this post was submitted on 19 Oct 2024
2 points (100.0% liked)

Privacy

Everything about privacy (the confidentiality pillar of security) -- but not restricted to infosec. Offline privacy is also relevant here.

The official Mastodon app (and most other Fediverse apps) do not collect any data about you.

When you sign up on a Fediverse server, it asks for the minimum amount of information (an email address and a password) and none of this info goes to the app or app makers.

This is in stark contrast to other social networks which seem to collect lots of personal info. See the attached image for a comparison of the privacy policies of various official social network apps.

#Privacy #FediTips #Fediverse

[–] [email protected] 1 points 3 months ago (1 children)

@[email protected] May I have permission to use this image? If so, how would you like it credited?

[–] [email protected] 1 points 2 months ago* (last edited 2 months ago)

@wcbdata

The image is just screenshots of the Apple app store, I don't have any copyright over them so you don't need my permission. All I did was put them together and label each screenshot.

(But thank you for asking first! 🙏 )

[–] [email protected] 1 points 3 months ago
[–] [email protected] 1 points 3 months ago (1 children)

@[email protected] most users on instagram, X and other:

video/mp4

[–] [email protected] 1 points 3 months ago

@[email protected]

I think it's because they're not seeing this happening directly.

If someone came up to them in the street and started following them around 24/7, filming them, recording their location, demanding their financial and medical details, stealing their browsing history, asking if they are pregnant etc they would feel differently.

Because this surveillance happens within their phone, at some level people can pretend it isn't happening.

[–] [email protected] 1 points 3 months ago

@[email protected] @[email protected] Guy I work with wants me to use WhatsApp. Said no, that’s meta and they’re snoopers.

[–] [email protected] 1 points 3 months ago

@[email protected] What's really amazing is that you don't need to use the official app. Unlike Reddit and Twitter/X that have killed off third-party support, the Fediverse can be accessed through numerous apps.

Decentralisation is the future!

[–] [email protected] 1 points 3 months ago

@[email protected]

Talking security, I keep hoping that XMPP will become the DM system because it uses end to end encryption and has been around for years. No need to reinvent the wheel. Plus it can be connected to the ALSO de-federated chat servers 😁

If only I knew JavaScript to make a bridge...

[–] [email protected] 1 points 2 months ago

@[email protected] and that is the reason i never use apps on my phone for anything unless i have to

if there's a web interface i use that

LinkedIn keeps suggesting i verify myself, but you can only do it with the app on your phone, yeah right, not going to happen

[–] [email protected] 1 points 3 months ago
[–] [email protected] 1 points 3 months ago (1 children)

@[email protected] Question: how and who does the audit as to what kind of data is being collected?

[–] [email protected] 0 points 3 months ago (1 children)
[–] [email protected] 0 points 3 months ago (1 children)

@antdesros @AndikaCJ @james

The official Mastodon app is open source, outsiders with the necessary programming knowledge can see all of its workings at any time:

https://github.com/mastodon/mastodon-ios

https://github.com/mastodon/mastodon-android

If it was spying on people, it would be very easy for outsiders to spot it.

The same goes for most third party Mastodon apps as they are mostly open source too.

[–] [email protected] 1 points 3 months ago (1 children)

@[email protected] @[email protected] @[email protected] As @[email protected] pointed out though, the app is different to the server (for the fediverse), which is very different to X, BlueSky, Threads etc, where the app is also run by the same company as the server.

Tracking is undoubtedly possible by instance operators, who can see my 15 most recent connected IP addresses, for example, and find out who else uses the same IP addresses. That’s built-in to the moderation system of anyone using Mastodon. That’s - undoubtedly - tracking a user; especially since my mobile app is pinging the instance every so often for new messages.

I am all for the fediverse, but I’m all for being honest and pragmatic about any issues it has. A privacy comparison between the Apple App Store self-reported claims really isn’t an honest comparison of “the fediverse” vs other social media.

[–] [email protected] 1 points 3 months ago* (last edited 3 months ago) (2 children)

@james @antdesros @AndikaCJ @Cal

That's the whole point though: separating the app and the server is a really good thing.

When the app and the servers are run by different people using open standards, it gives end users the ability to combine a non-surveillance app with a server run by people they trust, or even set up their own server.

Services which spy on you through the app anyway and/or force the user to use a particular server, are taking away this power from the user.

