thenexusofprivacy

@thenexusofprivacy@infosec.exchange

A newsletter about #privacy, #technology, #policy, #strategy, and #justice.

Currently at @nexusofprivacy, but looking for a new home and so checking out infosec.exchange


thenexusofprivacy, to fediverse

Threat modeling Meta, the fediverse, and privacy

https://privacy.thenexus.today/fediverse-threat-modeling-privacy-and-meta/

There's very little privacy on the fediverse today. Mastodon and other fediverse software wasn't designed and implemented with privacy in mind. Even the underlying protocol that powers the fediverse has major limitations. But it doesn't have to be that way!

Meta's new product means that it's critical for the fediverse to start focusing more on privacy. Of course, Meta's a threat in many other ways as well; that said, the privacy aspects are important too.

For one thing, if Meta does indeed follow through on its plans to work with instance admins and other "partners" who want to monetize their users (and their data), people in the region of the fediverse that's not Meta-friendly will need stronger privacy protections to protect their data. And Meta's far from the only threat to privacy out there; changes that reduce the amount of data Meta can gather without consent will also help with other bad actors.

More positively, there's also a huge opportunity here. Privacy's even worse on Facebook and Instagram than it is in the fediverse. So if the fediverse can provide a more private alternative, that will be hugely appealing to a lot of people.

Any way you look at it, now's a good time for the fediverse to take privacy more seriously.

The bulk of the article focuses on threat modeling, a useful technique for identifying opportunities for improvement. It's a long article, though, so if you don't want to wallow in the details, feel free to skip ahead to the section at the end on the path forward and the specific recommendations.

And if you're already bought in to the idea that the fediverse should focus more on privacy, and just want to know how you can help make it happen, it also suggests specific actions you can take -- and there's a section with some thoughts for instance admins.

Here's the table of contents:

  • There's very little privacy on the fediverse today. But it doesn't have to be that way!
  • Today's fediverse is prototyping at scale
  • Threat modeling 101
  • They can't scrape it if they can't fetch it
  • Different kinds of mitigations
  • Attack surface reduction and privacy by default
  • Scraping's far from the only attack to consider
  • Win/win "monetization" partnerships, threat or menace?
  • A quick note to instance admins
  • Charting a path forward
  • Recommendations

This is still a draft, so as always feedback is welcome. And thanks to everybody for the feedback on previous drafts!

https://privacy.thenexus.today/fediverse-threat-modeling-privacy-and-meta/

thenexusofprivacy,

@gunchleoc that's a great point, thank you very much for bringing it up! I'll incorporate that when I do a revision. Is it okay if I acknowledge and thank you for pointing it out to me?

thenexusofprivacy,

@gunchleoc good point, I should have mentioned that and been clearer about some of what's needed to make it practical on a large scale. Great feedback once again, I really appreciate it!

WizardBear, to random
@WizardBear@mstdn.social

@thenexusofprivacy Was following your personal account before. Now following this one as well. All the best to you.

thenexusofprivacy,

@WizardBear thanks for following, and all the best to you as well!

darnell, to Instagram

Threads by Instagram will launch on July 6th (thanks for the heads up @dansup!) & I noticed Meta collects a lot of data. So much data!

Threads is rumored to adopt ActivityPub later on (in October maybe‽ We will see), but when it joins the Fediverse (if not on launch day), its data collection policies will make it easier to convince some (but not all) to migrate over to Misskey, Pixelfed, Mastodon & Pleroma.

Note: Uploading on Misskey as my Mastodon account @darnell is being fixed server side right now.

thenexusofprivacy,

@darnell Agreed that people are asking about ads ... although the question folks aren't asking is what about promoted posts (which aren't necessarily ads) and how that'll affect fediverse followers and timelines. We shall see.

In terms of Meta having other ways to get the data, yes, but those could largely be blocked or reduced (and I expect will be by instances that don't federate with Meta). Agreed that Google's also doing this, and I'm sure various bad actors are as well, so reducing this is a good thing in general. I'm working on a more detailed analysis of these various ways of getting at the data, I'll let you know once a draft is ready.

@dansup
@the_Effekt

thenexusofprivacy,

@jerome And agreed that the approach of turning everything off only works for instances and people that want to keep a very low profile, but that's not the case in general. The Mastodon option that disables public access to the site even breaks the About page so it's useless. But, it's not all-or-nothing. Straightforward improvements can really cut down on the scraping and other ways of accessing data.

