Notices by The Nexus of Privacy (thenexusofprivacy@infosec.exchange)

And here's another example. Frank Hecker discussed he analogy between Bluesky's approach and certificate authorities (CAs) in browsers on Bluesky; so did @cwebber here on fedi. Good points by both! But ...

The Bluesky discussion included discussions of verification as a security measure (and the risks of ad hoc security functionality), power dynamics, and other possible approaches like petnames, Trust over IP, using DV/IV/OV/EV SSL certificates, and other interesting topics.

The fedi discussion was almost completely developers discussing situations where people overrode the browser's (or OS's) list of root CA's. Is that really the key point here?

Again, don't get me wrong: the point Christine is making in the original post is a good one -- my frustration relates to where the discussion went from there. I'd use somewhat different language than Christine (since Bluesky's initial implementation does involve mutliple independently-run verifiers I'd consider it at least somewhat decentralized, but power centralizing) but that's not the important thing here. I certainly agree that this implementation approach very much fits the pattern of Bluesky introducing something that's architecturally decentralized but initially almost completely centralized operationally, with vague plans for more future operational decentralization and no discussion of pwer dynamics. Like I say, there's a lot to critique here!

But there's also a lot to learn, and at least from the discussions I'm seeing on fedi, people are generally taking a pass on the learning opportunities.

The fedi discourse on Bluesky's verification is very frustrating Don't et me wrong, there's a lot to critique with Bluesky's approach of combining their own platform-level verification with initially annointing a handful of third-party verifiers:

• community-oriented verification, along the lines that @rudyfraser.com suggests, would be much more power-distributive and equitable

• as @ngerakines.me notes, Bluesky's approach is missing something critical: consent

• as @DataDrivenMD points out, the current framework functionally disenfranchises community organizers who lack social networks with access to mainstream media and other institutions that are designed to exclude marginalized people

• just like on Twitter, he people initially verified are overwhelmingly cis, white, and male;

• the three initial external verifiers include the anti-trans NYTimes and one of their subsidiaries

• Bluesky hasn't said anything about their process for making decisions about who's "notable" enough for them to verify and how they decide somebody's "authentic".

To be fair, I am seeing a bit of discussion of some of these issues here. But I'm not seeing anything about consent, or community moderation, or equity. Instead, the vast majority of what I'm seeing is people saying hat the approach of external verifiers (run by entities other than Bluesky) and the Bluesky app attaching privileged semantics to the annointed ones isn't "decentraized."

Is that really the important thing here?

#bluesky #verification #fediverse

Hahaha from Cory's latest

"The reason Bluesky is so centralized is that it's really expensive to run an alternative Bluesky server that provides a home for users who have left the main server (a "relay" in Bluesky-ese)."

No that's not even remotely what a relay is and no relays aren't the expensive thing to run.

@laurenshof

@dansup It's the classic "good problem to have but still a problem." With the growth rates of pixelfed.social and Pixelfed in general -- as well as Loops -- I can certainly see why you're feeling like you're in over your head.

So my advice in general is to prioritize safety and moderation even if it means doing less. Defer UX improvements and maybe even onboarding until you've made progress on safety. Close registration on pixelfed.social until you have a mod team in place and a path to paying them that makes it sustainable. Like I said in another thread, the opportunity won't go away.

@dansup I certainly agree that developers like you have a big role to play in helping the fediverse accelerate privacy and safety features.

With Pixelfed's momentum you have some great opportunities to show leadership here by prioritizing safety.

• as a coder, lead by example. Implemement moderation roles and a dashboard. Prioritize fixing open safety- and moderation-related bugs.

• as somebody who's started an initiative that's getting funding, you can be a role model by diverting a lot of it to moderators on pixelfed.social and other instances you run, moderators in the community, and safety-focused developers in the Pixelfed and the broader fediverse communities.

Those are only a couple of ideas, there are other ways as well.

Yeah …https://infosec.exchange/@thenexusofprivacy/113867969234998558 . scott@carfree.city @inquiline

Yeah really. "Oops, I should have posted support for the authoritarian white supremacist from my personal account not the corporate account" isn't the answer people are looking for, and neither "I know it's a fascist dogwhistle but am not changing it".

@protonprivacy you as a foundation and as a company really need to be treating this as an existential crisis. At this point there is absolutely no reason for anybody to trust you. What are you going to do to try to change that?

@Infoseepage @thisismissem

Also, the changes Meta is making to Facebook's feed algorithm "will make it more likely to recommend extreme and polarizing content".

Here's an excellent Bluesky thread on that from Laura Edelson (Chief Technologist at the Civil Rights Division in the Department of Justice):

https://bsky.app/profile/whiskeyocelot.bsky.social/post/3lfd3ohs7vk2v

An excerpt:

"The return to an algorithm that drives more politics and more extreme rabbit holes is a return the Facebook of 2016-2020. This has some business upsides, by both cutting costs and juicing user engagement (aka, ad revenues). But it has very, very serious downsides for users and for communities.

