Mastodawn

NullRegister Apr 28, 2025

sigh. There are a lot of posts going around right now claiming that #bluesky is feeding data to the various data sniffers that the US government uses for surveillance and that #Mastodon is not.

This. Is. Crap.

Anything you post on Mastodon is nearly as easy to vacuum up as things you post on BlueSky. You should treat *all* social media platforms larger than a Signal group of your college friends + Pete Hegseth as "assumed public." It's slightly more work to slurp up almost all of mastodon but really not that much more.

Matt Blaze Apr 24, 2025

@dave_andersen People are on edge, I get that, but misinformation like that is so harmful.

Rob Ricci Apr 24, 2025

@dave_andersen Good news everyone, the "decentralized" network is currently down (at least for me) so it's not feeding data to anyone!

Kuba Suder • @mackuba.eu on 🦋Apr 24, 2025

@ricci @dave_andersen Very interesting 😎

David Andersen Apr 24, 2025

@mackuba @ricci The Blue sky hosted pdses are down, but systems like bridgey still work because they run their own PDS, IIRC.

Darryl Ramm Apr 24, 2025

I am just going to encrypt all my posts from now on Mastodon from now on.

Darryl Ramm Apr 24, 2025

5UoNvzaSNBexUZZ1SyQ54J0nqvj7Df2QcDoLooQ0ObGPonOMZsZZuHs2GnrGHrDyx0r0SMaRBYg2Bh6CVaSWNdoCr2WRr

David Andersen Apr 24, 2025

@darryl_ramm gesundheit

Darryl Ramm Apr 24, 2025

ylCEYN6pq! 🙂

Thestaroftheworlds Apr 25, 2025

@darryl_ramm @dave_andersen

Ah I see but what did you do after that?

⁂ Jnk ∞ 📎Apr 25, 2025

@darryl_ramm @dave_andersen Ả ĂẢẠÁ ĀA̰AĀ, ȦÄĀ ẢĀ'Ã ÂÅĀ AÃ ÁA̮A̮ÁA̧ĀẢÀÁ AÃ ÄÃẢÂA̋ A ȦAÃÁA̱, ȂÁA̧ÅA̋ÂẢȺAȦĂÁ ÁÂA̧ȂA̦A̯ĀẢÅÂ ĀA̰AĀ ÅÂĂA̦ ȦAÃÁA̱ AÂA̱ ÃÁA̽A̦ A̯ÁÅA̯ĂÁ (ĂẢẠÁ A̦ÅÄ, A̱ÁAȂ ȂÁAA̱ÁȂ) ȀÅÄĂA̱ ÄÂA̱ÁȂÃĀAÂA̱

Hierarchy Apr 25, 2025

@jnk @darryl_ramm @dave_andersen nicely encrypted message there. What encryption are u using

Darryl Ramm Apr 25, 2025

@Hierarchy @jnk @dave_andersen

DdRnYGPijLn8sSkijn7DWTpv

Patrick Loftus 🖖

@darryl_ramm @dave_andersen SWYgeW91IGNvdWxkIGtlZXAgdGhpcyBiYXNlNjQgZW5jb2RlZCB1bmxlc3MgeW91IHdhbnQgdG8gcG9zdCB5b3VyIHByaXZhdGUga2V5IHRoYXQgd291bGQgYmUgZ3JlYXQhICBUaGFuayB5b3Uh

Hierarchy Apr 25, 2025

@darryl_ramm @dave_andersen msjwJj7nw2ksaA188jHwb

Eljorgeabides Apr 25, 2025

@darryl_ramm @dave_andersen

hunter2

D2 Apr 24, 2025

@dave_andersen you had me until we put Whiskey Pete into the chat. Are we at least denying him chat admin privs?

David Andersen Apr 24, 2025

@cascheranno The first rule of houthi small group chat is never to let whiskey Pete be able to invite more members.

Michael Kohlman Apr 24, 2025

@dave_andersen Absolutely.

I chose to move much of my presence to the Fediverse because of its decentralized and independent model. Not because I consider anything I post here to be secure or of limited access.

If your data is on systems that allow public access, anyone can access that data.

I'm not sure how one can be more clear about that.

Davey Apr 24, 2025

@dave_andersen mostly agree.

Bluesky gives the Firehose away for free though, and large swathes of the posting history are free to download in HuggingFace models.

Mastodon servers and accounts are each various degrees of accessible, though the public timeline on the average Mastodon server is easily scraped.

And everything is ultimately stored in plaintext.

Joe Mansfield Apr 24, 2025

@davey_cakes @dave_andersen

If I search for my name and a random topic I have posted a comment about on Mastodon I can find a link to that post using Google.

So my assumption is if Google search has it, basically everyone has it.

Ellie 🏴🏳️‍⚧️Apr 25, 2025

@helvick @davey_cakes @dave_andersen not sure if that's a good indicator, you can just untick "Include profile page in search engines" in settings/privacy

Joe Mansfield Apr 25, 2025

@31113 @davey_cakes @dave_andersen

I might not be fully representative then as I have my profile page searchable but these search results for me link directly to specific posts when the search query is about the post content.

