Peter Kisner ≈ · @PTR_K
246 followers · 5767 posts · Server dice.camp

@FloppySalmon
Not sure if you're aware of how Mastodon/Fediverse privacy levels work.

It may seem intuitively obvious, but some aspects of "who sees which thing you post" I only pieced together over time myself. I *think* it works as follows:

1/x

#mastodon #mastodontimelines #mastodonPrivacy

Last updated 1 year ago

Rabon 🦣 · @Rabon
29 followers · 151 posts · Server mastodon.sdf.org

User tip - if you find a celebrity on Mastodon flying incognito, there is a reason.

Please respect their privacy and don't broadcast their secret identity. 🙂

#mastodonPrivacy

Last updated 2 years ago

Zate 🦘🇦🇺 · @zate
214 followers · 396 posts · Server infosec.exchange

So if you opened this, I am going to assume you want to read about issues and form your own opinion on whether these things are a concern or not.

So the we have going on is a very cool system, so much potential. However, it comes with some worrying issues, one of which I will outline here quickly. Let's get to it.

Each server has a set of public APIs that anyone with a browser/curl/whatever can get to. One of those is /api/v1/instance/peers - this is a list of all the other that it connects to. It's often over 10k or more on many servers. Each of those, should you be able to connect to it, has its own peers list, and before you know it, you're 7 degrees into a massive graph of . Sweet.

So another thing each of them has is a public list of the top tags over the last week: /api/v1/trends, with how many accounts and how many uses per day. Sweet.

So combining those 2 public endpoints, you get something like this: hashtags.fyi (and hashtags.fyi/status if so interested). Now this is just a listing of the top used hashtags across a bunch of servers, and really, this is not dangerous, it's not violating anyone's privacy, no one can see what tags of those you used.

In fact, given how important tags are to forming communities, the real reason I built that is to help people discover cool, interesting new topics to follow and join in on.

Anyhow, no thing yet you whacko, what gives?

Well, see that top tag, ? Well, it's one that people are being encouraged to spill their life stories in (hell, I did too) and add all the tags associated with the various groups they associate with, including potentially fringe/attacked/sensitive tags too.

So that big list of servers we got earlier? Yeah, so if we run over that, and do like this (demo on this server) infosec.exchange/api/v1/timeli

Suddenly we have info about every person on that server posting about that hashtag, and we have their introduction post, with their life story, and all their other tags. Do this across all the servers, and... whoa, yeah, now we have an issue.

There are other ones we could dig into, but let's sit with this one a bit.

Recently there was a witch hunt, and a burning at the stake for a person who was just wanting to build some tools to make people's experience here better. The got wind of it, and he was turfed from the server and shut down the project. That is

Not a peep about how you build a system like this, and make claims about how you'd like the experience and do not build controls to do it like that. Why are these endpoints public?

Now there are some personal controls that users can adopt, things like changing the default visibility of their posts and such, but not all/many of them are set in a "Private by default" kind of way.

On top of that, we're encouraging users to throw out a bunch of private/personal info across this platform, that has not been setup to protect the privacy of those users.

Now I think people should be able to do an upon joining and also not have to go and unfuck the privacy settings on their account before they do so.

So, I think we can do better around , also.

There are reasons large social networks have generally large Privacy, Security and Integrity teams (Trust Teams), and if we want this place to be successful, we're going to need the equivalent . No, I don't mean some big Trust org etc, but I do mean that we all have distributed responsibility, especially those who work in the Trust field, to try and help make this place better, safer for all.

Damn, that was long, well if you made it this far, thanks. Now you know about one of my biggest passions, User Trust.

#mastodonPrivacy #fediverse #privacy #mastodon #mastodonservers #introduction #federati #bullying #mastodonintegrity

Last updated 2 years ago
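The crawl described in the post above, as an added example that is not part of the original post and not the hashtags.fyi code: it walks /api/v1/instance/peers breadth-first with a depth bound, sums /api/v1/trends, then reads the public hashtag timeline (/api/v1/timelines/tag/:hashtag, assumed to be the endpoint behind the post's truncated /api/v1/timeli link) on every server reached and merges posts and hashtags per account across servers. The three endpoints are Mastodon's real public API; the server list, the SAMPLE responses and the accounts in them are constructed so the demo runs offline. One caveat a practitioner should keep in mind while reading it: a hashtag timeline only carries posts with public visibility, so an introduction posted as unlisted or followers-only never reaches this aggregation, which is exactly the "default visibility" control the post points at.

```python
"""Crawl the peer graph and aggregate public hashtag timelines (added example,
not the hashtags.fyi code). Uses the real Mastodon endpoints the post names;
the HTTP call is injectable so demo() runs offline on SAMPLE, constructed
responses in the API's shape with invented contents."""
import html
import json
import re
import urllib.request
from collections import deque
from typing import Callable

Fetcher = Callable[[str], object]  # url -> parsed JSON body


def http_fetch(url: str, timeout: float = 10.0) -> object:
    """Real fetcher: unauthenticated GET of a public endpoint, JSON-decoded."""
    req = urllib.request.Request(url, headers={"User-Agent": "peer-walk-demo/0.1"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def walk_peers(seed: str, fetch: Fetcher, max_depth: int = 2,
               max_servers: int = 1000) -> dict[str, int]:
    """BFS over /api/v1/instance/peers -> {domain: depth}. Bounded by depth and
    node count because real peer lists run to 10k+ per server and their closure
    is the whole network. A host whose peers call fails stays a node, unexpanded."""
    seen = {seed: 0}
    queue = deque([seed])
    while queue and len(seen) < max_servers:
        host = queue.popleft()
        if seen[host] >= max_depth:
            continue
        try:
            peers = fetch(f"https://{host}/api/v1/instance/peers")
        except Exception:  # down, blocking us, or not a Mastodon-compatible server
            continue
        for peer in peers:
            if isinstance(peer, str) and peer not in seen:
                seen[peer] = seen[host] + 1
                queue.append(peer)
                if len(seen) >= max_servers:
                    break
    return seen


def top_tags(host: str, fetch: Fetcher, limit: int = 10) -> list[tuple[str, int, int]]:
    """/api/v1/trends -> (tag, uses, accounts) summed over the history window,
    busiest first. Mastodon serialises the per-day counts as strings."""
    rows = []
    for tag in fetch(f"https://{host}/api/v1/trends"):
        hist = tag.get("history", [])
        rows.append((tag["name"].lower(), sum(int(d.get("uses", 0)) for d in hist),
                     sum(int(d.get("accounts", 0)) for d in hist)))
    return sorted(rows, key=lambda r: r[1], reverse=True)[:limit]


def profile_by_tag(hosts, tag: str, fetch: Fetcher) -> dict[str, dict]:
    """Read one hashtag's public timeline on every host and merge per account:
    the cross-server aggregation the post warns about. Only "public" posts reach
    a hashtag timeline; unlisted and followers-only posts never appear here,
    which is why the default visibility setting matters."""
    profiles: dict[str, dict] = {}
    for host in hosts:
        try:
            statuses = fetch(f"https://{host}/api/v1/timelines/tag/{tag}?limit=40")
        except Exception:
            continue
        for st in statuses:
            acct = st["account"]["acct"]  # local accounts carry no @domain
            handle = acct if "@" in acct else f"{acct}@{host}"
            entry = profiles.setdefault(handle, {"tags": set(), "posts": [], "seen_on": set()})
            entry["tags"].update(t["name"].lower() for t in st.get("tags", []))
            # status bodies are HTML; keep only the text
            entry["posts"].append(" ".join(
                html.unescape(re.sub(r"<[^>]+>", " ", st.get("content", ""))).split()))
            entry["seen_on"].add(host)
    return profiles


# Constructed sample responses (assumption: invented data in the real API's shape).
SAMPLE = {
    "https://infosec.exchange/api/v1/instance/peers": ["dice.camp", "mastodon.sdf.org"],
    "https://dice.camp/api/v1/instance/peers": ["infosec.exchange", "example.social"],
    "https://infosec.exchange/api/v1/trends": [
        {"name": "introduction", "history": [{"day": "1", "uses": "120", "accounts": "90"},
                                             {"day": "2", "uses": "80", "accounts": "70"}]},
        {"name": "infosec", "history": [{"day": "1", "uses": "60", "accounts": "40"}]}],
    "https://infosec.exchange/api/v1/timelines/tag/introduction?limit=40": [
        {"account": {"acct": "alice"}, "content": "<p>Hi! New here, I do appsec.</p>",
         "tags": [{"name": "introduction"}, {"name": "appsec"}]},
        {"account": {"acct": "bob@dice.camp"}, "content": "<p>Hello from dice.camp</p>",
         "tags": [{"name": "introduction"}, {"name": "ttrpg"}]}],
    "https://dice.camp/api/v1/timelines/tag/introduction?limit=40": [
        {"account": {"acct": "bob"}, "content": "<p>Also posting about &amp; my health</p>",
         "tags": [{"name": "introduction"}, {"name": "MentalHealth"}]}],
}


def sample_fetch(url: str) -> object:
    if url not in SAMPLE:
        raise OSError(f"unreachable: {url}")  # stands in for a dead or non-Mastodon host
    return SAMPLE[url]


def demo():
    servers = walk_peers("infosec.exchange", sample_fetch, max_depth=2)
    profiles = profile_by_tag(servers, "introduction", sample_fetch)
    return servers, top_tags("infosec.exchange", sample_fetch), profiles


if __name__ == "__main__":
    servers, tags, profiles = demo()
    print(len(servers), "servers;", tags, {h: sorted(p["tags"]) for h, p in profiles.items()})
```

Swapping sample_fetch for http_fetch turns this into a live crawl; keep the depth and server bounds small and honour each server's rate limits. The merge on "bob@dice.camp" is the point: one account's introduction on its home server and a boost-visible copy on another server collapse into a single profile carrying every hashtag the person ever attached.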

Zate 🦘🇦🇺 · @zate
214 followers · 396 posts · Server infosec.exchange

I want to talk about some worrying issues I'm seeing, but I am a little concerned people are not yet wanting me/others to pop their bubbles, ruin the "new place" buzz we have going on with some harsh reality. So I think I'll post a bit about some of them, but hide it behind a warning tag so that people who wish to remain unaware, can.

#mastodonPrivacy

Last updated 2 years ago

Zate 🦘🇦🇺 · @zate
214 followers · 396 posts · Server infosec.exchange

Some discussions recently on here really remind me that Mastodon needs more controls, and controls to help with the influx of people.

I'm a terrible software engineer, but I am sure we have some around. Perhaps we could start some kind of effort to determine what kinds of features it might need, and try adding a few of them?

#mastodonPrivacy #mastodonintegrity

Last updated 2 years ago