ALERT for Bluesky Bridge Users 🚨 🦋

If you are using a Bluesky bridge on Mastodon, DO NOT TAG Mastodon accounts in your posts without prior informed consent from this person.

This could end up showing a preview of this person's profile picture and bio on Bluesky without their consent.

Additionally, be careful about how the upcoming Quote Post feature could behave with Bluesky bridges.

Some of us don't want our information shared with commercial platforms like Bluesky, and have not consented to this bridge.

This practice can even endanger some Fediverse users.

If you have chosen to share your
own data with commercial platforms, make sure you leave the same choice to others.

This is important.

#Privacy #Mastodon #Bluesky #BlueskyBridge #Fediverse #Consent

@Em0nM4stodon

Thank you for posting this EM, I am seeing too many that are dismissive of our responsibility to protect the individuals in this community.

Yes, we can block bridges, yes we can add protective measures to our accounts, but I like to think we in the hive mind are also thoughtful and respectful enough to take care of our friends safety.

@SnowyCA Indeed, privacy is a communal responsibility, and we must all work together to improve our culture regarding consent and the protection of others 💚

@Em0nM4stodon @SnowyCA

But you do realize that Fediverse info is out in the open, right? There is no access barrier except not directly knowing where to look.

@knud Everyone realises that.

Do you realise there's a difference between "available if you know how to look" (and bear in mind many choose not to be indexed in search engines which means there's an extra barrier to the casual searcher) and "actively broadcast via a bridge to hundreds or thousands of people who weren't even looking... yet"?

Because people who've been targeted by stalkers and trollfarms sure know.

@zeborah

I definitely know the difference - at the same time there's the old saying that "security by obscurity" isn't a safe approach.

In any case I absolutely support what you are saying!

@zeborah
That's exactly the point, thanks for saying this.
@knud

@zeborah @knud I came to this thread looking for an explanation of how this can be harmful. Thank you for spelling it out.

Is tagging someone on a non-bridged mastodon post equally risky? And if not, is that specifically because the mastodon audience tends to be friendlier than bluesky, or is there some other reason?

@eanopolsky It's probably not equally risky, for the reason you mention; but it's still worth being a bit mindful about it (because Mastodon instances vary a fair amount in their cultures too). If you're replying to someone, that's normal and inevitable. But if you're talking about something and think "Oh so-and-so would be interested in this!" then pause and think whether so-and-so wants everyone you're talking to to know they'd be interested. Many people won't mind at all! But if you have any doubt (especially if they're from a more marginalised group, or have mentioned having bad experiences in the past, or their profile/behaviour suggests they're more privacy-minded than average) you could always send them a DM with a link to the thread instead. Then they can choose whether or not to interact with it.

@knud

@knud @Em0nM4stodon

πŸ‘πŸ½πŸ‘πŸ½πŸ‘πŸ½πŸ‘πŸ½πŸ‘πŸ½πŸ‘πŸ½πŸ‘πŸ½πŸ‘πŸ½πŸ‘πŸ½πŸ‘πŸ½

You just have to enter some data in Google and you get posts and account profiles 🤷🏼‍♀️.

@SnowyCA


@SnowyCA @knud

I understand the difference. Nevertheless, I'm right.

@Em0nM4stodon

@Mons1serrata
thanks for letting me know you prefer to choose not to protect others.
@knud @Em0nM4stodon
@knud it is still a question of good manners, respect and politeness.

@Flyingmana

I agree that it's a question of manners. But to think that this will provide any meaningful kind of protection in a public network is an illusion.

@SnowyCA Let's say I want to block bridges on my own one-person #gotosocial instance, would it be enough to protect my profile from being leaked to Bluesky by people sharing my posts from other instances?

@Em0nM4stodon

@patpro
I found this, but as far as I know, if someone wanted to share your profile, say through a screenshot, there is not much you can do about it, but EM would know better than me. The link is here:
https://fed.brid.gy/docs#opt-out
@Em0nM4stodon
@SnowyCA @Em0nM4stodon obviously any screenshot / copy-paste cannot be prevented. Thank you for the pointer on the available opt-out methods.

@patpro I thought you probably knew the opt out features but I sent them just in case you weren't sure.

@Em0nM4stodon

@Em0nM4stodon yes. Polite not to tag random unrelated people into conversations generally either, but it's especially important when bridging to a corpo space.

Always possible to send someone a link if you think they might be interested. Links are still a thing.

@achadwick @Em0nM4stodon Note that if you reply to a reply, it tags the person to whom the original reply was to. This reply demonstrates that.
@gdinwiddie You can choose to untag them though. This reply demonstrates that. 😉
@zeborah @gdinwiddie This reply demonstrates neither, it just is!
@Em0nM4stodon
Thanks for the reminder Em.

