Mastodon is not a good place to share private data. It's a distributed set of SQL databases. There's no real oversight or accountability. There's not really even an attempt to secure anything. There's no encryption, even for DMs. It's all stored in plaintext in Postgres (and often elsewhere, like Elasticsearch and Amazon S3).
@root true day. but it's not designed for security. It's designed for no ads and no attention-sucking algorithms
@mudl agreed, but why not design for both? Mastodon could implement end-to-end encryption for DMs for example, and it would add value without compromising anything else on the platform.
I think most Mastodon users are probably not aware of the privacy trade-offs. There may be an unrealistic expectation of privacy where it does not exist. So I try to help broadcast and educate about the limitations.
@root @mudl i feel like there's a point where you might give other people unrealistic expectations, though. like there is absolutely no way to do federated microblogging where bad actors can't collect private data given out.
this dosen't mean there's no value in it, but people posting have to understand there is zero expectation of privacy
@anna @root @mudl this is incorrect. you can most certainly create a federated microblogging platform in which users can specify the privacy level of their posts and then provide assurances that level is respected. that's literally what encryption and authorization are for in any distributed system. that doesn't mean it's easy but it can be done.
@walruslifestyle @root @mudl the problem is the paradigm is that of sharing and disseminating content, and putting the least amount of barriers in the way of publishing and exposing that content. im not sure it's good to give lay persons who don't understand data security any expectation of privacy in any context because it's not always clear to them what those context boundaries are, and might make bad decisions thinking all content is private
@anna @root @mudl i don't disagree. i wonder, though--short of putting a disclaimer "this is NOT private!" on every post, how do you disabuse people of that expectation? because for better or worse i think users do expect a certain amount of privacy. especially if there is a "private" post feature, or a direct message feature. those names are misleading in a no-privacy scenario, i think.
"Socialize freely and organize responsibly" is how I put it in the docs for the instance I have in soft launch
We need to be able to set the privacy of our toot to the instance only, thus we would know exactly where our message is stored.
@root I'm old enough to remember when CB radio was popular (that anyone could listen into, join in or record to gain info for later) and later when mobile phones were analogue (so easily monitored with scanners, usually illegal but still widely done), so I treat Mastodon use with similar caution
To be fair many admins and other people do warn users about this, and to use other services with end to end encryption for more private comms..
@root private data is not for share.
@root now, to be fair, that describes most online services, even some more "pro" than Mastodon (heck, I remember a number of cases of big services that didn't even crypt the user passwords properly).
@renatoram agreed. I think it's more about making sure people have the right expectations, and understand that even DMs aren't really private. Some people understand this intuitively, but I'm not sure all users do.
Also, the distributed nature of Mastodon in some ways changes the privacy risk, because anyone can start up an instance, and so you have thousands of admins with access to the Postgres databases, and all the content therein.
i run my own instance just for me