Synopsis: The article discusses the FBI’s seizure of the Mastodon server and emphasizes the need for privacy protection in decentralized platforms like the Fediverse. It calls for hosts to implement basic security measures, adopt policies to protect users, and notify them of law enforcement actions. Users are encouraged to evaluate server precautions and voice concerns. Developers should prioritize end-to-end encryption for direct messages. Overall, the Fediverse community must prioritize user privacy and security to create a safer environment for all.

Summary:

Introduction

  • We are in an exciting time for users wanting to regain control from major platforms like Twitter and Facebook.
  • However, decentralized platforms like the Fediverse and Bluesky must be mindful of user privacy challenges and risks.
  • Last May, the Mastodon server Kolektiva.social was compromised when the FBI seized all electronics, including a backup of the instance database, during an unrelated raid on one of the server’s admins.
  • This incident serves as a reminder to protect user privacy on decentralized platforms.

A Fediverse Wake-up Call

  • The story of equipment seizure echoes past digital rights cases like Steve Jackson Games v. Secret Service, emphasizing the need for more focused seizures.
  • Law enforcement must improve its approach to seizing equipment and should only do so when relevant to an investigation.
  • Decentralized web hosts need to have their users’ backs and protect their privacy.

Why Protecting the Fediverse Matters

  • The Fediverse serves marginalized communities targeted by law enforcement, making user privacy protection crucial.
  • The FBI’s seizure of Kolektiva’s database compromised personal information, posts, and interactions from thousands of users, affecting other instances as well.
  • Users’ data collected by the government can be used for unrelated investigations, highlighting the importance of strong privacy measures.

What is a decentralized server host to do?

  • Basic security practices, such as firewalls and limited user access, should be implemented for servers exposed to the internet.
  • Limit data collection and storage to what is necessary and stay informed about security threats in the platform’s code.
  • Adopt policies and practices to protect users, including transparency reports about law enforcement attempts and notification to users about any access to their information.

What can users do?

  • Evaluate a server’s precautions before joining the Fediverse and raise privacy concerns with admins and users on the instance.
  • Encourage servers to include privacy commitments in their terms of service to resist law enforcement demands.
  • Users have the freedom to move to another instance if they are dissatisfied with the privacy measures.

What can developers do?

  • Implement end-to-end encryption of direct messages to protect sensitive content.
  • The Kolektiva raid highlights the need for all decentralized content hosts to prioritize privacy and follow EFF’s recommendations.

Conclusion

  • Decentralized platforms offer opportunities for user control, but user privacy protection is vital.
  • Hosts, users, and developers must work together to build a more secure and privacy-focused Fediverse.
  • mrmanager@lemmy.today
    link
    fedilink
    English
    arrow-up
    6
    ·
    edit-2
    1 year ago

    I don’t think gdpr is required when it’s not a company running the instances? We have 1389 instances running now, rented or owned by individuals. Interesting point though, wonder if gdpr applies still.

    And if an instance is hosted in America, does it still apply? It seems many advertising companies are avoiding Europe because there is privacy laws like gdpr.

    • Atemu@lemmy.ml
      link
      fedilink
      English
      arrow-up
      7
      ·
      1 year ago

      IANAL.

      I don’t think gdpr is required when it’s not a company running the instances?

      Depends on whether your thing is intended for public or private use. If it’s just a static website to share files with friends and family or a chat service for a similarly limited group, then no, the GDPR does not apply.

      Most popular Fediverse instances are clearly made for public use however.

      if an instance is hosted in America, does it still apply

      As long as it processes data of EU citizens, the GDPR applies. Whether the EU is able to enforce it is a different question.

    • Atemu@lemmy.ml
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      IANAL.

      I don’t think gdpr is required when it’s not a company running the instances?

      Depends on whether your thing is intended for public or private use. If it’s just a static website to share files with friends and family or a chat service for a similarly limited group, then no, the GDPR does not apply.