@Em0nM4stodon I'm a bit concerned that people are looking at it only this way though. That publicly viewable profile is still being crawled by a number of crawlers even if they don't @ a person. It's still publicly searchable with just a name. Personally I'm against interacting with Bluesky in any way or it interacting with me, so I get the sentiment here, but I don't think people should be putting stuff they don't want publicly viewed in their publicly viewable profile...

Perhaps a good alternative is a followers-only locked post pinned to the profile (along with setting it to require approval to follow) but really the Fediverse should be treated as the open Internet for safety's sake just in general.

What's the alternative? Talking to/about people without letting them know?

@nazokiyoubinbou

Each improvement matters. We must inform, yes, but we must also oppose and correct each non-consensual data exposure we can.

Each step matters in improving data privacy over time.

Otherwise, we just let all the space free for abuse. The responsibility shouldn't be on people to hide.

@nazokiyoubinbou @Em0nM4stodon I wonder if the bridges run an identifiable crawler? If so it might be an added layer of defense to block bridge preview crawlers?

@metaphase @Em0nM4stodon I'm pretty sure that it could be blocked, yeah, but people could still click the link and see. Or even just go to any Mastodon server and type in the name and server (or maybe even just the name) in the search box.

That's what I'm trying to get through here: this is what you're posting publicly. Your profile and etc are visible. Mastodon is NOT meant to be secure. There are ways you could limit some things, but treat everything you post on Mastodon as public.

@nazokiyoubinbou @Em0nM4stodon that's the state of things; I think most of the tech experts know that. But fedi should consider how to improve the state of now towards a better future. It's an unfortunate but possible issue that if one's direct instance blocks Bluesky or Threads, an indirect server or a reference could end up bypassing the intent to block. We should discuss the different changes which could build better tech aligned to intent & safety.
@nazokiyoubinbou @Em0nM4stodon it's completely valid to point out that, right now, the way to improve intent is to take personal note and actions. But it's also good to discuss ways to systemically improve the tech base itself.

@metaphase @Em0nM4stodon I don't think any of my posts are in any way shooting down discussions of ways to improve it. I'm not aware of any such discussions taking place here.

It's worth remembering here that Mastodon is technically open. It's true a lot of the suggestions on the GitHub get ignored or shot down that probably shouldn't be, but don't forget that suggestions can be made.

@metaphase @Em0nM4stodon Blocks aren't meant to be that absolute though. It's meant to keep people from said servers actually interacting, but again, you must remember that a public thing is public.

There are actually ways of limiting somewhat. For example, posts can be made followers only (and you can even manually approve followers so not just anyone can automatically follow you.) Perhaps controls like this could be expanded a bit and I would 100% support that, but again it doesn't change the fact that anything you post as publicly available can be reached simply by opening up a Mastodon server and putting in the name or direct URL.

And the thing is, it needs to be that way to work right.

Don't post publicly what you don't want to be public.

@nazokiyoubinbou @Em0nM4stodon or maybe a per account setting to limit public profile view to directly linked servers only.

Btw: it's a little tedious and imho unhelpful at this stage of the conversation to repeatedly point out that public info is public.

@metaphase @Em0nM4stodon I have to point it out because somehow it seems to not be clear. Is it a definition issue or what here? You're posting stuff for the world to see. Then you're upset that the world can see what you post for the world to see.

Even if you limit what servers can see it via some sort of large blacklist (which servers do actually do somewhat) it doesn't mean they can't easily circumvent it by doing what I said above: going to any server that isn't blacklisted and putting in the URL or name. If you block IPs they can use a VPN or proxy.

Mastodon is meant to be an open social network. You probably want Matrix or something like that for E2EE where you control exactly who sees things.

@nazokiyoubinbou @Em0nM4stodon I see a fundamental disagreement. I don't agree that Mastodon being an "open social network" means that we just shrug at profiles being public and that's immutable. The fediverse built on ActivityPub is meant to encourage all sorts of individual and collective social interactions, including exploring how to interact while proving different ideas and boundaries of privacy.
It's ok you want to keep a default more open setup but people obviously want to explore better sharing boundaries. Even TikTok has a privacy option of profiles and videos being only visible to approved followers for example. It's harder but worth it to see what can be done in a federated model imho.

@metaphase @Em0nM4stodon I don't know what to tell you. The mechanisms are fundamentally open and they kind of have to be for what Mastodon is trying to achieve.

You can limit a lot of things. As I said, posts do offer some limitation options (and as I already mentioned, one could put stuff they wanted in a profile in a pinned followers-only post if they wanted to put more limits on it -- essentially using a post as their real profile.) But by its very nature it just can't limit too much.

The more you limit, the more you lock things down and bring it into the level of being like those we're trying to get away from. Perhaps there is a better balance, but then my post was really just meant to be a reminder of where things currently stand and not to expect differently.

@nazokiyoubinbou @metaphase @Em0nM4stodon Isn't that kind of like saying that your address is public because it's on all the letters that arrive to you, and therefore I should be allowed to take a picture of it and share it with 1000s of people because I feel like it?