It's true that many are scraping the whole fediverse already; one of the interesting things about looking at Meta as a threat actor is that mitigations that stop them also stop other threats.

jerry, (edited ) to random

For people new to the fediverse/mastodon: there are some strong customs and strong personalities. I can make a few important quality of life recommendations to give you a more pleasant experience:

In your account settings, go to filters and add a filter to block the following words:
Nazi
Fash
Fascism
Fascist
Twitter
Reddit
Elon
Musk
Defederate
Fediblock

There’s a lot of name-calling and protracted and unproductive discussions using these words. Certainly it’s up to you, but this is my recommendation.

We strongly encourage you to add alt text to any images you post, and if for some reason you do not, you’ll likely be met with many replies all reminding you, with varying levels of intensity, that you forgot. I recommend blocking any account who is rude about it.

Some times you may post something important to you that causes others to be uncomfortable without a content warning. Similarly, you can expect replies of varying politeness asking you to “add a CW”. Things that are patently offensive or not safe for work definitely should have a content warning for obvious reasons, but other than that, use your discretion. Again, I recommend simply blocking people who are too aggressive in their replies related to CWs.

Follow your instance’s rules.

You will rightly be bounced for expressing hate, racism, sexism, homophobia, transphobia, or unwanted harassment. There is no place for that - don’t do it here. I can’t tell you what to think, but if you want to post hateful or harassing content, you should find another platform somewhere else. It isn’t hard to be kind. Or at least not an ass.

The fediverse is all about delegating control to instances and end users. We have many tools available, like muting and blocking accounts, and blocking entire instances, as well as muting conversations. These are very useful to have a good time on the fedi.

Be well and be kind.

thenexusofprivacy,

@jerry "How to use filtering and muting to hear less discussion of odious people on Mastodon and Twitter" has screenshots on how to set up the filters -- I just updated. Interestingly enough, one of the examples I use is the "Elmo" filter, which covers two of the terms in your list!

https://privacy.thenexus.today/how-to-filter-out-mentions-of-unpalatable-people-on-twitter-and-mastodon/

In terms of your specific recommendations, newcomers may want to hold off on filtering the ones related to Fediverse and Mastodon culture -- like blocking and the first four in your list (which I won't mention by name just in case you're filtering them). Understanding instances and blocking is vital for people to know how to navigate the fediverse; and a lot of people came to Mastodon in 2017 in response to an article called "Mastodon is like Twitter without _____" ... that is a huge part of what's shaped and continues to shape Mastodon. Of course there are _____ here as well as anywhere else, but well-moderated instances block them proactively and that's a new experience to many people.

Of course the great thing about filters is that everybody makes their own decisions ... if people don't want to see that stuff they don't have to.

thenexusofprivacy, to mastodon

How to choose the right Mastodon instance

https://privacy.thenexus.today/choosing-a-mastodon-instance/

An excerpt:

...

One of the challenges for newcomers to Mastodon is that you're faced with a major decision when signing up: what server (aka "instance") to choose? Different instances have different focuses: some are geographically focused (sfba.social), identity-based (tech.lgbt), interest-based (mastodon.art), professional (infosec.exchange), a group of friends (friend.camp), or even lipogrammatic (oulipo.social, which doesn't allow the letter 'e' in posts). Others are "general purpose", without a specific focus – like mastodon.social, mastodon.ai, and hachyderm.io. The choice isn't irrevocable – you can migrate your account to another instance and keep the list of who you're following and who's following you – but it's still daunting.

Newcomers are often told that it doesn't matter what instance you're on, or encouraged to join mastodon.social (the "flagship" instance, which is the default for mobile apps and spreadmastodon.com). This is really horrible advice, because what instance you're on has a big effect on your experience – and for most people, mastodon.social is not a good place to start.

...

[This is an updated version of the post I originally did last November. I've tried to double-check that the links all still work, please let me know if I missed any!]

@fediverse

thenexusofprivacy,

@daveley Great question. A few reasons:

  • mastodon.social's so big that the Local and Federated timelines aren't very useful.

  • smaller instances (even if they're not special-interest focused) are more likely to have a good community.

  • many other instances have "silenced" mastodon.social (because of its long history of moderation issues -- or just because of the volume), so people on other instances are less likely to connect with you.

All that being said, I wasn't trying to say that mastodon.social was terrible - it's the advice that's horrible. It's just that for most people it's not the best place to start.

@fediverse

thenexusofprivacy,

@badsynthesis Yeah, it's a challenge. I agree that there should be a basic bar but when it's a part-time volunteer project for so many admins it's hard to know how much is realistic.

