So with the revelation that the owner of a big Fedi server is a target of a lawsuit, and that if things go badly the server may find itself seized—

I realize that users on that instance follow users on my instance, so there are going to be semiprivate posts of mine that may fall into the hands of people—law enforcement, data brokers—who are not beholden to any Fedi Admin Code of Honour.

(I already do not post about my crimes on Fedi, if I were the kind to do crimes.)

Server seizure is just not a part of the ActivityPub threat model. What if it was? How would it change the protocol to protect data at rest, or perhaps not even keep it at rest on a server but defer to the originating server?

End-to-end encryption [user-to-user, not server-to-server] could be part of the answer, but it need not be the whole answer.

I welcome considered thoughts, so any response I see within an hour of my posting this will be ignored.

@futzle
Well, a 'delete all my posts' function has some other obvious benefits, but it would have to be cryptographically secure so that bad actors could not just delete all your posts for fun or profit.
How would you target it against a particular server?
@Steveg58 @futzle oh no you didn't read the post
@liquor_american @futzle
I don't have an hour. In an hour all my thoughts on the matter will be gone.
@futzle this isn't even the first time this has happened, recall kolektiva
@nev (Sorry I only just saw your post.) I was definitely thinking about the kolektiva seizure, and how we’ve learned approximately nothing about operational security from it except “don’t be raided”. Great, so that’s solved and will never happen again.
@futzle One thing to keep in mind with end-to-end encryption, is that it could still be a source of metadata. Since even if somebody can't read the message, if they see it came from a user on one server to a user on the server they now possess, that's a data point.
@futzle Do you have a link to what's going on? I feel like I missed something big.
May Likes Toronto (@[email protected])

Time to back up, export, and leave if you're on mstdn.ca https://ottawa.place/@stephanie/116267088513251309 If you can't see the above post, here's the CBC article about the person who owns and runs the server. https://www.cbc.ca/news/canada/edmonton/inglewood-league-lawsuit-missing-funds-9.7136933 Migration tips: https://zeroes.ca/@StaceyCornelius/115967726861839689 Edit: These are allegations and there's a state of the instance coming up. I'd err on the side of caution and migrate early, or at least back everything up, because losing an account here kind of sucks.

beige.party

@futzle Frankly I have no expectation of my admins taking any action against server seizure, and wish them all the chill vibes in the world so it never happens. I consider Federation itself to be the defence against seizure in that if I need to protect an instance it should be my instance, my thermite and my problem.

That said, as much as I’d hate the hassle it would cause them, I’d almost like to see what would happen after they seize @tyrant’s server.

@drew It’s not @tyrant that I’m worried about. It’s the perfectly legitimate follower who runs a GTS instance in their basement in Catistan, and then they get raided by the Catistan Special Police on Suspicion of Liking Dogs, and then all your schnauzer posts are captured and you can never visit Catistan again.
@futzle encryption at rest (even without E2EE) could provide some mitigation … for example when the FBI seized a copy of kolektiva’s database back in 2023, people in general seemed to think that the fact that the admin had unencrypted it to do some maintenance work made the situation worse than it would have been otherwise. Of course if the admin of the instance has the decryption keys they can be forced to reveal them (or could do so with poor opsec) so it’s certainly less protection than E2EE but assuming good opsec could be helpful in cases like the current one.
@jdp23 Agree, it does only work in certain jurisdictions (and mine is not one of them: they’ll just lock me up until I provide the keys).
@futzle yeah in general if law enforcement has specific grounds to seize the server they’ll probably be able to compel disclosure of any keys the admin has access to. The kolektiva situation was kind of weird, as I understand it they weren’t particularly going after the DB (they were going after the admin for something unrelated) so not sure how that would have played out.

@futzle so, a “hostile admin” (or “coerced by threats”) is, I think, not possible to forwards-defend against in a federated system (that is, new follows made after they turn malicious cannot be protected from snooping). They could (eg) store any e2ee keys, etc.

E2ee breaks search and the local timeline (some homomorphic encryption methods might make authenticated search possible, but it won’t be cheap or easy).

Encryption at rest with a regular proof-of-life required to avoid scrambling the keys could protect from seizure by incompetent cops, but then you randomly lose your instance if the admin goes away briefly (and competent cops will physically freeze the ram before disconnecting power, so it doesn’t lose state). You would need some way of detecting movement near the server and requiring reality every time it happened to offer any protection from that.

@knack This is interesting reading. ActivityPub is at least async, so short periods of downtime while an admin reactivates a dead man’s switch are not out of scope. But I suspect in your jurisdiction and mine, an admin would just be compelled by the Feds to provide the encryption key, end of story.

@futzle in a secure-vs-seizure design, failing to hit the switch in time would delete the key irrevocably; you could not produce it later, it’s gone (along with all instance data).

You _could_ use partitioned storage with postgres to put only non-public posts on the encrypted storage.
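The partitioned-storage idea above, sketched as an added example that is not from the thread: a Mastodon-style statuses table list-partitioned on visibility, with the non-public partition placed on a tablespace whose mount point sits on an encrypted volume. The column names, the visibility codes (0 public, 1 unlisted, 2 private, 3 direct) and the mount path are assumptions for illustration; check them against the schema you actually run.

```sql
-- Tablespace backed by a separately encrypted volume (assumed mount point).
-- The volume must be unlocked before PostgreSQL starts; if it is not, only
-- the non-public partition is unreadable and the public data stays served.
CREATE TABLESPACE encrypted_ts LOCATION '/mnt/encrypted/pgdata';

-- Parent table; the partition key (visibility) must be part of the primary key.
CREATE TABLE statuses (
    id          bigint      NOT NULL,
    account_id  bigint      NOT NULL,
    visibility  smallint    NOT NULL,   -- assumed codes: 0 public, 1 unlisted, 2 private, 3 direct
    text        text,
    created_at  timestamptz NOT NULL DEFAULT now(),
    PRIMARY KEY (id, visibility)
) PARTITION BY LIST (visibility);

-- Public and unlisted posts stay on the default (unencrypted) tablespace.
CREATE TABLE statuses_public
    PARTITION OF statuses FOR VALUES IN (0, 1);

-- Followers-only and direct posts live on the encrypted tablespace.
CREATE TABLE statuses_nonpublic
    PARTITION OF statuses FOR VALUES IN (2, 3)
    TABLESPACE encrypted_ts;

-- Indexes on the non-public partition must also be placed on the encrypted
-- tablespace, otherwise index pages leak post content and relationships.
CREATE INDEX statuses_nonpublic_account_idx
    ON statuses_nonpublic (account_id, created_at)
    TABLESPACE encrypted_ts;

-- Constructed sample rows: the second lands in statuses_nonpublic automatically.
INSERT INTO statuses (id, account_id, visibility, text) VALUES
    (1, 42, 0, 'hello, public timeline'),
    (2, 42, 2, 'followers-only: schnauzer update');

-- Verify the routing: which partition holds each row?
SELECT tableoid::regclass AS partition, id, visibility
FROM statuses
ORDER BY id;
```

Two caveats the thread already hints at apply here. First, the table partition is not the only copy of the data: WAL segments, base backups, logical dumps, and related tables (mentions, notifications, media attachments, full-text search indexes) also carry non-public content and would need the same treatment or the scheme only moves the problem. Second, the encrypted volume's key has to be available to the running server, so this protects a powered-off or snapshotted disk, not a live seizure or a compelled admin, exactly the limitation @jdp23 and @futzle discuss above.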

@knack @futzle
How long are you willing to be in jail for deliberately letting the key get destroyed

At the end of the day, it'll be an anon.penet.fi situation at the very best

@sabik @futzle

In jurisdictions I'm familiar with, 'actively destroying evidence' is treated very differently from 'failing to act to preserve evidence'.

I think whether that works would hinge on how tech-ignorant the judge is / is not - not something I'd stake my personal freedom on lightly.

@knack @futzle
Letting the key get destroyed in a way that you wouldn't have absent the demand would probably get any judge annoyed at you; the technical details don't come into it

@futzle maybe I am just too stupid but I have thought a lot about it and I don’t think it’s possible without basically majorly breaking compatibility with all existing software.

It seems like cwebber has come to the same conclusion

@bri7 Yes, my thought is also that it would require a protocol revision and a period of adoption, and that this is unlikely to happen unless we have a major incident where the revision would have helped. I hope the looming mstdn.ca incident isn’t major enough, TBH.

@futzle well…

That is a very interesting rabbit hole to fall into.

I admit a level of surprise, reading what is going on.

@futzle oh wow - interesting conundrum

@futzle I do not understand how the example changes the threat model.

We must assume that corrupted servers already federate. There is threads.net, there are almost certainly instances of Nation State Actors and other interested parties that federate and collect all data they can possibly access.

How would a server seizure change any of that, making it more dangerous?

@isotopp Untrustable servers like Threads already get defederated by responsible admins. As we discover other instances that behave like this, we defederate those too. Admins have backchannels to share and discuss these kinds of servers. I consider the amount of leakage through these kinds of instances to be relatively low, and when there is, the window is short.

Seizure is different because it’s a rapid and unscheduled change of an instance from long-term trusted to untrusted, and even if we defederate a seized server immediately, it’s got a snapshot of a lot of sensitive data at rest.