So check it out: Mastodon decided to implement follower-only posts for their users. All good. They did it in a way where they were still broadcasting those posts (described as "private") in a format that other servers could easily wind up erroneously showing them to random people. That's not ideal.
Probably the clearest explanation of the root of the problem is this:
Something you may not know about Mastodon's privacy settings is that they are recommendations, not demands. This means that it is up to each individual server whether or not it chooses to enforce them. For example, you may mark your post with unlisted, which indicates that servers shouldn't display the post on their global timelines, but servers which don't implement the unlisted privacy setting still can (and do).
Servers don't necessarily disregard Mastodon's privacy settings for malicious reasons. Mastodon's privacy settings aren't a part of the original OStatus protocol, and servers which don't run a recent version of the Mastodon software simply aren't configured to recognize them. This means that unlisted, private, or even direct posts may end up in places you didn't expect on one of these servers, like in the public timeline, or a user's reblogs.
That is super relevant for "private" posts by Mastodon. They fall into the same category as how you've been voting on Lemmy posts and comments: This stuff seems private, because it's being hidden in your UI, but it's actually being broadcasted out to random untrusted servers behind the scenes, and some server software is going to expose it. It's simply going to happen. You need to be aware of that. Even if it's not shown in your UI, it is available.
Anyway, Pixelfed had a bug in its handling of those types of posts, which meant that in some circumstances it would show them to everyone. Somebody wrote on her blog about how her partner has been posting sensitive information as "private," and Pixelfed was exposing it, and how it's a massive problem. For some reason, Dansup (Pixelfed author) taking it seriously and fixing the problem and pushing out a new version within a few days only made this person more upset, because in her (IMO incorrect) opinion, the way Dansup had done it was wrong.
I think the blog-writer is just mistaken about some of the technical issues involved. It sounds like she's planning on telling her partner that it's still okay to be posting her private stuff on Mastodon, marked "private," now that Pixelfed and only Pixelfed has fixed the issue. I think that's a huge mistake for reasons that should be obvious. It sounds like she's very upset that Dansup made it explicit that he was fixing this issue, thinking that even exposing it in commit comments (which as we know get way more readership than blog posts) would mean people knew about it, and the less people that knew about it, the safer her partner's information would be since she is continuing to do this apparently. You will not be surprised to discover that I think that type of thinking is also a mistake.
That's not even what I want to talk about, though. I have done security-related work professionally before, so maybe I look at this stuff from a different perspective than this lady does. What I want to talk about is this type of comment on Lemmy, when this situation got posted here under the title "Pixelfed leaks private posts from other Fediverse instances":
Non-malicious servers aren't supposed to do what Pixelfed did.
Pixelfed got caught with its pants down
rtfm and do NOT give a rest to bad behaving software
dansup remains either incompetent for implementing badly something easy or toxic for federating ignoring what the federation requires
i completely blame pixelfed here: it breaks trust in transit and that's unacceptable because it makes the system untrustworthy
periodic reminder to not touch dansup software and to move away from pixelfed and loops
dansup is not competent and quite problematic and it's not even over
developers with less funding (even 0) contributed way more to fedi, they're just less vocal
dansup is all bark no bite, stop falling for it
dansup showed quite some incompetence in handling security, delivering features, communicating clearly and honestly and treating properly third party devs
I sort of started out in the ensuing conversation just explaining the issues involved, because they are subtle, but there are people who are still sending me messages a day later insisting that Dansup is a big piece of shit and he broke the internet on purpose. They're also consistently upset, among other reasons, that he's getting paid because people like the stuff he made and gave away, and chose to back his Kickstarter. Very upset. I keep hearing about it.
This is not the first time, or even the first time with Dansup. From time to time, I see this with some kind of person on the Fediverse who's doing something. Usually someone who's giving away their time to do something for everyone else. Then there's some giant outcry that they are "problematic" or awful on purpose in some way. With Dansup at least, every time I've looked at it, it's mostly been trumped-up nonsense. The worst it ever is, in actuality, is "he got mad and posted an angry status HOW DARE HE." Usually it is based more or less on nothing.
Dansup isn't just a person making free software, who sometimes posts angry unreasonable statuses or gets embroiled in drama for some reason because he is human and has human emotions. He's the worst. He is toxic and unhinged. He is keeping his Loops code secret and breaking his promises. He makes money. He broke privacy for everyone (no don't tell me any details about the protocol or why he didn't he broke it for everyone) (and don't tell me he fixed it in a few days and pushed out a new version that just makes it worse because he put it in the notes and it'll be hard for people to upgrade anyway so it doesn't count)
And so on.
Some particular moderator isnāt just a person who sometimes makes poor moderation decisions and then doubles down on them. No, he is:
a racist and a zionist and will do whatever he can to delete pro-Palestinian posts, or posts that criticize Israel.
a vile, racist, zionist piece of shit, and anyone who defends or supports him is sitting at the table with him and accepts those labels for themselves.
And so on. The exact same pattern happened with a different lemmy.world mod who was extensively harassed for months for various made-up bullshit, all the way up until the time where he (related or not) decided to stop modding altogether.
