• davel [he/him]@lemmy.ml
    8 hours ago

    Surprisingly, Reddit is NOT on the list.

    If they’re slurping all these other sites, I highly doubt they’re not slurping Reddit, too, even if it’s not on the list.

    Fediverse (likely ActivityPub - possibly DMs between servers)

    They would have to hack the individual servers to get at the DMs, because they’re encrypted in transit. All the public stuff is trivial to scrape.

    • arotrios@lemmy.world
      8 hours ago

      They would have to hack the individual servers to get at the DMs, because they’re encrypted in transit. All the public stuff is trivial to scrape.

      Nope, ActivityPub DMs are not encrypted between servers - if it’s on the feed, it’s public - or at least it was as of six months ago. I found this out when I attached a WordPress site to a Mastodon instance and suddenly found I could read anyone’s DMs to users on other servers. Totally unencrypted. I actually paused development and working with ActivityPub because of it.

      This doesn’t mean that messages to users on the same server are necessarily exposed, but the potential is there if you don’t have a filter for local publishing only engaged on your Mastodon instance.

      • davel [he/him]@lemmy.ml
        6 hours ago

        ActivityPub DMs are not encrypted between servers

        It is insofar as TLS/SSL/HTTPS encryption is used in transit. That’s what I mean by encrypted in transit.

        i could read anyone’s DMs to users on other servers

        If you’re an administrator for (WordPress) ActivityPub server A, you can see all the DMs coming to and leaving from your server, yes. And they’re not encrypted at rest, so you can read them any time. But how would you see DMs going between server B and server C, when your server isn’t involved in the transaction?
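
Added example, not part of the thread: a sketch of what a receiving server holds once TLS is terminated on an inbox delivery. It shows that a "DM" is an ordinary ActivityPub object whose privacy comes from addressing alone, and which servers end up with the readable body. The hosts, actors and message are constructed, and the function names are hypothetical.

```python
import json
from urllib.parse import urlsplit

AS_PUBLIC = "https://www.w3.org/ns/activitystreams#Public"

# Constructed sample: body of an inbox POST as the receiving server sees it
# after TLS termination. Hosts and actors are hypothetical.
SAMPLE_DM = json.dumps({
    "@context": "https://www.w3.org/ns/activitystreams",
    "type": "Create",
    "actor": "https://server-b.example/users/alice",
    "object": {
        "type": "Note",
        "to": ["https://server-c.example/users/bob"],
        "cc": [],
        "content": "<p>meet at 6?</p>",
    },
})

def _as_list(value):
    """ActivityStreams allows to/cc to be absent, one IRI, or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audience(activity):
    obj = activity["object"]
    return _as_list(obj.get("to")), _as_list(obj.get("cc"))

def visibility(activity):
    """Mastodon-style label derived only from addressing fields."""
    to, cc = audience(activity)
    if AS_PUBLIC in to:
        return "public"
    if AS_PUBLIC in cc:
        return "unlisted"
    return "restricted"  # followers-only or direct; the payload is still plaintext

def servers_with_plaintext(activity):
    """Hosts of the sender and of each addressed actor.
    Simplification: a collection IRI (e.g. followers) fans out to more hosts."""
    to, cc = audience(activity)
    iris = [activity["actor"], *to, *cc]
    return {urlsplit(iri).hostname for iri in iris if iri != AS_PUBLIC}

def inspect(raw_body):
    activity = json.loads(raw_body)
    return {"visibility": visibility(activity),
            "hosts": servers_with_plaintext(activity),
            "content": activity["object"]["content"]}
```

For the sample, only server-b.example and server-c.example appear in `hosts`; a third server that is not addressed never receives the delivery, while both involved servers can read `content` as stored.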