ActivityPub, the protocol that powers the fediverse (including Mastodon – same caveats as the first two times, will be used interchangeably, deal with it) is not private. It is not even semi-private. It is a completely public medium and absolutely nothing posted on it, including direct messages, can be seen as even remotely secure. Worse, anything you post on Mastodon is, once sent, for all intents and purposes completely irrevocable. To function, the network relies upon the good faith participation of thousands of independently owned and operated servers, but a bad actor simply has to behave not in good faith and there is absolutely no mechanism to stop them or to get around this. Worse, whatever legal protections are in place around personal data are either non-applicable or would be stunningly hard to enforce.
There are literally warnings when you try to DM someone on Fediverse apps that say it should not be treated as a secure medium:
Even on traditional centralized platforms I’ve never treated DMs as “private.” Anything not end-to-end encrypted cannot be considered private and never has been able to be.
Of course you can have encrypted group chats on Signal, if you’re not concerned about meta data. Or xmpp group chats with encryption if you want decentralization. You can keep your secret stuff secret and your public stuff public simply by using different apps.
@TiffyBelle
@Bloonface
And if other instance owners have access to the private messages of people on every instance, that is a shockingly large flaw. I’m not exactly sure how insecure private messaging would be here. Not that I have people to message. But it being centralized would be more secure if decentralization would allow a much larger number of people to have access to something that, really, should be private.
There are an overwhelming number of people I don’t think are savvy or cynical enough, call it what you will, to understand that just because they call something a private message - or just because it’s supposed to be a one to one interaction - doesn’t mean no one else can see it. I would think, if anything, an overwhelming majority of people who send a private message/DM on a social media assume that no one else at ALL has access to that information.
Yes, but as others have pointed out, this is no different than any other social media service that isn’t end to end encrypted. This ignorance is no more true here than it is on any other service.
The mechanism could be different (bad actor as an instance admin) but every private message from any other service you’ve used (minus E2E encrypted services as noted) could also wind up exposed.
Direct messages on most social platforms are a convenient function, not a privacy shield.
Folks not reaching the same conclusions you have on an issue doesn’t make it an echo chamber.
Now you sound like conservatives complaining about how reddit is just a liberal echo chamber. There’s plenty of threads around that have criticized various aspects of how the fediverse works.
Me too. Nothing that would be more than mildly embarrassing goes into a social media message, private or otherwise, here or on any other platform. Nor for that matter into an email. It’s fairly basic behavior these days.
I’ll go so far as to say the very public nature of the fediverse should probablly be more explicitly communicated at sign up time, but again, the nature of the fediverse is still such that it’s going to be up to individual instance owners to communicate that.