ActivityPub, the protocol that powers the fediverse (including Mastodon – same caveats as the first two times, will be used interchangeably, deal with it) is not private. It is not even semi-private. It is a completely public medium and absolutely nothing posted on it, including direct messages, can be seen as even remotely secure. Worse, anything you post on Mastodon is, once sent, for all intents and purposes completely irrevocable. To function, the network relies upon the good faith participation of thousands of independently owned and operated servers, but a bad actor simply has to behave not in good faith and there is absolutely no mechanism to stop them or to get around this. Worse, whatever legal protections are in place around personal data are either non-applicable or would be stunningly hard to enforce.

  • TiffyBelle@feddit.uk
    link
    fedilink
    English
    arrow-up
    64
    ·
    edit-2
    1 year ago

    I’m not sure this blog post is the “ah-ha!” revelation you think it is.

    If you’re posting something, you’re choosing to put that out there on the public internet which should henceforth be considered “public.” This isn’t a privacy violation unless you choose to make it one by violating your own privacy by oversharing sensitive information.

    This has been the case online since time immemorial. Once something’s out there, consider it non-retractable. This isn’t specific to the Fediverse/ActivityPub. Even in centralized forums/reddit the things you post were cached by web archive/scraped by unscrupulous sites/used to train AI, etc. even if you tried to delete them from the source server. “Deletion” has never truly been a thing on the internet, which is precisely why people should really consider what they post. Heck, there were specific sites dedicated to showing which comments were “deleted” from reddit in full.

    I don’t consider any of these things “privacy violations.” A privacy violation would be if the email address you signed up to your instance with was being broadcast to other servers in the open. What you choose to put out there is up to you and the inherent danger with interacting with any form of social media.

    • bathrobe@kbin.social
      link
      fedilink
      arrow-up
      10
      ·
      1 year ago

      @TiffyBelle

      @Bloonface

      Maybe you didn’t read where it says even DIRECT MESSAGES aka private messages you send to people, and don’t choose to post in public, is easily and easily available.

      This place is already an echo chamber. Jesus that’s bad. Everyone is on a new team and now we love this team and this team is never wrong and all criticisms are invalid. Even the really bad ones.

      I don’t really care. I’m old enough to have never trusted the internet. But let’s not pretend this isn’t a huge fucking deal, and isn’t completely fucked just because Reddit bad and fediverse good

      • TiffyBelle@feddit.uk
        link
        fedilink
        arrow-up
        24
        ·
        1 year ago

        There are literally warnings when you try to DM someone on Fediverse apps that say it should not be treated as a secure medium:

        Even on traditional centralized platforms I’ve never treated DMs as “private.” Anything not end-to-end encrypted cannot be considered private and never has been able to be.

        • melmc@kbin.social
          link
          fedilink
          arrow-up
          4
          ·
          edit-2
          1 year ago

          Of course you can have encrypted group chats on Signal, if you’re not concerned about meta data. Or xmpp group chats with encryption if you want decentralization. You can keep your secret stuff secret and your public stuff public simply by using different apps.

        • bathrobe@kbin.social
          link
          fedilink
          arrow-up
          3
          ·
          1 year ago

          @TiffyBelle

          @Bloonface

          And if other instance owners have access to the private messages of people on every instance, that is a shockingly large flaw. I’m not exactly sure how insecure private messaging would be here. Not that I have people to message. But it being centralized would be more secure if decentralization would allow a much larger number of people to have access to something that, really, should be private.

          There are an overwhelming number of people I don’t think are savvy or cynical enough, call it what you will, to understand that just because they call something a private message - or just because it’s supposed to be a one to one interaction - doesn’t mean no one else can see it. I would think, if anything, an overwhelming majority of people who send a private message/DM on a social media assume that no one else at ALL has access to that information.

      • Melpomene@kbin.social
        link
        fedilink
        arrow-up
        12
        ·
        1 year ago

        Direct messages, private messages, whatever you want to call them… have ALWAYS been available to your social media hosts. Reddit, Twitter, Facebook, Instagram, Discord… they can all read your private communications if they choose to do so. While I’d support E2EE for private messages for kBin etc, pretending that this is some sort of flaw inherent to the fediverse is inaccurate. It’s fair to want the fediverse to be better. It is not fair to hold it to a standard no one has ever applied to other social media.

      • Deceptichum@kbin.social
        link
        fedilink
        arrow-up
        9
        ·
        1 year ago

        Huh funny how a direct message is not a private message, almost like they’re even called completely different things.

        Everything is public here, some stupid Euro anti-user ideals on privacy aren’t the be all and end all .

        Things put in public are public. There is no privacy concern because there has never any privacy, nor will there ever be any privacy to be concerned about in a non-private platform such as this.

          • Deceptichum@kbin.social
            link
            fedilink
            arrow-up
            2
            ·
            1 year ago

            Does Twitter have private messages? I’d have assumed they have access to everything you’ve posted.

            IMs, PMs, and DMs are all pretty different things.

            • bathrobe@kbin.social
              link
              fedilink
              arrow-up
              3
              ·
              1 year ago

              @Deceptichum

              Yes. DMs on Twitter are Direct Messages and are supposed to be private messages send to someone else that no one else can see (except server admins, et al, as we are talking about here). If you send a DM to someone on Twitter or whatever social media (they use DMs to mean private messages on Instagram as well) it’s not on the public feed, no one can search it. Like having a text message conversation

          • Emotional_Series7814@kbin.cafe
            link
            fedilink
            arrow-up
            1
            ·
            1 year ago

            “Direct Message” and “Private Message” indeed mean different things. In practice, because both involve messaging one individual user, a good deal of people (including myself) still expect them to be functionally the same. Part of this functionality we expect is that there is an attempt to make these messages less visible and easy to access than the reply I just sent to you right now. This expectation is validated on Twitter:

            Direct Messages are the private side of Twitter. You can use Direct Messages to have private conversations with people about Tweets and other content.

            on Instagram:

            Instagram DMs are an in-app messaging feature that allow you to share and privately exchange text, photos, Reels, and posts with one or more people.

            by Cambridge Dictionary:

            a private message sent on a social media website, that only the person it is sent to can see

            and by the fact that if you go on anyone’s profile, you can see post history, comment history, and boosts, but not a list of who they tried to send an individual message to or what those messages were. I believe that more technical people could retrieve such messages, that the messages are not totally secure, but to my layman eyes, I do still expect that there was at least an attempt to make these messages private.

    • mightysashiman@kbin.social
      link
      fedilink
      arrow-up
      9
      ·
      edit-2
      1 year ago

      The core issue is not the technology imho. It’s the people : their rampant narcissism that has become the new norm since facebook, and the urge to always post useless crap about themselve everywhere, then suprise-pokemoning when they realise it may not have been the brightest of ideas.