[–] [email protected] 1 points 3 months ago

@[email protected] @[email protected] @[email protected] @[email protected]

p.s. As for IP addresses, it's impossible to use anything online without giving some form of IP address. That's how the internet knows where to send stuff. It would be like trying to order something to be delivered without giving any kind of delivery address.

That doesn't mean you have to give your own IP address, the Tor network and VPNs let people hide it.

[–] [email protected] 1 points 3 months ago

@[email protected] @[email protected] @[email protected] @[email protected] Yes, but it’s dishonest to claim “This is in stark contrast to other social networks which seem to collect lots of personal info.” as you did in the root message. A typical Mastodon server collects a lot of personal information from me (because it kind of has to, to work). Don’t compare a standalone app to a “social network”.

And it’s more dishonest to then show “a comparison of the privacy policies of various official social network apps.” - because that’s not what those policies are. They show the social network privacy details (because they’re one and the same). It’s not a fair comparison.

The point you appear to make is that the fediverse keeps no information about me at all. This is not true.

Is the fediverse better because it isn’t correlating my IP address with ad brokers to work out who is in my household and where I live? Yes.

[–] [email protected] 1 points 3 months ago (1 children)

@[email protected] It seems to be that Bluesky is benign here, with diagnostics arguably being excusable, and the other ones just counting data submitted to the server (which Mastodon would then "collect", too)

[–] [email protected] 1 points 3 months ago (1 children)

@[email protected]

It is worrying that BlueSky is already collecting data they don't need.

"(which Mastodon would then "collect", too)"

No, they wouldn't. The makers of Mastodon's software and the owners of Mastodon servers are totally separate things.

Most people are on third party Mastodon servers which have no connection to the makers of Mastodon's software or the official apps.

This is one of the points of decentralisation, to avoid having any kind of central control point.

[–] [email protected] 1 points 3 months ago (1 children)

@[email protected] Right, that was my point. BlueSky is also technically decentralized and I am saying that maybe this data collection listed here is not by the app itself, but by the relevant server.

[–] [email protected] 0 points 3 months ago (1 children)

@FediTips I don't know if this is the case but I also don't see any reason to believe otherwise.

[–] [email protected] 1 points 3 months ago* (last edited 3 months ago) (1 children)

@anselmschueler

The reason to believe otherwise is to compare the entry for Mastodon and BlueSky.

According to their app store entries, Mastodon collects nothing, BlueSky collects something.

This is the point of my original post with its comparisons of screenshots from app stores.

[–] [email protected] 1 points 3 months ago (1 children)

@[email protected] As I understand app developers are given some latitude in how they fill in these boxes, so what I was considering was the possibility that the BlueSky developers interpreted the requirements for this information differently.

[–] [email protected] 1 points 3 months ago

@[email protected]

Ahh okay... that's an interesting point. It would be good to have more info on that.

[–] [email protected] 1 points 3 months ago

@[email protected] Twitter now automatically opts you in to using your data to train their LLM. And you cannot opt out, which is why many are moving over to Blue Sky.

[–] [email protected] 1 points 3 months ago (1 children)

@[email protected] I'm not sure I understand where that data comes from. Do you have the original link somewhere?

[–] [email protected] 0 points 3 months ago (1 children)
[–] [email protected] 0 points 3 months ago (1 children)

@baralheia @FediTips Nice, wouldn't have known. Thank you a lot.

[–] [email protected] 1 points 3 months ago* (last edited 3 months ago)

@spokeek @baralheia

Yup, they're all Apple app store screenshots taken today. For example if you search for instagram app store you will get a link to https://apps.apple.com/app/instagram/id389801252

[–] [email protected] 1 points 3 months ago (2 children)

@[email protected] well bsky at least does not seem to sniff browsing history… but the others 😰

[–] [email protected] 0 points 3 months ago (1 children)

@mariuszklimczak @FediTips Yeah I was thinking that same thing. Bluesky at least looks like reasonable stuff their own service might want to make recommendations to you.

[–] [email protected] 1 points 3 months ago* (last edited 3 months ago)

@edward_jazzhands @mariuszklimczak

They don't need to gather that through the app though if they really are a decentralised network.

(But they are much more reasonable requirements though than Threads etc, yes!)

[–] [email protected] 0 points 3 months ago (1 children)

@mariuszklimczak @FediTips Some of the others get even more "fun" when you notice the "sensitive data" category popping up here and there.

