There is no "taking back your words" on the web. Nor on the Fediverse.

Why we are reluctant with complex privacy models.

On our Mastodon instance and by mail, we get a lot of questions about features.

Since Flockingbird is still in the concept phase (i.e. vapourware), those are not really feature requests, but rather “information requests”: “Will I be able to…” kinds of questions.

For example, groups. “Will I be able to join a group and share information within that group alone?” (paraphrased).

Our stance is that we need to keep this simple. Predictable, easy to use and with clear consequences. Ease-of-use is a security feature. A privacy feature.

“Ease of use”, not because that allows “your hypothetical grandmother” to use the software, but because complexity makes mistakes more likely. “Big Tech” has been caught abusing this idea several times already: by making “privacy settings” needlessly complex, they trick people into “agreeing” to share data, or to accept far more trackers and cookies than they expect.

But this problem shows up in a lot of open source software too. Not deliberately, but because of needlessly complex flows: GPG, Tor, private chats, email, and so on. Make one tiny mistake, and you can go to jail. Accidentally paste your key.crt instead of the key.pub and your entire history of encrypted GPG messages has been revealed. Privacy and security compromised. Entirely. Security is hard. Sometimes the complexity really is required, but quite often it is a result of features being bolted on top: configuration options added, backwards compatibility that devs don’t want to break, and so on.

The fediverse has no way to “retract”. Sure, you can delete a toot, but that is no guarantee that it is gone. Centralised social media makes “deleting” a little easier, but there can still be screenshots, mirrors, or backups that forever store your personal “Covfefe”. Mastodon has lots of fine-grained settings that allow you to block, hide, or granularly share data, and so on. Most of it is secure in theory, but requires you to understand all settings and their consequences well for it to work as you expect¹. “For followers only” really does nothing when anyone can follow you. Blocking a person means they cannot visit your profile when logged in, but they can do so just fine by logging out. As a fediverse member you need to learn all these caveats. And even then it is easy to accidentally share something that you deemed private. You did realize that the server admins and moderators of your friends’ instance can read your picante-pictures sent to that friend, didn’t you?

Once a toot, profile, bio, avatar or accidental picture is federated, there is no “taking it back”. Deleting it is merely a suggestion; you can only hope that all the servers with a copy are willing and able to honour it (they may not be malicious, but rather unstable, offline, or buggy). There’s no guarantee. What’s more: once you have shared that picture with bob@masto.example.com, the admins and hoster of masto.example.com can access (and back up, or leak) your picture if they wish. Hackers who break into masto.example.com will have access to this image too. Even if your own instance at pleroma.example.secure is 110% secured with firewalls, immutable BSD servers or whatnot: once shared, you should consider it public-ish. On centralised social media, you only need to trust the company behind the platform. On federated social media, you need to trust both your instance’s admin/hoster and the admin/hoster of the recipient.
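To make “deleting is merely a suggestion” concrete, here is an added example (not Flockingbird, Mastodon or Pleroma code): a toy model of fanning out an ActivityPub-style `Create` and then a `Delete` to several servers. The `Instance` class, its flags and the domains flaky.example.net and archive.example.org are constructed for illustration, and delivery retries are left out.

```python
"""Toy model of federated deletion: a Delete activity is a request, not a recall."""
from dataclasses import dataclass, field


@dataclass
class Instance:
    domain: str
    reachable: bool = True        # False: offline or unstable when an activity arrives
    honours_delete: bool = True   # False: buggy or unwilling to process Delete
    store: dict = field(default_factory=dict)   # object id -> cached copy

    def inbox(self, activity: dict) -> bool:
        """Process one activity; return False if it never arrived."""
        if not self.reachable:
            return False
        if activity["type"] == "Create":
            self.store[activity["object"]["id"]] = activity["object"]
        elif activity["type"] == "Delete" and self.honours_delete:
            self.store.pop(activity["object"], None)
        return True


def deliver(activity: dict, instances: list) -> list:
    """Fan an activity out; return the domains that did not receive it."""
    return [i.domain for i in instances if not i.inbox(activity)]


def remaining_copies(object_id: str, instances: list) -> list:
    """Domains whose operators, backups and intruders can still read the object."""
    return sorted(i.domain for i in instances if object_id in i.store)


def demo() -> list:
    # Constructed sample data; the first two domains are the article's examples.
    note = {"id": "https://pleroma.example.secure/objects/1", "type": "Note",
            "content": "accidental picture"}
    actor = "https://pleroma.example.secure/users/alice"
    home = Instance("pleroma.example.secure")
    remotes = [Instance("masto.example.com"),
               Instance("flaky.example.net"),
               Instance("archive.example.org", honours_delete=False)]
    everyone = [home] + remotes
    deliver({"type": "Create", "actor": actor, "object": note}, everyone)
    remotes[1].reachable = False          # goes offline before the Delete is sent
    deliver({"type": "Delete", "actor": actor, "object": note["id"]}, everyone)
    return remaining_copies(note["id"], everyone)


if __name__ == "__main__":
    print(demo())
```

The sender's own instance removes the object and still cannot tell which remote copies survive: one server never saw the `Delete`, the other received it and kept the data.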

With Flockingbird, your online profile contains positions, jobs, contact details and other attributes, each of which can have a visibility of public, private or community. This is complex enough as it is. Such data makes “getting it right” even more important.

Which is why we have to answer “this is not planned” or “we probably won’t have that feature” quite often. Because KISS, Keep it stupidly simple, is a security and privacy feature.


¹Edit: We wrote “Most of it is rather insecure.” about Mastodon’s privacy settings. They are not. Mastodon is secure, your privacy is safe and guaranteed so far as you’d expect. It is only “insecure” in that you can easily get some setting or intention wrong and share more than you expected to share. We edited the article to reflect that.