I'm building a new thing for the Distributed 'Net, and I'd love company!

Cavern is a new journaling protocol focused on user agency, with end-to-end encryption and local-first design at its core. It has a social model intended to restore some chill to online communication, embracing non-public posting and manageably small social spaces. Check out <> for a rundown and links to code and discussion spaces!


If you ever thought, "Hmm, this new 'Livejournal' thing all the kids are talking about is *pretty cool*, but what if it was also private from server admins and used a static site generator"... then wow, do I have the protocol for you!

But seriously, the coolest thing about Cavern is that you can host it on any HTTP server. And that means you don't have to "host" it so much as find someone with a domain name and a file server, which could be anything from a box in the basement to Amazon S3.

There's no server software to deploy!

There's a web of trust, but not the annoying key-signing-party kind; your desktop app should learn about some people's keys automatically via your friends, and will trust-on-first-use (TOFU) anyhow.

This is not intended for high-security, cloak-and-dagger social blogging. It's just enough to prevent casual abuses of power. (You *could* make your Cavern app be more distrustful, but you couldn't make other people do that.)

The combination of these (cheap file servers, end-to-end encryption) means it should be easy *and* safe to host other people's journals, or have other people host yours.

Self-hosting is a luxury that most people can't afford (in time, money, or knowledge). But if it's cheap and easy, a handful of people could host for thousands.

That kind of amplification factor is what we need for distributed systems -- a few tech-savvy enablers who don't have to do any maintenance or moderation work at all.

That's right, no moderation required!

That's because this is fundamentally a pull-based system. No push. You can write posts, you can comment on other people's posts, but you can't send a message to anyone who isn't already following you. If you want to do that, try email! That's what email excels at. (Stop reinventing email and its problems.)

So: No spam, because this isn't email.

But also no moderation, not in the usual sense. You are admin over your own journal, nothing more and nothing less. (This is just like on Livejournal or Dreamwidth.) Once comments are built out, you'll be able to delete, screen, block, etc. and won't have to beg some moderator to do the right thing.

The one thing you're not in control over, if someone else is hosting, is the domain name. You'll still want to pick someone who's not a *total* flake.

But Cavern identity is designed to be nomadic. There's a signing key built in that will automatically authenticate any move you make to a different domain name, a different host.

And there's a design for a "gossip" system for propagating these updates in a safe and efficient way.

I suppose you also can't control what other people are saying. You can keep them from saying it on your journal, but you can't keep them from saying it on *their* journal. You can't control who they talk to.

This isn't a federated system—there are no "instance policies". Everyone has to, and gets to, make their own choices. You could totally have shared blocklists, I guess. But they shouldn't be needed, since you'll be able to say "hmm, I want to follow this person's journal, but not those of their friends".

Look, I'll be honest though: None of this is without a catch.

- People could use this system for bad things (terrorism, CSAM, the usual bugaboos) without hosters knowing. With good privacy you *always* have that risk.

- It's currently polling based. That could be patched over with a notifications layer, but conversations might be high-latency in the first iterations.

- Oh, and uh... it's mostly not built yet? There's totally a working client, but comments, rich text, key gossip, and some other things are only lightly sketched out at this point. That's why I'm looking for some kindred spirits!

Some of the ideas I want to explore:

- To what degree can social media "go dark"—become invisible to those who would be onlookers? Can we avoid the social ills of public posts while still meeting new people and new ideas?

- What if posts could be marked as "feel free to relay this to others, but only under this special pseudonym + signature" so that Very Good Ideas could percolate freely and become extremely popular, but the author could *later* opt into being identified as the original source?

- How "sloppy" can post privacy be as long as people are assured there is always a short social chain between authors and readers? Maybe I'm always fine with people I don't know reading most of my posts as long as they're friends-of-friends-of-friends.

How far can this model be pushed? What if I didn't just publish journal entries, but also Freecycle-style "here are things I want to borrow and can offer to lend", and people were able to *locally* perform searches on that data in their local social network?

What else could a desktop app facilitate, if it effectively had a map of the user's local social graph? Meetups? Introductions for dating, jobs, hobby groups? Restaurant/business ratings where you could actually trust the reviews?

I'd love to get in touch with people who can help guide the design. This can be technical, but really the *social* aspects are the most important for me to get feedback on—what I want in a social network is not what everyone else wants!

There are tradeoffs like "how important is contact list privacy vs. being able to meet new people" and people will have dramatically different perspectives on that.

Wat would make it easiest for you to share input? Following the GitLab repo to get notified of issues and pull requests? A mailing list? IRC channel? Hashtags on Mastodon? Other?

@varx This is neat! Thoughts:

A lot of this depends on Users Not Being Assholes. This is probably fine for the intended use case. I fear what happens as it grows though - consider Facebook, which drifted culturally from "add your friends as friends" to "add literally anyone you've ever met as friends". Will the technology be enough to discourage that?

I think you're underestimating phones. All you really need client side is the ability to store files and upload and download them. If a device can run a web browser, it should have no problem with this.