      Most popular Fediverse instances are clearly made for public use however.

      if an instance is hosted in America, does it still apply

      As long as it processes data of EU citizens, the GDPR applies. Whether the EU is able to enforce it is a different question.

    • Zetaphor@zemmy.cc
      link
      fedilink
      English
      arrow-up
      3
      ·
      edit-2
      1 year ago

      When the regulation does not apply

      Your company is service provider based outside the EU. It provides services to customers outside the EU. Its clients can use its services when they travel to other countries, including within the EU. Provided your company doesn’t specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.

      Source: European Commission

      This has been my primary understanding, since many of us instance admins are not specifically targeting individuals in the EU, say as opposed to a company like Facebook or Spotify, we are not subject to the GDPR.

      • mrmanager@lemmy.today
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        1 year ago

        It also says company here. We (instance owners) don’t have companies (corporations), which also makes gdpr not apply on it’s own, correct?

        • Zetaphor@zemmy.cc
          link
          fedilink
          English
          arrow-up
          2
          ·
          edit-2
          1 year ago

          It says “company or entity” further up in the page, that quote is just an example they provided.

          I am neither a lawyer or an EU citizen, so honestly I don’t know. This is the law as I understand it from reading that source.

          This is one of the many reasons I have a semi-private instance, so I’m only liable to myself and maybe a few friends.

          • mrmanager@lemmy.today
            link
            fedilink
            English
            arrow-up
            1
            ·
            edit-2
            1 year ago

            I asked chatgpt and it seems to apply to instance owners:

            The General Data Protection Regulation (GDPR) is a data protection law that was implemented by the European Union (EU) to protect the personal data and privacy of individuals within the EU. It applies to both corporations and individuals who process personal data in the context of offering goods or services to individuals in the EU or monitoring the behavior of individuals within the EU, regardless of where the company is located.

            So, the GDPR does not only apply to corporations but also to any individual or organization that handles personal data of individuals within the EU, irrespective of their size or location. This means that even small businesses, non-profit organizations, and individuals who process personal data falling within the scope of the GDPR must comply with its provisions.

            • Zetaphor@zemmy.cc
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 year ago

              I’m definitely not taking legal advice from ChatGPT lol

              This does beg the question, what constitutes personal data? If I don’t require an email for signup, does information you publicly post count as personal data?

              It seems we’d be best asking a lawyer for these kinds of things

              • mrmanager@lemmy.today
                link
                fedilink
                English
                arrow-up
                1
                ·
                1 year ago

                Chatgpt is usually accurate enough in my experience and also what it says below is what i I know myself is included:

                Personal data, as defined by various data protection laws, refers to any information that relates to an identified or identifiable natural person. This means that personal data includes any data that can be used, directly or indirectly, to identify an individual. It can be a name, identification number, location data, online identifier, or factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.

                Examples of personal data include:

                1. Name: Full name, first name, last name, or initials.
                2. Contact Information: Email address, phone number, physical address, or social media handles.
                3. Identification Numbers: National ID number, passport number, social security number, or driver’s license number.
                4. Location Data: GPS coordinates, IP address, or data from tracking systems.
                5. Online Identifiers: Usernames, account numbers, or device-specific identifiers.
                6. Biometric Data: Fingerprints, facial recognition data, or voiceprints.
                7. Health Information: Medical history, health conditions, or health insurance details.
                8. Financial Information: Bank account numbers, credit card details, or income information.
                9. Racial or Ethnic Information: Information about race, ethnicity, or cultural background.
                10. Sexual Orientation: Information regarding a person’s sexual orientation or preferences.

                It’s important to note that even if a single piece of data seems innocuous or does not appear personally identifiable by itself, when combined with other data points, it might lead to the identification of an individual. Therefore, data controllers and processors are obligated to treat all such data with care and follow data protection regulations, such as the General Data Protection Regulation (GDPR) in the European Union or other relevant laws, to ensure the privacy and security of individuals’ personal data.