It doesn’t work for anything recent, it won’t find yesterdays posts but stuff from two months ago for sure. I’m pretty sure this data is there because Google are slurping up the public feed.

David Andersen Apr 24, 2025

@davey_cakes it's easier to archive bluesky but it's still basically trivial for a reasonable programmer to do the same with fedi. The difference is one of taking an hour versus taking a couple days, but that's not really any difference in the big picture.

DerAutowerbekartenSammler Apr 25, 2025

@dave_andersen @davey_cakes

Only that Bluesky still has my real name e.g. the mobile phone number, which can be linked to my identity much more easily.

The question is when Bluesky passes on data or what data? Because not all data is passed on, only when a filter responds maybe to certain attributes?

I think that's another major difference. A preselection may already have been made.

DerAutowerbekartenSammler Apr 25, 2025

@dave_andersen @davey_cakes Also there are tracking data that is not visible to the public. When are you online, how long or private messages, all your contacts etc.

Will this data perhaps also be passed on?

DerAutowerbekartenSammler Apr 25, 2025

@dave_andersen @davey_cakes I don't have my own Mastodon server now, and theoretically the admins of my instance could also pass on more of my data. But norden.social is now a german registered association (eingetragener Verein).

I somehow have more Trust than in an american startup.

Gabriel Pettier Apr 25, 2025

@davey_cakes @dave_andersen create a server, an account on it that asks people to boost to federate your poor solo server, then drop silent and just archive your federated timeline.

Pretty sure that should be enough. Sure, people who posts "only to followers" will be out, unless you follow everyone (are you Nicole??), but you should get the vast majority of the content.

Davey Apr 25, 2025

@tshirtman @dave_andersen

It's not really enough, which is why people make followbots. And then some mod on a server with follower approval on, notices the request from the obvious follow bot, checks the one person server, suspends it, and lets others know.

For example a server which doesn't reveal its public timeline for non-members, has approval on registrations, and uses authorised fetch, is going to be a lot harder to scrape than a default settings server.

Davey Apr 25, 2025

@tshirtman @dave_andersen generally, Mastodon and other Fedi software let you be awkward as fuck if you want to.

If it gets to the level that you have to do social engineering to get at particular servers - allowlist only servers, for example - there's really no comparison to the public Firehouse on Bluesky.

Gabriel Pettier Apr 25, 2025

@davey_cakes @dave_andersen it's a bit more work, but you can have a multiuser server, with open registrations, moderate it responsibly and let it grow organically large enough to capture most of the trafic, a motivated individual with a modest bit of money can do it (and with benevolent mods, no less) and it's trivial for any intel agency.

I do advise treating things posted here as recorded forever and will be used to take you down if you have a difficult relationship with your state.

Davey Apr 25, 2025

@tshirtman @dave_andersen

"I do advise treating things posted here as recorded forever and will be used to take you down if you have a difficult relationship with your state."

Yeah, 100%. And with the best mods in the world, your hosting company isn't going to jump on a grenade for you if the cops come knocking.

econads May 8, 2025

@davey_cakes @dave_andersen You're talking to strangers, encryption doesn't seem like a useful thing here?

Bssr4 (TЯ☭M₽ )Apr 24, 2025

"See you guys at CECOT!

@dave_andersen even @signalapp has to comply with #CloudAct.

And we can be very shure they did simply because it's a statistical inevitability by the sheer amount of users they have…

Only real #E2EE (= #SelfHosting-capable with #SelfCustody of all the keys) can be considered safe.

Demanding #PII like #PhoneNumbers is #KYC, and KYC is the illicit activity!

Vincent Sparks 🔜 Furlingame Apr 25, 2025

isn't literally the entire point of Signal that they don't store any data on you and couldn't collect encryption keys even if they wanted to?

@dave_andersen @signalapp

David Andersen Apr 26, 2025

@AVincentInSpace @kkarhan @signalapp Yes, basically. They know your phone number, when you created your account, and when you connect to signal.

That may or may not be dangerous information to have potentially available to an adversary depending on your specific threat model, but for most folks, the strong message privacy (which is basically "you trust everyone you send data to, and you trust your and their devices not to be pwned") is probably sufficient. Not all. But most.

If you, e.g., connect to signal from your personal phone from the white house when you're not supposed to have signal or a personal phone, you could still be caught.

@dave_andersen @AVincentInSpace personally I consider any "#KYC" a risk-factor, and @signalapp has proven their ability and willingness to restrict functionality (i.e. their #Shitcoin-#Scam #MobileCoin) based off said #PhoneNumbers (Cuban, Russian and North Korean Numbers were excluded) which are in fact #PII (even if one doesn't have to #ID for obtaining a #SIM, they are circumstantial PII)...

They have neither "legitimate interest" nor legal mandate to collect said data (or to integrate a scammy Shitcoin for that matter) as the discontinuation of #ChatSecure / #TextSecure has eliminated the "technical necessity" to have those.

Either way they either have to yeet #Hegseth as client and/or stop collecting PII like PhoneNumbers - they gotta have to do something…

As for #InfoSec, #OpSec & #ComSec, I'd say #XMPP+#OMEMO remains the gold standard alongside #PGP/MIME...

