Lemmy Português

cross-posted from: https://postit.quantentoast.de/post/18942

I thought this might be of interest to other users as well as admins.

I thought this might be of interest to other users as well as admins.

Why Protecting the Fediverse Matters Protecting user privacy is a vital priority for the Fediverse. Many fediverse instances, such as Kolektiva, are focused on serving marginalized communities who are disproportionately targeted by law enforcement. Many were built to serve as a safe haven for those who too often find themselves tracked and watched by the police. Yet this raid put the thousands of users this instance served into a terrible situation. According to Kolektiva, the seized database, now in the FBI’s possession, includes personal information such as email addresses, hashed passwords, and IP addresses from three days prior to the date the backup was made. It also includes posts, direct messages, and interactions involving a user on the server. Because of the nature of the fediverse, this also implicates user messages and posts from other instances.

To make matters worse, it appears that the admin targeted in the raid was in the middle of maintenance work which left would-be-encrypted material on the server available in unencrypted form at the time of seizure.

Most users are unaware that, in general, once the government lawfully collects information, under various legal doctrines they can and do use it for investigating and prosecuting crimes that have nothing to do with the original purpose of the seizure. The truth is, once the government has the information, they often use it and the law supports this all too often. Defendants in those prosecutions could challenge the use of this data outside the scope of the original warrant, but that’s often cold comfort.

What is a decentralized server host to do?
EFF’s “Who Has Your Back” recommendations for protecting your users when the government comes knocking aren’t just for large centralized platforms. Hosts of decentralized networks must include possibilities like government seizure in their threat model and be ready to respond in ways that stand with their users.

First of all, basic security practices that apply to any server exposed to the internet also apply to Mastodon. Use firewalls and limit user access to the server as well as the database. If you must keep access logs, keep them only for a reasonable amount of time and review them periodically to make sure you’re only collecting what you need. This is true more broadly: to the extent possible, limit the data your server collects and stores, and only store data for as long as it is necessary. Also stay informed about possible security threats in the Mastodon code, and update your server when new versions are released.

Second, make sure that you’ve adopted policies and practices to protect your users, including clear and regular transparency reports about law enforcement attempts to access user information and policies about what you will do if the cops show up – things like requiring a warrant for content, and fighting gag orders. Critically, that should include a promise to notify your users as soon as possible about any law enforcement action where law enforcement gained access to their information and communications. EFF’s Who Has Your Back pages go into detail about these and other key protections. EFF also prepared a legal primer for fediverse hosts to consider.

In Kolektiva’s case, hosts were fairly slow in giving notice. The raid occurred in mid-May and the notice didn’t come until June 30, about six weeks later. That’s quite a long delay, even if it took Kolektiva a while to realize the full impact of the raid. As a host of other people’s communications, it is vital to give notice as soon as you are able, as you generally have no way of knowing how much risk this information poses to your users and must assume the worst. The extra notice to users is vital for them to take any necessary steps to protect themselves.

What can users do? For users joining the fediverse, you should evaluate the about page for a given server, to see what precautions (if any) they outline. Once you’ve joined, you can take advantage of the smaller scale of community on the platform, and raise these issues directly with admin and other users on your instance. Insist that the obligations from Who has Your Back, including to notify you and to resist law enforcement demands where possible, be included in the instance information and terms of service. Making these commitments binding in the terms of service is not only a good idea, it can help the host fight back against overbroad law enforcement requests and can support later motions by defendants to exclude the evidence.

Another benefit of the fediverse, unlike the major lock-in platforms, is that if you don’t like their answer, you can easily find and move to a new instance. However, since most servers in this new decentralized social web are hosted by enthusiasts, users should approach these networks mindful of privacy and security concerns. This means not using these services for sensitive communications, being aware of the risks of social network mapping, and taking some additional precautions when necessary like using a VPN or Tor, and a temporary email address.

What can developers do? While it would not have protected all of the data seized by the FBI in this case, end-to-end encryption of direct messages is something that has been regrettably absent from Mastodon for years, and would at least have protected the most private content likely to have been on the Kolektiva server. There have been some proposals to enable this functionality, and developers should prioritize finding a solution.

We’re in an exciting time for users who want to take back control from major platforms like Twitter and Facebook. However, this new environment comes with challenges and risks for user privacy, so we need to get it right and make sure networks like the Fediverse and Bluesky are mindful of past...

We’re in an exciting time for users who want to take back control from major platforms like Twitter and Facebook. However, this new environment comes with challenges and risks for user privacy, so we need to get it right and make sure networks like the Fediverse and Bluesky are mindful of past...

Synopsis: The article discusses the FBI's seizure of the Mastodon server and emphasizes the need for privacy protection in decentralized platforms like the Fediverse. It calls for hosts to implement basic security measures, adopt policies to protect users, and notify them of law enforcement actions. Users are encouraged to evaluate server precautions and voice concerns. Developers should prioritize end-to-end encryption for direct messages. Overall, the Fediverse community must prioritize user privacy and security to create a safer environment for all.

Summary:

Introduction

• We are in an exciting time for users wanting to regain control from major platforms like Twitter and Facebook.
• However, decentralized platforms like the Fediverse and Bluesky must be mindful of user privacy challenges and risks.
• Last May, the Mastodon server Kolektiva.social was compromised when the FBI seized all electronics, including a backup of the instance database, during an unrelated raid on one of the server's admins.
• This incident serves as a reminder to protect user privacy on decentralized platforms.

A Fediverse Wake-up Call

• The story of equipment seizure echoes past digital rights cases like Steve Jackson Games v. Secret Service, emphasizing the need for more focused seizures.
• Law enforcement must improve its approach to seizing equipment and should only do so when relevant to an investigation.
• Decentralized web hosts need to have their users' backs and protect their privacy.

Why Protecting the Fediverse Matters

• The Fediverse serves marginalized communities targeted by law enforcement, making user privacy protection crucial.
• The FBI's seizure of Kolektiva's database compromised personal information, posts, and interactions from thousands of users, affecting other instances as well.
• Users' data collected by the government can be used for unrelated investigations, highlighting the importance of strong privacy measures.

What is a decentralized server host to do?

• Basic security practices, such as firewalls and limited user access, should be implemented for servers exposed to the internet.
• Limit data collection and storage to what is necessary and stay informed about security threats in the platform's code.
• Adopt policies and practices to protect users, including transparency reports about law enforcement attempts and notification to users about any access to their information.

What can users do?

• Evaluate a server's precautions before joining the Fediverse and raise privacy concerns with admins and users on the instance.
• Encourage servers to include privacy commitments in their terms of service to resist law enforcement demands.
• Users have the freedom to move to another instance if they are dissatisfied with the privacy measures.

What can developers do?

• Implement end-to-end encryption of direct messages to protect sensitive content.
• The Kolektiva raid highlights the need for all decentralized content hosts to prioritize privacy and follow EFF's recommendations.

Conclusion

• Decentralized platforms offer opportunities for user control, but user privacy protection is vital.
• Hosts, users, and developers must work together to build a more secure and privacy-focused Fediverse.