So with the revelation that the owner of a big Fedi server is a target of a lawsuit, and that if things go badly the server may find itself seized—

I realize that users on that instance follow users on my instance, so there are going to be semiprivate posts of mine that may fall into the hands of people—law enforcement, data brokers—who are not beholden to any Fedi Admin Code of Honour.

(I already do not post about my crimes on Fedi, if I were the kind to do crimes.)

Server seizure is just not a part of the ActivityPub threat model. What if it was? How would it change the protocol to protect data at rest, or perhaps not even keep it at rest on a server but defer to the originating server?

End-to-end encryption [user-to-user, not server-to-server] could be part of the answer, but it need not be the whole answer.

I welcome considered thoughts, so any response I see within an hour of my posting this will be ignored.

@futzle so, a “hostile admin” (or “coerced by threats”) is, I think, not possible to forwards-defend against in a federated system (that is, new follows made after they turn malicious cannot be protected from snooping). They could (e.g.) store any e2ee keys, etc.

E2ee breaks search and the local timeline (some homomorphic encryption methods might make authenticated search possible, but it won’t be cheap or easy).

Encryption at rest with a regular proof-of-life required to avoid scrambling the keys could protect from seizure by incompetent cops, but then you randomly lose your instance if the admin goes away briefly (and competent cops will physically freeze the RAM before disconnecting power, so it doesn’t lose state). You would need some way of detecting movement near the server and requiring reality every time it happened to offer any protection from that.

@knack This is interesting reading. ActivityPub is at least async, so short periods of downtime while an admin reactivates a dead man’s switch are not out of scope. But I suspect in your jurisdiction and mine, an admin would just be compelled by the Feds to provide the encryption key, end of story.

@futzle in a secure-vs-seizure design, failing to hit the switch in time would delete the key irrevocably; you could not produce it later, it’s gone (along with all instance data).

You _could_ use partitioned storage with postgres to put only non-public posts on the encrypted storage.
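The partitioned-storage idea above, worked through as an added example (not code from anyone in this thread, and not Mastodon's own schema). It assumes a PostgreSQL 12+ server, a placeholder mount path `/mnt/encrypted/pg_private` that sits on a separately unlocked encrypted volume (LUKS, for instance), a simplified `statuses` table constructed for the example, and visibility codes (0 public, 1 unlisted, 2 followers-only, 3 direct) that are assumptions modelled loosely on Mastodon's convention; check your instance's actual schema before adapting it.

```sql
-- Tablespace whose directory lives on an encrypted volume.
-- The path is a placeholder; the volume's unlock secret must NOT live on the
-- same disk as the cluster, or the partitioning buys nothing at seizure time.
CREATE TABLESPACE private_enc LOCATION '/mnt/encrypted/pg_private';

-- Simplified statuses table, constructed for this example.
-- Because the table is partitioned by visibility, the primary key must
-- include the partition key (PostgreSQL requirement).
CREATE TABLE statuses (
    id          bigint      NOT NULL,
    account_id  bigint      NOT NULL,
    visibility  smallint    NOT NULL,   -- 0 public, 1 unlisted, 2 followers-only, 3 direct (assumed codes)
    text        text        NOT NULL,
    created_at  timestamptz NOT NULL DEFAULT now(),
    PRIMARY KEY (id, visibility)
) PARTITION BY LIST (visibility);

-- Public and unlisted posts stay on the default (unencrypted) storage;
-- they are already world-readable via the API, so encrypting them gains nothing.
CREATE TABLE statuses_public PARTITION OF statuses
    FOR VALUES IN (0, 1);

-- Followers-only and direct posts are routed to the encrypted tablespace.
CREATE TABLE statuses_nonpublic PARTITION OF statuses
    FOR VALUES IN (2, 3)
    TABLESPACE private_enc;

-- Indexes hold plaintext too (the indexed columns plus TOAST pointers), so the
-- non-public partition's indexes must also be placed on the encrypted tablespace.
CREATE INDEX statuses_public_account_idx
    ON statuses_public (account_id, created_at);
CREATE INDEX statuses_nonpublic_account_idx
    ON statuses_nonpublic (account_id, created_at)
    TABLESPACE private_enc;

-- Application code keeps writing to the parent table; the planner routes
-- each row by its visibility value.
INSERT INTO statuses (id, account_id, visibility, text) VALUES
    (1, 42, 0, 'hello world'),               -- lands in statuses_public
    (2, 42, 2, 'followers-only musing'),     -- lands in statuses_nonpublic
    (3, 42, 3, 'direct message to a friend');-- lands in statuses_nonpublic

-- Check: which relation ended up where. reltablespace = 0 means the
-- cluster default, hence the LEFT JOIN and COALESCE.
SELECT c.relname,
       c.relkind,
       COALESCE(t.spcname, 'pg_default') AS tablespace
FROM   pg_class c
LEFT   JOIN pg_tablespace t ON t.oid = c.reltablespace
WHERE  c.relname LIKE 'statuses%'
AND    c.relkind IN ('r', 'i')
ORDER  BY c.relname;
```

Two caveats a practitioner would want before relying on this: the write-ahead log (`pg_wal`) and any base backups or `pg_dump` output contain the non-public rows in plaintext regardless of tablespace, so those directories need the same encrypted treatment; and a seizure that captures the running machine with the volume still unlocked (the "freeze the RAM" case raised above) reads the data exactly as the application does, so this only helps against a powered-off or re-mounted disk.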

@knack @futzle
How long are you willing to be in jail for deliberately letting the key get destroyed?

At the end of the day, it'll be an anon.penet.fi situation at the very best

@sabik @futzle

In jurisdictions I'm familiar with, 'actively destroying evidence' is treated very differently from 'failing to act to preserve evidence'.

I think whether that works would hinge on how tech-ignorant the judge is / is not - not something I'd stake my personal freedom on lightly.

@knack @futzle
Letting the key get destroyed in a way that you wouldn't have absent the demand would probably get any judge annoyed at you; the technical details don't come into it