Synopsis: The article discusses the FBI’s seizure of the Mastodon server and emphasizes the need for privacy protection in decentralized platforms like the Fediverse. It calls for hosts to implement basic security measures, adopt policies to protect users, and notify them of law enforcement actions. Users are encouraged to evaluate server precautions and voice concerns. Developers should prioritize end-to-end encryption for direct messages. Overall, the Fediverse community must prioritize user privacy and security to create a safer environment for all.
Summary:
Introduction
- We are in an exciting time for users wanting to regain control from major platforms like Twitter and Facebook.
- However, decentralized platforms like the Fediverse and Bluesky must be mindful of user privacy challenges and risks.
- Last May, the Mastodon server Kolektiva.social was compromised when the FBI seized all electronics, including a backup of the instance database, during an unrelated raid on one of the server’s admins.
- This incident serves as a reminder to protect user privacy on decentralized platforms.
A Fediverse Wake-up Call
- The story of equipment seizure echoes past digital rights cases like Steve Jackson Games v. Secret Service, emphasizing the need for more focused seizures.
- Law enforcement must improve its approach to seizing equipment and should only do so when relevant to an investigation.
- Decentralized web hosts need to have their users’ backs and protect their privacy.
Why Protecting the Fediverse Matters
- The Fediverse serves marginalized communities targeted by law enforcement, making user privacy protection crucial.
- The FBI’s seizure of Kolektiva’s database compromised personal information, posts, and interactions from thousands of users, affecting other instances as well.
- Users’ data collected by the government can be used for unrelated investigations, highlighting the importance of strong privacy measures.
What is a decentralized server host to do?
- Basic security practices, such as firewalls and limited user access, should be implemented for servers exposed to the internet.
- Limit data collection and storage to what is necessary and stay informed about security threats in the platform’s code.
- Adopt policies and practices to protect users, including transparency reports about law enforcement attempts and notification to users about any access to their information.
What can users do?
- Evaluate a server’s precautions before joining the Fediverse and raise privacy concerns with admins and users on the instance.
- Encourage servers to include privacy commitments in their terms of service to resist law enforcement demands.
- Users have the freedom to move to another instance if they are dissatisfied with the privacy measures.
What can developers do?
- Implement end-to-end encryption of direct messages to protect sensitive content.
- The Kolektiva raid highlights the need for all decentralized content hosts to prioritize privacy and follow EFF’s recommendations.
Conclusion
- Decentralized platforms offer opportunities for user control, but user privacy protection is vital.
- Hosts, users, and developers must work together to build a more secure and privacy-focused Fediverse.
You must log in or register to comment.
The Fediverse serves marginalized communities targeted by law enforcement
Ohh no, no no no
Interesting no mention of encryption-at-rest (disk encryption), which is something I’d recommend for servers in general.
Encryption at rest only protects you if the system is off and someone takes the physical drive or disk file. Once the system is running the data is unencrypted.
Mostly true. It protects against access to the data when the encrypted volume is actively open.
Is it going to protect against physical access to active hardware in most cases? Probably not (though some might also l consider some layers such as immediately closing the volume and/or wiping keys if certain circumstances are net)
Is it still a good idea? Yes, as it offers reasonable protection for data (along with other layers) when one considers stuff like drive disposal etc.
I’m curious, how would you do this in such a way that it wouldn’t come at the expense of effecting your high availability?
If the server were on-prem or in the cloud… and the system crashed/rebooted, how would you decrypt (or add the passphrase) to the encrypted drive?.. cause the likehood of the kernel crashing or a reboot after and update is higher than an FBI raid… and it would get tiresome to have the site being down, while we wait for Bob to wake up, log in, and type the passphrase to mount the encrypted hdd.
You could use something like HashiCorp Vault, but it isn’t perfect either. If the server were rebooted, it could talk to Vault and request the passphrase (automatically) , but this also means that the FBI could also “plug in” the server (at their leisure) and have it re-request the passphrase. … and if Vault were restarted there’s quite a process to unseal (unlock) a vault - so, it would be as cumbersome as needing to type in the passphrase on reboot.
My point / question is: yes, encryption (conceptually) is easy, but if you look at “the whole life cycle / workflow” - it’s much more complicated and you (as an administrator) might ask yourself “does this complexity improve anything or actually protect my users?”
There are several methods available for encrypting server disks without compromising availability but the best I’ve used is Network Bound Disk Encryption in the form of tang and clevis utilities. The encrypted server consults a tang server (or multiple servers using Shamir’s Secret Sharing) for the decryption key and then boots without user intervention. You can put a range of controls and redundancies around tang servers but the idea is they are only available on the local network.
Before you say there’s no point encrypting a disk and then automatically decrypting it, think about the use case. The encrypted server will auto decrypt if everything is fine, but remain protected if that server is stolen or the decryption servers are shutdown or modified. It provides convenience while maintaining a level of protection. It also ensures disks are preemptively encrypted if they ever need to be returned for a warranty claim, which is a much more likely event.
