@ddritter

Twitter:
*I make a post at 9am and go about my day
*A racist replies with racial slurs at 9:15am
*Everyone sees the racist replies
*Everyone reports the racist replies
*Twitter mods take it down by 10am
*I check Twitter again at 11am, and never even see the racism!

Masto:
*I post at 9am
*Racists reply in such a way that only me, them and their followers see the racism
*So no one reports it
*Everyone gaslights me with "I don't see racism here!"

https://hachyderm.io/@mekkaokereke/111012743709881062

mekka okereke :verified: (@[email protected])

@[email protected] @[email protected] @[email protected] @[email protected] @[email protected] From your screenshot above, and the scenario I listed below, imagine if: 1) the racist user is on "Nazis dot social." They have 5000 followers. 2) the Black user is on "Good people dot social" 3) the nazi replies "Followers only." The scenario: https://hachyderm.io/@mekkaokereke/111010421955145872 None of the good people would see the gore images, or the subsequent pile-on.


@mekkaokereke

I was going to post and agree that the "people can't see the full reply set" design sucks but I looked and saw it was covered upthread. So this is a reply guy yes thing sorry

@ddritter

@mekkaokereke @ddritter this is a great way to explain it, thank you!

@mekkaokereke @ddritter

☝️ This is a really good explanation of why "Followers only" replies are a problem. ☝️

@mastodonmigration

Thanks for mentioning the followers-only reply feature. I didn’t know it existed! I can easily see how that could be used for harassment.

@mekkaokereke @ddritter

@stepheneb @mastodonmigration @mekkaokereke @ddritter
I always assumed it would indeed only be visible to followers, so the author of the replied toot would only see it if they follow me

@Doomed_Daniel @stepheneb @mastodonmigration @mekkaokereke @ddritter

i think that's the vector for harassment:

if you post open, and someone replies follower-only, you can see the reply (because you're mentioned in it), anyone else (except the harasser and their followers) can't

i'm guessing here

i'll do a test. we don't follow each other

so i will reply to you again, but reply as "followers only"

see if you can see it

@benroyce @stepheneb @mastodonmigration @mekkaokereke @ddritter

Yes, that appears to be the case.
It's not terribly surprising (to me) that it is like this, I mean, being able to reply to someone's post without them seeing could also be kinda shitty, so in a way it makes sense?

I just assumed it would indeed do exactly what it says, which would be better to prevent direct harassment (and thus also make sense, maybe even a bit more)

@Doomed_Daniel @stepheneb @mastodonmigration @mekkaokereke @ddritter

Maybe a solution to the harassment vector is to limit all replies to the format of the top level post

If the top is public so are all replies

If the top is unlisted so are all replies

If the top is followers only so are all replies

same limitation for DMs? Hmmm. I suppose. No reason why DMs can't be stand alone only rather than attached to a public thread

@benroyce @stepheneb @mastodonmigration @mekkaokereke @ddritter

No, unlisted replies to a public post are usual, and not bad at all (I think?).

I could even imagine that followers-only replies have their place (talk to mutuals about the topic), but they shouldn't be visible to other people then, no matter if they're tagged in or not.

And answering with a direct (private) message to a non-private toot is also useful, but that should also be a thing for followers, esp if DMs aren't set public

@benroyce @stepheneb @mastodonmigration @mekkaokereke @ddritter

But thank god Mastodon doesn't implement quote toots, that would only lead to harassment! 🙃

@Doomed_Daniel @stepheneb @mastodonmigration @mekkaokereke @ddritter

agreed on all counts

Hmmm

Maybe... a setting in your profile: "no follower only replies to my posts" or something like that

I dunno. It's complicated

@benroyce @stepheneb @mastodonmigration @mekkaokereke @ddritter

No followers-only replies to posts of people who don't follow you.
*Maybe* unless you untag them so they don't see your post, so you can talk with your followers/mutuals about a public post, but not sure if that would also be abused to dunk on someone w/o them seeing it? OTOH, they could do that in separate posts linking to the orig or sth like that

@Doomed_Daniel @stepheneb @mastodonmigration @mekkaokereke @ddritter

"No followers-only replies to posts of people who don't follow you."

this is what is needed. that cuts right to the vector for abuse

@benroyce @stepheneb @mastodonmigration @mekkaokereke @ddritter

problem is, I think this is not just a Mastodon feature, but should be part of the underlying protocol (ActivityPub), so changing that won't be easy and would take time.

(Which doesn't mean it shouldn't be done! But it's one thing the Mastodon devs probably haven't fucked up themselves, unlike e.g. ignoring/rejecting the demands for subscribeable blocklists in their software)

@benroyce

Ben, Thanks for investigating.

Opened the web interface and my instance is running Mastodon 4.2.10.

Don't see anything in my prefs for setting "No followers-only replies to posts of people who don't follow you." or when making a reply.

Where is this setting? Or maybe a special app or an instance server running something different??

Other posts in this thread by me were using the iOS #IceCubes app.

@Doomed_Daniel @mastodonmigration @mekkaokereke @ddritter

@stepheneb @Doomed_Daniel @mastodonmigration @mekkaokereke @ddritter

No, it doesn't exist, sorry for not clarifying. I was just openly musing on what we need, not what is

I edited my post and clarified I was speculating

@stepheneb @benroyce @Doomed_Daniel @mastodonmigration @mekkaokereke @ddritter

It's a proposal for such a feature, as @Doomed_Daniel points out, this would need changes to the underlying ActivityPub protocol, and all servers would then need to be updated to fully respect it.

(What's the bet the cesspit instances patch that feature out?)

Abuse isn't a problem until it is sadly, and we'll be playing this cat-and-mouse game until the Internet shuts down entirely.

Another possibility (not mutually exclusive) might be to limit the acceptance of follower-only replies from specific users/instances… so if a user abuses the feature (or lots of users on an instance do it), they can be added to a blocklist which filters such posts.

Members of that list who then continue such harassment could be automatically flagged, which may enable a server admin to look at more significant measures (defederation).

The hard bit is we're figuring out a technical solution to a social problem, this is never going to be easy. Doesn't mean we shouldn't try though, no one deserves abuse from deranged weirdos.

@stuartl @stepheneb @benroyce @mastodonmigration @mekkaokereke @ddritter

> What's the bet the cesspit instances patch that feature out?

Non-cesspit software could refuse to deliver such replies to non-following users

@Doomed_Daniel @benroyce @stepheneb @mastodonmigration @mekkaokereke @ddritter you can't prevent that, because you can always link to the post on the original server if it's posted publicly, and that takes it outside the federation mechanism

@mastodonmigration @mekkaokereke @ddritter It really should be visible to followers of everyone @'d.

Or just not available to use at all except in new posts (non replies). I really hate replies that silently change privacy mode, in general. It's like replying off-list on a mailing list.

@mastodonmigration @mekkaokereke @ddritter Maybe an even better idea: configurable "minimum visibility for posts I'm @'d in".

Like, you could force any post that @'s you to be full public visibility.

Sender UI should then warn if it's above replying person's intended visibility.

This should apply to "DMs" too. 😁

@mekkaokereke @ddritter
Thank you! 🙏 This is the best, most concise explanation of how Mastodon's reply filters—which are meant to be a form of protection—can actually be weaponized to enable racist abuse.

See that third option below, "Followers only"? Someone with a bunch of racist followers could reply with racist abuse and only the victim and the racists see it.

@ColesStreetPothole @mekkaokereke @ddritter @benroyce if that's the behaviour it's also misnamed. Followers only should *mean* followers only.

i want to think it's a bug. because it's mis-named, as if the mismatch between name and function isn't deliberate. Maybe submit it as a simple bug report on that basis. 😅

@StrangeNoises @ColesStreetPothole @mekkaokereke @ddritter

it's because the person replied to is mentioned in the post. if you're mentioned, you can see any post, no matter how marked
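The visibility rule this post states (a mentioned account sees the post whatever its visibility), the harassment vector described upthread (a followers-only reply to a public post is seen by the target, the replier and the replier's followers, but by nobody else), and the two proposals made in the thread ("No followers-only replies to posts of people who don't follow you" and a configurable "minimum visibility for posts I'm @'d in") can be modelled in a few lines. The following is an added example, not Mastodon's code; the function names, the policy checks and the sample accounts and follow graph are constructed for the illustration.

```python
"""Visibility model for Mastodon-style replies (added example, not Mastodon code).

Rules as described in this thread: followers-only posts are visible to the
author, the author's followers and anyone mentioned; direct posts only to the
author and mentioned accounts. The two checks at the end implement proposals
made in the thread ("no followers-only replies to people who don't follow
you" and "minimum visibility for posts I'm @'d in"); the function names and
the sample accounts are this example's own.
"""
from dataclasses import dataclass

PUBLIC, UNLISTED, FOLLOWERS, DIRECT = "public", "unlisted", "followers", "direct"
RANK = {DIRECT: 0, FOLLOWERS: 1, UNLISTED: 2, PUBLIC: 3}  # broader audience = higher


@dataclass(frozen=True)
class Post:
    author: str
    visibility: str
    mentions: frozenset = frozenset()
    in_reply_to: "Post | None" = None


def can_see(viewer: str, post: Post, follows: dict) -> bool:
    """Current behaviour: a mentioned account sees the post whatever its visibility."""
    if viewer == post.author or viewer in post.mentions:
        return True
    if post.visibility in (PUBLIC, UNLISTED):
        return True
    if post.visibility == FOLLOWERS:
        return post.author in follows.get(viewer, set())
    return False  # DIRECT: only the author and mentioned accounts


def audience(post: Post, follows: dict, accounts) -> set:
    """Every account (out of `accounts`) that can see `post`."""
    return {a for a in accounts if can_see(a, post, follows)}


def reply_allowed_by_follow_rule(reply: Post, follows: dict) -> bool:
    """Proposal: a followers-only reply is allowed only if the parent's author follows you."""
    parent = reply.in_reply_to
    if parent is None or reply.visibility != FOLLOWERS:
        return True
    return reply.author in follows.get(parent.author, set())


def reply_allowed_by_min_visibility(reply: Post, minimum: dict) -> bool:
    """Proposal: each mentioned account sets a minimum visibility for posts that @ them."""
    required = max((RANK[minimum.get(m, DIRECT)] for m in reply.mentions), default=0)
    return RANK[reply.visibility] >= required


# Constructed sample follow graph: follows[x] is the set of accounts x follows.
FOLLOWS = {
    "bystander@good.example": {"target@good.example"},
    "f1@hostile.example": {"harasser@hostile.example"},
    "f2@hostile.example": {"harasser@hostile.example"},
}
ACCOUNTS = set(FOLLOWS) | {"target@good.example", "harasser@hostile.example"}

ORIGINAL = Post("target@good.example", PUBLIC)
REPLY = Post("harasser@hostile.example", FOLLOWERS,
             mentions=frozenset({"target@good.example"}), in_reply_to=ORIGINAL)


def demo() -> dict:
    """Who sees the followers-only reply today, and what each proposal would decide."""
    return {
        "audience": audience(REPLY, FOLLOWS, ACCOUNTS),
        "follow_rule_allows": reply_allowed_by_follow_rule(REPLY, FOLLOWS),
        "min_visibility_allows": reply_allowed_by_min_visibility(
            REPLY, {"target@good.example": PUBLIC}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it shows the audience of the reply is the harasser, the two hostile followers and the target, while the bystander who follows the target never sees it; both proposed checks would reject the reply, and the follow-rule check would accept the same reply if the target followed the replier.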

@benroyce @StrangeNoises @mekkaokereke @ddritter Yep, person replied to sees it, and all the replier's followers. In a nice world, that's a nice feature, but we don't live in a nice world.

@ColesStreetPothole
@mekkaokereke @ddritter @bytebro

They can send a DM and then block you after you read it. The messages all then disappear!

@mrblissett @ColesStreetPothole @mekkaokereke @ddritter That doesn't stop the initial insult spew. Yes, *then* one can block/report them.

I know fedi is kind of a work-in-progress, but for the sake of all participants, it needs to get a bit better at this stuff.

@mekkaokereke @ddritter Another similar thing I've run into is someone who has a lurker account on a mainstream server who then goes back to their Nazi/pedo server with screenshots to plan harassment brigades together. There's the harassment everyone sees (very little), the harassment the target sees (much higher), and then the totally unregulated, unchecked doxxing and harassment campaigning, which spills out into other venues online and IRL.

@mekkaokereke @ddritter
Yeah, targeted harassment seems to be a weakness of the fediverse architecture that scumbags are aware of and exploiting. I don't have any answers, I'm afraid.

Edit: reading through the thread, it would seem that removing the "Followers only" type of replies could potentially stop some of this. But then I guess some will fall back to mentioned posters so a proper DM implementation would be necessary too.

Oh, that is a problem. Hadn't thought of that. Weaponizing the Fediverse's privacy policy, by keeping anyone but your victim from being able to see it. So the racist perpetrator can gaslight you, since everyone else has no way to tell that it's happening. And what do you do about it?

You can link to the offending messages, but the racist didn't mark them as public, so if anyone follows the links they'll surely see "You aren't allowed to view this message."

You could post screencaps, but those are easy to fake, and it's just a mess. Sorry, I really don't know what to do here. Maybe... any private recipient of a message should be able to make it public? Even then, you'd have to deal with all of them on your own, and other people couldn't preemptively help moderate.

OK I think I have an idea. There should be a way to ignore private messages to multiple recipients. That's the only thing abusers can do here, that they cannot do on Twitter: send you a private message, and also send it to all their followers to brag. With that as a feature, the only racism you encountered that others could not help moderate would be private messages, just like on Twitter.

CC: @[email protected]

@mekkaokereke @ddritter it’s actually a bit worse than that. Due to the way #Mastodon federation works, other people will miss a portion of the replies to you. Potentially even the majority of them. They only see them if they follow that user or someone on their server follows that user, or someone followed on the server boosts the reply.

So a nazi, just by being a nazi and not being followed by decent people, will reply and only you see it.

@mekkaokereke @ddritter at worst this can appear to others as if there are zero replies, even if there are dozens. #Mastodon doesn’t even indicate that to be the case.

The way this should work is either all replies are pushed to all following servers as they come in or that an on-demand fetch is in the protocol to allow servers to request missing replies (which a client could trigger).
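The delivery rule described in the two posts above (a server receives a reply only if it hosts the replier, hosts someone who follows the replier, hosts a mentioned account, or hosts someone who follows an account that boosted the reply) and the proposed on-demand fetch of missing replies can be modelled directly. This is an added example, not Mastodon code; the servers, accounts and follow graph are constructed, and `fetch_replies_from_origin()` is a hypothetical stand-in for the fetch the post proposes.

```python
"""Reply-delivery model for federated servers (added example, not Mastodon code).

Models the rule described in the thread: a server gets a copy of a reply only
if it hosts the replier, hosts a follower of the replier, hosts a mentioned
account, or hosts someone who follows an account that boosted the reply.
fetch_replies_from_origin() models the proposed on-demand fetch of missing
replies from the original post's server. All names below are constructed.
"""
from dataclasses import dataclass


def server_of(acct: str) -> str:
    """Hostname part of a user@host account."""
    return acct.split("@", 1)[1]


@dataclass(frozen=True)
class Reply:
    id: int
    author: str
    mentions: frozenset = frozenset()
    boosted_by: frozenset = frozenset()


def servers_receiving(reply: Reply, follows: dict) -> set:
    """Servers to which a copy of `reply` is pushed under the current model."""
    got = {server_of(reply.author)} | {server_of(m) for m in reply.mentions}
    for acct, followed in follows.items():  # follows[x] = accounts x follows
        if reply.author in followed or followed & reply.boosted_by:
            got.add(server_of(acct))
    return got


def replies_visible_on(server: str, replies, follows: dict) -> list:
    """Reply ids a server holds locally, i.e. what its users see under the post."""
    return sorted(r.id for r in replies if server in servers_receiving(r, follows))


def fetch_replies_from_origin(server: str, origin: str, replies, follows: dict) -> list:
    """Proposal: ask the original post's server for every reply it knows about."""
    local = set(replies_visible_on(server, replies, follows))
    remote = set(replies_visible_on(origin, replies, follows))
    return sorted(local | remote)


# Constructed sample: the target posts on home.example; a reader on a third
# server follows the target and one ally; hostile accounts are followed only
# by each other.
TARGET = "target@home.example"
FOLLOWS = {
    "reader@third.example": {TARGET, "ally@friendly.example"},
    "f1@hostile.example": {"h1@hostile.example"},
}
REPLIES = [
    Reply(1, "h1@hostile.example", frozenset({TARGET})),
    Reply(2, "h2@hostile.example", frozenset({TARGET})),
    Reply(3, "ally@friendly.example", frozenset({TARGET})),
]


def demo() -> dict:
    """What the target's server and a third-party server each see, before and after a fetch."""
    return {
        "home_sees": replies_visible_on("home.example", REPLIES, FOLLOWS),
        "third_sees": replies_visible_on("third.example", REPLIES, FOLLOWS),
        "third_after_fetch": fetch_replies_from_origin(
            "third.example", "home.example", REPLIES, FOLLOWS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The target's server holds all three replies because the target is mentioned in each, while the third-party server holds only the ally's reply, so its users see one reply where the target sees three; the fetch from the origin server closes that gap. The model also shows the boost path: if an account the reader follows boosts a hostile reply, the third server receives it.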

@mekkaokereke Thanks for making that point clear. I can totally see how this enables harassment and abuse.

@ddritter

@mekkaokereke @ddritter @mastodonmigration mastodon has to do better, although the last few posts I reported on Xitter got a reply “we see no problem” ☹️
Hoping for better tools here

also, Twitter found it easier to neutralize influential Black folks like me by shadow-banning us. and with shadow-banning, ironically, came a decline in racist abuse. the problem is that with shadow-banning not even all my followers would see my posts.

another data point: LISTS. Twitter was transparent on who would put you on a surveillance list. they didn't even have to follow you. no such thing on Mastodon (i don't use other AP software so can't speak of others).

@mekkaokereke @ddritter

@blogdiva @mekkaokereke @ddritter I was just looking through the ActivityPub spec because I was curious whether it defines anything related to who can read your activity. It doesn’t, so mentioned-only & followers-only is a Mastodon thing. I’m not sure how it works with other AP software, but maybe it’s related to the inbox concept, so it sends it to the inbox of any users that are supposed to be able to see it.

Similarly, lists aren’t part of AP.

@mekkaokereke @ddritter i hate that you had to post this, but thank you for explaining how this kind of attack works

@mekkaokereke @ddritter Mastodon's reply topology is fundamentally broken. I've largely given up complaining about it, because if I'm going to figuratively bash my head into a brick wall repeatedly, I'd rather do so on topics where there's more than a microscopic probability of making any headway. No pun intended, of course.

@mekkaokereke I once formulated such mechanisms as “Martin’s Third Law”: If anything permits the harassment of people, that will become its dominant use case.

Everyone who designs systems must be aware of it. No matter how pure and benevolent the intended use case is, if it can be abused for harassment, it will be to the point it renders the intentions completely irrelevant.

@mekkaokereke Question.
If the poster posts to 'followers only' how does it come up on your timeline if, as I assume, you're not a follower of said poster?

@mekkaokereke do you think mastodon fetching the list of replies automatically of a post would help on this?

@gabboman @mekkaokereke the existence of unlisted, followers only, and specific were originally built due to the benefits of privacy, but open the gates for abuse.... pulling in replies that are limited in scope won't do much in practice (unless the abuse is in public)

I think the better solution would be for abuse targets to be able to reject toots that include their user tag. As in, I don't follow you, or (you're not a friend of my friends).... you cannot @ me until I approve it. (maybe let people tick a box to approve first contact).

The rejection could also be hard.. eg. if it's a reply to a toot.. the owner of the original toot can delete the reply from the collection. (so it only exists on the abusers instance).

but all of this requires major AP changes.

edit: Twitter having everything as public makes it easier to audit. I think is the core point. unlisted/followers only/specific should be a privilege not a right etc.

@mekkaokereke @ddritter for racist slur, a spam filter might be a better tool than a community. It won't help with stuff like sea-lion but that would be a nice start

@gkrnours @ddritter

Unfortunately not, for at least two reasons.

1) False negatives: Keyword filters are pretty useless outside of context. Eg, You can keyword ban the N-word. It's harder to ban "ninja," "nakkers," or "🥷🏿."

2) False positives: keyword filters don't understand the context of in-group usage of terms, and punish those sub-groups. Eg, the c-word is extremely offensive, but some of my best friends called me the term for years without malice or insult.

https://hachyderm.io/@mekkaokereke/109989027419424661

mekka okereke :verified: (@[email protected])

@[email protected] @Paxxi @timbray The "C-word" is one of the most offensive words in the US. It's often used in the vilest, most misogynistic contexts. But it's less offensive in Australia? And when combined with other words and contexts, the meaning changes a lot. When an AUS friend told someone "Mekka's a hard c-word!" that was in reference to me being our rugby team's enforcer. When they said "Oh you're a sick c-word now!" that means I lost weight but stayed muscular. Both intended as compliments.🤷🏿‍♂️

@mekkaokereke @ddritter I thought these were solved problem with spam filter, which are a bit smarter than keywords filters if I understand things correctly? To clarify, I'm not suggesting that there is currently a good solution available but that maybe there are better solutions to work on than what worked on twitter

@mekkaokereke @ddritter thanks for this explanation. I didn't understand the problem until I read this post.

Are they coming from some shady instances or general big ones?

@hey @mekkaokereke @ddritter from what I've been reading, it's both

@mekkaokereke i'm in the "using my identity politics to silence you" phase of this journey now

at this point it's intentional and i think they're letting us know how it's going to go

@mekkaokereke @ddritter everyone has their own reality on Mastodon.

Which is really a flaw in the foundation of the Fediverse.

@mekkaokereke @ddritter So basically the option to reply “followers only” enables this? Maybe this should be changed so it’s really followers only, and not “followers + the person I’m replying to”? I’d be interested to hear what valid use cases there are for the current behavior anyway.