We’re in an exciting time for users who want to take back control from major platforms like Twitter and Facebook. However, this new environment comes with challenges and risks for user privacy, so we need to get it right and make sure networks like the Fediverse and Bluesky are mindful of past...
Synopsis:
The article discusses the FBI's seizure of the Mastodon server and emphasizes the need for privacy protection in decentralized platforms like the Fediverse. It calls for hosts to implement basic security measures, adopt policies to protect users, and notify them of law enforcement actions. Users are encouraged to evaluate server precautions and voice concerns. Developers should prioritize end-to-end encryption for direct messages. Overall, the Fediverse community must prioritize user privacy and security to create a safer environment for all.
Summary:
Introduction
We are in an exciting time for users wanting to regain control from major platforms like Twitter and Facebook.
However, decentralized platforms like the Fediverse and Bluesky must be mindful of user privacy challenges and risks.
Last May, the Mastodon server Kolektiva.social was compromised when the FBI seized all electronics, including a backup of the instance database, during an unrelated raid on one of the server's admins.
This incident serves as a reminder to protect user privacy on decentralized platforms.
A Fediverse Wake-up Call
The story of equipment seizure echoes past digital rights cases like Steve Jackson Games v. Secret Service, emphasizing the need for more focused seizures.
Law enforcement must improve its approach to seizing equipment and should only do so when relevant to an investigation.
Decentralized web hosts need to have their users' backs and protect their privacy.
Why Protecting the Fediverse Matters
The Fediverse serves marginalized communities targeted by law enforcement, making user privacy protection crucial.
The FBI's seizure of Kolektiva's database compromised personal information, posts, and interactions from thousands of users, affecting other instances as well.
Users' data collected by the government can be used for unrelated investigations, highlighting the importance of strong privacy measures.
What is a decentralized server host to do?
Basic security practices, such as firewalls and limited user access, should be implemented for servers exposed to the internet.
Limit data collection and storage to what is necessary and stay informed about security threats in the platform's code.
Adopt policies and practices to protect users, including transparency reports about law enforcement attempts and notification to users about any access to their information.
What can users do?
Evaluate a server's precautions before joining the Fediverse and raise privacy concerns with admins and users on the instance.
Encourage servers to include privacy commitments in their terms of service to resist law enforcement demands.
Users have the freedom to move to another instance if they are dissatisfied with the privacy measures.
What can developers do?
Implement end-to-end encryption of direct messages to protect sensitive content.
The Kolektiva raid highlights the need for all decentralized content hosts to prioritize privacy and follow EFF's recommendations.
Conclusion
Decentralized platforms offer opportunities for user control, but user privacy protection is vital.
Hosts, users, and developers must work together to build a more secure and privacy-focused Fediverse.
Important context missing from the EFF article is that the Mastodon instance wasn't the target of the raid according to the admins.
In mid-May 2023, the home of one of Kolektiva.social's admins was raided, and all their electronics were seized by the FBI. The raid was part of an investigation into a local protest. Kolektiva was neither a subject nor target of this investigation. Today, that admin was charged in relation to their alleged participation in this protest.
I actually have a question about this - can’t anyone already see the posts and users’ data? Even a simple user account/script can query most stuff, like posts and comments, and you can indirectly query less easily available things like upvotes by compromising any connected server
I have been laughed at and down voted every single fucking time I point out how woefully unprepared every fucking instance is.
The free model is flawed and will be unsuccessful every fucking time there is any signs popular server. And users aren't going to tolerate moving fucking servers every month.
You think cloudflare is going to keep on protecting lemmy.world each week on their free/professional their? Enterprise starts at 20k a year before traffic, good luck raising that kind of yearly money on a hobby server.
And then there is GDPR and CCPA all of which are ignored and clearly not being enforced just waiting for a lawsuit.
Oh and I do I need to explain to you people the child porn reporting mechanisms that need to be in place?
The only way if this bullshit is successful it's if someone starts a no profit e.g Mozilla foundation and acts like a functioning adult running a business vs a 16 year old tinkering with Linux.
Why the state seize mastodon/exit nodes/megaupload/private servers and NEVER amazon/apple/facebook/twitter/google servers? The law is different if you are a zuckemberg?
I would love defederated identity management in the Fediverse that came with direct and encrypted DM capabilities too. I don't use DMs but there's no need for an admin or anyone else to see what's in them either.
To look at the bright side (or less horribly depressing side, anyway) it’s good that this happened now, while the fediverse is relatively young. Making the necessary changes won’t be quite as complicated.
EDIT: I'm just going to note that kolektiva was an anarchist collective. Doesn't sound quite as trivial as before.
This says that the server was grabbed during an unrelated raid?
How is that even legal. You can just get seized because your neighbor in the server rack is doing something? I feel like that should be a lawsuit for taking down someone's business essentially.
I'll be real with you it doesn't matter if the shits encrypted or not - in 15-20 years if Feds hold onto your messages trivial or not, with their budget and resources they can probably crack hashed data, if Quantum computing comes online especially, where quantum was stuck in a state of laughable doubt just like ML or AI was eight years back.
If what they did was really illegal, then f- them. Otherwise, it's a hint to other instances that they should be investing in offsite redundancy, and a hint to the users that they should join the instances that do. Law enforcement going gestapo is the bread and butter of free speech, regardless of whether that free speech is being used to promote bullshit or facts.
Because of the nature of the fediverse, this also implicates user messages and posts from other instances.
When they say 'messages and posts', the posts are publicly available, by messages do they mean comments?... or is this saying that private messages between users are also in this data?
I guess I'm still ignorant about parts of how the fediverse works. If I private message someone on our .world instance, that data is stored on Ruud's server only, correct? But if I private message someone on another instance, that data is stored on both servers?
edit I just read the mastodon post, it says:
All your posts: public, unlisted, followers-only, and direct ("DMs")