Governments need to get off Twitter and at first glance this seems easy: set up a gov-centric Mastodon instance and convince governments to move.
Except it's far more complicated than that.
In evaluating if this was an endeavor I wanted to pursue (spoiler: no) I wrote up a list of things to consider for this to be done well. Hopefully it helps someone else in solving this problem.
@ottsatwork You're welcome and I hope they find some of it useful. Oddly this is all stuff they're probably already familiar as IT workers in government.
My primary audience were techies who are unfamiliar with some of the requirements needed to play in the government space.
@gairdeachas I think impersonation would be less (but not none) of an issue thanks to website verification. Plus, .gov accounts are restricted, so instances ending with .gov would be pretty straightforward to distinguish?
@philbetts Website verification does indeed help. If you go the single-tenant route and host an instance per government you should be able to use a subdomain to get their .gov -- not sure how else those are handed out. Could a non-profit providing government services get a .gov domain for a multi-tenant instance? Totally outside my wheelhouse I'm afraid.
@gairdeachas my understanding is it's really just about who has rights to configure the domain/server. To verify an account, Mastodon will generate a unique verification code that then needs to be uploaded to the verifying website, then Mastodon will go and check it.
There are government agencies that determine which entities can have .gov domains - they're not available to the public, but are heavily regulated.
@philbetts Right, website validation is really simple but it still requires the human looking at the account to know that the URL in question belongs to the government in question. And its notoriously easy to use subtly different ones that are validated but are still wrong, like śeattle.gov is not seattle.gov.
I don't see website validation alone as sufficient to address impersonation. Important and useful, yes, but not sufficient.
@philbetts śeattle.gov was a poor choice since it is a .gov TLD and would very likely not be given out by the TLD governing body.
For a better example take the domain of my hometown: littlefieldtexas.net. I could easily copy the entire contents of that site at a the new domain littlefieldtx.net, use that for a validated URL on an impersonated account, and start posting official-looking content as the city.
@gairdeachas yeah, it's not a total solution, but the restricted .gov domain, and other signals like follower count, will be a decent proxy. Active moderation policies to defederate fake servers also part of the solution. Less straightforward, but not insurmountable I think.
Add comment