It's weird. Why are people so vindictive and personal, and why do they double down so enthusiastically about taking it to this personal place where this person involved is being bad on purpose and needs to be attacked for being horrible, instead of just being a normal person with a variety of normal human failings as we all have? Why are people so un-amenable to someone trying to say "actually it's not that simple", to the point that a day later my inbox is still getting peppered with insistences that Dansup is the worst on this private-posts issue, and I'm completely wrong and incompetent for thinking otherwise and all the references I've been digging up and sending to try to illustrate the point are just more proof that I'm horrible?
Guys: Chill out.
I would just recommend, if you are one of these people that likes to double down on all this stuff and get all amped-up about how some particular fediverse person is "problematic" or "toxic" or various other vague insinuations, or you feel the need to bring up all kinds of past drama any time anything at all happens with the person, that you not.
I am probably guilty of this sometimes. I definitely like to give people hell sometimes, if in my opinion they are doing something that's causing a problem. But the extent to which the fediverse seems to like to do this stuff just seems really extreme to me, and a lot of times what it's based on is just weird petty bullying nonsense.
Just take it with a grain of salt, too, if you see it, is also what I'm saying. Whether it comes from me or whoever. A lot of times, the issue doesn't look like such a huge deal once you strip away the histrionics and the assumption that everyone's being malicious on purpose. Doubly so if the emotion and the innuendo is running way ahead of what the actual facts are.
This is exactly why ActivityPub makes for such a mediocre replacement for the big social media apps. You have to let go of any assumptions that at least some of your data remains exclusive to the ad algorithm and accept that everything you post or look at or scroll past is being recorded by malicious servers. Which, in turn, kind of makes it a failure, as replacing traditional social media is exactly what it's supposed to do.
The Fediverse also lacks tooling to filter out the idiots and assholes. That kind of moderation is a lot easier when you have a centralised database and moderation staff on board, but the network of tiny servers with each their own moderation capabilities will promote the worst behaviour as much as the best behaviour.
But really, the worst part is the UX for apps. Fediverse apps suck at setting expectations. Of course Lemmy publishes when you've upvoted what posts, that's essential for how the protocol works, but what other Reddit clone has a public voting history? Same with anyone using any form of the word "private" or even "unlisted", as those only apply in a perfect world where servers have no bugs and where there are no malicious servers.
Just because the average user doesn't consider whether they should trust the platform, doesn't mean the fediverse is less trustworthy. It's not. Nothing online should be considered trustworthy if it's not encrypted.
You still have to consider whether Facebook is trustworthy with your posts and click data, whether the thousands of advertisers they sell your info to are trustworthy. Whether the persons you message are trustworthy and that they won't get hacked.
About the same risks as with trusting a fediverse instance operator except they don't have the same motivations to sell your data.
I'm not sure if you are aware of fediblock which allows instance operators to coordinate banning and defederating bad actors from the network. And of course you can always mute or block any user or instance you wish independently of your instance's block list.
Your data being leaked to "malicious servers" in this case also requires approving a follow to a user on that instance or having your profile set to public (and at that point you should expect your content to be public)
I do think you are right that it is a paradigm shift of thinking for new users who aren't familiar with federation. But I think anyone who wants to join will just either have to give up control to big platforms and stay put or shift their thinking.
Building trust is hard. It's easier to trust a few companies than to trust a million unknown servers. It's why I prefer Wikipedia over amazingnotskgeneratedatalltopicalinformarion.biz when I'm looking up simple facts.
Furthermore, Facebook isn't selling data directly. At least, not if they're following the law. They got caught and fined for doing that once and it's not their main mode of operation. Like Google, their data is their gold mine, selling it directly would be corporate suicide. They simply provide advertisers with spots to put an ad, but when it comes to data processing, they're doing all the work before advertisers get a chance to look at a user's profile.
On the other hand, scraping ActivityPub for advertisers would be trivial. It'd be silly to go through the trouble to set up something like Threads if all you want is information, a basic AP server that follows every Lemmy community and soaks up gigabytes an hour can be written as a weekend project.
Various Chinese data centers are scraping the hell out of my server, and they carry referer headers from other Fediverse servers. I've blocked half of East Asia and new IP addresses keep popping up. Whatever data you think Facebook may be selling, someone else is already selling based on your Fediverse behaviour. Whatever Petal Search and all the others are doing, I don't believe for a second they're being honest about it.
Most Fediverse software defaults to federation and accepting inbound follow requests. At least, Mastodon, Lemmy, GoToSocial, Kbin, and one of those fish named mastodonlikes did. Profiles are often public by default too. The vulnerability applies to a large section of the Fediverse default settings.
I'd like to think people would switch to the Fediverse despite the paradigm shift. The privacy risks are still there if there's only one company managing them, so I'd prefer it if people used appropriate tools for sharing private stuff. I think platforms like Circles (a Matrix-based social media system) which leverage encryption to ensure nobody can read things they shouldn't have been able to, are much more appropriate. Perhaps a similar system can be laid on top of ActivityPub as well (after all, every entity already has a public/private key pair).