#ITsec is a different story, but unlike #Signal these do not depend on a #PhoneNumber and work through @torproject / #Tor.

And I've been using Tor for almost 15 years daily now...

Bssr4 (TЯ☭M₽ )Apr 24, 2025

I meme, therefore I am!

DopeGhoti Apr 24, 2025

@dave_andersen
I would argue though that there is a significant, if nominal, difference between Mastodon and the greater Fediverse being scrapeable, and Bluesky affirmatively going to the effort to deliver the data.

David Andersen Apr 24, 2025

@DopeGhoti not when it comes to a question of whether ICE can see your data. It can in both cases.

⁂ Jnk ∞ 📎Apr 25, 2025

@DopeGhoti @dave_andersen not only that, you can't know my email or IP unless you're my admin. Private posts exist, even tho I wouldn't trust them on my life. And, unless I missed the option, you can't see who I blocked or silenced, only guess.

Data is all data, not just public posts you can even read from a RSS client.

Kuba Suder • @mackuba.eu on 🦋Apr 27, 2025

@DopeGhoti @dave_andersen Do you have any proof that Bluesky is "affirmatively" delivering the data and not just being read from via the public API?

DopeGhoti Apr 28, 2025

@mackuba @dave_andersen
I do not. I used the word to emphasize the contrast between the OP's referenced claim about BSky "feeding data" and Mastodon, of which I presume very few, if any, instance admins are "feeding data" to anyone other than federated instances.

Furbland's Very Cool Mastodon™Apr 24, 2025

@dave_andersen agreed! let's focus on telling people about the actual merits of the Fediverse over bluesky, like decentralization and being censorship-resistant (not -proof, but certainly better than bluesky)

Ian Apr 25, 2025

@dave_andersen There's a difference between being able to scrape data and actively feeding it to nefarious organizations. Especially since a lot more meta data could possibly go along with the posts.

David Andersen Apr 25, 2025

@soviut what evidence is there that blue sky is doing anything active other than providing the fire hose that's public in the same way other data is scrape-able?

Trebetheric Apr 25, 2025

@dave_andersen @soviut This is a weird response because your OP didn't address the evidence they were facilitating it. (Which is what "is feeding data" implies.) And (IMO) that's what people really care about more than whether or not there's some way to get the data. It's the decisions the organizations make. (I'm not commenting on whether bs has made that or not. Just pointing out that's the issue, not the result, which is what your OP addressed.)

Brian Vastag Apr 25, 2025

@dave_andersen It's bizarre to me that anyone posting on social media thinks their post is anything but public.

Kit Malone Apr 25, 2025

@dave_andersen I will never understand how people can think that information that they post that is available to anyone with a *web* *browser* will somehow not be sniffed by anyone who wants it.

ᴮᵉⁿ ᴿᵒʸᶜᵉVOTE IN THE PRIMARIES Apr 25, 2025

yeah the whole

"i am going to post this in public

but i want my posts to be private"

is a kind of insanity

that being said there's other factors. backend access to hidden account details for example

i'm not going to cast accusations to #bluesky i have no evidence of. but i will ask people to ask themselves which model they trust more: bluesky or #mastodon / #fediverse

Danielle Crawford Apr 25, 2025

@benroyce @dave_andersen read up on Moscow Rules. Layers of security, everyone! Signal on your isn’t very secure if they can get the phone provider to replace your keyboard input method with spyware.

etsy Apr 25, 2025

@aizuchi @benroyce @dave_andersen your phone provider doesn't control the input app ?

ferricoxide Apr 25, 2025

@dave_andersen

Greater reliance on having to exploit network effects, plus having to actively pull data from multiple sources versus having it fed from a single source isn't exactly nothing (if your goal is truly to gather "everything").

That said, anything you put out that isn't strongly encrypted you should probably consider as being as private as a postcard sent through the mail.

Patrick Loftus 🖖

@dave_andersen I keep the privacy policy of my single-user instance very simple "Privacy promises are precluded; presume none on this public platform."

Not that I have to remind myself that a public forum is public... but there was a field to fill out in the server admin section.

Marcus Adams Apr 25, 2025

@dave_andersen I mean all you need is the global timeline on the web interface of an instance and you've got access to basically everything free of charge. You don't even need an account.

https://mastodon.social/public

André Menrath Apr 25, 2025

@dave_andersen Metadata makes the difference though! You can hide your followers. Your search history is not saved, what content you watched when is not tracked...

Ronny Lam Apr 25, 2025

@dave_andersen Social media is public media, except if you encrypt it, but then it is not so social anymore, at least with a small group. If the group gets to big, chances are that somebody gets allowed that leaks (part of) your group posts. We see that in a lot of the big Telegram groups.

Angela Scholder Apr 25, 2025

@dave_andersen Hmmm.... You mean that if it's posted as Public everyone can see it.....???! Wow! Shock, horror...!
🤔🤭

David Andersen Apr 25, 2025

@AngelaScholder you would think this would be obvious, wouldn't you? :)