Synopsis: The article discusses the FBI’s seizure of the Mastodon server and emphasizes the need for privacy protection in decentralized platforms like the Fediverse. It calls for hosts to implement basic security measures, adopt policies to protect users, and notify them of law enforcement actions. Users are encouraged to evaluate server precautions and voice concerns. Developers should prioritize end-to-end encryption for direct messages. Overall, the Fediverse community must prioritize user privacy and security to create a safer environment for all.

Summary:

Introduction

  • We are in an exciting time for users wanting to regain control from major platforms like Twitter and Facebook.
  • However, decentralized platforms like the Fediverse and Bluesky must be mindful of user privacy challenges and risks.
  • Last May, the Mastodon server Kolektiva.social was compromised when the FBI seized all electronics, including a backup of the instance database, during an unrelated raid on one of the server’s admins.
  • This incident serves as a reminder to protect user privacy on decentralized platforms.

A Fediverse Wake-up Call

  • The story of equipment seizure echoes past digital rights cases like Steve Jackson Games v. Secret Service, emphasizing the need for more focused seizures.
  • Law enforcement must improve its approach to seizing equipment and should only do so when relevant to an investigation.
  • Decentralized web hosts need to have their users’ backs and protect their privacy.

Why Protecting the Fediverse Matters

  • The Fediverse serves marginalized communities targeted by law enforcement, making user privacy protection crucial.
  • The FBI’s seizure of Kolektiva’s database compromised personal information, posts, and interactions from thousands of users, affecting other instances as well.
  • Users’ data collected by the government can be used for unrelated investigations, highlighting the importance of strong privacy measures.

What is a decentralized server host to do?

  • Basic security practices, such as firewalls and limited user access, should be implemented for servers exposed to the internet.
  • Limit data collection and storage to what is necessary and stay informed about security threats in the platform’s code.
  • Adopt policies and practices to protect users, including transparency reports about law enforcement attempts and notification to users about any access to their information.

What can users do?

  • Evaluate a server’s precautions before joining the Fediverse and raise privacy concerns with admins and users on the instance.
  • Encourage servers to include privacy commitments in their terms of service to resist law enforcement demands.
  • Users have the freedom to move to another instance if they are dissatisfied with the privacy measures.

What can developers do?

  • Implement end-to-end encryption of direct messages to protect sensitive content.
  • The Kolektiva raid highlights the need for all decentralized content hosts to prioritize privacy and follow EFF’s recommendations.

Conclusion

  • Decentralized platforms offer opportunities for user control, but user privacy protection is vital.
  • Hosts, users, and developers must work together to build a more secure and privacy-focused Fediverse.
  • @[email protected]
    English
    1
    2 years ago

    The Fediverse serves marginalized communities targeted by law enforcement

    Ohh no, no no no

  • @[email protected]
    English
    34
    2 years ago

    Why does the state seize Mastodon/exit nodes/Megaupload/private servers and NEVER Amazon/Apple/Facebook/Twitter/Google servers? Is the law different if you are a Zuckerberg?

    • @[email protected]
      English
      38
      2 years ago

      The reason we don’t see seizure of those servers is that those services have established working relationships with law enforcement, so there’s no need to physically seize the servers.

      It’s worth noting that while various CEOs claim not to cooperate with law enforcement, the Patriot Act created provisions for establishing that cooperation without CEO permission or awareness.

      • @[email protected]
        English
        7
        2 years ago

        It is, sadly, like saying in the 1800s: if your newspaper cooperates with the government it is not closed, otherwise we can close it at will. A lot of established freedom of the press laws would never have passed now.

    • Uriel238 [all pronouns]
      English
      9
      2 years ago

      In the case of Meta and the Muskverse, it’s because they regard themselves as a third party and cooperate with law enforcement in disclosing everything about you on request. As per MEGAupload and Backpage (and presently TikTok) this tactic doesn’t always work.

      Google used to claim that they would demand warrants, and then run them past their blue-haired lawyers to make sure all the jots and tittles were in place before releasing data, but that was back in the aughts and early 2010s. I don’t know what Google’s relationship is to law enforcement today.

      Amazon will also totally snitch on you, as will all the telecommunications services (Verizon, AT&T, Comcast, T-Mobile, Astound, etc.). It’s one of the reasons you want to get a VPN service that actively deletes its records, and that law enforcement doesn’t like very much.

      Once US law enforcement wants to get you, do not expect your civil rights to protect you. And don’t talk to law enforcement. Wait for counsel and get a lawyer, because they will try to nail you for CFAA violations which can land you 25 years (which is more than some murder).

  • @[email protected]
    English
    2
    2 years ago

    I just think the fediverse should start storing hashed and salted passwords instead of plaintext as a start

  • KᑌᔕᕼIᗩ
    English
    21
    2 years ago

    I would love defederated identity management in the Fediverse that came with direct and encrypted DM capabilities too. I don’t use DMs but there’s no need for an admin or anyone else to see what’s in them either.

      • @[email protected]
        English
        -5
        2 years ago

        And it’s the year of the Linux desktop 🤦‍♂️

        You aren’t making any relevant point. Just showing how incompetent oss designers and the Linux desktop teams really are.

        Stop trying to make PGP happen. It’s not going to happen.

      • @[email protected]
        English
        2
        2 years ago

        haha yeah, for 26 years now. year of the OpenPGP any day now.

        I agree with you, but the vast majority of people will always sell themselves out for convenience. If PGP caught on, you’d have iPhones with a built-in PGP messaging feature that sends everything unencrypted straight to apple before it sends the encrypted version.

  • @[email protected]
    English
    10
    2 years ago

    That’d be funny if a random sends me a private message, like

    "Hey, nice cock.

    Love, FBI"

    That’d make my day ngl

  • 👁️👄👁️
    English
    12
    2 years ago

    No it’s not, stop posting this sensational bullshit. Or did you guys forget websites and http are also decentralized with the same issues?

  • Proteus
    English
    29
    2 years ago

    great info! question: how can users, “Evaluate a server’s precautions before joining the Fediverse”? ELI5 please.

    • @[email protected]OP
      English
      12
      2 years ago

      That’s a great question. The EFF article gives answers that I find somewhat unsatisfactory (but may be possible solutions given what’s there at the moment):

      For users joining the fediverse, you should evaluate the about page for a given server, to see what precautions (if any) they outline. Once you’ve joined, you can take advantage of the smaller scale of community on the platform, and raise these issues directly with admin and other users on your instance. Insist that the obligations from Who has Your Back, including to notify you and to resist law enforcement demands where possible, be included in the instance information and terms of service. Making these commitments binding in the terms of service is not only a good idea, it can help the host fight back against overbroad law enforcement requests and can support later motions by defendants to exclude the evidence.

      Another benefit of the fediverse, unlike the major lock-in platforms, is that if you don’t like their answer, you can easily find and move to a new instance. However, since most servers in this new decentralized social web are hosted by enthusiasts, users should approach these networks mindful of privacy and security concerns. This means not using these services for sensitive communications, being aware of the risks of social network mapping, and taking some additional precautions when necessary like using a VPN or Tor, and a temporary email address.

      • Proteus
        English
        2
        2 years ago

        very informative. thank you! I like to think I’m pretty good with privacy, but without scoping out the servers, that might not be good enough.

    • AnonymousLlama
      2
      2 years ago

      People also need to factor in their choice of platform. Things like kbin and Lemmy are always being worked on and improved, but like any software there’s definitely going to be bugs, blind spots and issues. I’ve found a lot of these fediverse systems are being made as best as they can but they don’t have the resources like a full on commercial funded endeavor will have (with a dedicated security team etc)

      • Rhaedas
        2
        2 years ago

        Being open source is a huge advantage though. Plenty of commercial proprietary systems have failed terribly because they only had their own security eyes on things. Just pointing out how many separate large companies have had client info and passwords stored in plain text on servers. Anyone in IT knows better, and yet… But also open source is as good as the number of people reviewing it though, so it’s potential, not guarantee.

    • @[email protected]
      English
      8
      2 years ago

      Well, you could determine what jurisdiction the server is physically located in, to determine what law enforcement agencies will be targeting it. For example, a community focused on abortion rights is going to attract users who have had abortions. It would be a tremendously bad idea for such a community to be hosted in Texas, where law enforcement agencies would be directed to target it for harassment. California would be a better option, but that still leaves the server under the jurisdiction of US courts, who may direct the server owner to provide user data to Texas.

      Pirates would want to avoid a physical presence in copyright-unfriendly jurisdictions. Potheads would want to avoid weed-hating jurisdictions.

      Most “servers” now are virtual machines. Police don’t seize VMs. Police seize the physical hardware running the VM. When they target a torrent seedbox VM running on the same physical server as a Lemmy VM instance, they have access to everything on the Lemmy site as well. It would be useful, from a risk assessment profile, to know what else is attracting attention.

      • Proteus
        English
        1
        2 years ago

        very helpful, thanks! IIRC, lemmy.world is based in Poland? I need to look into that. 🤔

    • @[email protected]
      English
      1
      2 years ago

      It would be easier to just not store the IP in the logs. Or offer options to store all, none or a portion of it. This could be toggled for debugging or during an attack.
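
A sketch of the logging toggle suggested in the comment above, which also serves the summary's point about limiting stored data (an added example, not code from the thread or from any Fediverse project). The mode names, the /24 and /48 prefix lengths and the `IpLogPolicy` helper are assumptions made for illustration.

```python
import ipaddress
import time

# Assumed policy for this example: bits of the address kept in "partial" mode.
KEEP_BITS = {4: 24, 6: 48}
MODES = ("all", "partial", "none")


def minimize_ip(addr, mode):
    """Return the form of a client address that may be written to the log."""
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode!r}")
    if mode == "all":
        return addr
    if mode == "none":
        return "-"
    try:
        ip = ipaddress.ip_address(addr.strip("[]"))
    except ValueError:
        return "-"  # hostname or garbage: drop it rather than log it verbatim
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:a.b.c.d is really an IPv4 client
    net = ipaddress.ip_network(f"{ip}/{KEEP_BITS[ip.version]}", strict=False)
    return str(net.network_address)


def scrub_line(line, mode):
    """Rewrite an access-log line whose first field is the client address."""
    client, sep, rest = line.partition(" ")
    return minimize_ip(client, mode) + sep + rest


class IpLogPolicy:
    """Default mode plus a full-logging window that expires on its own."""

    def __init__(self, default="partial"):
        if default not in MODES:
            raise ValueError(f"unknown mode: {default!r}")
        self.default = default
        self._full_until = 0.0

    def enable_full(self, seconds, now=None):
        """Log whole addresses for a limited time (debugging, active attack)."""
        self._full_until = (time.time() if now is None else now) + seconds

    def mode(self, now=None):
        now = time.time() if now is None else now
        return "all" if now < self._full_until else self.default

    def scrub(self, line, now=None):
        return scrub_line(line, self.mode(now))


# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LINES = [
    '203.0.113.57 - - [01/Aug/2023:10:00:00 +0000] "GET /inbox HTTP/1.1" 200 512',
    '2001:db8:85a3:12:8a2e:370:7334:1 - - [01/Aug/2023:10:00:01 +0000] "POST /inbox HTTP/1.1" 202 0',
]

if __name__ == "__main__":
    policy = IpLogPolicy("partial")
    for sample in SAMPLE_LINES:
        print(policy.scrub(sample))
```

Because the full-logging window carries its own expiry, whole addresses stop reaching disk even if nobody remembers to switch the setting back.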

    • Igloojoe
      2
      2 years ago

      Then they could EASILY charge with obstruction of justice. They are already being corrupt fascists…

    • @[email protected]
      English
      4
      2 years ago

      There’s maybe some unnecessary data being kept on the instance but I mean, if you’re gonna pull illegal shit this is not the platform for you.

      • @[email protected]
        English
        5
        2 years ago

        And what if what’s legal now becomes illegal tomorrow? Don’t fall into the “If you have nothing to hide, you have nothing to fear” trap.

        • @[email protected]
          English
          1
          2 years ago

          If that’s your counter then why are you here? This convo, right here, can be used against you. Why even get on the Internet?

    • Marxism-Fennekinism
      English
      18
      2 years ago

      If you federate with other instances they have a copy of your public facing account data. That’s how ActivityPub works and it’s very far from ideal.

      • @[email protected]
        English
        16
        2 years ago

        But if it’s public law enforcement agencies can just browse/scrape the website to collect the data, or am I missing something?

        • @[email protected]
          English
          4
          2 years ago

          Things like PMs, your subscription lists, and upvote/downvotes aren’t possible (or are difficult?) to scrape, but are shared across federated instances. Those things were considered private on Reddit, so a lot of folks might assume they are also private on Lemmy.

        • Marxism-Fennekinism
          English
          8
          2 years ago

          The only actual confidential data stored off instance that I can think of is DMs, if you message someone on another instance (which is why you shouldn’t use DMs for any sensitive communication unless they’re e2ee).

          The other major issue is whether they delete your data when you delete it from your home instance, or if you edit your post, whether they update their version in a timely manner. ActivityPub sends edits and deletion signals to federated instances, but if they have since defederated without purging your instance’s data or are keeping backups, then they could well have posts you think you deleted or display a version of your post that’s out of date (you should assume all versions of an edited post are kept, some platforms keep them all by design presumably to try and mitigate edit-trolling).
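
The deletion behaviour described in the comment above, as an added toy model that is not part of the thread and not any server's actual implementation. `RemoteCache`, the `home.example` names and the sample post are made up; signature verification of incoming activities is assumed to have happened already.

```python
from urllib.parse import urlsplit


def origin(iri):
    """Host part of an actor or object IRI."""
    return urlsplit(iri).hostname or ""


class RemoteCache:
    """Toy model of the copies one receiving instance keeps of remote posts."""

    def __init__(self):
        self.objects = {}     # object id -> current copy
        self.blocked = set()  # domains this instance has defederated from

    def receive(self, activity):
        """Apply one inbox activity; return True if the cache changed."""
        actor, obj = activity["actor"], activity["object"]
        obj_id = obj if isinstance(obj, str) else obj["id"]
        if origin(actor) in self.blocked:
            return False  # nothing from a defederated domain is processed
        if origin(actor) != origin(obj_id):
            return False  # only the object's own server may change or remove it
        kind = activity["type"]
        known = obj_id in self.objects
        if isinstance(obj, dict) and (kind == "Create" or (kind == "Update" and known)):
            self.objects[obj_id] = dict(obj)  # an Update replaces the whole copy
            return True
        if kind == "Delete" and known:
            self.objects[obj_id] = {"id": obj_id, "type": "Tombstone"}
            return True
        return False

    def defederate(self, domain, purge):
        """Block a domain; with purge=True also drop everything cached from it."""
        self.blocked.add(domain)
        stale = [i for i in self.objects if origin(i) == domain] if purge else []
        for obj_id in stale:
            del self.objects[obj_id]
        return len(stale)


# Constructed actor and post on a made-up home instance.
ALICE = "https://home.example/users/alice"
NOTE = {"id": "https://home.example/notes/1", "type": "Note", "content": "draft"}


def simulate():
    """Deliver Create, then Delete, to three instances with different histories."""
    peers = {"federated": RemoteCache(), "purged": RemoteCache(), "kept": RemoteCache()}
    for cache in peers.values():
        cache.receive({"type": "Create", "actor": ALICE, "object": NOTE})
    peers["purged"].defederate("home.example", purge=True)
    peers["kept"].defederate("home.example", purge=False)
    for cache in peers.values():
        cache.receive({"type": "Delete", "actor": ALICE, "object": NOTE["id"]})
    return {name: cache.objects.get(NOTE["id"]) for name, cache in peers.items()}
```

`simulate()` returns a Tombstone for the instance that stayed federated, nothing for the one that purged on defederation, and the original post for the one that blocked the domain but kept its cache.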

      • @[email protected]
        English
        13
        2 years ago

        LOL no public social media can function without “public facing account data”. I’m not worried about that. I’m worried about things like IP address, login info, account metadata, etc

  • Bleeping Lobster
    English
    6
    2 years ago

    Because of the nature of the fediverse, this also implicates user messages and posts from other instances.

    When they say ‘messages and posts’, the posts are publicly available, by messages do they mean comments?.. or is this saying that private messages between users are also in this data?

    I guess I’m still ignorant about parts of how the fediverse works. If I private message someone on our .world instance, that data is stored on Ruud’s server only, correct? But if I private message someone on another instance, that data is stored on both servers?

    Edit: I just read the Mastodon post, it says:

    • All your posts: public, unlisted, followers-only, and direct (“DMs”)

    Shit.

      • TWeaK
        English
        7
        2 years ago

        They’re semi-private, in that users can’t just see other users’ DMs. However instance admins have the capability - the instance admin can see everything in their instance.

        • PeleSpirit
          English
          4
          2 years ago

          Just like on Reddit, Twitter, Facebook, etc. The only difference between them and Lemmy is scale. If a worker at any of those wanted to see your pm, they could and have.

  • @[email protected]
    English
    8
    2 years ago

    If what they did was really illegal, then f- them. Otherwise, it’s a hint to other instances that they should be investing in offsite redundancy, and a hint to the users that they should join the instances that do. Law enforcement going gestapo is the bread and butter of free speech, regardless of whether that free speech is being used to promote bullshit or facts.

    • GatoB
      English
      3
      2 years ago

      they make illegal anything that hurts their revenue even if it is legal and moral, see case of megaupload

    • @[email protected]
      English
      -2
      2 years ago

      Speaking of censorship, I think I got blocked on the World News community for talking shit about dumbass socialist and communist stuff. So I’d just like to say, fuck communists and stuff again. Is my comment visible here or are the mods blocking me?

  • BrikoX
    English
    182
    2 years ago

    Original post: https://kolektiva.social/@admin/110637031574056150

    Important context missing from the EFF article is that the Mastodon instance wasn’t the target of the raid according to the admins.

    In mid-May 2023, the home of one of Kolektiva.social’s admins was raided, and all their electronics were seized by the FBI. The raid was part of an investigation into a local protest. Kolektiva was neither a subject nor target of this investigation. Today, that admin was charged in relation to their alleged participation in this protest.

    • HousePanther
      English
      56
      2 years ago

      Very important context! The US is rapidly turning Christo-Fascist. I hate this country.

      • metaStatic
        28
        2 years ago

        it has always been a Christian theocracy and American exceptionalism is just open source fascism.

        Nothing new is actually happening.

        • HousePanther
          English
          15
          2 years ago

          Yeah, it’s always had something of theocratic leaning. It’s just getting even worse nowadays.

          American exceptionalism is just open source fascism.

          Great expression! I love it.

    • Cynetri (he/any)
      English
      4
      2 years ago

      The article didn’t mention a protest, but the server being compromised due to some sort of unrelated charges was the main topic for a lot of the article

    • @[email protected]
      English
      44
      2 years ago

      Thank you.

      Actual context paints a whole different picture compared to the clickbait post.

    • @[email protected]
      English
      2
      2 years ago

      Are you going to bring these FBI people to court now?

      (the ones of you living in this USA)