Eugen @Gargron

Poll following recent discussions about DM privacy on Mastodon: Should the Mastodon webapp compose screen warn that DMs are stored on the server (accessible by admins)?


@gargron i want to say "yes, but lightly, in a non-alarming way. it's common practice and we're honest about it"

@CobaltVelvet @Gargron +1
for a light blue rectangle, not a huge red one.
Kind of like what Mastodon has when sending over OStatus

@CobaltVelvet @Gargron Came here to say this also. Be clear that this applies to pretty much all other platforms as well, but that Mastodon wants to be more honest and transparent with users about it.

@CobaltVelvet @Gargron +1
Not only is it common practice, but if you want persistent DMs there are very few alternatives

@Gargron Yeah, maybe it's something that could be added to the onboarding as well or instead? I think it's an important message that applies to pretty much every action on Mastodon, though especially important for DMs.

@Gargron Of course the warning could mention that it is the case for all social media platforms...

@Gargron The warning message could include a phrase like "Like most social media platforms [including <list of examples>]..." to reduce the scaring-off effect.

@Gargron If there's actually a not-vanishingly-tiny percentage of people surprised by that, it should be pointed out, I guess.

@Gargron those answers feel way more suggestive than "yes" and "no"

@Michcioperz I have created strong arguments for and against it.

@Gargron I think they shouldn't be part of the answers though, and should instead be listed outside of the poll. Just a pet peeve.

@Gargron Yes, but make sure it's clear that everything else does that too and there's no way around it.

@Gargron Just a text link to "what privacy means with masto" page and describe intricate and usually uninteresting details there?

@gargron When "we", with the !fediverse, will be a real alternative: Yes, of course. All transparency is important.

@Gargron that scares me a lot

but why not? with a warning message should be OK

@jsalvador @Gargron

To do that you'd need a private key that is local to your client (i.e. not stored on your local instance) and you would have to authorize new devices you want to post from in a fashion that they get this key without the server handling it. It also prevents you from recovering your account if you lose the key.

Services such as Signal and Keybase do this, and as such are better suited for truly private communication.

@david @Gargron actually i don't mind if there is a truly private message system or a system with a warning message, but i'm sure there will be a lot of people asking for it and making a flame war

@gargron @jsalvador and why 'no'? Perhaps it's not currently possible because it's not been implemented, but why would it be technically impossible to encrypt DMs? Users would have private and public keys and they could be used to encrypt and decrypt DMs. Perhaps an ambitious undertaking, but certainly possible?

@jsalvador @gargron I mean aren't secured DM systems such as Signal about end-to-end encryption, so they are capable of doing that.

@sciss i want a secure way to send DMs on Mastodon, but @Gargron has the word on this...

@sciss @Gargron @jsalvador In-browser cryptography is really insecure for a number of technical reasons, so it wouldn't be feasible to implement

@Gargron Sorry for the ignorance, what are DMs?

@Gargron yes (voted) but also advocating an additional splainer indicating most social media platforms do this
and some E2E suggestions

Thanks for having the integrity to seek community feedback on this @Gargron, doing this isn't the easy way.

I suspect the reason so much of the net feels like a corporation's backyard is because decisions to do what everyone else always did just get made unquestioned.

And that leads to everyone making the same assumptions and the whole thing being fragile to the same kind of failure.

Best wishes.

I don't see why not. Plus it educates ppl who maybe never thought about it, and it's such a small thing to do that encourages people to think about who has access to the things they post. I guess minus it might be interface clutter? Maybe "Yes, with a 'don't show this again' option"

@Gargron what about having it be an option when you install the server, and the user has a page in settings where they can view the "privacy" settings on the node they are on, so they can tell easily if the server owner can view their DMs

@ninja85a @Gargron How would Mastodon determine these "privacy" settings? The admin can tell the user whatever they want, and it is not the role of Mastodon to understand the security of where it runs. This feature seems to me hazardous at best.

OTOH implementing PEP would help users utilize strong cryptography from the client for DMs, making it easier to block admin envy.