If you’ve got proper HA, then your secondary could still be up and running just but not receiving connections or running certain services (assuming a standard active/passive). Yes, one could still have a passphrase on encrypted boot and enter that via RA (DRAC,ILO, SSH preboot), or the credentials could be in a TPM etc.
None of those are foolproof, but protecting users’ data isn’t just about FBI raids, and disk encryption in general should still be part of the security toolkit because stuff like lost drives or improper disposal still happens.
Encrypting user data is pretty standard in the industry, and even required by law in the instance of servers hosting medical information in the US. Consumer software for disk encryption like you mentioned is substantially different from usual encryption solutions employed by data centers. Whole disk encryption is commonly done at a firmware or hardware level. For an example, iPhone embedded storage is fully encrypted and tied to the rest of the phone’s hardware. No user input required.
It wouldn’t have mattered if the guy had encryption any way because, as the article mentioned:
To make matters worse, it appears that the admin targeted in the raid was in the middle of maintenance work which left would-be-encrypted material on the server available in unencrypted form at the time of seizure.
Where does HIPA state the medical data must be encrypted on the machine? I am not an expert on HIPA put don’t remember seeing that when looking at it before.
A cloud host can just take a live snapshot which defeats this
Well yeah, with a cloud host your data is on call l somebody else’s hardware. The cloud host themselves do implement some form of encryption closer to said hardware (i.e. for the SAN arrays) so that a lost disk doesn’t mean exposed data.
I actually have a question about this - can’t anyone already see the posts and users’ data? Even a simple user account/script can query most stuff, like posts and comments, and you can indirectly query less easily available things like upvotes by compromising any connected server
One way to look at this is to separate the information available into what’s available locally and what’s available across the Lemmyverse (I am not familiar with others). The information that you mentioned probably are available on all the servers that pull the posts/comments from the community in question.
Info that is local only: IP address, email, password, usage information. Info available to the two participants’ servers: DM
I think the mitigations that the EFF article mention mostly protect the locally available information.
BTW passwords shouldn’t be stored anywhere. Best practice since forever is to only store a cryptographic hash of a user’s password.
Passwords also shouldn’t be re-used, in which case if they are stolen it doesn’t matter as much - since whoever stole your password likely doesn’t need it to access your stuff.
Or simply running their own server.
Yes
Disclaimer: I’ve never run a Mastodon or similar server, so the software may have more privacy built in, but potentially the issue would be account setup information that could be associated with public posts. Email addresses, IP address logs, etc. Those would be critical in matching public “anonymous” speech with real-world identifiable information.
The article also mentions that DM’s were available to the admin.
However it should be assumed that DM’s on lemmy or others are not secure in the first place. If you want secure chat, move to Matrix.
Why should such a thing be assumed???
The site tells you that its not secure when you go to send a message.
Because admin can inherently see it and, as this post proves, sometimes law enforcement can gain access as well.
Click a persons account name… then click “send message”
Read the bright yellow notice at the top of the screen.
Warning: Private messages in Lemmy are not secure. Please create an account on Element.io for secure messaging.
If there’s no way to verify that they aren’t. You should assume that they are. Basic security 101.
deleted by creator
I would love defederated identity management in the Fediverse that came with direct and encrypted DM capabilities too. I don’t use DMs but there’s no need for an admin or anyone else to see what’s in them either.
OpenPGP still exists. I’ve been saying this forever
haha yeah, for 26 years now. year of the OpenPGP any day now.
I agree with you, but the vast majority of people will always sell themselves out for convenience. If PGP caught on, you’d have iPhones with a built-in PGP messaging feature that sends everything unencrypted straight to apple before it sends the encrypted version.
And it’s the year of the Linux desktop 🤦♂️
You aren’t making any relevant point. Just showing how incompetent oss designers and the Linux desktop teams really are.
Stop trying to make PGP happen. It’s not going to happen.
I think this is a good discussion to link this: https://www.eff.org/deeplinks/2022/12/user-generated-content-and-fediverse-legal-primer
I just think the fediverse should start storing hashed and salted passwords instead of plaintext as a start
Now it’s stored without any hashing, really ?
I can only assume as I haven’t checked and I’m not sure anyone else reading this has checked either.
Oh do you’re just making shit up and passing misinformation then… Got it
Kolektiva.social
Kolektiva.social stored only hashed passwords. https://kolektiva.social/@admin/110637031574056150 .
Where is the source…
Imagine making a serious claim like this based off hearsay
Who can say if an instance of lemmy / kabob sells the data or the users …
nearly all your data is public, so there’s no need for anyone to pay for it. this is a public platform where everything is relayed unencrypted to other activitypub nodes. If I click your name here and try to DM you I even see this warning: “Warning: Private messages in Lemmy are not secure. Please create an account on Element.io for secure messaging.”
I mean, given there are companies that scrape user data and sell them to interested parties including governments, it seems highly likely that there will be entities that create instances just to collect people’s data in the fediverse.
Fediverse sounds like a gold mine for big data collectors .
The question is what are they goint to do with this data, training ai?
Maybe thats why Meta wants in
If you live in the modern world, your data has already been sold countless times.
