There's apparently a checkbox ("Show private statuses", added in 12226047) that shows DMs in the admin FE. The potential for abuse is pretty obvious; I can't think of a reason to include it. The same commit appears to be the one where posts (regardless of visibility) are visible when they're reported, which is totally reasonable functionality. But "click here to invade privacy" seems like way too low a barrier, it practically encourages abuse.
I think the functionality should be removed, or at the very least it should automatically notify the user (even if the user is remote) when it is used.
I'd vote to simply remove it. Even the instance administrators should not have access to DMs. The instance owner could easily enough access the database directly if that information is required for something.
Personally, this goes a bit into the face of what federated software stands for; you're supposed to be in control of your data, or at least have it be controlled by a particular trustworthy group instead of a big untrustworthy business. If it's made this easy to access sensitive data, you might as well ditch the fediverse altogether, because it would have the same privacy issues as big platforms like twitter.
It's dangerously Before Coffee time, but I'll respond.
Personally, this goes a bit into the face of what federated software stands for;
You've been misled. Security and privacy are not part of the fediverse (which is now over 10 years old). Control and agency over your own data, not being subjected to engagement algorithms and targeted ads or having your data easily monetized by billionaires -- yes, but security and privacy are impossible to promise.
you're supposed to be in control of your data, or at least have it be controlled by a particular trustworthy group instead of a big untrustworthy business.
That is exactly what we are striving to provide.
If it's made this easy to access sensitive data, you might as well ditch the fediverse altogether, because it would have the same privacy issues as big platforms like twitter.
Sensitive data does NOT belong on the fediverse. Please don't tell people this is a secure space. We don't have E2EE. User blocks are evaded with a private browser tab.
If you need to share private/sensitive information I urge you to use Signal, Threema, Telegram Secret Chats, even iMessage. Don't use the Fediverse. It's just a fancy email server in a dress and we learned long ago that email isn't secure either. (Please don't mention PGP; it's terrible)
We've also had people request the ability for admins to read Chats because they want the ability for users to report abusive content to instance admins. I'm not a fan of this at all. Chats are a chance for us to start building security and I don't want that opportunity undermined. We do have plans for E2EE there.
We've also had people request the ability for admins to read Chats because they want the ability for users to report abusive content to instance admins. I'm not a fan of this at all. Chats are a chance for us to start building security and I don't want that opportunity undermined.
Ooof. Well, I guess that will all be pointless once we have E2EE and the admins have no way to decrypt the messages because the key only exists on the user's client.
Then someone would just use a db query to get around that, or remove said notification code, if they were indeed malicious. This doesn't really protect anyone, and I think we already have enough false-sense-of-security features lying around on AP implementations to add another one of such diminishing return.
way too low a barrier
The barrier is "make someone an admin". For instances using in-db config (like mine, now) any admin has access to the entire instance config and can do things much more drastic than reading two people's pillow talk in DMs. If you do not trust someone to abuse the "view private statuses" toggle, you likely do not trust them with admin in general.
I think the ease of seeing private statuses is a good thing; it sheds light on just how easy it is for admins to see what is on their servers, so that the concern is more concrete for users and not just something that can be done "in theory". (I mean, even without the feature, we knew it wasn't theory, with instances such as rareome that promoted all incoming statuses to public, but you get my point.)
If I want privacy, I don't entrust any AP software—not Pleroma, not Mastodon, not anything I'd come up with—nor do I trust the network. I tell people to contact me on XMPP or use PGP if they truly care. Most of what I've used DMs for is to keep trivial talk between myself and other users off of the main timelines. It's more of a "scope" thing than a "privacy" one to me.
And I think that's just it. People need to know how to use these tools responsibly. It's a social problem more so than a technical one. I don't advocate to idiot-proof the software.
I'm not talking about the security model, I'm suggesting something completely orthogonal: don't make this a single click to just read people's DMs. I can't think of a legitimate use for this except to drive the point home that there's no E2EE. (The "replace airbags with iron spikes to encourage safe driving" approach.)
If I want privacy, I don't entrust any AP software
I agree completely. An "employees only" sign doesn't stop anyone going into a room, but it does make someone pause. It's the difference between one-click ordering and making someone type their credit card information and shipping address every time: you eliminate impulse buys if you do the latter. "Are you sure you want to delete this?", etc.
I would like to eliminate the "Click here to read DMs" button, maybe make the admin reauth or something so it's not a single click. A privacy curtain in a changing room instead of just a sign that says "No peeking". (Right now, there's not even a sign.)
If you want a legitimate use of seeing DMs relatively easily see https://catboy.cafe/ (certificate expired, TOFU tells me it's fine).
And reports are still garbage; among other things, a lot of folks seem not to tag the offending posts (MastoFE isn't great at that tbh).
And you're not really supposed to go around into AdminFE on each and every user, so in terms of actual UI I don't really know what more you would like; we're not putting up a "Here's all the messages on the instance, including private ones" button.