Periodic reminder that the "Direct Message" / "Private Mention" function here is dangerously broken with confusing semantics.

- Anyone mentioned *anywhere* in the body of a PM gets a copy.

- "Disabling" PMs in your profile merely means YOU never see messages sent to you; senders can still send them, with no error indication.

- Nothing is encrypted, which means administrators on any instance that processes a message can see them.

I strongly recommend using something else for private messages.
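To make the first bullet concrete, here is a small pre-send audience check, added as an illustration and not code from Mastodon or from the original poster. It assumes a simplified handle pattern (`@user` or `@user@domain`) that only approximates the real mention parser; the function names and the sample post bodies are constructed for the example. It computes who would actually receive a post published with "Only mentioned people" visibility, flags anyone mentioned in the body who was not an intended recipient, and flags intended recipients who were never mentioned and therefore would not see the post at all.

```python
import re
from typing import Iterable, NamedTuple

# Simplified handle pattern, an approximation for illustration only (not Mastodon's
# own parser): an '@' not preceded by a word character or '/', then a username,
# then optionally '@domain'. The lookbehind stops e-mail addresses like a@b.org
# from being read as a mention of "b".
MENTION_RE = re.compile(r"(?<![\w/])@([A-Za-z0-9_]+)(?:@([A-Za-z0-9.-]*[A-Za-z0-9]))?")


def normalize(handle: str, home_domain: str) -> str:
    """Lower-case a handle and qualify a bare local name with the home domain."""
    h = handle.lstrip("@").lower()
    return h if "@" in h else f"{h}@{home_domain}"


def mentions_in(body: str, home_domain: str) -> set:
    """Every account mentioned anywhere in the body, normalized to user@domain."""
    found = set()
    for user, domain in MENTION_RE.findall(body):
        handle = f"{user}@{domain}" if domain else user
        found.add(normalize(handle, home_domain))
    return found


class Audience(NamedTuple):
    delivered_to: frozenset   # everyone who receives the post
    unintended: frozenset     # mentioned but not on the intended list
    not_reached: frozenset    # intended but never mentioned, so they won't see it


def audience_for_direct_post(body: str, intended: Iterable[str], home_domain: str) -> Audience:
    """Under 'Only mentioned people' visibility the audience is exactly the set of
    mentioned accounts, regardless of whom the author meant to reach."""
    mentioned = mentions_in(body, home_domain)
    wanted = {normalize(h, home_domain) for h in intended}
    return Audience(
        delivered_to=frozenset(mentioned),
        unintended=frozenset(mentioned - wanted),
        not_reached=frozenset(wanted - mentioned),
    )


if __name__ == "__main__":
    # Constructed sample: the author means to write privately to alice, but
    # naming bob in the body makes bob a recipient too.
    body = "@alice I think @bob@other.example is being unfair, please don't tell him"
    result = audience_for_direct_post(body, ["alice"], "mastodon.example")
    print("delivered to:", sorted(result.delivered_to))
    print("unintended:  ", sorted(result.unintended))
    print("not reached: ", sorted(result.not_reached))
```

Run it before posting: a non-empty `unintended` set means the post would go to someone you were only talking about, and a non-empty `not_reached` set means the person you meant to write to is not actually in the audience.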

@mattblaze agreed. I don’t understand why this pseudo-DM feature was even implemented in the first place. It poses serious safety and security concerns, which means if you don’t do it right, you shouldn’t do it at all. Love the mastodon devs but this isn’t okay!
@benjamincodes @mattblaze There is no "Direct Message" feature in Mastodon. You have the option to post something with the privacy level set to "Only mentioned people". That seems pretty straightforward. You mention people, they can see the toot. It doesn't claim to be a secure, end-to-end encrypted messaging system. In fact, Mastodon specifically warns you of this when you change the privacy setting to "Only mentioned people". The feature is just for when you want to limit who you're interacting with when posting, perhaps to continue a conversation without public visibility.
@jimvernon @benjamincodes @mattblaze With a privacy setting to "Only mentioned people" there might be an expectation that there is privacy with "Only mentioned people". This is not the case.

@davep @benjamincodes @mattblaze How is it not the case?

I'm not counting that the server admins can potentially see the posts, as that's pretty much the case on every social media system unless they specifically mention things being end to end encrypted (which also generally requires jumping through a few hoops on the user's end of things).

@jimvernon @benjamincodes @mattblaze People have an expectation of privacy in the age of the double ratchet. This is simply not the case, and tagging someone who you may be talking about brings them into the conversation. It's rubbish.
@davep @jimvernon @benjamincodes @mattblaze Yes, because they're mentioned? Like that's how mentions work, you tag them, they're mentioned, meaning that the setting "mentioned people only" includes people who are, in fact, mentioned.
@craftycat @jimvernon @benjamincodes @mattblaze
The point is that people mainly used to E2EE messengers may not know this.
@davep @jimvernon @benjamincodes @mattblaze It specifically states this though. "Only mentioned people" isn't really that ambiguous. This is also not a messenger and doesn't claim to be. Social media should never be assumed to be private by anyone.

@craftycat @jimvernon @benjamincodes @mattblaze
"Social media should never be assumed to be private by anyone."

Should being the operative word. A lot of people don't know this, despite how many times you repeat it.

@davep @jimvernon @benjamincodes @mattblaze Right, and that's not Mastodon's fault, nor does it show a flaw in how Mastodon works. If people are too lazy to read the literal option they're clicking on, that really has to fall under personal stupidity.