jonw's mayhem academy

Canadiana. Tech. Dogs.

(AKA Mastodon, Pleroma, and Friendicas)

There are lots of “new” social media sites and software cropping up these days; largely in response to Facebook’s terrible behaviour, but also because a lot of things are coming together which make it easy to do so. Social Media in general has reached critical mass and has become so ingrained in modern societies that pretty much any social media has a chance to take hold. On the practical side, programs like Mastodon (and Pleroma, and Friendica, etc) are almost trivial to install and maintain. This makes it possible and fun for almost anyone with basic sysadmin skills to deploy an instance and join the Fediverse.

The Fediverse

I am going to try to avoid turning this into a Fediverse post so I will explain the Fediverse only to the level of detail needed to continue with the point of this post.

The term “Fediverse” is a colloquial portmanteau most commonly used to refer to The Federated Universe. Federation essentially means to join or form together and that accurately describes how Fediverse applications like Mastodon work. An individual Mastodon instance becomes aware of other Mastodon instances and they start to share posts from their respective users with each other. The instances continue to join with other instances they become aware of over time, and the connections — or federation — continue to grow. Instances that are federated with each other will display the public posts from each other on their own timelines. Therefore, a public post I make on Instance A will appear on the public federated timeline of Instance B automatically. This is done by Instance A actually sending my post to Instance B so there are now two copies of it, one on each instance.

A visual representation of the Fediverse gives some idea of what the Fediverse looks like. You can easily find the more influential instances by selecting the “Activity” color coding option and observing the level of opacity of the rays coming from each instance. The instances with more opaque rays have more activity.

In practical terms, this means that although there are thousands of individual Fediverse instances, it doesn’t matter terribly much which one you join. You’re able to directly interact with people on other instances due to federation, so being on the same instance as another person doesn’t significantly lessen your ability to interact with them. Assuming your two instances know of each other, your posts will still reach them, and their posts will still reach you.

Fediverse applications use the ActivityPub protocol which lends itself well to a Twitter-like social media experience, rather than a Facebook-like experience. By that I mean it has weak friend support — it’s basically limited to “Following” a user, or direct messaging a user, such as you’d do on Twitter rather than the rich two-way private friendship complete with lots of visual media that you can establish on Facebook.

The two most common ways Fediverse instances discover each other are:

  1. The admin of the instance purposely federates with an instance using a relay.

  2. A user on an instance follows or mentions a user on another instance.

OK, that should be enough to get us going.

Social network privacy

Privacy is the ability of an individual or group to seclude themselves, or information about themselves, and thereby express themselves selectively.

I think we can all agree by now that there’s really no such thing as privacy on social networks. Nobody has yet found a way to make users pay money for the use of a social network, therefore the networks have to make their money elsewhere. The most obvious way to make money is to sell advertising targeted at users of the network, which all the social network sites do now. Inherent in the ability to sell targeted ads is the collection of as much user data as possible. A network can’t fulfill an ad request to target “millennial white males making over $50K in Toronto with two or more dogs” if the social network isn’t collecting data such as gender, birthdate, income, and lifestyle data.

At this point in our collective social network evolution, it’s arguably not possible for a social network to survive without harvesting and selling aggregate user data.

Privacy on Facebook, Twitter, and the Fediverse

Facebook and Twitter harvest user data. They make that clear in their respective terms of service and privacy policies. There’s no secret there. The Fediverse, however, isn’t a company. The Fediverse has no terms of service or privacy policy because it is just a protocol and some software. If there is a privacy policy or terms of service to be found anywhere, it is because an individual instance administrator has published it; in which case its scope is limited to that instance alone.

And therein lies probably the biggest privacy issue with the Fediverse: based on how federation works, users have no way to tell where their posts go or how long they live.

To make the issue easier to understand, I’ll use my home instance as an example. My Fediverse account is on Hackers.Town (HT). HT is a private instance that does not allow open registrations. As such, it has a fairly low user count of 145 (at the time of this writing). Let’s look at the HT stats harvested by the Fediverse Network project here.

At only 145 users, HT is federating with 4,849 other instances that it knows about.

Another Fediverse stats site tells me that HT has over 11,000 peers.

Obviously there is some work to be done in stat collection overall, but the point is that my public posts on HT go to thousands of other instances that I do not have a relationship with. I don’t have any agreement with the admins of those other instances and those admins aren’t required to uphold the terms of service of the instance I do have a relationship with, Hackers.Town.

The big Fediverse apps (Mastodon and Pleroma) are open source; presumably they all are. That means an admin of an instance has full access to the code, which is a good thing for society at large. However, it does mean an instance admin could do some bad things. In the scope of privacy, one of the most egregious things an admin could do is stub out the ‘post delete’ code (somewhere around here, I think /app/lib/activitypub/activity/delete.rb) which would have the effect of the instance not honouring delete requests. In that case, the instance becomes a vacuum cleaner, hoovering up every post that comes its way and storing it away for...why?

How is the Fediverse less private than existing social networks?

Keeping in mind that the definition of privacy I’m working with is the ability to selectively express myself, I suggest that the Fediverse is less private than existing social networks for three main reasons:

My individual data is sent to unknown third parties

On Facebook and Twitter (and the rest), I send my data to Facebook and Twitter. And yes, they can and do stuff with it but at least I know who did that stuff and I gave them permission to do so. The Fediverse offers no such identification method — I do not know who my data is given to, but I do know for certain that it is shared with unknown parties.

The Fediverse shares my individual (not aggregate) data

Facebook and Twitter don’t technically sell user data. They sell aggregate user data which is what allows them to target my millennial dog owner earlier in the post. They can’t, or aren’t supposed to, sell me, personally. That is what prevents advertisers from saying “I want Jon Watson to see this ad”.

Conversely, because I have no relationship with most of the parties that hold my Fediverse data, they can make use of my individual data without my consent or even notification that they’re doing so.

The Fediverse provides no way for me to delete all my account data

There is a lot of privacy legislation aimed at social networks these days. A lot of it has to do with ensuring that users have access to their full data upon request and also have the ability to insist that their account and data be deleted if desired. Unfortunately, federation is not an exact science. The vagaries of the internet, different site configurations, malicious sites, and broken instances can all contribute to messages not being federated properly to all sites. That means that not only is a user unable to determine all the instances that may have their data, it’s also not possible to be certain that user data has been deleted completely, across the entire Fediverse, upon request. And that’s not likely to be fixed soon. Because there is no “Fediverse, Inc.”, there is no entity that can be regulated by privacy laws into developing ways to comply with this type of privacy legislation.
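The deletion problem described here, and in the earlier paragraph about an admin stubbing out delete handling, as a toy model added to this page (it is not code from the original post or from Mastodon). The instance names, the `Instance` class and the simplified activity shapes are assumptions, and the model does no delivery retries.

```python
"""Toy model of federation: a post fans out as Create, then a Delete follows."""
from dataclasses import dataclass, field


@dataclass
class Instance:
    """One server in the model. All domains below are constructed examples."""
    domain: str
    honours_delete: bool = True   # False: admin has stubbed out delete handling
    reachable: bool = True        # False: instance is down when an activity arrives
    store: dict = field(default_factory=dict)   # post id -> content
    peers: list = field(default_factory=list)   # instances this one federates with

    def receive(self, activity: dict) -> bool:
        """Handle an inbound activity; return True if the delivery was accepted."""
        if not self.reachable:
            return False
        if activity["type"] == "Create":
            obj = activity["object"]
            self.store[obj["id"]] = obj["content"]
        elif activity["type"] == "Delete" and self.honours_delete:
            self.store.pop(activity["object"], None)
        # An instance that ignores Delete still reports success to the sender.
        return True

    def publish(self, post_id: str, content: str) -> dict:
        self.store[post_id] = content
        create = {"type": "Create", "object": {"id": post_id, "content": content}}
        return self._fan_out(create)

    def delete(self, post_id: str) -> dict:
        self.store.pop(post_id, None)
        return self._fan_out({"type": "Delete", "object": post_id})

    def _fan_out(self, activity: dict) -> dict:
        """Send to every peer; return the per-peer receipts the origin can see."""
        return {peer.domain: peer.receive(activity) for peer in self.peers}


def run_scenario():
    """Publish one public post, delete it, and compare receipts with reality."""
    home = Instance("home.example")
    honest = Instance("honest.example")
    hoarder = Instance("hoarder.example", honours_delete=False)
    flaky = Instance("flaky.example")
    home.peers = [honest, hoarder, flaky]

    post_id = "https://home.example/posts/1"
    home.publish(post_id, "public post")
    flaky.reachable = False            # goes offline after storing its copy
    receipts = home.delete(post_id)    # all the origin ever learns
    flaky.reachable = True             # back online, copy still stored

    everyone = (home, honest, hoarder, flaky)
    remaining = sorted(i.domain for i in everyone if post_id in i.store)
    return receipts, remaining


if __name__ == "__main__":
    receipts, remaining = run_scenario()
    print("delete receipts seen by origin:", receipts)
    print("instances still holding the post:", remaining)
```

The origin's receipts flag only the unreachable instance; the one that ignores the Delete is indistinguishable from one that honoured it, so the receipts cannot confirm that the post is gone.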

So what?

Good question. I use the Fediverse as my primary social media so obviously I am OK with all these issues. Mostly, I use the Fediverse because I actually like it. I find the level of discourse to be higher than on Facebook or Twitter, and because I am aware of the unique privacy issues of the Fediverse, I am able to tailor my interactions accordingly.

The reach of a single Fediverse instance can be wide, even if it is a very small instance. I was given permission by the admin of a single-user Mastodon instance to use his site to show how a very small instance federates as easily as larger instances. It’s a good example of how a single-user instance still shares data with almost 5,000 other sites. While I don’t worry that this particular admin is doing this, it serves to illustrate how anyone can set up a locked down, inaccessible Mastodon instance and just collect data from all over the Fediverse for any reason at all.

I am not ignorant to the fact that there’s very little rich user data on the Fediverse to capture. Facebook is an extremely rich trove of user data so the risks are much higher when that data is shared than the risk of my relatively meagre Fediverse data being shared. However, the richness of Fediverse user data is not inherently restrained in the protocol so there’s room for that pool of data to get richer over time and privacy controls may not develop at the same rate.

Finally, I’d like to try to proactively address some comments which may be coming.

  1. I acknowledge that there are privacy controls within the Fediverse apps and protocols such as direct messages and post-specific settings such as “followers only” and “unlisted”. However, because the underlying federation aspect will send at least some of my posts to unknown people without my consent or knowledge, I don’t feel that those controls comprehensively support the ability to “selectively” express myself in the scope of the fediverse at large.

  2. I’ve heard the argument that a public post on Facebook or Twitter is the same as a public post on the Fediverse and therefore a Fediverse post poses no more risk. However, I disagree with this argument for the three reasons I’ve stated earlier in this post, as well as a more nuanced reason. I’ve already stated that when I give data to Facebook or Twitter, I know I am giving it to them. Therefore, there’s also only one place for someone to harvest that data from Facebook or Twitter and those companies exercise some control over data scraping and API usage. That is a very different circumstance than a rogue Mastodon instance silently copying the entire Fediverse.

Originally published at https://www.jonwatson.ca on October 6, 2019.

my shorter content on the fediverse: https://the.mayhem.academy/@jdw


I’ve been on course this week for work. I’m taking subsequently more challenging Amazon Web Services (AWS) courses and certifications and it’s been an eye-opening experience. Tech is fast-moving and nearly everyone working in it is under-trained and barely up to speed on whatever the new thing is, so when I actually get loaded on a training course it’s a pretty big deal. This week I’ve discovered the widening delta between what my role as a Linux Sysadmin used to be, and what it entails today.

Most of you reading this will associate the company Amazon with buying stuff online. That’s OK, I get that. I have an ongoing Amazon “Prime” bill just like the rest of us. Amazon is a giant in the retail world and the model for how to build an online business. But the AWS product category is a profit juggernaut that powers a huge chunk of the internet. Fun fact: AWS accounted for almost 70% of Amazon’s operating profit in Q4 2019. Some of you are unaware of the specifics of AWS, but you’ll likely be familiar with the term “the cloud”. Some technologists like to quip that the cloud is really just someone else’s computer which is true, but it vastly over-simplifies the benefits of the cloud. It’s in those benefits where the current set of Sysadmin skills diverge from the skills needed in days of yore.

Read more...

With so many trackers in our homes, why are TV manufacturers now spying on us, too?

I’m not sure why adding Internet connectivity to a device suddenly qualifies it as a “smart” device, but here we are. While some manufacturers still naively make the best product they can and enhance it by adding useful internet access, most of these devices are really Trojan horses designed to be attractive enough to get into our houses, and then blend into the background.

There they sit, forgotten, until some catastrophe like a new wifi router or power outage causes us to pay brief attention to them again. But, until then they silently sit in plain view, listening and watching, harvesting our daily lives for every tiny scrap of information they can sense, squirrelling it away for some future, coveting it against the time when it may be useful. How did we get here? Believe it or not, it’s all about advertising.

Read more...

I’m Canadian and therefore painfully aware that most of the world looks at Canada as “America Lite”. And, until 2016, I would have agreed with you. Two important things happened in 2016 to change my views on that: the whole Trump thing, and I started working for a U.S. based company. During that time I have become far more acquainted with Americans than before, and have learned a lot about American culture. One of the things I’ve learned is that somehow Americans are not America. By that, I mean that the Americans I work with are intelligent, thoughtful, fun-loving rapscallions. But America itself has a global public relations problem and is widely viewed as xenophobic and racist. I believe that America is the Americans I know and work with, not the press’ view, but this experience has been very instructional to me about how a polarized media can hurt the world’s view of a country. Keep on keeping on, my Americans. You got this.

Close the door door

In some circumstances, the correct thing to do is do the thing again. Like, if someone shoots you, it is perfectly acceptable to shoot them back. I get that, and while I hope nobody gets shot, that’s a pretty normal human reaction to bad things happening to us. But sometimes doing the thing again doesn’t make sense. Like, if you’re mad that a website censors content you like, blocking that website so you can’t look at it makes no sense at all. Side note: people say “no sense” enough that we now just call it “nonsense”, but we should call it Idahosense.

Read more...

Seth Stephens-Davidowitz is a trained philosopher and economist and he’s written one of the most interesting books I’ve ever read titled Everybody Lies. The theme of the book is to debunk “common wisdom” through the use of empirical data to show that the answers people give to things like surveys and polls are lies. Stephens-Davidowitz uses internet data, primarily Google Trends, as evidence.

Read more...

I publish all my posts as text (below) and audio (above). Enjoy!

I've been writing for a long time. My first published article was in 2006 in the now-defunct print version of the Linux Journal and I haven't stopped since. I've written a handful of print articles, a short computer history book, and literally thousands of online articles and blog posts over the years. I've probably deleted a good third of what I've written but my stuff is still all over the internet in one form or another. I've learned a lot over the years and one thing that many writers will tell you is that the toughest part of writing isn't writing. Okay, it is, but there’s a close second and that is transferring that writing to the many different formats that your writing partners want.

Read more...

I’ve worked from home for 13 years, exclusively for the last 7. By now I have a sweet setup that meets all my needs. My office (yes, an actual office) goes way beyond the 10-step listicles that most blogs are posting these days amid the Covid-19 pandemic, but it’s hard to remember how it was in the beginning. I am trying to remember how my office started and I am envisioning the latest crop of forced work-from-home office workers learning the same things I learned years ago. My memory isn’t perfect, but here are some of the things I recall learning about working from home that I am betting most office workers haven’t even considered.

Ergonomics – If it looks good, it’s not.

There are many threads on Twitter and the Fediverse where people are posting their home offices. Honestly? Most of those pictures horrify me and bring me back to a time when I was just getting started and was equally clueless.

Read more...

I have been working as a Linux systems administrator full time since 2006. I started dabbling in Linux in 2002 and set up my first mail server using Debian GNU/Linux in 2003. I became such a fan that I wrote articles for Linux magazines and produced a Linux podcast for years. While there certainly are more skilled Linux admins than I, there aren’t many that have broader experience. I’ve recently learned that Information Security (Infosec) hiring managers are weighting experience much higher than degrees or certifications these days which restores some of my faith in the Infosec hiring practices.

Read more...

Regular readers will recall that I took a little break from writing. I paused paying readers’ subscriptions to ensure I was being fair to everyone, and the break was a little longer than I intended. But now I’m back so let’s get right into it.

I’ve been on a short, but fairly complicated journey, to get my motorcycle license and buy my first new-to-me bike. The journey technically started a while ago when my partner, knowing I was hoping to get my bike license this year, bought me the licensing course and protective gear. I then had nothing to do but wait for the weather to get better so I could take the licensing course which starts running at the beginning of May. But then COVID-19 hit, and everything was shut down for an indeterminate amount of time, so I waited again.

Read more...

Image copyright Kelly Mitchelmore

I don’t always write about tech. I work remotely in a small New England town in Canada and have a weird life. Sometimes, I write about that life. I hope you enjoy this break from tech and view into my life.

Read more...