Also the software isn't easy to administer well. infosec.exchange's a good choice and the admin is indeed good about patching. On the other hand, set your expectations realistically: last fall infosec.exchange was one of the many Mastodon sites with a misconfiguration that allowed for the downloading and deleting of all files stored on the server (even images attached to followers-only and friends-only posts) and replacing every user’s profile picture.

https://arstechnica.com/information-technology/2022/11/how-secure-a-twitter-replacement-is-mastodon-let-us-count-the-ways/

https://www.alevsk.com/2022/11/system-misconfiguration-is-the-number-one-vulnerability-at-least-for-mastodon/

@fediverse

Maya, to Futurology Spanish

"Should the Fediverse welcome its new surveillance-capitalism overlords? Opinions differ!"

Title translation (Spanish):

"¿Debería el Fediverso dar la bienvenida a sus nuevos amos del capitalismo de vigilancia? ¡Las opiniones difieren!"

This essay by Jon @jdp23 at @thenexusofprivacy, long but very thorough, shows different perspectives and includes the opinions of:

@vantablack @Seirdy @fancysandwiches @alice @viennawriter @oblomov @mcp @fosstodon @darnell @PoliticaConC @tchambers @ianbetteridge @dangillmor @smallpatatas @gcrkrause and many more.

Toot (in English):
https://infosec.exchange/@thenexusofprivacy/110594384248698967

Article (in English):
https://privacy.thenexus.today/should-the-fediverse-welcome-surveillance-capitalism/

It's worth using a site translator and trying to read it.

thenexusofprivacy,

@Maya Thank you very much for the title translation!

thenexusofprivacy, (edited ) to queer

We're here, we're queer, we're federated: How queer, trans, and non-binary people helped create Mastodon and are shaping today's fediverse

https://privacy.thenexus.today/here-queer-and-federated-on-mastodon-and-the-fediverse/

Happy !

This is a draft version, so feedback is very welcome!

@lgbtq_plus

thenexusofprivacy,

@UngodlyAudrey thanks, glad you liked it!

thenexusofprivacy, to fediverse

Should the Fediverse welcome its new surveillance-capitalism overlords? Opinions differ!

https://privacy.thenexus.today/should-the-fediverse-welcome-surveillance-capitalism/

Contents:

  • Two views of the fediverse
  • The case for "Trust but verify"
  • Wait a second. Why should anybody trust Facebook, Instagram, or Meta?
  • Why the Anti-Meta FediPact is good strategy
  • We're here, we're queer, fuck Facebook
  • A few words about digital colonialism
  • Now's a good time for instance admins to discuss with their communities
  • In chaos there is opportunity!

@fediverse

thenexusofprivacy, (edited )

"Should the Fediverse welcome its new surveillance-capitalism overlords? Opinions differ!" ⬆️
has links to perspectives from @vantablack @Seirdy @fancysandwiches @alice @viennawriter @oblomov @mcp @fosstodon @darnell @PoliticaConC @tchambers @deadsuperhero @ianbetteridge @dangillmor @smallpatatas @gcrkrause and more ... like I say, opinions differ, but no matter where you are on it, I appreciate the time everybody's put into articulating their positions.

Thanks also @cendawanita @jo @edendestroyer @ophiocephalic @oliphant @admin1 and @damon for the feedback and discussions!

BTW in the last section when I'm discussing Mastodon's moderation issues, one of the things I mention is the lack of an ability to control who can reply to tweets ... so apologies in advance if this generates a bunch of notifications! I left the acknowledgments out of the main post to try to limit the damage, we'll see how well it works.

https://infosec.exchange/@thenexusofprivacy/110594384248698967

thenexusofprivacy,

Thanks @darnell , glad you like the analysis! I also think it's an opportunity as well as a threat, and I agree that right now it looks like most large instances won't block, and most of all I agree that we'll have to wait and see what happens!

@fancysandwiches when Darnell and I discussed this before he pointed to some things they've said that certainly might imply that -- although also might not (which is back to the wait and see). It's certainly true that somebody like Oprah would have an IT department capable of running it and would see the advantages of being able to do that. But we don't really know, all they've said is "decentralized".

thenexusofprivacy,

@Chimaera there are hundreds of instances that don't want to federate with Meta, so it won't be just a single walled-off server. It's hard to know about second and third hand interactions, it depends to some extent on how the implementation is and how the software evolves. One possibility is a schism where the anti-Meta servers defederate from the Meta-friendly servers and there are some "neutral ground" servers where everybody can interact. We shall see!

