (edited) · 7 months ago

            To keep it secure from the servers themselves would require users to handle the encryption. See PGP for an idea of how much uptake that’s likely to get. If you mean for the servers to handle the encryption, that’s already the case, and the issue right now is that servers are privy to what users do, and by nature are a 3rd party in the convo.

          • PhilipTheBucket@ponder.cat (OP) · 2 up · 7 months ago

            You actually could do this kind of thing with AP. It’s designed to give a key pair to every user to use for signing all their activities, so with some careful redesign, you might be able to do something like have the browser authenticating the user’s identity in a way that the server isn’t able to do, or even messages being sent encrypted in a way that the server can’t read.

            In practice, the server keeps the user’s private keys, and moving away from that model would be difficult. But you could in theory redesign it away from that.

        • ThorrJo@lemmy.sdf.org · 3 up · 7 months ago

          If any dev should be getting roasted, it’s Gargron, for his many bad decisions over the years.

      • SorteKanin@feddit.dk · 4 up, 1 down · 7 months ago

        It’s not meant to be a messenger, it’s not meant for privacy. Everything being public and transparent is part of the core design of the Fediverse. The idea of private groups/posts on the Fediverse seems counterintuitive to me.

        Just want to counter this: Privacy is in fact a part of ActivityPub. Stuff is only meant to be public if it is sent to the Public collection, otherwise it should only be delivered to the intended recipients, much like email. This is part of the core protocol, not any extension.
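The addressing rule SorteKanin describes, as an added example (not code from the thread, nor from Mastodon, Pixelfed or any other fediverse project): a receiving-side check that classifies a Create/Note activity by its recipients and admits it to a public timeline only when the Public collection is in `to`. The actor, follower and mention URLs are constructed, and the mapping of Mastodon's four visibility levels onto `to`/`cc` is an assumption about the sending side, not something the ActivityPub spec itself fixes.

```python
from typing import Any

# Receiving-side visibility check for ActivityPub Create/Note activities:
# an object is public only when the Public collection is among its recipients.
PUBLIC = "https://www.w3.org/ns/activitystreams#Public"
PUBLIC_ALIASES = {PUBLIC, "as:Public", "Public"}  # shorthands the spec allows

# Constructed identifiers for the sample activities (not real accounts).
ACTOR = "https://example.social/users/alice"
FOLLOWERS = ACTOR + "/followers"
BOB = "https://other.example/users/bob"


def _as_list(value: Any) -> list[str]:
    """Normalise a JSON-LD term that may be absent, a string, or a list."""
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    return [v if isinstance(v, str) else str(v.get("id", "")) for v in value]


def recipients(activity: dict[str, Any]) -> tuple[list[str], list[str]]:
    """Return (to, cc), preferring the wrapped object's own addressing."""
    inner = activity.get("object")
    inner = inner if isinstance(inner, dict) else {}
    to = _as_list(inner.get("to")) or _as_list(activity.get("to"))
    cc = _as_list(inner.get("cc")) or _as_list(activity.get("cc"))
    return to, cc


def _is_public(addr: list[str]) -> bool:
    return any(r in PUBLIC_ALIASES for r in addr)


def classify_visibility(activity: dict[str, Any], followers_url: str) -> str:
    """Map addressing onto Mastodon's visibility names (assumed convention):
    public = Public in ``to``; unlisted = Public only in ``cc``;
    private = followers collection addressed, Public absent; else direct."""
    to, cc = recipients(activity)
    if _is_public(to):
        return "public"
    if _is_public(cc):
        return "unlisted"
    if followers_url in to or followers_url in cc:
        return "private"
    return "direct"


def is_publicly_readable(activity: dict[str, Any]) -> bool:
    """Anyone may view the object: public or unlisted."""
    to, cc = recipients(activity)
    return _is_public(to) or _is_public(cc)


def may_show_on_public_timeline(activity: dict[str, Any]) -> bool:
    """Only objects that put Public in ``to`` belong on a public timeline;
    rendering a private or direct note there is the bug the thread discusses."""
    to, _ = recipients(activity)
    return _is_public(to)


def sample_activity(visibility: str) -> dict[str, Any]:
    """Constructed Create/Note using the assumed sender-side convention."""
    addressing = {
        "public": ([PUBLIC], [FOLLOWERS, BOB]),
        "unlisted": ([FOLLOWERS], [PUBLIC, BOB]),
        "private": ([FOLLOWERS], [BOB]),
        "direct": ([BOB], []),
    }
    to, cc = addressing[visibility]
    note = {"type": "Note", "attributedTo": ACTOR, "to": to, "cc": cc,
            "content": f"a {visibility} note"}
    return {"type": "Create", "actor": ACTOR, "to": to, "cc": cc, "object": note}
```

The check that matters for a receiving server is the last one: whatever the sender's software called the post, an object that does not address Public is never rendered where unauthenticated visitors can see it.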

    • candyman337@sh.itjust.works · 19 up · 7 months ago

      I definitely think it’s important to make people aware of the difference in the fediverse. Especially since that is not how it worked in non-federated social media.

      • MudMan@fedia.io · 22 up, 1 down · 7 months ago

        Well, where are you all when the Fedi cheerleading squad keeps posting about how bad it is that this or that competitor stores this or that information and how secure and private and great it is in Fedi servers because they don’t store anything?

        Because I’ve spent years chiming in to explain these things in those and it normally just gets people angry and complaining that you’re shilling for corporate social media or whatever. The image being projected, both accidentally and on purpose, is that no centralized data collection means your data on Fedi is private when it is extremely not.

        • candyman337@sh.itjust.works · 4 up · 7 months ago

          I definitely agree, it’s advertised as private, when really it’s more “open” so that it’s not profitable I think

          • zedage@lemm.ee · 5 up · 7 months ago

            I think the confusion from fediverse’s claims of privacy stems from poor enunciation from its proponents. It is more private in the amount of passive data mining for ad tracking purposes compared to for profit social media. The architecture is designed to discourage these practices from the people that manage the infrastructure. And the price for that mechanism is, making public, data that cannot be monetised on a large scale, which for profit social media guaranteed “privacy” to (in quotes because it was private from prying eyes through E2EE but not your keys not your data.)

            I can see where the confusion might arise for nontechnical people who aren’t familiar with the technical aspects of ActivityPub implementations. I don’t think there should be any confusion for technical people in understanding the architecture clearly guarantees a total lack of private data, seeing as how decentralisation works.

      • TORFdot0@lemmy.world · 3 up · 7 months ago

        Just because the average user doesn’t consider whether they should trust the platform, doesn’t mean the fediverse is less trustworthy. It’s not. Nothing online should be considered trustworthy if it’s not encrypted.

        You still have to consider whether Facebook is trustworthy with your posts and click data, whether the thousands of advertisers they sell your info to are trustworthy. Whether the persons you message are trustworthy and that they won’t get hacked.

        About the same risks as with trusting a fediverse instance operator except they don’t have the same motivations to sell your data.

        I’m not sure if you are aware of fediblock which allows instance operators to coordinate banning and defederating bad actors from the network. And of course you can always mute or block any user or instance you wish independently of your instance’s block list.

        Your data being leaked to “malicious servers” in this case also requires approving a follow to a user on that instance or having your profile set to public (and at that point you should expect your content to be public)

        I do think you are right that it is a paradigm shift of thinking for new users who aren’t familiar with federation. But I think anyone who wants to join will just either have to give up control to big platforms and stay put or shift their thinking.

    • letzlo@feddit.nl · 7 up · 7 months ago

      It’s perhaps a communication problem, where the privacy settings should clearly state this. Or these settings shouldn’t be offered. But maybe this current structure is fine for most people?

      Regardless, it’s how existing social media used to work. In that sense, federated social media can’t offer an alternative and that could be a problem for some.

      • PhilipTheBucket@ponder.cat (OP) · 17 up, 1 down · 7 months ago

        Yeah, but offering something that claims to be private, but isn’t, is actually much worse than refusing to offer something that’s private. Even if people want the private feature.

        Truly private posts just are going to require something that isn’t ActivityPub, because ActivityPub just isn’t designed to give assurances about what’s going to happen to an activity that you are sending off to some other server. Or, the other option would be to go through the whole process of adding it into the spec in a thought through fashion instead of just hacking it in and moving on. Although, I do kind of get why Mastodon doesn’t want to go through that snail’s pace process for every single protocol change they would need to be able to make things work.

    • arakhis_@feddit.org · 3 up · 7 months ago

      This poster… it’s like every other social media platform is not anonymous?!

      Why should this one be? Did you really think i.e. reddit wouldn’t corpo-analyze the fork out of your data with data science practices? Anonymous upvotes? LOL

    • iltg@sh.itjust.works · 1 up · 7 months ago

      it’s not unrealistic to keep trust at the server level. following your rationale, you can’t trust my reply, or any, because any server could modify the content in transit. or hide posts. or make up posts from actors to make them look bad.

      if you assume the network is badly behaved, fedi breaks down. it makes no sense to me that everything is taken for granted, except privacy.

      servers will deliver, not modify, not make up stuff, not dos stuff, not spam you, but apparently obviously will leak your content?

      fedi models trust at the server level, not user. i dont need to trust you, i need to trust just your server admin, and if i dont i defederate

      • PhilipTheBucket@ponder.cat (OP) · 1 up · 7 months ago

        if you assume the network is badly behaved, fedi breaks down. it makes no sense to me that everything is taken for granted, except privacy.

        This is backwards in my opinion.

        What you described is exactly how it works. Everything in the network is potentially badly behaved. You need to put on rate limits, digital signatures for activities back to actors, blocks for particular instances, and so on, specifically because whenever you are talking with someone else on the network, they might be badly behaved.

        In general, it’s okay in practice to be a little bit loose with it. If you get some spam from a not-yet-blocked instance, or you send some server a message which it has a bug and it doesn’t deliver, then it is okay. But, if you’re sending a message which can compromise someone’s privacy if mishandled, then all of a sudden you have to care on a stricter level. Because it’s not harmless anymore if the server which is receiving the message is broken (or malicious).

        So yes, privacy is different. In practice it’s usually okay to just let users know that nothing they’re sending is really private. Email works that way, Lemmy DMs work that way, it’s okay. But if you start telling people their stuff is really private, and you’re still letting it interact with untrusted servers (which is all of them), you have to suddenly care on this whole other level and do all sorts of E2EE and verification stuff, or else you’re lying to your users. In my opinion.

        • iltg@sh.itjust.works · 1 up · 7 months ago

          taking care of bad servers is instance admin business, you’re conflating the user concerns with the instance owner concerns

          generally this thread and previous ones have such bad takes on fedi structure: a federated and decentralized system must delegate responsibility and trust

          if you’re concerned about spam, that’s mostly instance owner business. it’s like that with every service: even signal has spam, and signal staff deals with it, not you. you’re delegating trust

          if you want privacy, on signal you need to delegate privacy to software. on fedi to server owners too, but that’s the only extra trust you need to pay

          sending private messages is up to you. if i send a note and address it only to you, i’m delegating trust to you to not leak it, to the software to keep it confidential, and to the server owner to not snoop on it. on signal you still need to trust the software and the recipient

          this whole “nothing is private on fedi” is a bad black/white answer to a gray issue. nothing is private ever, how can you trust AES and RSA? do you know every computer passing your packet is safe from side chain attacks to break your encryption? you claimed to work in security in another thread, i would expect you to know the concept of “threat modeling”

      • Zak@lemmy.world · 1 up · 7 months ago

        There’s a significant distinction between servers that are actively malicious as you’re describing and servers that aren’t fully compatible with certain features, or that are simply buggy.

        Lemmy, for example, modifies posts federated from other platforms to fit its format constraints. One of them is that a post from Mastodon with multiple images attached will only show one image on Lemmy. Mastodon does it too: inline images from a Lemmy post don’t show on vanilla Mastodon.

        I’ll note that Lemmy’s version numbers all start with 0. So do Pixelfed’s. That implies the software is unfinished and unstable.