threat-landscape

Spot the Fed: Mastodon, the Fediverse, and why you can’t run servers like it’s 1999

Decentralized technology has become an increasing topic of interest to technologists and enthusiasts seeking alternatives to the “walled garden” of many online communities and platforms. Spinning up a web service has become much easier with DevOps tooling, automation, and cloud services. However, the internet is more complex a place than it was twenty years ago. Technology has become much easier to deploy and more widespread than many imagined, but this spread has been met with challenges that threaten user safety, security, and privacy for all.

In this article, I unpack a few insights from the talk I presented at PEPR (Privacy Engineering Practice and Respect) ’23.

The evolution of decentralized tech

In the 80s and 90s, the internet was primarily an information-based medium; most people went online because they wanted to learn about something or find something. The risks were relatively mild and not very well known by the public. This general ignorance extended to many regulators and lawmakers who often have been caught unawares by the risks of technology.

Fast forward to today and we see an internet that looks quite different. Most users access the internet to connect with family, friends, and other communities (many of which they may not have interacted with in real life). This has raised several challenges ranging from misinformation and disinformation to harassment and abuse. Increasingly these risks have also hit the public sphere, most users are aware of security and privacy threats (if not knowledgeable about them) with much reliance being placed on the underlying platforms they use. Lawmakers have been attempting to ensure this integrity by passing legislative action and regulation to set the bar for security and privacy standards across their jurisdictions.

It’s within the context of these increasing challenges that we are introduced to the concept of federation. Federation provides a new paradigm for thinking about web services. Traditional web applications or software-as-a-service solutions rely on a single organization that runs the service through their own resources be that a social media platform or sales leads and engagement systems. Federation allows this trust to be optional by providing users with the option of choosing admins that are perceptively closer to them.

Federation vs on-prem

Smaller organizations and individuals can choose to run their own versions of federated services in the same way that businesses can run on-premises applications. Unlike their enterprise counterparts, however, each individual instance can integrate and federate with other instances running the same service. Each instance contains its own user base, rules, and administrative permissions while being able to access the rest of the larger network.

This can radically shift the trust paradigm that most users must face today. Instead of delegating their trust to a more distant entity like a corporation, users can choose to delegate that trust instead to individuals or organizations closer to them. This provides a new opportunity for changing the relationship individuals have with their data courtesy of the increasingly easy methods of deploying technology.

Challenges

While technology has become much easier to deploy, the way the world has changed in the past twenty years has increased the non-technical challenges service owners must face. The problems that were once the challenges of the Microsofts, Googles, and Metas of the world are now the problems of a single person that decides to run a service.

Technical challenges

Deploying technology has become easy, but it is nowhere near automatic. Instance admins are still required to tackle challenges around reliability, system integrity, patching, and operations. There are many resources that exist to tackle these problems but can easily overwhelm a single individual as their instance grows.

Financial challenges

Many smaller instances are often self-funded; meaning if the individual running the instance decides not to pay for the instance anymore, the server could be shut down without notice to the end users. While users may have more confidence that an instance is being run closer to them, the funding model becomes less certain among individually run instances.

More challenging still is the impact of larger organizations that join the network with differing policies and procedures that have the potential to swing the norms and culture of the network as a whole. Many Mastodon users were worried and concerned when learning that Meta’s Threads product would integrate with Mastodon servers across the world and were concerned about how that would impact them as users.

Legal challenges

Running an online service can be both expensive and risky. By running their own services, instance admins may inadvertently expose themselves to legal liability through a number of different channels. Users may submit data access or deletion requests in line with privacy regulations. Content moderation is a fast evolving and increasingly high risk area with many changes being proposed to the legal frameworks around them. Additionally, people may upload copyrighted content that places the instance owner in violation of copyright laws without their knowledge.

These cases are the more normative ones and don’t include the “black swan” events like the uploading of CSAM or data that results in serving of a National Security Letter. Large tech companies spend millions of dollars in legal costs to manage and respond to these inquiries.

Policy challenges

Futhermore, running online communities can be challenging. While we have had online communities through web forums and IRC servers for the past twenty years, a new challenge arises with managing the interactions between various communities. These individual circles are no longer isolated; admins and moderators now have to face challenges on how to ensure their users are behaving well on the internet and protecting their users from malicious behavior. The knowledge of how to manage these complex interactions doesn’t exist in a consumable, shared format.

How to Make Decentralization Better

If we are to consider decentralized services as a future idea, it requires technologists to consider the challenges of limited technical and non-technical resources. The industry, as a whole, has done a great job in bringing complex technological solutions to succinct principles and frameworks that can be easily implemented. These solutions should expand to the process and non-technical components. The AT Proto Project has been exploring this by looking into sharing content moderation models between instances. The Mastodon project provides a reasonable starter template for terms of service. The spirit of federated technology is bringing control to smaller players, but this control should also include reasonable defaults.

We also must consider technical and user consistency, ensuring that instances are easily able to stay up-to-date without too much technical challenge or knowhow. Users should also be able to interact in a unified way between different instances without falling victim to poor or inaccessible design.

 

As we think through the bigger picture of what it means to build services for everyone, it’s important to consider players of all sizes. In order for us to have an internet that provides every player with a voice and home, we must consider how we develop at scale: both large and small.

 

Download a PDF of Spot the Fed presentation here
[Download a PDF of this presentation here!]

Tariq Yusuf is a Kalles Group Senior Consultant with expertise in technology policy, digital privacy, and security with 8+ years of experience in the technology industry. He specializes in the intersection of privacy, engineering, legal, and policy, taking a cross-functional approach to problems facing both technology and society. He completed his Master in Jurisprudence from the University of Washington School of Law and received his Bachelor’s in Computer Science from the Paul G. Allen School of Computer Science at the University of Washington in 2011.

Your future is secured when your business can use, maintain, and improve its technology

Request a free consultation