Mastodon (Social Networking Software)

Short description

Mastodon is decentralized social networking software which allows you to publish content to the internet that is readable by other ActivityPub clients.

Why I think this tool should be added

  1. Mastodon has a solid history of security updates. In the handful of circumstances where major security vulnerabilities have been found, they coordinate patch releases quickly and cleanly. Historically they have also backported these security patches to older feature branches. This makes it easier for less experienced server hosts who may not feel comfortable upgrading to the latest releases right away to keep their instances secure. Mastodon also has an update notification system built in to the web interface, making it much more likely for server administrators to be aware of critical security patches available for their instance.

  2. Mastodon is largely usable with most content types. While it is primarily a microblogging platform, Mastodon easily handles longer posts, image posts, video posts, and most other posts you might encounter when following ActivityPub users who aren’t on Mastodon. This makes your Mastodon account an ideal “central hub” for following anyone regardless of the platform they chose to use. In contrast, if you were only using a PeerTube account, you would only be able to follow other video channels, for example.

  3. Mastodon has fairly comprehensive privacy controls. It has many built-in features which allow you to limit how and when your data is shared, some of which we’ll cover below. They also develop new features with privacy in mind. For example, while other ActivityPub software quickly implemented “quote posts” by merely handling links to other posts with a slightly different embed modal, Mastodon is developing a quote post feature which will give you more fine-grained control when your post is quoted.

Section on Privacy Guides

Social Networks

7 Likes

My current notes on choosing an instance:

To benefit the most from Mastodon, it is critical to choose a server, or “instance,” which is well aligned with the type of content you want to post or read about. While censorship in Mastodon does not exist on a network level, it is very possible to experience censorship on a server level depending on your server’s administrator.

It is critical to understand that Mastodon is not a single, unified service in the way that X (Twitter) or Facebook are. Each server is its own legal entity, with its own privacy policy, terms of use, administration team, and moderators. While many of these servers are far less restrictive and more privacy-respecting than traditional social media platforms, some can be far more restrictive or potentially worse for your privacy. The Mastodon software does not discriminate between these administrators or place any limitations on their powers.

We do not currently recommend any specific instances, but you may find advice within our communities. We recommend against mastodon.social and mastodon.online, because they are operated by the same company which develops Mastodon itself. From the perspective of decentralization, it is better in the long-term to separate software developers and server hosts so that no one party can exert too much control over the network as a whole.

If you are greatly concerned about an existing server censoring your content or the content you can view, you generally have two options:

  1. Host Mastodon yourself. This approach gives you the exact same censorship resistance as any other website you can host yourself, which is fairly high. Mastodon even integrates with the Tor network for more extreme scenarios where even your underlying hosting provider is subject to censorship, but this may limit who can access your content to only other servers which integrate with Tor, like most other hidden services.

    Mastodon benefits greatly from a large and active self-hosting community, and its administration is comprehensively documented. While many other ActivityPub platforms can require extensive technical knowledge to run and troubleshoot, Mastodon has very stable and tested releases, and it can generally be run securely without issue by anyone who can use the Linux command line and follow step-by-step instructions.

  2. Use a managed hosting service. We don’t have any specific recommendations, but there are a variety of Mastodon hosting services which will create a brand-new Mastodon server on your own domain (or occasionally a subdomain of their domain, but we recommend against this unless registering your own domain presents too much of a burden to your privacy).

    Typically, Mastodon hosting providers will handle the technical side of your instance, but they completely leave the moderation side up to you. This means that you will be able to follow any content you like, although on the flip side it may expose you to more spam or unwanted content because you will not have the dedicated moderation team many larger instances will have.

    This often represents a better approach than self-hosting for most people, because you can benefit from greater control over your own instance without worrying about technical problems or unpatched security vulnerabilities.

    You should look closely at your hosting provider’s terms of service and acceptable use policies before registering. These are often far more broad than typical hosted instance rules, and they are far less likely to be enforced without recourse, but they can still be restrictive in undesirable ways.

3 Likes

I mean... this has to be a no-brainer, right? I see no problems with Mastodon and the decentralized nature of any social media that is not beholden to SV's maniacal management.

Most people have generally agreed for the past few years that some form of social networking should be recommended on the site. I noted this here back in May 2022, but nobody has submitted a PR in the time since: Reconsider Social Network and Social News Aggregator recommendations · privacyguides · Discussion #195 · GitHub

Since this has been previously discussed over the past 3 years in various threads, I don’t see this specific recommendation as too controversial and I’ve already written the PR for its addition:

This thread is just sort of a last chance for people to add any talking points I may have missed.

