So with the revelation that the owner of a big Fedi server is a target of a lawsuit, and that if things go badly the server may find itself seized—

I realize that users on that instance follow users on my instance, so there are going to be semiprivate posts of mine that may fall into the hands of people—law enforcement, data brokers—who are not beholden to any Fedi Admin Code of Honour.

(I already do not post about my crimes on Fedi, if I were the kind to do crimes.)

Server seizure is just not a part of the ActivityPub threat model. What if it was? How would it change the protocol to protect data at rest, or perhaps not even keep it at rest on a server but defer to the originating server?

End-to-end encryption [user-to-user, not server-to-server] could be part of the answer, but it need not be the whole answer.

I welcome considered thoughts, so any response I see within an hour of my posting this will be ignored.

@futzle I do not understand how the example changes the threat model.

We must assume that corrupted servers already federate. There is threads.net, there are almost certainly instances of Nation State Actors and other interested parties that federate and collect all data they can possibly access.

How would a server seizure change any of that, making it more dangerous?

@isotopp Untrustable servers like Threads already get defederated by responsible admins. As we discover other instances that behave like this, we defederate those too. Admins have backchannels to share and discuss these kinds of servers. I consider the amount of leakage through these kinds of instances to be relatively low, and when there is, the window is short.

Seizure is different because it’s a rapid and unscheduled change of an instance from long-term trusted to untrusted, and even if we defederate a seized server immediately, it’s got a snapshot of a lot of sensitive data at rest.
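To make the two design ideas from the opening post (don't keep the post at rest on the remote server, or encrypt it end-to-end so the server only holds ciphertext) and the "snapshot at rest" point of the last reply concrete, here is an added toy model; it is not code from the thread or from any ActivityPub implementation. It simulates an origin instance delivering one followers-only post to a follower's instance under three storage policies, then "seizes" the follower's instance and asks what is readable from its disk alone. The server names, post id and post text are constructed, and the HMAC-based cipher is a standard-library stand-in for a real AEAD, used only so the example runs offline.

```python
# Added example for this thread (not code from the original posts): a toy model of
# what someone holding a seized remote instance's disk can read, under three ways the
# remote instance could store a followers-only post it received. Server names, post
# ids and the post text are constructed for the demonstration.
import hashlib
import hmac
import os
from dataclasses import dataclass, field

def _keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in for a real AEAD (e.g. XChaCha20-Poly1305) so the example needs only the
    # standard library: HMAC-SHA256 in counter mode, XORed with the data.
    out = bytearray()
    for i in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i * 32:(i + 1) * 32], block))
    return bytes(out)

def seal(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC envelope that only the holder of `key` can open."""
    nonce = os.urandom(16)
    ct = _keystream(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}

def open_envelope(key: bytes, env: dict) -> bytes:
    tag = hmac.new(key, env["nonce"] + env["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, env["tag"]):
        raise ValueError("envelope tampered with or wrong key")
    return _keystream(key, env["nonce"], env["ct"])

@dataclass
class OriginServer:
    """The poster's own instance: holds the plaintext and decides who may fetch it."""
    posts: dict = field(default_factory=dict)
    federating_with: set = field(default_factory=set)

    def fetch(self, post_id: str, requester: str):
        # The only gate a reference-based design offers: once the origin has
        # defederated the requester, later fetches fail.
        if requester not in self.federating_with:
            return None
        return self.posts.get(post_id)

@dataclass
class RemoteServer:
    """The follower's instance, i.e. the one that gets seized in the scenario."""
    name: str
    policy: str                 # "copy" (status quo), "reference", or "e2e"
    storage: dict = field(default_factory=dict)

def deliver(origin: OriginServer, remote: RemoteServer, post_id: str, follower_key: bytes):
    plaintext = origin.posts[post_id]
    if remote.policy == "copy":
        remote.storage[post_id] = plaintext          # full plaintext lands on the remote disk
    elif remote.policy == "reference":
        remote.storage[post_id] = f"ref:{post_id}"   # only a pointer back to the origin
    elif remote.policy == "e2e":
        # ciphertext on disk; the key lives on the follower's client, not the server
        remote.storage[post_id] = seal(follower_key, plaintext)
    else:
        raise ValueError(remote.policy)

def readable_after_seizure(remote: RemoteServer, origin: OriginServer) -> list:
    """Plaintexts a party holding the remote server's disk (but no client keys) can read."""
    found = []
    for post_id, item in remote.storage.items():
        if remote.policy == "copy":
            found.append(item)
        elif remote.policy == "reference":
            fetched = origin.fetch(post_id, remote.name)
            if fetched is not None:
                found.append(fetched)
        # "e2e": the envelope is on disk, but without the follower's key it is opaque
    return found

def run_scenario(policy: str):
    origin = OriginServer()
    remote = RemoteServer("seized.example", policy)
    origin.federating_with.add(remote.name)
    follower_key = os.urandom(32)
    origin.posts["post-1"] = b"followers-only: semiprivate remark"   # constructed sample post
    deliver(origin, remote, "post-1", follower_key)
    # Seizure happens and the origin admin defederates at once. Under the "copy"
    # policy that only closes the window for future posts; the snapshot stays readable.
    origin.federating_with.discard(remote.name)
    return readable_after_seizure(remote, origin), remote, follower_key

if __name__ == "__main__":
    for policy in ("copy", "reference", "e2e"):
        print(f"{policy:9s} -> readable after seizure: {run_scenario(policy)[0]}")
```

Running it prints the plaintext for "copy" and an empty list for the other two, which is the whole difference between defederation (stops future leakage) and seizure (what is already on disk). Two caveats the model makes visible: the "reference" policy only helps if the remote instance never cached a rendered copy before the seizure and the origin is still reachable to refuse the fetch, and in all three policies the follow graph, timestamps and post ids remain on the seized disk, so the metadata leaks even when the content does not. End-to-end encryption moves the sensitive material to the follower's client device, which then becomes the thing worth protecting.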