@sotolf No, it's kind of like saying you're posting it publicly in a public place for everyone to see with no viewing restrictions and then being annoyed that everyone sees it.

I get the kneejerk here, I totally do. I hate Bluesky as much as the others attacking me for saying this. I'd like to see it fail as a network before it hurts people. And I don't want it getting any more info on me than possible. But "viewable by the entire world" and "except specific people/entities I specifically don't want" are basically mutually exclusive.

@nazokiyoubinbou @metaphase @Em0nM4stodon there is a difference between me sharing something with my friends, and one of them sharing that with everyone at work. The thing is that having something publicly available, your address is on your house, on packages you send out and so on. You walking down the street without a ski mask on does not mean you consent to someone livestreaming your shopping trip.

@sotolf There is a difference. Mastodon is public. Mastodon is not your friends. It's a huge social network. You want some kind of localized server that's basically centralized. That is possible and some may exist, but we wouldn't be having this conversation across servers then, would we?

I can't say this any clearer. Publicly viewable means publicly viewable. What YOU put publicly, is public. If you want to limit, there's mentions only and followers only. Use those if you need them.

I'm done with this back and forth having to repeat a basic definition.

@nazokiyoubinbou @metaphase @Em0nM4stodon hmm, but you posted this publicly, which means you're inviting people to comment on it. You can't blame others for replying; what do you expect when you post it for everyone to see?

@sotolf I don't blame you for replying. I blame you for the nature of your replies. If you want to hold a qualitative discussion fine, but you're just making me repeat a basic definition of the word public.

I could link to Websters or Wiktionary or whatever if you'd like.

@nazokiyoubinbou @metaphase @Em0nM4stodon no, you are repeating the point because you don't understand a nuance in the kind of public that something is. Being public but not known is not the same as wanting attention and trying to get your name known.

@sotolf Here you go:

https://en.wiktionary.org/wiki/public#Adjective

It's even the first one...

@nazokiyoubinbou you also keep on editing your posts, so it's impossible to actually reply to what you're saying..
@nazokiyoubinbou @Em0nM4stodon people are shocked that when they make their information public on a website that can be accessed by anyone without an account, that information is public and can be accessed by anyone. Crazy
@Em0nM4stodon Is there a way for individual users to block Bluesky bridges (or similar)?

@distinctdipole Yes, and no. Unfortunately, blocking Bluesky would not prevent the situation described above.

However, it might prevent some other situations.

The Bluesky account responsible for the bridge can be blocked like any regular user can be blocked. But this might only offer minimal protections, sadly.

A stronger protection can be to block the whole domain. Here's how you can do this: https://infosec.exchange/@Em0nM4stodon/114871008693759427

Em (@Em0nM4stodon@infosec.exchange):

Tiny Mastodon Tip to Block a Domain. If you would like to block an entire domain or instance on Mastodon, there are 2 easy ways to do this. Be careful however, this will block *everyone* from this instance, and you will lose your followers and follows from this instance as well. HOW TO❓

1. The easiest way is to find a user from the instance you want to block, then click on the 3-dot "Menu" button on their profile. From the drop-menu, select "Block domain DOMAIN_NAME" 🙅‍♀️
2. You can also "pre-block" an instance or domain, even without a user account. From the web interface, go to "Preferences" > "Import and export" > "Export", then download the "CSV" file for your "Domain blocks" 🗃️
3. Open the `blocked_domains.csv` file as a text file 📑
4. Type each domain you wish to block on a separate line. Save this file using the same filename 💾
5. Back to your account, move to the "Import" section from the left-side menu. From the "Import type", select "Domain blocking list" 📂
6. Select "Merge" to add blocked domains to your existing list, or "Overwrite" to only use the file you just saved ➕
7. Verify the information on the confirmation page, then click "Confirm" 👀
8. You are now (relatively) safer from this domain 😌✨

#TinyMastodonTip #Mastodon #Privacy #Threads #Bluesky #Fediverse

@Em0nM4stodon Thanks. That felt good.

And bookmarked for future reference. Thanks again 

@distinctdipole @Em0nM4stodon I've done exactly that - blocked the whole domain - after reading Em's post.

A longtime friend on here had this happen to her today. I'm sure I'm not alone in wanting NOTHING to do with corporate socials and crawlers/scrapers, while trying not to make the experience into a "walled garden".

Thanks for the post Em 

@Em0nM4stodon I will file an issue with the Bridgy devs about this.

I don’t think it should be actually linking to the account if it’s not bridged.

@EdwinG Agreed, this tool shouldn't behave that way.

Thank you so much for taking the time to bring this information to their attention, this could protect many down the road πŸ’š

@EdwinG @Em0nM4stodon that is certainly one idea to prevent this from happening again by accident. Does not change the fact however that anyone could post the URL of a fedi user's profile to Bluesky (or Discord, or wherever).