Syncthing (possibly wrapped in a nice simple UI) seems like the obvious solution to the cross-device syncing thing, but I also find myself wondering if it's the solution to the drawbacks of polling too - drop the HTTP-first thing and just run Syncthing on the server and use that for both reading and writing. The underlying protocol doesn't matter that much for usability, the UI does. (Read "Syncthing" as "some protocol that works vaguely like Syncthing and also supports permissions probably".)

@varx (Technically at that point you wouldn't need servers at all, but then you're at the mercy of "at least one other friend must be online when I post this", and eh, that kind of sucks. Until we un-wtf residential internet connections, I agree with you that the homeserver model is probably the local optimum.)

@varx actually, having read some more, I don't think this is compatible with some of the privacy guarantees you're going for (e.g. not being able to download even an encrypted copy of a private post). Never mind!

@emily Yeah, the online-together problem is pretty bad, and something I've experienced with a couple of attempts at distributed tech (such as Retroshare) and of course the P2P connectivity situation has been dire for years. "Servers as pipes" is my best crack at the problem.

@emily I actually want to embrace this add-everyone behavior to some extent, and then let people choose. It's something I already do on Mastodon, where I follow people on the basis of a couple interesting posts.

What Mastodon doesn't have is a way to say "I've categorized [these people] as actual-friends, and [these other people/everyone else] as just online acquaintances" and then make posts that only the first group can see. That's what Livejournal and its descendants do, and it works great. Google Plus did this too.

Going beyond that, I want to be able to write posts that are visible to "all my acquaintances and also their acquaintances". But if one of my acquaintances (or friends!) is a biiiit too promiscuous in adding people as contacts, there's no reason I couldn't exclude them from that algorithm.

The Cavern protocol is actually entirely agnostic to all these details, and a client could choose to implement this.

@varx I would love to have Google+ circles but fediverse, that was a legitimately great idea and nobody stole it. I've considered trying to hack it into Mastodon. You could easily implement that on Cavern, and then do friends+acquaintances or more levels than that or disjoint interest-based groups or whatever.

@emily It's such a good idea! The first place I saw it was Livejournal, and I suspect Google Plus was actually inspired by that. There might be earlier prior art, but I'm not sure.

In Dreamwidth (the successor to LJ) you can make filter lists, which are just friends groups. A post can be shown to everyone, to all friends, or to one or more filter lists. It works OK, but it's not *quite* what I want.

My hope is that by making a protocol that supports the idea but doesn't specify *how* it's done, different apps can implement it differently:

- One app might just have "real friends" and "acquaintances", and that would likely be enough for a lot of people. Simple to use.

- I want to get more fine-grained, and would want to tag people, then say "this post is for people tagged 'friends', but not people tagged 'coworkers'".

And it would support "socially local" levels, so people can say "this is for all of the acquaintances that my friends have listed, *except* for Bob's acquaintances, he friends some really irritating people". If there's some jerk commenting on your journal, you'll know how you know them, and can see patterns like "wow, Bob isn't very discriminating" and take action on that. :-P

@emily I'm still working out the details of how to allow commenting by people you don't know directly, though. One irritating but workable possibility is that people's journals relay comments. Another is that apps do infrequent scans of all of those journals.

@emily Man, phones scare me.

Specifically, I'm worried that people are going to have local copies of all their friends' journals, then back them up unencrypted to cloud storage. Presumably Signal doesn't have this problem, and I should check into what they do about it.

But maybe there's also something to the idea of just not storing other people's stuff on the phone, at least not any more than a small cache. And if people want to risk their own posts being snarfed up, I guess that's their own problem?

@varx I went digging because I was curious: Signal encrypts its db locally with, with the encryption key stored in

I assume, but haven't verified, that Android keystore contents are not backed up to the cloud in plaintext, because that would be really dumb.

@varx and that's a big issue... You're not freeing the user. You're making them a prisoner.

By putting all the moderation burden systematically on the end user you de facto renders it close to useless.
Moderators are a vital part of a social media. They have to see all the disturbing shit, all the horrendous pics and terrifying videos... They take action against those who post that kind of things in order to protect their users. Most people can't handle the amount of horror you find in unmoderated spaces. Only the most twisted or the bravest can. But if every end user has to filter that themselves, then they also have to see those...
I remember an interview from an ex YouTube mod... at the time the bots weren't good enough to pre-sort obviously horrible and illegal content... The documentary ended by saying they took their life between filming and releasing. Moderating is hard. Not everyone has the ressources to do it.

I'm moderating my own glitchsoc instance, yes, but I started with the help of other mods by copying their block lists. I also have some energy and patience to do it. Most people don't. I chose to have mine rather than joining an existing one with a mod team. But I made this choice.

Saying there's no mods may seem like freeing the user, but in fact you're tying the burden of it to their ankle.

@Ariane @varx

Ariane, do you have experience with LiveJournal or Dreamwidth? Those are the kinds of unmoderated social media that Varx is trying to emulate here.

@varx I do not and am not interested in them. I just brought a point that is extremely important to consider.