[–] [email protected] 0 points 3 months ago (1 children)

@pstewart

Yeah... what exactly is that? 🤔 I tried looking at Apple's info page and it just describes it as "Sensitive Info". 😬

[–] [email protected] 1 points 3 months ago (1 children)

@[email protected] Apple defines it on their developers' site: "racial or ethnic data, sexual orientation, pregnancy or childbirth information, disability, religious or philosophical beliefs, trade union membership, political opinion, genetic information, or biometric data."

[–] [email protected] 1 points 3 months ago* (last edited 3 months ago)

@pstewart

Good grief... 😬

That is just dystopian. That kind of info could get people arrested (or worse) in countries with repressive regimes. 😞

[–] [email protected] 1 points 3 months ago

@[email protected] A reminder that the App Privacy section in the Apple App Store is self-reported. Apple doesn’t appear to check, other than “providing resources” to help app developers “fill out this information accurately”. https://support.apple.com/en-us/102399

[–] [email protected] 1 points 3 months ago (1 children)

@[email protected]

Isn't that a well known thing though? Most people here on Mastodon already know that Mastodon is privacy respecting, alongside most Fediverse apps. Don't get how that's a tip.

Also, they are operated by huge greedy companies, of course they'll collect data.

It's the sad truth.

[–] [email protected] 1 points 3 months ago (1 children)

@[email protected]

No, not everyone knows.

For example someone replied to this post as follows:

https://infosec.exchange/@SpaceLifeForm/113335684010093335

[–] [email protected] 1 points 3 months ago

@[email protected]

It SHOULD be common sense though, right?

[–] [email protected] 1 points 3 months ago

@[email protected] not to even mention every action you take becoming training material for an LLM, ready to be accidentally reproduced / hacked! 😨

[–] [email protected] 1 points 3 months ago (1 children)

@[email protected] what fediverse apps do collect data? (Besides Threads of course)

[–] [email protected] 1 points 3 months ago

@[email protected]

None that I'm aware of, but there are so many apps available that it's difficult to know about all of them.

Main thing is to check an app's app store privacy section before you install an app (which is where the info in this post came from).

[–] [email protected] 0 points 3 months ago (1 children)

@FediTips Looks like Bluesky is second-best in terms of not collecting user data.

[–] [email protected] 0 points 3 months ago

@jerrymacgp

It is definitely not as bad, but it's a bit weird they are collecting anything as they are supposed to be decentralised.

[–] [email protected] 0 points 3 months ago

@FediTips

And is this also the case if one uses the service via browser rather than in the app?

[–] [email protected] 0 points 3 months ago (1 children)

@FediTips As much as I agree with the thrust of your argument, aren't you comparing apples with oranges?

It seems you're comparing an app that's used to connect to a (typically) third party server with apps that are used to connect to first party servers and thus have to disclose everything those servers collect.

Wouldn't my instance need to collect data roughly the same as the Bluesky app, no matter which app I choose?

[–] [email protected] 1 points 3 months ago* (last edited 3 months ago)

@Cal

That's the point. The fediverse separates the app maker from people running lots of indie servers, so info isn't centralised in any one place. It means people can choose who to trust with their info or even set up their own server.

Plus servers collecting the absolute minimum amount of info means there isn't much info kicking around anyway (except what users choose to post).

The fact the BlueSky app collects any info is a red flag as decentralised networks are supposed to avoid this.

[–] [email protected] 0 points 3 months ago (1 children)

@FediTips

Those who comment that Bluesky appears to collect little data... It's likely we should read this as "Bluesky appears to collect little data **YET**."

Facebook started out sort of OK, and incrementally corroded user privacy to become an egregious surveillance-capitalism ad firm with an afterthought side hustle in social media.

Bluesky has raised $21 million (not a lot) from two funding rounds. Those investors expect an above market rate of return for their investment.

https://en.wikipedia.org/wiki/Bluesky#Company_history

It's always important with any for profit service to ask - "How do/are they - going to make money?"

Bluesky wants to do this by selling services. We'll see if that works.

From the Bluesky blog:

https://bsky.social/about/blog/7-05-2023-business-plan

[–] [email protected] 1 points 3 months ago* (last edited 3 months ago)

@egalitaire

Yup, totally agree.

BlueSky have set themselves up to enshittify by being a for-profit backed by VC money. They'll tempt people in and then gradually ramp up the problematic behaviour as the drive for profit increases.

That's why I'm steering clear of BlueSky, they seem to want to turn themselves into another Meta.