Published on 25 March 2018
Submitted on 8 August 2020
How much privacy can you expect on the fediverse
Recently, there have been some shocking revelations. Facebook, a company in the business of selling your data to advertisers, had some of its data harvested illegally by a third party, which then used it to advertise to you. As people hate nothing more than getting their data misused without Facebook getting a cut, they are now up in arms and want to leave Facebook once and for all.
The media's eye seems to have fallen on the Mastodon network as the solution this time. For example, look at this Washington Post article, The new technology that aspires to #DeleteFacebook for good (19 trackers on the page, including Facebook), in which they tout it as a privacy-preserving alternative to walled-garden, company-run networks.
Mastodon BDFL Gargron himself wrote an article with the nice subtitle Perspective from a platform that doesn’t put democracy in peril. He is privacy conscious, so this page only has two trackers.
(Aside: This article contains the delightful phrase “#DeleteFacebook is trending on Twitter.")
In all of these articles, Mastodon (and by extension the Fediverse) is described as a more private and secure way of posting cat pictures and "please subscribe to my patreon" online. But is this actually true? Let's check the situation on the fediverse.
Mastodon and Pleroma support four settings for post visibility: public, unlisted, followers only and direct message. What actually happens when you use those settings? The only thing they change is the addressing of the created activity and object, that is, the to and cc fields.

Your server decides which other servers to federate the post to based on those fields, and hopes the receiving server respects them. There is no technological guarantee of this, though. A malicious server can leak all the data it receives, and that includes followers-only posts and direct messages.
"Unlisted" posts are not even in the ActivityPub standard. Mastodon implements them by putting the Public collection in cc instead of to, which is a convention, not a rule other software has to know about. There's no reason to expect any non-Mastodon server to respect the "unlisted" setting: it sees Public in the addressing and will most probably display those posts like public posts.
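To make the point concrete, here is an added example (my own code, not anything from Mastodon or Pleroma) that builds the to/cc addressing for each of the four visibility settings, shows what a Mastodon-style receiver and a receiver that only knows the ActivityPub spec each infer from it, and lists which hosts get a copy of the plaintext. The actor URLs and the follower list are made up; the addressing conventions are Mastodon's as described above.

```python
# Added example, not project code. Shows that post visibility on the
# fediverse is nothing more than addressing metadata on the object.
from urllib.parse import urlparse

# The special "anyone may read this" collection from ActivityStreams.
AS_PUBLIC = "https://www.w3.org/ns/activitystreams#Public"


def address_note(visibility, actor, mentioned=()):
    """Build the to/cc fields a Mastodon-style server attaches to a Note.

    Convention assumed here (Mastodon's; Pleroma follows it for
    compatibility):
      public   : to = [Public],    cc = [followers] + mentions
      unlisted : to = [followers], cc = [Public]    + mentions
      private  : to = [followers], cc = mentions      (followers only)
      direct   : to = mentions,    cc = []
    """
    followers = actor + "/followers"
    mentioned = list(mentioned)
    if visibility == "public":
        return {"to": [AS_PUBLIC], "cc": [followers] + mentioned}
    if visibility == "unlisted":
        return {"to": [followers], "cc": [AS_PUBLIC] + mentioned}
    if visibility == "private":
        return {"to": [followers], "cc": mentioned}
    if visibility == "direct":
        return {"to": mentioned, "cc": []}
    raise ValueError(f"unknown visibility {visibility!r}")


def infer_visibility(obj, followers_collection):
    """What a Mastodon-style receiver reads back from the addressing."""
    to, cc = obj.get("to", []), obj.get("cc", [])
    if AS_PUBLIC in to:
        return "public"
    if AS_PUBLIC in cc:
        return "unlisted"          # Mastodon-only convention
    if followers_collection in to or followers_collection in cc:
        return "private"
    return "direct"


def infer_visibility_naive(obj):
    """A receiver that only knows the ActivityPub spec: Public anywhere
    in the addressing means public. 'Unlisted' does not exist for it."""
    if AS_PUBLIC in obj.get("to", []) + obj.get("cc", []):
        return "public"
    return "limited"


def delivery_hosts(obj, followers):
    """Hosts that receive a copy of the object.

    `followers` is the list of follower actor URLs the sending server
    knows about. Every host returned here gets the plaintext; nothing
    technical stops any of them from storing or republishing it.
    """
    hosts = set()
    for addr in obj["to"] + obj["cc"]:
        if addr == AS_PUBLIC:
            continue                       # not an inbox, just a marker
        if addr.endswith("/followers"):
            hosts.update(urlparse(f).netloc for f in followers)
        else:
            hosts.add(urlparse(addr).netloc)
    return sorted(hosts)


if __name__ == "__main__":
    # Constructed sample data: one sender, two followers on two servers.
    alice = "https://example.social/users/alice"
    bob = "https://friendly.example/users/bob"
    mallory = "https://evil.example/users/mallory"   # follows alice too
    for vis in ("public", "unlisted", "private", "direct"):
        note = address_note(vis, alice, mentioned=[bob])
        print(vis, "->", infer_visibility(note, alice + "/followers"),
              "/ naive:", infer_visibility_naive(note),
              "/ delivered to:", delivery_hosts(note, [bob, mallory]))
```

Run it and note two things: the "private" and "direct" settings reach evil.example just as the "public" one does, as soon as someone there follows you or is mentioned, and a receiver that does not know Mastodon's convention classifies an "unlisted" post as plain public. The setting is a request to the receiving software, not a property of the data.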
There is no end-to-end encryption on the Fediverse. Even direct messages are sent unencrypted. That means the admin of any server your message travelled to can read it by looking it up in the database. With Mastodon's recent addition of optional Elasticsearch full-text search this has become easier, although it was always possible. In the end, you'll have to trust your admin and the admins of all the recipients with your data, so better keep that in mind when posting personal information.
In the end, I'd suggest treating these settings as recommendations only. They offer a similar level of security to a conversation with your friends in a cafe. Someone might overhear you, but generally only the people you want to address will hear what you're saying. If you have something truly private to say, don't do it on the fediverse, or use actual end-to-end encryption.
[https://pawoo.net] is the largest Mastodon instance, with over 300,000 users. It is run by the Pixiv corporation in Japan as a complementary service to their image sharing service. It uses Google Analytics to track your usage of the site.
While it is true that no fediverse software includes tracking by default, there is zero reason why it can’t be added. You will still have to evaluate the tracking status of the server you are on and can’t just rely on the software it uses. This is true for all fediverse servers, be they GNU Social, Hubzilla, PostActiv, Friendica, Mastodon or Pleroma.
Some people are afraid of corporations buying other services to get the users’ data. There is nothing that prevents this on the fediverse. Someone buying pawoo.net would get access to a third of the users in the fediverse, with connections to probably 80% of it. I don’t think it’s likely to happen, but there’s nothing to prevent it, either.
So did Pawoo stray far from the standard Mastodon privacy expectations? When you give your data to a Mastodon instance, what are you agreeing to? Here are some quotes straight from the Terms and Conditions on Mastodon.social:
On keeping users’ IP addresses:
When registered and posting, we record the IP address that the post originated from. We also may retain server logs which include the IP address of every request to our server.
Here’s one about cookies and sharing that data with third-party services like Google Analytics.
And this part is my favorite:
We do not sell, trade, or otherwise transfer to outside parties your personally identifiable information. This does not include trusted third parties who assist us in operating our site, conducting our business, or servicing you, so long as those parties agree to keep this information confidential. We may also release your information when we believe release is appropriate to comply with the law, enforce our site policies, or protect ours or others rights, property, or safety. However, non-personally identifiable visitor information may be provided to other parties for marketing, advertising, or other uses.
Take all that as you will. I don’t believe that mastodon.social actually tries to track and analyze you, but the terms allow more than many anti-tracking people would be comfortable with.
After all that about why the privacy situation isn't as good as people make it out to be, it is still vastly superior to networks like Facebook and Twitter. Here are some reasons:
If you find a server run by someone you trust, or run one yourself, you will have a vastly better expectation of privacy than with the ad-selling networks. I would trust [https://shitposter.club] and [https://niu.moe] with my data. Still, you should expect everything you post publicly to be searchable, analyzable and trackable. If you need better privacy guarantees, use a different service with end-to-end encryption. If you want to have fun hanging out with new friends, get a fediverse account on Mastodon, Pleroma, GNU Social or any other compatible system!