On the top of my head a simple solution which would give the choice would be to be able to subscribe easily to someone's moderation rules, be able to subscribe to multiple people moderation rules. I can totally see people making moderation accounts that target specific content types and then the regular users just subscribe to them depending on what they want to see or not.

@Ariane I understand what you're saying, and I may have made a mistake by using the phrasing "no moderation required".

Better phrasing: "It requires as much moderation as your living room". You'd only be moderating a space that includes people you invited to that space, or people who your direct friends brought in.

That's *very* different from the sorts of global spaces that YouTube and large Facebook groups provide, where literally anyone can show up and start griefing. That's exactly what I want to design away from.

@Ariane Or to put it another way: No moderation *of the kind* you have to do on Facebook or Mastodon.

It's the kind of moderation you have to do as the host of a social event, which I think most people don't even think of as "moderation".

@varx Definitely, moderating a discord server has nothing to do with moderating a big mastodon instance. Here I can see that it would indeed work. That's an interesting concept indeed, but even for social groups rather than networks, sometime moderation is required (sometimes people go off rails) and it's good to have good moderation tools. My favorite one is "Delete everything between this time and this one by those users".

But yeah you're pretty much doing what Matrix does already if I understand correctly. That can be a good source of inspiration.

@Ariane Yeah, even on Dreamwidth, sometimes you have to tell people to chill out (just like you might at a party). One of the tools that site provides is "screening", where you can just make a whole comment subtree invisible.

Time-based bulk operations sounds great too! I'll note that as a suggested tool. (Technically, the protocol itself is agnostic to *how* that kind of moderation is done; I just want to make sure it's possible for implementations to do it. But it's good to have a list of "this would be a good idea" for implementations.)

@varx Thanks for the clarifications and thanks for being receptive to my concerns.

I wish you lots of success :moving_butterfly:


Maybe the better phrase is "everyone moderates their own journal"? With maybe something about "and has the power to decide who can participate"?

Interesting. Just curious what itch this scratches? What is the use case?

@ScottMortimer @varx

A lot of us learned a hard lesson when LiveJournal, which had felt like a safe space for building community, was bought out by a Russian corporation, and suddenly we were faced with the reality that our private conversations with friends were in the hands of an entity with no vested interest in civil liberties at all.

@ScottMortimer @varx

In the leadup to this, there were also a number of hamfisted attempts by the people who ran Livejournal to clamp down on what I guess could broadly be described as "indecency." E.g. Harry Potter slash fiction was suddenly banned as child pornography, and LJ communities that listed anything having to do with sexual abuse were shut down without warning... including communities to support survivors.

@ScottMortimer @varx

This happened around the same time that Facebook was slowly eating the entire social media ecosystem of the internet, and a lot of LJ users just started posting all their thoughts on Facebook, effectively replacing one unscrupulous corporation with another.

@ScottMortimer @varx

However, a few of us took a different path and moved to alternative blogging sites using the same software as Livejournal. Dreamwidth was the big one, and for those of us who made that move, it has continued to scratch the same itch.

@ScottMortimer @varx

Experientially, Dreamwidth provides just about everything I am looking for in social media (although I really wish that more of my friends were still on there), but it relies on centralized site administration, which introduces a couple of a huge problems.

@ScottMortimer @varx

First, it's extremely fragile. There are just a handful of people running the site, and they are largely doing it for no other reason than that they want the site to exist. They are good people, and I trust them as people, but the whole thing could collapse on relatively short notice if the right kind of disruption occurred at the top level.

@ScottMortimer @varx

The other big problem with Dreamwidth is that there's no encryption beyond https. Socially, it's a safe space for talking about whatever you want to talk about: medical problems, identity stuff, mental health, activism. But in reality it wouldn't take much for all of that private information to end up in the hands of the police, a hacker, or an unscrupulous corporation ready to sell it to the highest bidder.

@ScottMortimer @varx

So even though Dreamwidth has avoided the kind of toxic environments that Twitter and Facebook users tend to assume are intrinsic to social media, a lot of the same deeper privacy issues apply.

@ScottMortimer @varx

My understanding is that Cavern is an attempt to create the kind of social atmosphere that we had on Livejournal and that some of us still have on Dreamwidth, but without the security and privacy problems.

@dynamic @ScottMortimer Yes, basically this—longer-form discussions and journalling, but with privacy controls (including protection from server admins) and more user agency (never losing your stuff if a server goes away,being able to switch servers, etc.).

Also for blogging where you want people to read your stuff, but maybe aren't interested in blaring it from a megaphone on a mountaintop like you do on Twitter or a regular blog.

@varx Ooh nice! This looks very similar to the sort of mechanism/protocol I have been thinking about for limited media sharing with family & friends, without the aid of centralised services (where my photos are now) or dynamic servers (which rules out NextCloud or similar)..

My driver for this is primarliy limited bandwidth from home, so I want content in the cloud, but better protected than just dumping files on S3/Azure...

Count me as interested :D

Sign in to participate in the conversation
Infosec Exchange

A Mastodon instance for info/cyber security-minded people.