I am also planning other social network related changes here but they will need more community discussion before we go forward with them: List Element under Social Networks + IM/RTC Page Changes

3 Likes

Well, I voted. It should be added. People do ask what else they can use, and they know jack about Mastodon. At least this way they can learn about it themselves when I point them to PG.

While there might not be as strong privacy protections for posting as on centralised platforms, the ability to be pseudonymous can’t be discounted. Most major platforms do require personally identifiable information to sign up (mobile number and/or ID). That alone sets it apart and should at least be a reason for it being listed.

4 Likes

Jonah one of the criteria you put in place is that you can have private accounts, but AFAIK Mastodon doesn’t support this.

It does and I included instructions on how to do so already, unless you understand private accounts to mean something else?

I split up the discussion on adding the category itself to here for sanity: Social Media Category - #7 by jonah

Sorry, I should have read the page in full; instead I had just looked for the private profile option in my instance.
I have a few more thoughts.

Your proposal advises against mastodon.social and mastodon.online, because choosing them will encourage centralisation. Yet you also say that the official Mastodon app is recommended because they have a great track record on security updates.

Which does beg the question: why should I not use their app for security reasons, yet not use their instance?

I also think we shouldn’t idolize Mastodon and should mention where it fails. One instance is that network-wide censorship does exist, because instances that do not follow a moderation baseline acceptable to the majority will be banned. https://news.ycombinator.com/item?id=28495086

Account migration should also be briefly mentioned, perhaps with an external guide, and mention that posts aren’t ported over.

1 Like

The official app is a front-end for the Mastodon instance itself. Community-derived alternatives do exist, but security update frequency may vary.

You technically don’t even need to install the official app since Mastodon can also become a PWA (which are far better IMO)

1 Like

Overall I see no issues with recommending Mastodon, but minor comments:

Visibility controls protect against the Public Exposure threat, which is not mentioned at the top. Although, these can of course be bypassed if your adversary creates a fake profile, meaning it doesn’t really protect against Public Exposure effectively either, and that the measures are more like trying to make private something not designed to be private. [1]

I’ll note in transparency that I am not entirely convinced by my following arguments myself but do feel like it is worth mentioning. I think that

  1. If the approach is censorship as the privacy benefits are controversial (as noted on github), then the only threat listed should be Censorship and not Surveillance Capitalism too.

The protections against surveillance capitalism are either account-related [2] or privacy-policy-related, both of which are explicitly omitted due to varying depending on the instance. So what protects against surveillance capitalism? I am assuming it is because Mastodon is not adtech / surveillance capitalism itself, in which case:

  2. It seems contradictory to specifically exclude some benefits that are given by the instance (account-related) from the requirements, but include other benefits given by the instance (policy-related) in the threats.

[1] Especially considering that, unlike other public exposure concerns involving third parties, you are fully in control of what you post/share in the first place and aren’t limited to requesting third parties to hide or delete your information after it has been shared.

[2] I also think that if sign-up not needing personally identifiable information is not a requirement due to it being instance-specific, it should not be mentioned in the description and very first paragraph, but rather at a later point, as the focus should be on anti-censorship.

I think the threats we mention at the top should be relative to the typical tools in that category, and from a certain perspective even regular social media can protect you from mere public exposure, strictly speaking, so this isn’t an added benefit here.

One doesn’t even need to use the app daily or often, but maybe occasionally. Mastodon supports RSS, so one can put people’s accounts and hashtag searches into their favorite RSS reader and manage them from there.

I’d rather use Nostr, as Mastodon admins can still censor you.

1 Like

Thoughts?

I recommend against adding Mastodon for reasons below.

Irrelevant nitpick

Another personal reason for me is that Mastodon is not similar to any other popular social media, and exposure to some of the more popular servers will radicalize some folks against Mastodon itself, given how insufferable people can be and how much toxicity abounds in the usage of in-group terms (before grumbling, the same is true for all other social media, but the smaller user base makes it seem a bigger issue).

Social media handles are a prominent public identity thing, and allowing others to host it will cede control over your public persona to another person and/or entities that may target the host infrastructure itself. It might be relevant to note this for the users; it will matter in certain threat models, especially for famous personalities.

Not completely. Providers comply with local laws, which seem to be getting tighter everywhere. Providers in states with less free speech might also be forced to censor content or refuse to allow federation to certain servers.