Today, an unknown bot swarm started using my name, boosting my posts, and inserting itself into communities I helped create. I treated it like any other potential attack and started defending myself and our communities as best I could. This has taken up more of my day than most malicious bot attacks, because it had the air of legitimacy—despite taking the actions of a threat.

When the owner, @evan ¹, came in with the same justifications as the porn-scrapers and LLM-owners I regularly fight against—repeatedly doubling-down in the face of backlash²—I felt more and more sure of my response.

I now feel justified in calling for a #FediBlock of tags.pub (and probably his other projects), at least until a better opt-in consent model is built into the project.

¹ I'm including his name as he's a public figure associated with Activity Pub, and our whole conversation today is already a public record, but please don't dogpile; just defed or block as you see fit and call it a night (or day—I'm not your mom).

² Receipts: https://lgbtqia.space/@alice/116824281370893420

#FediAdmins

🅰🅻🅸🅲🅴 (🌈🦄) (@[email protected])

"Add this tag to your profile to opt out of our shitty service" is *not* a valid way to run your bot/app/etc. #NoBots #NoBot #NoTagsBot #HalfMyBioIsGoingToEndUpBeingOptOutsForYourShitServices #FuckBots

LGBTQIA.Space

@alice @evan

@mods I imagine you're probably already aware of the situation at this point, but in the off chance you aren't.

Sorry if you got double pinged I did a silly with the last one and it wasn't linked to the relevant post

@alice @evan I had to deal with the same shit yesterday. I also would support a #FediBlock of tags.pub
It should at least be opt in

I have general doubts that it’s made for a good purpose.

@no_brainer @alice @evan

This is exactly the problem. The goal may be to help smaller Fediverse instances federate more easily, but good intentions don't justify an opt-out consent model. When a service reaches into other communities by default, the burden falls on everyone else. Opt-in is the better design. One would expect a public figure stewarding Fediverse infrastructure to understand that. Yet here we are.

https://cosocial.ca/@evan/116825943308139215

Evan Prodromou (@[email protected])

@[email protected] @[email protected] They let people follow from small servers or non-Mastodon platforms: https://tags.pub/#why

CoSocial
@no_brainer @alice @evan would some sort of "robots.txt" mechanism help here where accounts can signal if they consent to certain aspects and ethical instances respect those controls and any not ethical instance that rejects those controls could e.g. be auto blocked by default by one's own instance for example.

@bitbraindev @alice @evan You have to opt out by adding #NoTagsPub to your profile. But this is the wrong way!
I would like to add a #YesTagsPub if I want to opt in!

@no_brainer @alice @evan yeah agree. robots.txt basically works like this: "hey bots please do not index this website, thanks" and if anyone ignores that they can be called out publicly/blocked etc. but not having any mechanism like this whatsoever to begin with seems odd and is a missing part here. Enforcement would work through social pressure (like robots.txt)

@bitbraindev @no_brainer @alice @evan

See broader website hosting for why the honour system is no way to develop web standards.

@fennix @no_brainer @alice @evan my point is that it's better than not doing anything at all (see OP post about what happens if you let things go unchecked completely)

@bitbraindev @no_brainer @alice @evan

The alternatives to relying on the honour system don't reduce to "do nothing". There aren't only two options. Advocating for a "trust us to be well behaved bro" model amidst the largest breakdown of that exact thing in web standards is, to put this politely, out of touch.

Naming and shaming, defederating the scumbags, etc., are all valid ways of dealing with these problems. Other more aggressive approaches unfortunately lead to closed off communities, which are counter to what many people believe the internet should be.

@alice @[email protected] Appreciate the words of caution - blocked their ass so hopefully, we won’t have any issues with them. Hope you have sorted it out as well. 🫤

@alice

Sounds like he's a bit of a dick.

@alice @evan How hard would it be to make this "service" opt in only? It would still be able to perform the stated intended function and prevent this unnecessary collateral damage.

The owner's unwillingness to do this makes it seem like some kind of content or info scraping scam.

If people are uncomfortable with it then don't do it. You're only pissing people off by continuing to go down your current path. Why do that?

@Darkasvim @alice @evan He's probably too lazy to get a large enough user base the right way (opt in) for whatever he's doing this for.

All platform bridge bots etc require that you follow them to participate in their function, it's a long established practice.

@Darkasvim In his comments, their owner shows absolutely no sense for empathic behaviour ... (even not for legal requirements for consent in the EU which has opt-in even for tracking).
And he names 3 bot instances (how much more will he have?). Blocked them.

@alice @[email protected]

@alice I must admit, I understand the technical side of it. Especially considering that there are people here going "hurr durr, doing your own instance is the only true way to use Mastodon" and the like, discoverability of Hashtags is directly tied to the size of your instance.
Is their approach heavy-handed? Undeniably.
Does it solve an issue? I'd say so.
Is there a better approach? Honestly, time must tell, the fediverse still is pretty much in its infancy and a lot of contract still forms.

@alice I mean we're on a 'social network' after all, there is a point to be made that everything we post publicly comes with an 'implicit default opt-in' to redistribution, which especially includes retooting. I'd see a line crossed if they were to copy-steal posts of others, but from what I saw in this discussion, this is not what they're doing. As long as federation holds, modification or deletion should be propagated to all participating instances, leaving 'you in control of your content'.

@DJGummikuh opt-in to new "services" can't be assumed.

Just because I'm, say, open to flirting, doesn't mean that each new person doesn't have to get consent to do it.

@alice I understand your position to this, but who decides whether this is 'the correct way' to interpret what social media means as concept for mastodon? I mean everything happening is a continuous negotiation between all participants, there is not (neither should there be) a single authority deciding what is right and what isn't. In this instance, however, I believe their approach genuinely steers the fediverse in a more inclusive direction than it currently is, which feels a win in my book.

@alice and to go more specifically to your example: what I believe they are doing is not flirting with you; they are only taking your statement that you are available for flirting and making it visible for potential candidates which otherwise might not have had a chance to know about this prospect.

@DJGummikuh if someone is looking for me, they'll eventually find me here. I don't need a dating service to opt me in without my permission.

What is so fucking hard about asking for permission?

It's the "no", right?

It's because it's easier to avoid "no" if you don't ask my permission.

This is the same mentality that makes us wear roofie-detection bracelets at bars.

*Unambiguous* consent needs to happen *first*.

@alice Ok that is an interesting aspect. Obviously, roofie-detecting bracelets are proof for a failing system and victim-blaming, no argument here. But did you not give consent that your post is visible (and likable+boostable) for anybody looking for that hashtag by explicitly USING that hashtag on a public post? What is this bot doing beyond what you deliberately allowed by posting with these settings in the first place? (this question again is not rhetorical, I really try to understand this)

@DJGummikuh then re-read my post on it. I've argued every detail of this for like 9 hours straight today. If it's not clear enough after that, then I don't know what more I could possibly say.

@DJGummikuh did you see the thread? It was *overwhelmingly* negative, and what's-his-name seemed intent on digging a hole to Fediblock land as fast as possible.

In this case, if his "approach genuinely steers the fediverse in a more inclusive direction" the way it was just demonstrated, then I'll be blocking all those domains and going to exclusively "followers-only" posting.

I already have follow requests on because I get harassed by bots and scammers constantly. I don't want to have to lock down my posts to avoid opt-out "services" that I don't want in the first place.

@alice yes I think the way he presented it was 'less than optimal' to put it mildly, though the general tone of the discussion (at least the part I saw) was heated and emotional, and usually nuance is the first victim in this climate. I truly understand your position; I also see the value in what they are trying to do. What becomes of the fediverse will be the result of the collective choice of its users, I just wanted to raise that it's not as black and white as partly depicted in the discussion.

@DJGummikuh consent isn't a grey area—we know what good consent looks like, and this was *not* it.

I appreciate that you've been following me for a while now, but not understanding why consent is the important part of this is a huge red flag for me.

@DJGummikuh seems like there should be an efficient way to semi-anonymously broadcast that a server has specific hashtags, and if a user on a single-user instance follows that hashtag, then their instance would know which servers it has to poll to get posts with that tag.

@alice I don't think there is and that hinders discoverability of as of yet unknown persons massively. This is a direct function of the concept of federation, balanced against the load requirements of servers. We're firmly in the design philosophy territory of ActivityPub here, and social-graph forming via hashtags is a complicated issue, again predominantly disadvantaging small/one-user instances

@alice always keep in mind that ActivityPub has no master servers, so an inclusive "Push" to all servers is as impossible as an inclusive pull, as there is no central registry maintaining a list of all federating servers. Cheating around that 'short-coming' with an approach like theirs releases pressure on this pain point for people running one-user instances, which in turn simplifies the life of people trying to push for more instance-diversity as opposed to everyone going to the big instances

@alice again, I understand your underlying position of 'no usage of my posts without my explicit approval', but I'd wager a bot exclusively restricted to retooting (i.e. not using the gained reach for propagating their own messages) should fall short of any thorough definition of 'usage', at least in the context of a social media.

@DJGummikuh Interesting that I already had that douchebag blocked. Given that you’re advocating for the douchebag, presumably because you want to do the same, kindly fuck off. You’re blocked as well. @alice

@DJGummikuh my nudes were being boosted by @[email protected] 😐

There was also a @[email protected], and several other hashtags that were turned into named bots for the sole purpose of boosting my posts.

This was the most "Invasion of the Body-Snatchers" implementation of a "service" I've seen. Though I admit it would have been worse if it had used my profile photo for the bots.

@alice I fully expect there to be no discriminatory logic behind the operation of this approach. From my understanding this bot just takes the hashtag, generates it as an account and causes the posts to propagate. I'd be ABSOLUTELY with you that the bot attempting to actually impersonate you (e.g. by using your pic), therefore suggesting a direct relation between you and it, would clearly cross a line of immorality, but it doesn't, which feels a very deliberate choice to steer free of this topic

@alice also, with your nudes being public, they already would be available without any controls, authorization or access control beyond deletion by you, even outside the fediverse altogether, so from a strictly judicial standpoint, the bot does not tread on issues such as privacy or individual consent for access. I believe the actual discussion to be had in this specific case is the exact definition of what 'publicly available' is supposed to mean and entail

@DJGummikuh you're still arguing that I deserved to be violated.

That's a *really* bad look.

@alice no whether or not something is deserved or anybody's fault is not part of my argument. I see now that we have genuinely different understanding of what publicly posting content on mastodon allows other actors to do, and I do not have the authority to decide which position is 'right'. Voicing and explaining my opinion on that matter was the main goal, with the hope that it is of some value to you and others reading this.

@DJGummikuh

I mean this is technically arguable yes, but "from a strictly judicial standpoint" is simply not the right standpoint. Consent and the law aren't a one-to-one mapping.

@unchartedworlds that is correct but the problem is, the law (and to a degree the ToS of Mastodon) is essentially an agreed-upon understanding of what is and isn't tolerable. Everything beyond that very quickly descends into individual opinion, which is absolutely legal to have but becomes difficult to navigate when different opinions differ. Such as whether posting something public while allowing everybody to boost still allows you to then complain that somebody/something does exactly that.

@unchartedworlds I think this also touches on the question what "rights" you retain to the Hashtags you use. Hashtags are predominantly a technical utility that allow you to categorize and tag your posts for specific topics. Using the name of that hashtag to name a bot does in my personal opinion not touch any legal limits, as they are neither copyrighted nor have an exclusive usage. It also (again, my opinion) does not tie the user to any kind of identity, as their usage is not limited.

@unchartedworlds I think at its core this whole thing blew way out of proportion with a lot of the discussion being caused by completely different frames of reference. This also is an issue exclusive to the Fediverse - no centralized SoMe actually has this problem family, as even bluesky has master servers that theoretically allow synchronization of content - and therefore touches issues and motivations nobody ever really faced since the advent of search engines.

@DJGummikuh

"This also is an issue exclusive to the Fediverse - no centralized SoMe actually has this problem family"

If the issue is "material shared in a particular context is transmitted onward into a different context without asking", then I disagree it's exclusive to Fedi - I've seen that area conceptualised and navigated on Twitter as well. Examples:

• People asking "Okay to retweet?" - not because they legally _had_ to ask, but out of sensitivity to whether the OP _wanted_ their post shared further. Often used for posts where a personal anecdote was shared and other people find it especially illuminating.

• Quote-tweets being used to focus attention on a tweet - widely considered an affordance which can be used for good or evil :-)

Or are you thinking of a _different_ issue?

@unchartedworlds no, that's the point, I'm talking about a COMPLETELY different issue. Due to the federated, non-centralized nature of ActivityPub, if I'm on a single-user instance, and I post a message e.g. under the generic hashtag "linux", even if you follow the linux hashtag, you WILL not see my post unless your server and my server are federated. With this bot server, it would be (presumably, still trying to find out) enough that your server knows the bot server to find my original post.

@unchartedworlds so this bot activity serves a purpose that not necessarily has any gain for the bot per se, it just simplifies populating otherwise non-federated instances to each other. This bot is NOT an aggregator bot "follow my bot instead of the artist to get a digest of content"

@unchartedworlds I'm uncertain (as I can't seem to find a definitive answer to that yet) if you even have to follow any account on the bot instance at all or if it is sufficient for your instance to have a single user to follow ANY account on the bot instance to allow you to find hashtag content on any OTHER instance the bot instance has crawled

@DJGummikuh

Oh right, yes I see what you mean - the challenge of successfully federating.

@DJGummikuh
@unchartedworlds

There are more nuances than this, though.

First, 'public' does not equal 'okay to publicise' – the ease of access and amount of automatic visibility matters. For instance, I once spent a significant chunk of effort to get my deadname off my Wikipedia page, as it felt really uncomfortable to have it appear on the top 5 search engine results for anyone looking for my current work contact information.

Second, a regular boost is the result of someone actually thinking that the toot is worth boosting and that it is appropriate to do so. What we have here is a bot-like entity that does the boosting automatically, without any meaningful supervision.

'If it's technically possible, someone will do it' is certainly a pretty accurate description of the net. It's not a useful guideline for ethics, though.

@DJGummikuh I feel violated by a tech bro's bot network using my name, sharing my nudes, and invading my community...and no amount of telling me it's okay is going to make it okay.

End of story.

@DJGummikuh it's a bad solution that will be abused by bad actors to harm vulnerable people, and it takes control of my content (in this case, personal hashtags and photos of my naked body) out of my control.

@alice does it, though? Genuine question here - when you post something as 'public' here, which forms of control do you expect to have beyond the ability to modify and delete your post after publishing? I agree, discoverability is a two-sided sword that helps surveillance as much as it helps social graph building, but what form of control does it remove from the author if it is restricted to boosting?

@DJGummikuh it stole my hashtags, made new accounts in my name, and started boosting my content.

You know who else does that? Pornbots and scammers.

*I do not consent to bots using my work*

PERIOD.

@DJGummikuh @alice that is a very deep hole you are digging. Perhaps you might want to contemplate why you feel the need to explain in such detail.

@DJGummikuh we already have opt-in solutions for that. I'm registered with like a dozen of my most-used hashtags on multiple discoverability services.

But I chose those.

I chose to be listed as someone who talks about data privacy, LGBTQ topics, etc.

No one assumed I'd be okay with being listed there.

@alice fair. And again, I do not have any capacity to judge authoritatively which is the right approach. I just felt inclined to point out that this is a workable, possible solution to a tangible problem with the underlying architecture of ActivityPub and not some pervert trying to make a buck, which is a consideration I felt lacking in a lot of the replies to your original thread.

@DJGummikuh @alice I somewhat hesitantly raise my voice also, that I’m not entirely against discovery aids, but at the same time if those are found to cause people harm, the community of fediverse can choose to come together block them on the server level.

But I do also call for some level of organic experimentation to be encouraged, as designs by committee are vulnerable to other kinds of abuse: capture by large actors working against the small.

@gimulnautti @alice couldn't agree more! I am absolutely not against blocking people for doing something perceived to be immoral, even if it is just the perception of individuals. This is a valid strategy to express dissent. I just find it important to raise that there are more nuanced sides to this story than the replies of quite some participants in this discussion suggest

@gimulnautti @DJGummikuh again, *consent matters*.

There is *no* other argument here.

It's not consent if you violate trust first and then notify me that I was violated after the fact.

@alice @DJGummikuh It is not a question of understanding the issue. Merely notifying that while consent matters, absolute consent necessitates absolute prearrangement of details, potentially leaving no room for good surprises.

Where is the space for argument, or ’courtship’? And how open is that space? These are difficult questions, and people’s tolerance in those spaces and how they’re defined seem to differ somewhat.

@DJGummikuh @alice If someone tells you they were sexually assaulted, do you ask them to describe the exact details of the assault to confirm *judicially* whether the assault was sexual in nature?

Because that’s effectively where you’re at right now, and it’s really not making you look good. The grave is getting dug, and you are the one digging it.

@DJGummikuh but there is already a solution for this, that he even mentions as "assumed consent": relays.
An easier way for new instances to find and connect to relays so their reach increases would do all that naturally and you could follow hashtags and find the original source, not fake bots

@alice

@DJGummikuh @alice even this approach can be done better. It would be easy to reply with a DM after a first tagged post it encounters from a specific user with something like

Hi, I am a bot that reposts tagged posts, if you wish to be included, like this reply

And add that user to an internal deny list until they give it a like.

Basically no barrier to opt in, and opt out by default.
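
The opt-in flow proposed in the post above, as an added example that is not part of the original thread and not code from tags.pub. The class, method names, prompt ids and account handles are hypothetical; it assumes the caller has already authenticated the sender of each incoming activity, and it also honours the profile opt-out tags mentioned earlier in the thread.

```python
from dataclasses import dataclass, field

# Profile opt-out tags named in the thread; a match always overrides consent.
OPT_OUT_TAGS = {"notagspub", "nobot", "nobots"}


@dataclass
class ConsentGate:
    """Default-deny consent state for a hashtag boost bot (hypothetical design)."""
    prompts: dict = field(default_factory=dict)  # prompt_id -> author it was sent to
    prompted: set = field(default_factory=set)   # authors already asked once
    allowed: set = field(default_factory=set)    # authors who liked their own prompt
    outbox: list = field(default_factory=list)   # (recipient, prompt_id, text) DMs to send

    PROMPT = ("Hi, I am a bot that reposts tagged posts, "
              "if you wish to be included, like this reply")

    def on_tagged_post(self, author, profile_tags):
        """Return 'boost', 'prompt' or 'skip' for one public tagged post."""
        tags = {t.lstrip("#").lower() for t in profile_tags}
        if tags & OPT_OUT_TAGS:
            self.allowed.discard(author)  # a profile opt-out revokes earlier consent
            return "skip"
        if author in self.allowed:
            return "boost"
        if author in self.prompted:
            return "skip"  # asked once already; silence is treated as "no"
        prompt_id = f"prompt-{len(self.prompts) + 1}"
        self.prompts[prompt_id] = author
        self.prompted.add(author)
        self.outbox.append((author, prompt_id, self.PROMPT))
        return "prompt"  # the first post is never boosted

    def on_like(self, actor, object_id):
        """Record consent only when the prompted user likes their own prompt."""
        # Assumption: 'actor' was verified upstream (e.g. a signed request).
        if self.prompts.get(object_id) != actor:
            return False  # a third party cannot opt someone else in
        self.allowed.add(actor)
        return True

    def on_undo_like(self, actor, object_id):
        """Withdrawing the like withdraws consent."""
        if self.prompts.get(object_id) != actor:
            return False
        self.allowed.discard(actor)
        return True


def demo():
    """Walk one constructed account through the flow; returns each decision."""
    gate = ConsentGate()
    alice, bob = "@alice@example.social", "@bob@example.social"  # constructed handles
    return [
        gate.on_tagged_post(alice, []),              # first sighting: ask, do not boost
        gate.on_tagged_post(alice, []),              # no answer yet: stay silent
        gate.on_like(bob, "prompt-1"),               # someone else liking it is ignored
        gate.on_like(alice, "prompt-1"),             # alice opts in
        gate.on_tagged_post(alice, []),              # now boosted
        gate.on_tagged_post(alice, ["#NoTagsPub"]),  # profile opt-out wins
        gate.on_tagged_post(alice, []),              # consent stays revoked
    ]
```
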