Voted yes. I think it's better to strive to be a better platform rather than a superficially better-looking platform. Maybe have a read more that mentions that most other services do it too, and recommend Signal for secure communication?

@Gargron I don't know if that's necessary on the compose screen. I definitely think it should be transparent though, maybe in an FAQ or readily available post on privacy?

@Altruest @Gargron I definitely don't think a big blob of explanatory text on the compose screen would be good, maybe a link or something

@Gargron "Just like these other platforms, we store this on the server. The difference is we are telling you about it." Or something like!

@Gargron Hi Eugen, although it is common usage among all platforms of the same sort, a one-time 'cookie notice' that informs new users, or an addition in the TOS, will put the users above the party (in this case Mastodon) and give open information about the flaws that other platforms have and don't tell their users about. As Mastodon is different, this will make a big statement and I believe will have a positive effect on people that want to know everything. (No hidden benefits for Mastodon.) Greetings from Holland, Barbara

@Gargron Yes, especially if they're cross-instance. With anyone being able to set up an instance - I trust my admin, but can I trust the admin of honeypot.example isn't reading all the DMs sent to that instance?

@Gargron there's also a difference between it being technically possible at faceless megacorp and some guy whose server you're on being able to read them.

@Gargron if you do this, mention that this is just like every other social network, so people don’t start FUDing it up.

I would say yes, but people that are using a DM system on any service should assume that it all gets stored on the server

@Faveing @Gargron they /should/ but that doesn't mean most people /do/

Masto leans towards tech savvy right now, but some of the new people joining aren't & we should try to make the platform welcoming & accessible to them too

@Gargron very useful to know, will use a different platform for sensitive communications

@gargron The way the options are phrased leads me to conclude that I have no idea what is the best option.

@Gargron ⚠ warning sounds a bit strong
but a little info box saying something to the effect of "direct messages are not encrypted and will be readable by admins and mods of both this instance and the recipient instance(s)" (with maybe a link to a more thorough explanation for those interested) would be a good idea

from an end user perspective, I very much like being told what a feature really does instead of having to assume.

@Vann @Gargron
I think it should look similar to the warning you get if you make a followers-only post on a non-private account.

@Gargron I'd word it as "Remember: these messages are stored on this server..." etc.

Or maybe "Note on privacy:..."

As other people are saying, it shouldn't be signaled as a nefarious practice but as a privacy level to be aware of.

@Gargron Think of it as a "privacy usability feature" similar to onboarding, to help remind people every time they send a message in case it might change their mind that particular time.

@Gargron If possible, I would suggest linking to a list of native apps that do encrypt your messages. But doing it in the browser is pure security theatre.

@gargron That little closed envelope icon may create a false impression of privacy, so it's always good to play with open cards and remind users that they shouldn't use this for sharing very sensitive information.

@Gargron thanks for seeking feedback! this is what makes this is a strong platform

@Gargron Not on the compose, but have a "these are the people who you are trusting" (optional?) section of the Onboarding or something.

@Gargron voted yes; agree with others that it should be unobtrusive and possibly dismissible. disagree with that it should say 'other sites do this too' - when websites do that when they ask for cookies, it feels very forced or showy to me. it would be nice if someone had no idea other sites did it, but to me it seems very smug, like 'oh here's a reminder how much everyone else sucks', which makes it seem more about gloating than being informative!

@Gargron 2nding the chorus of ‘yes but in a way that makes this clear that it’s standard across platforms’

Also what would be the technical feasibility of adding a ‘who are my admins?’ button to said alert? A surprising number of new users don’t seem to know

I agree that it should be a brief reminder that doesn't take a ton of screen real estate and maybe is permanently dismissible with a little icon:

ℹ️ ᴰⁱʳᵉᶜᵗ ᵐᵉˢˢᵃᵍᵉˢ ᵐᵃʸ ᵇᵉ ʳᵉᵃᵈᵃᵇˡᵉ ᵇʸ ⁱⁿˢᵗᵃⁿᶜᵉ ᵃᵈᵐⁱⁿⁱˢᵗʳᵃᵗᵒʳˢ [ᵐᵒʳᵉ ⁱⁿᶠᵒ] [ˣ]

A more thorough explanation can be found at the "more info" link.