And @Kwakigra you are far from the only one who feels that way!

thenexusofprivacy,

@Chimaera We can't stop Meta from doing what they want with the millions of Insta accounts, and we can't stop instances who want to work with Meta from working with Meta. We can however have a Meta-free region of the fediverse, and it's very likely to be better in a lot of ways than the Meta-friendly region.

@fediverse

thenexusofprivacy,

Agreed. I think the offering @darnell sketched for political figures, celebrities, and brands with IT departments is a compelling one and I'm sure they'll offer it, the only question is timing. A hosted version makes sense as well, either them providing the domain or a "bring your own domain" (for a modest fee). For individuals who host on Meta services, the same infrastructure can work and it can either be an upsell from Insta Premium (or whatever it's called) or just drive adoption.

As for supporting individuals on non-Meta hosting ... I'm not sure if the cost structure works for them factoring in moderation and abuse possibilities, and I'm not sure it's a big enough market for them to give up that kind of control. But Darnell had some good points about scenarios where it might well be in their interest. We shall see.

And yes @damon's point about offloading moderation (and legal risk) is a great one. Starting with the larger instances who have a "growth mindset" makes sense. Again it's hard to know how well the business model will actually work, but if not then they can certainly abandon it once it's served their uses. It sounds like they're planning on making it easy for people to move their Mastodon accounts to Project92 right out of the box so there's built-in migration if and when they flick the kill switch (as Google did with XMPP). Interesting times!

@fancysandwiches

thenexusofprivacy,

@damon @darnell Also, they could offer politicians / celebrities / organizations / etc the ability to host their own communities, either using their own IT staff or with Meta's hosting partners (or maybe even Meta themselves).

It could well be that they're looking at working with instance admins who host their own communities as an experiment. If it works, great, they've got a proof point. If not, oh well, they can try something else. That'd be too bad for instance admins who trusted them but hey, move fast and break things!

thenexusofprivacy,

@ianbetteridge Lots of good stuff has been written about this!

thenexusofprivacy,

@CutThroatNeko thanks, glad you like it!

thenexusofprivacy, (edited ) to kbin

Don't tell people "it's easy", and seven more things Kbin, Lemmy, and the fediverse can learn from Mastodon (UPDATED)

https://privacy.thenexus.today/kbin-lemmy-fediverse-learnings-from-mastodon/

This adds several new sections to the previous version -- including an update on what's happened since then. Here's the new table of contents:

I'm flashing!!!!!
But first, some background

  1. Don't tell people "it's easy"
  2. Improve the "getting-started experience"
  3. Keep scalability and sustainability in mind
  4. Prioritize accessibility
  5. Get ready for trolls, hate speech, harassment, spam, porn, and disinformation
  6. Invest in moderation tools
  7. Experiment to find what approaches are a good fit for the current state of the software
  8. Values matter

This is a great opportunity – and it won't be the last great opportunity
Ten days later ...
A few more thoughts on moderation

@lemmy @fediversenews

thenexusofprivacy,

@AudraTran 💯. When I sent out the earlier version, so much of the discussion was techie people saying "no it's not hard". Meanwhile I'm trying to figure out why some of the comments only wound up on my Mastodon account and others only wound up on Lemmy and the answer is ... actually I still have no idea.

thenexusofprivacy, to kbin

Don't tell people "it's easy", and six more things KBin, Lemmy, and the fediverse can learn from Mastodon

https://privacy.thenexus.today/kbin-lemmy-fediverse-learnings-from-mastodon/

Reddit's strategy of antagonizing app writers, moderators, and millions of redditors is good news for reddit alternatives like KBin and Lemmy. And not just them! The fediverse has always grown in waves and we're at the start of one.

Previous waves have led to innovation but also major challenges and limited growth. It's worth looking at what tactics worked well in the past, to use them again or adapt them and build on them. It's also valuable to look at what went wrong or didn't work out as well in the past, to see if there are ways to do better.

Here's the current table of contents:

  • I'm flashing!!!!!
  • But first, some background
  1. Don't tell people "it's easy"
  2. Improve the "getting-started experience"
  3. Keep scalability and sustainability in mind
  4. Prioritize accessibility
  5. Get ready for trolls, hate speech, harassment, spam, porn, and disinformation
  6. Invest in moderation tools
  7. Values matter
  • This is a great opportunity – and it won't be the last great opportunity

https://privacy.thenexus.today/kbin-lemmy-fediverse-learnings-from-mastodon/

Thanks to everybody for the great feedback on the draft version of the post!

@fediversenews @fediverse