Because the hate speech policies and the algorithmic changes that were rolled back this week were developed in response to very real offline violence, including genocide in Myanmar, that were fomented on Facebook. This is a plan to go back to that algorithm and those policies."

#threads #meta #FediPact

It's worth highlighting how much organizing there's been here in the 18+ months since Meta first announced their plans to embrace, extend, and exploit the Fediverse.

@jat23's Closing the Door to Remain Open: The Politics of Openness and the Practices of Strategic Closure in the Fediverse is a great overview.

And from June 2023, the "Why the Anti-Meta Fedi Pact is good strategy for people who want the fediverse to be an alternative to surveillance capitalism" section of Should the Fediverse welcome its new surveillance-capitalism overlords? Opinions differ! talks about the importance of the #FediPact.

And speaking of leaks @caseynewton on Platformer and Sam Biddle in the Intercept have details on the new Meta guidelines and the guidance they're giving moderators

CW: some really sickening examples of anti-trans hate speech now explicitly allowed by Meta

https://www.platformer.news/meta-new-trans-guidelines-hate-speech/ (partially paywalled, but the examples are visibile even without logging in)

https://theintercept.com/2025/01/09/facebook-instagram-meta-hate-speech-content-moderation/

#Meta #Threads #FediPact

On @404mediaco , @jasonkoebler reports that "‘It’s Total Chaos Internally at Meta Right Now", with employees very upset about the changes -- and highlights that these didn't go through the usual processes of broud employee feedback.

https://www.404media.co/its-total-chaos-internally-at-meta-right-now-employees-protest-zuckerbergs-anti-lgbtq-changes/

The paywalled article also has a lot of quotes from internal discussions. Meta's clearly leaking like a seive right about now ....

#meta #threads #FediPact

And here's an excellent roudup of the changes by Ina Fried on @AxiosNews, including a good quote from @JenniOlsonSF

https://www.axios.com/2025/01/09/meta-moderation-transgender-women-hate

"Between the lines: Even the language of the new policy itself suggests animus against gay and trans people.

• The policy uses the words "homosexuality" and "transgenderism" — the former is an outdated term, and the latter is used nearly exclusively by opponents of transgender rights.

• "For a legitimate company to employ intentionally anti-LGBT dog whistle language in such a dehumanizing and overly bigoted way in its own hate speech policy is beyond comprehension," said Jenni Olson, senior director for social safety at GLAAD."

#meta #FediPact #lgbtq #lgbtqia

And from @juliaangwin.com's newsletter:

"This week, Mark Zuckerberg revealed his true colors in what can only be described as a pledge of allegiance to incoming president Donald Trump. In a video message, he declared that Meta was abandoning fact-checking and dialing back on content moderation — a clear capitulation to right wing demands for less “censorship” of their speech that was often found to be in violation of Meta’s prohibitions against hate speech and incitement to violence.

As I wrote in my latest New York Times Opinion piece (gift link), the billionaire Facebook founders’ actions show us what it looks like when a mature company stops innovating on its products and instead seeks to maintain its market power through political influence."

https://buttondown.com/JuliaAngwin/archive/heavy-lies-mark-zuckerbergs-crown/

And here's her gift link to the NYTimes article: https://www.nytimes.com/2025/01/08/opinion/mark-zuckerberg-trump-meta-lobbying.html?unlocked_article_code=1.nk4.bvEF.EXfKAyCs6FzR&smid=nytcore-ios-share&referringSource=articleShare&utm_source=JuliaAngwin&utm_medium=email&utm_campaign=heavy-lies-mark-zuckerbergs-crown

(Julia Angwin's also at @Julia, but is more active on Bluesky)

#meta #FediPact

"The Ministry of Empowerment", a great essay from @zephoria on Meta

https://www.zephoria.org/thoughts/archives/2025/01/08/the-ministry-of-empowerment.html

"Fuck you Facebook. That was the first thought I had when I woke up this morning. Followed by: What ministry is Mark Zuckerberg volunteering to manage for the dictators of the world? All I could think of is how Orwell’s Ministry of Love is about hate. So what are we creating here? The Ministry of Empowerment to ensure the oppression of the most vulnerable? Lovely. But maybe you, dear reader, have a better Ministry name for their new organizational identity?"

#meta #threads #FediPact

With today's news that Meta is getting rid of fact checkers and changing its policies to allow more hate speech directed at trans and queer people, seems like a good time to resurface these detailed instructions on how to block Threads.

https://privacy.thenexus.today/how-to-block-threads-on-mastodon/

If you want even more protection, your best bet is to move to an instance that's blocking threads -- see https://fedipact.veganism.social to check the status of your instance. And I agree with @kissane's recommendation in the excellent Untangling Threads

"I think the nearest thing to reasonably sturdy protection for people on fedi who have good reason to worry about the risk surface Threads federation opens up is probably to either…

• block Threads and post followers-only or or local-only, for fedi services that support it, or
• operate from a server that federates only with servers that also refuse to federate with Threads—which is a system already controversial within the fediverse because allowlists are less technically open than denylists."