I'd be careful about wording. "may be readable" is a bit of a soft sell but I chose that on purpose, other wordings I thought of make it sound like common practice.

@Gargron i voted no because i'm afraid too many privacy-related warnings will cause alert fatigue. we should warn them of this privacy issue when they pick an instance instead

@alys @Gargron Yes, or having it in the settings somehow. Being warned every time feels unnecessary.

@Gargron @shellkr yeah. i don't want it to backfire and cause people to ignore more serious privacy concerns. i mean, you're trusting the instance admin in quite a few ways.

@Gargron the lowered barrier to entry cuts both ways: a regulated company that wants to remain a thing™ is still beholden to bad press and the law, whereas private individuals spinning up masto are less capable of both spotting and punishing bad actors and also protecting against external threats.

That's not a criticism of Masto putting this stuff in the hands of everyone, but I find the like for like comparison a bit off. Federation does change the risk profile for the average user.

So long as it does not cause a major code rework on short notice for you.

@Gargron also give a recommendation to use a secure communications service outside the mastodon platform.

@Gargron I vote second option, but I think phrasing is important. I'm pretty sure phrasing exists that flags this as a problem for most unencrypted communication.

@Gargron BTW, this is something critical to add to the new privacy policy

@Gargron I'd argue that a 'better' solution in the long term would be more general education about where your data ends up and who can see what.

For example:

Your local instance operator sees your:

Follower list
Following list

They don't see your:

Remote instance operators see your:

DMs to people on that instance


@Gargron If it's not end to end encryption and has no optional self deleting messages, it is not worth using. Many hacks into companies don't even get published, so your information could get stolen and no one but the underground would know.

@Gargron People might say that I'm "paranoid" about privacy. Well I am. And I have good reason I should be. Especially after what happened to Facebook, who's saying no one else has done it? I knew for YEARS, people around me knew for YEARS, but like I said some hacks never get published. Many sites sweep things like that under the rug. Other sites could have the exact same problem. Such as Google. Google does every little trick it can to track your location, so anyone that even glances...

@Gargron ... at your Google account can see every place you signed on from when you have location enabled. But please, I'm just too privacy concerned.

@gargron if a disclaimer is written, it should almost certainly link to more in depth information and secure alternatives.

@Gargron imo, it's more of an argument for people to spin their own. If it's that much of a concern, domains are pretty cheap. (Maybe the mastodon of the future is essentially p2p)

@Gargron if an admin starts reading the messages, nothing will stop him/her from disabling that warning. This warning is simply useless.

@Gargron I don't think this poll is fair: I wanted to choose both options. It's not a matter of 'moral obligation' but of availability of better options, e.g., a client-side encryption layer. Still, UI is important. OTOH, such a warning should be written to clearly explain that this is a global risk, not just Mastodon's DMs. See how is handling it...

@Gargron I'm for the initial splash message in instance sign up. Also some blogger press about it would be good from you and/or other contributors. So voting yes

@Gargron I am worried that this feels too much like a "disclaimer".

Maybe it would be good to have a primer of "this is what happens to your data if you do X" as a means of educating people.

Any opinions?

@Gargron I think users should be notified the first few times and then the software should offer a "don't tell me again" checkbox after the 4th box or so.

That would prevent an "I didn't read the text, what happened?" issue happening on mastodon.

Having a certain level of both privacy and transparency is what makes mastodon different from other social networks. Maybe a "Learn more" link could show an easy understandable explanation

@Gargron I think as much transparency as poss is best. Of course that data has to be stored somewhere, but letting users know where and why is important.

I would love the idea of incorporating public / private keys for sensitive content like DMs and private threads.

There's a project called pass that has cool group gpg functionality

Something similar could be a really rad feature!

@Gargron If the concern is that they'll go back to other platforms, just make sure to mention that other platforms do this too.