Synopsis: The article discusses the FBI’s seizure of the Mastodon server and emphasizes the need for privacy protection in decentralized platforms like the Fediverse. It calls for hosts to implement basic security measures, adopt policies to protect users, and notify them of law enforcement actions. Users are encouraged to evaluate server precautions and voice concerns. Developers should prioritize end-to-end encryption for direct messages. Overall, the Fediverse community must prioritize user privacy and security to create a safer environment for all.

Summary:

Introduction

  • We are in an exciting time for users wanting to regain control from major platforms like Twitter and Facebook.
  • However, decentralized platforms like the Fediverse and Bluesky must be mindful of user privacy challenges and risks.
  • Last May, the Mastodon server Kolektiva.social was compromised when the FBI seized all electronics, including a backup of the instance database, during an unrelated raid on one of the server’s admins.
  • This incident serves as a reminder to protect user privacy on decentralized platforms.

A Fediverse Wake-up Call

  • The story of equipment seizure echoes past digital rights cases like Steve Jackson Games v. Secret Service, emphasizing the need for more focused seizures.
  • Law enforcement must improve its approach to seizing equipment and should only do so when relevant to an investigation.
  • Decentralized web hosts need to have their users’ backs and protect their privacy.

Why Protecting the Fediverse Matters

  • The Fediverse serves marginalized communities targeted by law enforcement, making user privacy protection crucial.
  • The FBI’s seizure of Kolektiva’s database compromised personal information, posts, and interactions from thousands of users, affecting other instances as well.
  • Users’ data collected by the government can be used for unrelated investigations, highlighting the importance of strong privacy measures.

What is a decentralized server host to do?

  • Basic security practices, such as firewalls and limited user access, should be implemented for servers exposed to the internet.
  • Limit data collection and storage to what is necessary and stay informed about security threats in the platform’s code.
  • Adopt policies and practices to protect users, including transparency reports about law enforcement attempts and notification to users about any access to their information.

What can users do?

  • Evaluate a server’s precautions before joining the Fediverse and raise privacy concerns with admins and users on the instance.
  • Encourage servers to include privacy commitments in their terms of service to resist law enforcement demands.
  • Users have the freedom to move to another instance if they are dissatisfied with the privacy measures.

What can developers do?

  • Implement end-to-end encryption of direct messages to protect sensitive content.
  • The Kolektiva raid highlights the need for all decentralized content hosts to prioritize privacy and follow EFF’s recommendations.

Conclusion

  • Decentralized platforms offer opportunities for user control, but user privacy protection is vital.
  • Hosts, users, and developers must work together to build a more secure and privacy-focused Fediverse.
  • Proteus@lemmy.world
    link
    fedilink
    English
    arrow-up
    30
    ·
    1 year ago

    great info! question: how can users, “Evaluate a server’s precautions before joining the Fediverse”? ELI5 please.

    • Raisin8659@monyet.ccOP
      link
      fedilink
      English
      arrow-up
      14
      ·
      1 year ago

      That’s a great question. The EFF article gives answers that I find somewhat unsatisfactory (but may be possible solutions given what’re there at the moment):

      For users joining the fediverse, you should evaluate the about page for a given server, to see what precautions (if any) they outline. Once you’ve joined, you can take advantage of the smaller scale of community on the platform, and raise these issues directly with admin and other users on your instance. Insist that the obligations from Who has Your Back, including to notify you and to resist law enforcement demands where possible, be included in the instance information and terms of service. Making these commitments binding in the terms of service is not only a good idea, it can help the host fight back against overbroad law enforcement requests and can support later motions by defendants to exclude the evidence.

      Another benefit of the fediverse, unlike the major lock-in platforms, is that if you don’t like their answer, you can easily find and move to a new instance. However, since most servers in this new decentralized social web are hosted by enthusiasts, users should approach these networks mindful of privacy and security concerns. This means not using these services for sensitive communications, being aware of the risks of social network mapping, and taking some additional precautions when necessary like using a VPN or Tor, and a temporary email address.

      • Proteus@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        very informative. thank you! I like to think I’m pretty good with privacy, but without scoping out the servers, that might not be good enough.

    • Rivalarrival@lemmy.today
      link
      fedilink
      English
      arrow-up
      8
      ·
      1 year ago

      Well, you could determine what jurisdiction the server is physically located in, to determine what law enforcement agencies will be targeting it. For example, a community focused on abortion rights is going to attract users who have had abortions. It would be a tremendously bad idea for such a community to be hosted in Texas, where law enforcement agencies would be directed to target it for harassment. California would be a better option, but that still leaves the server under the jurisdiction of US courts, who may direct the server owner to provide user data to Texas.

      Pirates would want to avoid a physical presence in copyright-unfriendly jurisdictions. Potheads would want to avoid weed-hating jurisdictions.

      Most “servers” now are virtual machines. Police don’t seize VMs. Police seize the physical hardware running the VM. When they target a torrent seedbox VM running on the same physical server as a Lemmy VM instance, they have access to everything on the Lemmy site as well. It would be useful, from a risk assessment profile, to know what else is attracting attention.

      • Proteus@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        very helpful, thanks! IIRC, lemmy.world is based in Poland? I need to look into that. 🤔

    • AnonymousLlama@kbin.social
      link
      fedilink
      arrow-up
      2
      ·
      1 year ago

      People also need to factor in their choice of platform. Things like kbin and Lemmy are always being worked on and improved, but like any software there’s definitely going to be bugs, blindspots and issues. I’ve found a lot of these fediverse systems are being made as best as they can but they don’t have the resources like a full on commercial funded endeavor will have (with a dedicated security team etc)

      • Rhaedas@kbin.social
        link
        fedilink
        arrow-up
        3
        ·
        edit-2
        1 year ago

        Being open source is a huge advantage though. Plenty of commercial proprietary systems have failed terribly because they only had their own security eyes on things. Just pointing how many separate large companies have had client info and passwords stored in plain text on servers. Anyone in IT knows better, and yet… But also open source is as good as the number of people reviewing it though, so it’s potential, not guarantee.