Have you seen this news?

#Mastodon just got funding to add end to end encryption into their software.

So, some time next year, you’ll be able to send truly private messages to the vast majority of the #Fediverse

I'm so excited about this.

Because it’s an open spec, this opens the doors for every Fediverse app to join the party.

Yesterday, this project was a proof of concept. Today, Mastodon has turned it into a stampede.

#E2EE

https://blog.joinmastodon.org/2026/04/sovereign-tech-agency-funding/

Sovereign Tech Agency funding

Announcing a service agreement for new work to improve Mastodon and the broader ecosystem.

Mastodon Blog
@benpate did you hear that Mastodon’s next version implemented Activity Intents, as well? Things keep getting better!

@andypiper

I knew it was in the works, but didn’t know that it has landed in the next release yet.

Also fantastic news!

Piece by piece, we are bringing the Fediverse closer together AND reaching out to the wider web.

The future is looking brighter every day!

@benpate it got a mention in Trunk & Tidbits, so it's Really Real™️
@andypiper @benpate there's no mention (yet?) of this in the ticket (that @benpate opened) at https://github.com/mastodon/mastodon/issues/33984
@adamhotep @benpate thanks for the pointer! We should fix that and link it to the PRs mentioned in Trunk & Tidbits this month… 😧
@benpate
Hell yeah! 👍

@benpate And meanwhile, services owned by megacorps (cough Meta) are yanking E2EE from their platforms.

Fedi FTW!

@benpate I'm wondering what the advantage of e2ee private messages on Mastodon is when we have Signal, Matrix and other robust encrypted messaging tools that you could invite a friend to if you want to have a private conversation.

Is anyone worried about this creating moderation issues?

Generally I'm in favor of privacy and security, but I'm just not sure what the value of this feature is on Mastodon. Maybe you or others can provide your perspective on this.

@earth_walker @benpate

It's not either-or. You can use both.

If you prefer to switch apps and identities and go over to Signal, awesome.

If you'd rather message someone with your ActivityPub identity, you can do that securely now, too.

The E2EE work on ActivityPub uses an open standard, MLS, to encrypt data. One reason we chose it was so it's at least possible to bridge to other social and messaging networks while keeping the data encrypted from end to end.

@earth_walker

I don’t have all the answers, but I believe there’s a network effect at work.

Signal is fantastic. I use it for lots of things. But it's “yet another” place to go.

But the Fediverse is my primary place to talk with people (like you)

If you and I could have a truly private follow-on discussion without switching networks, it would be a win for the Fediverse.

@benpate @earth_walker

Signal also has 50 employees and money in the bank to pay the lawyers.

@jaz @earth_walker

I'm certainly not a lawyer or expert on this, and I'm sure it varies between legal jurisdictions... but I thought that US law has (some?) liability protections for "common carriers" who pass data but are unable to read it.

Your ISP isn't liable for stuff you download over a secure HTTPS/SSL connection. In theory, the same *should* apply here. But still, someone may try to test it in court.

@benpate

US law is certainly one jurisdiction, one which routinely compels the sharing of metadata of E2EE users and their conversations, and one which is trying very hard to remove a number of protections currently enjoyed by US-based service providers through legislation such as KOSA and EARN-IT.

Also, social media companies are not common carriers. That's a very different thing (like ISPs, telcos, and railroads.)

Also...

https://umap.openstreetmap.fr/en/map/fediverse-near-me_828094#3/25.799891/29.794922

@benpate

Also, even if I enjoyed all the protections in the world, I am not in the E2EE business.

I am not in the patio installation business.

I am not in the porn business.

I am not in the banana peel recycling business.

I operate a public-facing social networking service for charitable purposes, with various liabilities I have chosen to take on, and various regulatory requirements I have chosen to comply with.

E2EE is not in my mission, nor in my wheelhouse, nor in my business plan.

@jaz @benpate this an excellent point, and something I learned in my brief time running a Matrix server as part of vmst.io -- it's nearly impossible to moderate what you can't see.

@vmstan @jaz

Yup. I've heard some discussion about allowing users to "flag" content to admins. But then there's the question of how to prove that the message is authentic (and that I didn't just use a screenshot maker to frame someone).

Right now, I don't know how that'll play out. But I'm glad Mastodon is going to be asking those questions.
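The authenticity question raised above has a known answer in the messaging world, usually called "message franking": the sender commits to the plaintext with a per-message key that travels inside the encrypted payload, the server signs only that commitment plus routing metadata (without ever seeing content), and a recipient who reports a message hands the moderator the plaintext, the per-message key and the server's stamp. The sketch below is an added example, not code from this thread, from Mastodon or from any MLS implementation; the `Envelope` type is a stand-in for a real E2EE payload, and all keys, addresses and message text are constructed for illustration.

```python
# Added example (not from the thread or from Mastodon's code): a minimal
# "message franking" sketch showing how a recipient of an end-to-end
# encrypted message can report it in a way a moderator can verify, while the
# server never reads message contents. Keys, names and messages are constructed.
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple


def commit(franking_key: bytes, plaintext: bytes) -> bytes:
    """Commitment to the plaintext: HMAC under a fresh random per-message key.

    Without the key the tag reveals nothing about the text; with the key it
    opens to exactly one plaintext, so a report cannot substitute another.
    """
    return hmac.new(franking_key, plaintext, hashlib.sha256).digest()


@dataclass(frozen=True)
class Envelope:
    """Stand-in for an E2EE payload (a real deployment would use MLS).

    `sealed` is treated as opaque by the server; only the recipient opens it.
    """
    sealed: Tuple[bytes, bytes]   # (plaintext, franking_key): recipient-only
    commitment: bytes             # travels in the clear next to the ciphertext


def sender_prepare(plaintext: bytes) -> Envelope:
    franking_key = secrets.token_bytes(32)
    return Envelope(sealed=(plaintext, franking_key),
                    commitment=commit(franking_key, plaintext))


def _server_context(commitment: bytes, sender: str, recipient: str, ts: int) -> bytes:
    # Canonical encoding of what the server vouches for: commitment + routing metadata.
    return json.dumps({"c": commitment.hex(), "from": sender, "to": recipient, "ts": ts},
                      sort_keys=True).encode()


def server_stamp(server_key: bytes, env: Envelope, sender: str, recipient: str, ts: int) -> bytes:
    """The server authenticates only the commitment and metadata; it never touches env.sealed."""
    return hmac.new(server_key, _server_context(env.commitment, sender, recipient, ts),
                    hashlib.sha256).digest()


def recipient_open(env: Envelope) -> Optional[Tuple[bytes, bytes]]:
    """Recipient 'decrypts' (reads the stand-in) and checks the sender's commitment matches."""
    plaintext, franking_key = env.sealed
    if not hmac.compare_digest(commit(franking_key, plaintext), env.commitment):
        return None   # commitment does not match what was delivered; do not accept
    return plaintext, franking_key


def build_report(env: Envelope, server_tag: bytes, sender: str, recipient: str, ts: int) -> dict:
    """What the recipient hands to a moderator when flagging a message."""
    opened = recipient_open(env)
    assert opened is not None
    plaintext, franking_key = opened
    return {"plaintext": plaintext, "franking_key": franking_key, "commitment": env.commitment,
            "server_tag": server_tag, "sender": sender, "recipient": recipient, "ts": ts}


def moderator_verify(server_key: bytes, report: dict) -> bool:
    """Accept only if (1) the server really relayed this commitment with this
    sender/recipient/time, and (2) the commitment opens to the reported text."""
    ctx = _server_context(report["commitment"], report["sender"], report["recipient"], report["ts"])
    expected_tag = hmac.new(server_key, ctx, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, report["server_tag"]):
        return False   # server never stamped this commitment for these parties
    return hmac.compare_digest(commit(report["franking_key"], report["plaintext"]),
                               report["commitment"])


def demo() -> Tuple[bool, bool]:
    """Returns (honest_report_accepted, forged_report_accepted)."""
    server_key = secrets.token_bytes(32)   # constructed; held only by the server
    env = sender_prepare(b"constructed abusive message")
    tag = server_stamp(server_key, env, "alice@example.social", "bob@example.social", 1_700_000_000)

    honest = build_report(env, tag, "alice@example.social", "bob@example.social", 1_700_000_000)
    forged = dict(honest, plaintext=b"something alice never sent")  # the 'screenshot maker' case
    return moderator_verify(server_key, honest), moderator_verify(server_key, forged)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The point for a moderation workflow: a forged report fails on the commitment check, and a report about a message the server never relayed fails on the server stamp, yet nothing here requires the server to hold message content or a decryption key. The server-side stamp also gives the admin a consistent record of who sent what commitment to whom and when, which is the metadata a moderator needs without the content they cannot see.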

@benpate @vmstan speaking on behalf of the large number of Lemmy admins who had to turn off services due to two successive floods of maliciously-federated CSAM severely impacting their mental health, this is a very large and complex conversation to consider.

@benpate

To be clear, I am very happy E2EE services, patio installers, porn services, and banana peel recyclers exist.

I simply do not want to operate one of these businesses.

@jaz I can only say "yes" so many times before I dig up the Meg Ryan gif.

Do you want me to dig up the Meg Ryan gif?

@benpate I'd appreciate the gesture 😜
@jaz @benpate thanks for bringing this up, Jaz. I think one way to consider this is that people like me, Ben, Bonfire, and Mastodon can provide this technology, and communities and individuals will make decisions about how and when they use it.
@evan @benpate that's all I'm saying, allow me to opt-in if desired

@jaz @evan @benpate I would add, in regards to "Signal has 50 employees", that Mastodon does not. And there's a lot of things that need fixing and improving already without having to solve E2EE messaging.

Something, something, resourcing.

But whatever, it is what it is. I'm sure it'll be fine. It just sounds like a lot of work for not a lot of reward. 🙃

@matt @jaz @benpate like what?
@evan Reply control @matt @jaz @benpate

@aslakr I can only imagine @evan says "like what?" because he's thinking of the protocol / backend work and not Mastodon as a piece of software with a frontend.

There's so much sub-par public UX in Mastodon, but even more so if you look at the Admin and Moderation panels. A lot needs a rethink.

But this $$$ is not being spent on that. It's 2 backend engineers to work on backend according to the press release.

I just don't see E2EE as a priority for a Mastodon experience.

@jaz @benpate

@matt I say "like what?" because part of what I do for a living now is find problems that are keeping the Fediverse from growing and improving, and then I find money to help fix those problems. Sometimes with technology, sometimes with convening meetings, sometimes with research.

So, knowing what experienced instance operators like you think needs to be done to make the Fediverse bigger and better is a really big deal for me!

@aslakr @jaz @benpate

@matt @aslakr @jaz @benpate

I think it'd be good to get more of this kind of input, though. I am thinking about good ways to do it.

@evan There's probably two very different buckets full of 'Things I'd like to improve as a Fediverse admin' and 'Reasons why people don't want to adopt yet another social media site in 2026' and there's little overlap between those two buckets. 😂

Do you publish your findings and research anywhere publicly? I'd be interested in reading along.

@matt follow us on @swf !

For the personal relationships research work I did, it's on my personal blog. There's a video, too.

https://evanp.me/2023/05/15/re-designing-the-mastodon-user-interface-for-better-personal-relationships/

Re-designing the Mastodon User Interface for Better Personal Relationships 

I did research as part of my graduate work in human-computer interaction at Georgia Tech. I focused on incremental improvements to the Mastodon user interface to focus on personal relationships. I&…

Evan Prodromou's Blog

@evan @matt @benpate

Groups.

Also, groups.

Then groups.

😂

@jaz @matt @benpate

I agree. I love groups! A lot of great work happening there.

https://github.com/swicg/groups

GitHub - swicg/groups: Repository for the Groups Task Force of the SocialCG

Repository for the Groups Task Force of the SocialCG - swicg/groups

GitHub
@jaz @benpate In the interviews I've done with Fediverse users about bringing their personal connections, family and friends, to the Fediverse, they repeated again and again that they needed to have private messaging to do that, and this warning keeps them from doing it. If people don't connect with real-world relationships here, they aren't going to stay. This is existential.

@evan @benpate well, that warning would be more informative - but less readable - if it said "Direct messages on Mastodon, just like Twitter, Instagram, TikTok, LinkedIn and all your SMS messages, are not end-to-end encrypted. Do not share any highly-sensitive information over Mastodon."

The gap here is people think the others /are/ private because they don't take the ethical stance of pointing this out.

Personally, I'd remove the warning.

Do People Actually Care About Data Privacy in Messaging Apps?

Consumer concerns about data privacy and security are at an all-time high. But how does it tie into messaging apps? Here's what you should know

Lime Connect

@jaz @benpate That'd be the easier way to do it, for sure. But I think it's good to give people the privacy they need.

Can I ask another question? Would you be more inclined to support E2EE on a server where you control who uses it, like mastodon.iftas.org?

@evan @benpate

>I think it's good to give people the privacy they need

To be super clear, so do I. I just don't want to be the person giving it to them.

>Would you be more inclined to support E2EE on a server where you control who uses it, like mastodon.iftas.org?

Me personally, no, I will trust my highly-sensitive data to a very focussed, reputable org that does this for a living.

(I honestly don't remember who hosts that server. Every once in a while I have to go look it up.)

@jaz @benpate That's interesting, thanks!
@evan @benpate I'll put tongue firmly in cheek and ask you if you would recommend to a dear friend that they should use E2EE services to preserve the privacy of their most sensitive data from a company whose privacy policy is uncertain which country the service is located in, and doesn't publish any terms of service?

@jaz @benpate I don't understand who you are talking about. IFTAS, SWF, cosocial.ca, Emissary, toot.wales, Mastodon? Also using technology from that company, or preserving privacy from that company?

I think users should use E2EE messaging for as many conversations as they can. Using encryption technology that is open source, reviewed by security pros, and based on open standards is the best.

@jaz @benpate my question was in particular about operating a server. I think there's a higher level of trust between users and server operators when there's a real-world relationship, like a business, household, non-profit or club.
@evan @benpate for sure, real-world relationships between you and your encryption provider would be strong trust foundations.
@jaz @benpate I thought you were concerned from the other direction, as a server operator.

@evan @benpate I guess the clarification is I don't have real-world connections with the 15,000 people signed up on the service I operate.

Again, I am in favour of encrypted messaging services. I do not want to provide such a service personally.

@jaz @benpate yeah, absolutely. I think other people who run public servers may have the same concerns. I have a lot less concern with my colleagues at SWF, for example, or my family on prodromou.pub.

@evan @benpate 100%, you should get to do whatever you want to do for your family, colleagues, or 15,000 person server (if that's your desire).

My original reply is in reference to the original post about E2EE being added to Mastodon, which has historically kind of sort of not been super great on the admin-gets-to-choose front, so I'm on record now saying make it optional for admins, or I have to pass the torch.

@evan @benpate

I'm suggesting that a company, any company, whose privacy policy states "if this server is in jurisdiction X then certain things apply, but if not, then maybe something else" /and/ does not provide a terms of service, whosoever that company may be, they would not be my first choice for trusting them with my highly-sensitive messages, and nor would the software they may have created and distributed to keep those messages safe.

@jaz @benpate @earth_walker Signal is also a centralized service controlled by a very few people with the ability to be blocked and cut off easily.

I don't see E2EE fedi as competition for Signal, it's just a way to ensure comms are at least somewhat protected. Is there something complex about the implementation that makes you feel you are operating a E2EE service beyond the fact that Masto servers already do that via TLS?

@reflex @benpate @earth_walker

I'm not trying to be snide here, I mean this very literally.

I don't know what I don't know about operating an E2EE, patio, porn, or recycling business. All I know is they are all regulated, require licensing and insurance, and have wildly different requirements in different jurisdictions.

I've done the work for operating social media services.

I have no intention of doing the work for any of the other services listed.

(Export controls come to mind though.)

@earth_walker @benpate

If people are already on Signal, good for them. But the real issue is getting people off the Meta apps. So if there's a good Fedi Messenger, that can definitely help!
😊👍

@earth_walker @benpate
Yes.
The very first thing that occurred to me reading this was: "Hmm. Adding E2EE without first implementing the long requested tools to make it less easy to harass people is going to potentially make moderation more challenging and Mastodon more unsafe than it is."
@benpate Do you mean PMs to other users which are actually P?