Have you seen this news?

#Mastodon just got funding to add end to end encryption into their software.

So, some time next year, you’ll be able to send truly private messages to the vast majority of the #Fediverse.

I'm so excited about this.

Because it’s an open spec, this opens the doors for every Fediverse app to join the party.

Yesterday, this project was a proof of concept. Today, Mastodon has turned it into a stampede.

#E2EE

https://blog.joinmastodon.org/2026/04/sovereign-tech-agency-funding/


@benpate I'm wondering what the advantage of e2ee private messages on Mastodon is when we have Signal, Matrix and other robust encrypted messaging tools that you could invite a friend to if you want to have a private conversation.

Is anyone worried about this creating moderation issues?

Generally I'm in favor of privacy and security, but I'm just not sure what the value of this feature is on Mastodon. Maybe you or others can provide your perspective on this.

@earth_walker

I don’t have all the answers, but I believe there’s a network effect at work.

Signal is fantastic. I use it for lots of things. But it’s “yet another” place to go.

But the Fediverse is my primary place to talk with people (like you).

If you and I could have a truly private follow-on discussion without switching networks, it would be a win for the Fediverse.

@benpate @earth_walker

Signal also has 50 employees and money in the bank to pay the lawyers.

@jaz @earth_walker

I'm certainly not a lawyer or expert on this, and I'm sure it varies between legal jurisdictions... but I thought that US law has (some?) liability protections for "common carriers" who pass data but are unable to read it.

Your ISP isn't liable for stuff you download over a secure HTTPS/SSL connection. In theory, the same *should* apply here. But still, someone may try to test it in court.

@benpate

US law is certainly one jurisdiction, one which routinely compels the sharing of metadata of E2EE users and their conversations, and one which is trying very hard to remove a number of protections currently enjoyed by US-based service providers through legislation such as KOSA and EARN-IT.

Also, social media companies are not common carriers. That's a very different thing (like ISPs, telcos, and railroads).

Also...

https://umap.openstreetmap.fr/en/map/fediverse-near-me_828094#3/25.799891/29.794922

@benpate

Also, even if I enjoyed all the protections in the world, I am not in the E2EE business.

I am not in the patio installation business.

I am not in the porn business.

I am not in the banana peel recycling business.

I operate a public-facing social networking service for charitable purposes, with various liabilities I have chosen to take on, and various regulatory requirements I have chosen to comply with.

E2EE is not in my mission, nor in my wheelhouse, nor in my business plan.

@jaz @benpate thanks for bringing this up, Jaz. I think one way to consider this is that people like me, Ben, Bonfire, and Mastodon can provide this technology, and communities and individuals will make decisions about how and when they use it.

@jaz @benpate In the interviews I've done with Fediverse users about bringing their personal connections, family and friends, to the Fediverse, they repeated again and again that they needed to have private messaging to do that, and this warning keeps them from doing it. If people don't connect with real-world relationships here, they aren't going to stay. This is existential.

@evan @benpate well, that warning would be more informative - but less readable - if it said "Direct messages on Mastodon, just like Twitter, Instagram, TikTok, LinkedIn and all your SMS messages, are not end-to-end encrypted. Do not share any highly-sensitive information over social media."

The gap here is people think the others /are/ private because they don't take the ethical stance of pointing this out.

Personally, I'd remove the warning.

@jaz @benpate That'd be the easier way to do it, for sure. But I think it's good to give people the privacy they need.

Can I ask another question? Would you be more inclined to support E2EE on a server where you control who uses it, like mastodon.iftas.org?

@evan @benpate

>I think it's good to give people the privacy they need

To be super clear, so do I. I just don't want to be the person giving it to them.

>Would you be more inclined to support E2EE on a server where you control who uses it, like mastodon.iftas.org?

Me personally, no, I will trust my highly-sensitive data to a very focussed, reputable org that does this for a living.

(I honestly don't remember who hosts that server. Every once in a while I have to go look it up.)

@jaz @benpate That's interesting, thanks!

@evan @benpate I'll put tongue firmly in cheek and ask you if you would recommend to a dear friend that they should use E2EE services to preserve the privacy of their most sensitive data from a company whose privacy policy is uncertain which country the service is located in, and doesn't publish any terms of service?

@jaz @benpate I don't understand who you are talking about. IFTAS, SWF, cosocial.ca, Emissary, toot.wales, Mastodon? Also using technology from that company, or preserving privacy from that company?

I think users should use E2EE messaging for as many conversations as they can. Using encryption technology that is open source, reviewed by security pros, and based on open standards is the best.

@jaz @benpate my question was in particular about operating a server. I think there's a higher level of trust between users and server operators when there's a real-world relationship, like a business, household, non-profit or club.

@evan @benpate for sure, real-world relationships between you and your encryption provider would be strong trust foundations.

@jaz @benpate I thought you were concerned from the other direction, as a server operator.

@evan @benpate I guess the clarification is I don't have real-world connections with the 15,000 people signed up on the service I operate.

Again, I am in favour of encrypted messaging services. I do not want to provide such a service personally.

@jaz @benpate yeah, absolutely. I think other people who run public servers may have the same concerns. I have a lot less concern with my colleagues at SWF, for example, or my family on prodromou.pub.

@evan @benpate 100%, you should get to do whatever you want to do for your family, colleagues, or 15,000 person server (if that's your desire).

My original reply is in reference to the original post about E2EE being added to Mastodon, which has historically kind of sort of not been super great on the admin-gets-to-choose front, so I'm on record now saying make it optional for admins, or I have to pass the torch.

@jaz

Ok, I'm confused. What are your concerns exactly about E2EE in the fediverse? Is it added complexity for server admins?

As a user living through this period of the internet I barely see a reason why I wouldn't want E2EE for anything with direct personal communication. In fact I choose services exactly for that.

Shouldn't good E2EE be able to operate securely especially under hostile conditions? And is that not the point of open standards to do so?

@evan @benpate