Mastodon: Your DMs can be read by the admin(s) on your specific instance.

Twitter: Your DMs can be read by the entire Twitter Corporation.

@tinker That last part almost certainly isn't true and I think we all know it.

A better argument is: "But you can be your own admin, meaning only your third party might lose your DMs, you're in exactly the same boat as twitter."

@Elucidating @tinker how about "by the Designated Agents of the Twitter Corp"

Who knows what rules they use to decide who gets to be in that group? Certainly not me

@riking @tinker I think this isn't a fruitful argument, because any argument you can make about Twitter you can make about the admin of a 3rd party instance, only moreso.

@Elucidating @riking @tinker No, not really. Your Twitter DMs can be read not only by any employee with database access, but also by the NSA and other spying agencies who have partnered with Twitter.

You absolutely cannot say the same about every single instance in existence.


@riking @tinker

How and why should anyone trust that statement? I'm not saying this to be contrarian, I genuinely think it's mostly the same thing.

@trwnh @riking @tinker

An example: lots of instance admins acted in unison to identify and ban instances and users who spread child pornography last year. They did this for their own reasons, but as a sum total of action it was largely indistinguishable from a centrally managed action.

I've implied elsewhere that nothing stops dishonest actors from starting Masto instances. The cost of failing is insignificant. There is no penalty for being revealed a fraud.

@trwnh @riking @tinker
Again, I think that this is more of a category error and we should label it as such. Mastodon's condition is at worst, just as bad as twitter. At best it's substantially better.

That's progress and we shouldn't cede the point to folks who want to try and claim Mastodon is uniquely bad in this fashion.

@Elucidating @tinker I would say it essentially is true. Everything you write on Twitter is readable by everyone the corporation allows or directs to read. That is already a lot of people, and you have no choice in the matter.

Mastodon is NOT a private platform either of course. Tooters should have minimal expectation of privacy. However there is a much greater measure of control in who sees your messages, plus it isn't driven by surveillance based marketing.



I mean, all it'll take is one (inevitable) fash psyop and we're going to have to have better talking points.

@msh @tinker

I mean, seriously. We're going to see someone run a Masto instance under false pretenses and get traction. It's gonna be a dire challenge to the narrative Mastodon users want to project.

Let's just hope it's to the detriment of the fash not on their behalf.

@Elucidating @tinker this has already happened to a certain degree...remember the attempt by Hiveway to somehow tart up Mastodon with blockchain and raise capital for their "new thing". Also, though not overtly fascist, caters in some ways to such a crowd with their antisocial federation policy and tone.

The nature of federation brings back the kind of self regulation/containment that existed in pre-internet publishing, where crackpot ideas were recognizable and limited in reach.



I agree. I'm more concerned about people misrepresenting their intent and capturing identifying details about users in a kind of Honeypot scenario.

@Elucidating @tinker that sort of self-containment works to limit damage in those cases too. An instance's rep can quickly turn bad when it is caught doing evil. It isn't perfect of course but you won't as easily get Cambridge Analytica type scenarios where things like honeypot "quizzes" can reach tens of millions of people.

There are many more mitigation options in a distributed scenario. I have my own server for a reason. And alts like #pleroma making self hosting more accessible helps.

@tinker I think that's a good point, two minor thoughts:

The reason that Twitter is an issue is that you effectively have no relationship with them. You're probably just a low value content creator, they have a plethora of those. If you were a customer you might have some weight, you're not.

Also DMs can be read by the admins on your instance and on the instance of the person you're sending it to. You have to trust all the admins in that set.

@maarteuh @tinker Indeed. Any third-party hosted service that doesn’t implement end-to-end encryption.

@tinker ...damn best delete all the "primetime pics" i sent to the other brand accounts, shit shit SHIT

@tinker that is not true - and they might be safer with such a big corporation (with clearly defined policies for access and very knowledgeable devops) than with a random Mastodon admin (who may or may not be running all security updates every night). Says this random admin :-)

@arjenpdevries - Fair. Flip side as well, folks can spin up their own instance and control at least half of the conversation.

@arjenpdevries Mastodon isn't a private messaging tool (there's no (auditable) end to end encryption) but you can't pretend it's "safer" to blindly trust a company run by surveillance marketing. It's not "safer" at all, it's defective by design.

Big corps get hacked on a regular basis… "knowledgeable devops" is not a valid argument. Especially when those companies practice mass surveillance for money.


@devnull @tinker well, I agree that surveillance capitalism is a flawed model. However - the large corporations in this mass surveillance economy will spend huge resources to keep their data to themselves. The model requires trust - which is fragile.

An analogy: Do you trust just anyone on the street with your money? No, you put it in the hands of a large corporation called a bank.

PS: I definitely think decentralized social media are the future!

@arjenpdevries @devnull - But my data is not insured (can’t be insured) the way my money is. Corporations are easily breached. My data easily accessed. If my money is stolen at a bank, I still keep it because the bank is insured. Not the same for my data.

@arjenpdevries The bank is supposed to give me my money back if they get hacked and someone steals my money because of it.

Marketing companies sell your data to anyone they want, and will give you nothing, even if they're breached.

It's not comparable at all.

Trust isn't an issue, most people blindly trust those companies and don't give a shit about their own privacy/the privacy of others. All they see is "$stuff is so convenient!". Look at facebook…


Not by the Twitter corp, but by "our commercial partners for advertising purposes(tm)".

There. :blobcoffee:

@tinker *Mastodon: and the admin of the possibly-remote instance you're sending the DM to, which would more likely be the issue.

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.