I don’t really see an issue? Assume it’s public and don’t do shady shit. Nobody cares if you look at legal porn.
True, but would you be comfortable with your data being leaked to the internet for everyone to see? If not why make an exception for few agents.
Unless I’m being investigated, I’d rather have legal protection for all my data and should be the only person allowed to access it.
So you’re suing all these companies that share your data with 3rd parties?
deleted by creator
Why do you think all these dipshit red states are trying to make porn sites go ham on the identification and gathering data just to watch porn? Could it be because they have ulterior motives and wanna target gay and other “sinful” people?
this is pretty tangential, but I live in one of those states, I don’t agree with the law, but I’m pretty sure their ulterior motives are securing votes. The reason people like those laws is that they think the laws protect children (they don’t, they make the internet more dangerous.) But those people pushing the laws really don’t give a fuck about gay people watching porn
deleted by creator
While I agree with the overall sentiment towards privacy, I do wonder what is you opinion on how society can go against people who try to groom kids and teens online or who share CSAM online?
deleted by creator
But it is not “maybe”. Many criminals have been caught and were able to be convicted because the proof was on their hard drives. This goes for several crimes that would be a lot harder or impossible to solve or proof otherwise. Cyber bullying, organised drug criminality and human trafficking, non-consensual pornography and CSAM, for example.
You are basically saying to give these criminals a safespace is an acceptable price for not having to fear some hypothetical sudden change in law that maybe could happen and maybe affect you. I was just hoping that at least people who seem to think about privacy laws and know about the technology would be able to think of a solution that helps everyone and not just themselves.
deleted by creator
So you trust Reddit, Facebook and Twitter? That snoo has been gone a long time.
deleted by creator
If a website has a “sign up for google” or facebook comments, you use them.
deleted by creator
This is why I joined a Swiss server
Lemmy.ml is in Swiss?
Switzerland*
And no, I was referring to Mastodon.
If you federate with other instances they have a copy of your public facing account data. That’s how ActivityPub works and it’s very far from ideal.
But if it’s public law enforcement agencies can just browse/scrape the website to collect the data, or am I missing something?
The only actual confidential data stored off instance that I can think of is DMs, if you message someone on another instance (which is why you shouldn’t use DMs for any sensitive communication unless they’re e2ee).
The other major issue is whether they delete your data when you delete it from your home instance, or if you edit your post, whether they update their version in a timely manner. ActivityPub sends edits and deletion signals to federated instances, but if they have since defederated without purging your instance’s data or is keeping backups, then they could well have posts you think you deleted or display a version of your post that’s out of date (you should assume all versions of an edited post are kept, some platforms keep them all by design presumably to try and mitigate edit-trolling).
Things like PMs, your subscription lists,and upvote/downvotes aren’t possible (or are difficult?) to scrape, but are shared across federated instances. Those things were considered private on Reddit, so a lot of folks might assume they are also private on Lemmy.
You sure subscription lists are synced ? I can’t see why they would be.
https://mylemmy.win/post/89871
Any instance admin, proper or rogue, gets a ton of information that users won’t normally see.
LOL no public social media can function without “public facing account data”. I’m not not worried about that. I’m worried about things like IP address, login info, account metadata, etc
because of kolektiva the FBI has my nudes saved on a hardrive somewhere 💀
i suddenly want to join the FBI
If you posted them on the Internet, the NSA already had them.
Because of the nature of the fediverse, this also implicates user messages and posts from other instances.
When they say ‘messages and posts’, the posts are publicly available, by messages do they mean comments?.. or is this saying that private messages between users are also in this data?
I guess I’m still ignorant about parts of how the fediverse works. If I private message someone on our .world instance, that data is stored on Ruud’s server only, correct? But if I private message someone on another instance, that data is stored on both servers?
edit I just read the mastodon post, it says:
- All your posts: public, unlisted, followers-only, and direct (“DMs”)
Shit.
Lemmy DMs are not private and the software even tells you to use matrix.
They’re semi-private, in that users can’t just see other user’s DMs. However instance admin have the capability - the instance admin can see everything in their instance.
Just like on Reddit, Twitter, Facebook, etc. The only difference between them and Lemmy is scale. If a worker at any of those wanted to see your pm, they could and have.
Damn Kollektiva.social got raided?? Do they no longer exist because the feds took all their shit?
Kollektiva.social
It’s https://kolektiva.social (one L in kolectiva) and the site is still up, and their admin gave this comment on the raid.
“The raid was part of an investigation into a local protest.”
There should be a killswitch command completely erasing all data.
There’s maybe some unnecessary data being kept on the instance but I mean, if you’re gonna pull illegal shit this is not the platform for you.
And what if what’s legal now becomes illegal tomorrow? Don’t fall into the “If you have nothing to hide, you have nothing to fear” trap.
If that’s your counter then why are you here? This convo, right here, can be used against you. Why even get on the Internet?
It would be easier to just not store the IP in the logs. Or offer options to store all, none or a portion of it. This could be toggled for debugging or during at attack.
Then they could EASILY charge with obstruction of justice. They are already being corrupt fascists…