#FediPact #meta #threads

Yes, Em's instructions will work for individual accounts. I've got more details and talk about about the limitations of this approach in https://privacy.thenexus.today/how-to-block-threads-on-mastodon/#from-profile

@fembot @Em0nM4stodon

Well, there are certainly a couple of companies who claim to be listening to voices via devices. For example:

"What would it mean for your business if you could target potential clients who are actively discussing their need for your services in their day-to-day conversations? No, it's not a Black Mirror episode—it's Voice Data, and CMG has the capabilities to use it to your business advantage.”

Of course they might be exaggerating but Google took the reporting seriously enough that they removed one of them from their Partners Program.

And of course that doesn't mean it's necessarily via a phone, and even if they (or somebody else) are getting it via an iPhone they're not necessarily getting it via Apple, and even if they're getting it from Apple it's not necessarily because Apple's misusing Siri QA logs.

You'd think Apple wouldn't want to take the risk of damaging their brand by misusing the data like that. Then again you'd also think Apple wouldn't want to take the risk of damaging their brand by non-consensually recording conversations between doctors and patients and sharing it with contractors, ... and it sure looks like they did that. So who knows, the only thing that's completely clear in all this is that Apple decided it was better to settle the lawsuit than risk further discovery and publicity.

Here's the original reporting (paywalled)
https://www.404media.co/heres-the-pitch-deck-for-active-listening-ad-targeting/

https://www.404media.co/mindsift-brags-about-using-smart-device-microphone-audio-to-target-ads-on-their-podcast/

And here's a non-paywalled summary

https://www.techtimes.com/articles/307372/20240904/cox-media-group-reveals-active-listening-software-spies-user-convos.htm

@inquiline @fivetonsflax

Just announced: "A New Social", a new non-profit focused on building cross-protocol services and tools for the open social web, is now leading development of Bridgy Fed.

https://www.anew.social/hello-social-web/

Exciting stuff! Bridging is an important approach that hasn't gotten enough attention, and this work really complements the other multi-polar efforts. Original Bridgy Fed developer @snarfed.org is CTO, and @quillmatiq is the CEO and Executive DIrector.

The press release has supportive comments from @mike, Emily Liu of Bluesky, the Threads team at Meta, @andypiper of Mastodon, Evan Prodromou of @swf, and @jaz of @iftas.

Bridgy Fed has set an important precdent here by prioritizing consent with their opt-in model, and it's really paid off. In fact the threats from Bluesky's current tolerance of anti-trans harassers and the multiple datasets of scraped Bluesky data are exactly the scenarios that advocates of an opt-in approach warned about -- an opt-out approach would have left people on fedi exposed by default. So let's hope that this focus on consent doesn't get lost as things more forward!

@fediversenews

#BridgyFed #bluesky #fediverse

I'm disabling Bridgy Fed on this account (at least for now) -- if you're at risk of harassment, consider doing the same

Harassment has increased significantly on Bluesky over the last week (which tends to be what happens when a site's moderators find an excuse not to take actionn against a coordinated anti-trans harassment campaign, but that's another story). Bluesky blocklists provide some protection, but unfortunately there's no way for fedi accounts to subscribe to Bluesky blocklists or labelers. So there's basially no protection for bridged accounts.

I haven't yet hard any reports of harassment getting directed at bridged accounts ... but then again if somebody on Bluesky who hasn't opted in to Bridgy fed is spewing hate speech in bridged posts replies, we wouldn't necessarily know about it. So, better safe than sorry.

If you're currently bridging to Bluesky consider doing the same! You can disable Bridgy Fed by blocking @bsky.brid.gy@bsky.brid.gy -- here's the FAQ https://fed.brid.gy/docs#opt-out

Here's the bug I just filed in the Bridgy Fed Github. https://github.com/snarfed/bridgy-fed/issues/1632

Bridgy Fed's development is very resource constrained right now; as far as I know it's still just @snarfed.org working on it part-time, and they've had their hands full just keeping up with the increased load. So, not sure how quickly they''ll be able to respond.

EDIT updated with the FAQ on how to opt-out, as well as the correct instructions.

#BridgyFed #bluesky #trans

Bluesky-social-network, Bluesky's Relay will never not be the only one.

It depends on how you define Bluesky-the-social-network. If it's just in terms of Bluesky-the-AppView, then you may well be right. If it's defined as "the people currently using Bluesky", I think it's very likely we'll see alternate Relays and AppViews within the next year. Time will tell!

as in, this is significantly different from early Mastodon days when there was only one Mastodon instance.

Agreed. So we'll see how Bluesky and the ATmosphere evolve. My perspective is that Mastodon evolved in a way where Mastodon gGmbH had enough influence that aribtary decisions by Eugen led to innovation basically flatlining -- and Mastodon's dominance within the fediverse, combined with SWICG's inaction, has held everything back. So there's room for Bluesky and the ATmosphere to do better ... or to hit the wall in different ways. Once again, time will tell!

@rysiek @damon