If you're using Mastodon, you can put your new posts under maximum privacy by doing both of these:

1. Log in through your server's website, go to Edit Profile > Require follow requests, save changes. This means only people you approve can follow you.

2. Set your posts' privacy to "Followers only" when you post them (the setting with the lock 🔒 logo). You can make "followers only" default by going to Preferences > Other > Posting Privacy > Followers only.

However, only do this if you are okay with greatly restricting your audience by default. These settings will completely prevent non-followers seeing your new posts (unless you manually select a more public privacy setting when you write them).

Non-followers will not be able to search for followers-only posts, or see them in shares.

Also, bear in mind this privacy setting only applies to your new posts. If you've already posted something as public, that old post will remain public.

A couple of follow-on things to add to this:

- Mastodon does not (yet) have end-to-end encryption, so please don't post any sensitive information on here. Use an e2ee messenger app (such as XMPP with OMEMO switched on) for anything like that. The privacy settings on Mastodon are about adjusting your audience rather than guaranteeing absolute privacy.

- If you set your default privacy to followers only, this will also affect your boosts, and override their visibility settings. So, if you have followers-only as default privacy and boost a public post, the only people who see your boost are your followers. (This is apparently undocumented, thank you to @mastohost for spotting this!)

@feditips Caveat: what's not at all obvious is that the default post privacy setting also applies to boosts (and cannot be overridden like post privacy). If you set your default post privacy to followers-only, only followers will be able to see your boosts, regardless of the privacy setting of the post you boosted.


Oooh, interesting, I did not realise that. Thank you for that, great tip! 👍

@feditips I found out the hard way (it's not documented anywhere AFAIK) with some help from

@feditips Also, use a server that has AUTHORIZED_FETCH or “secure mode” on. This increases the safety of the instance, meaning that no posts you make can federate to a blocked instance under any circumstance. Usually, a user from an instance that federates with both you and an instance you block can reply to your post and federate it to the blocked instance, but not with secure mode. #FediTips #MastoTips

@feditips What's the point? This is not designed for private messages.
IMHO simply treat everything you are writing as public, because that's what it is.

@murks @feditips another caveat: if you have a set X of followers and your interlocutor has a set Y (and X <> Y), then your followers see only part of the topic (also the interlocutor's followers) and not the whole topic (outside of people who follow you and your interlocutor). With more people in the discussion, the problem is that the topic is more and more fragmented from the point of view of your followers :D

@seachdamh @feditips I can see how this can get complicated quickly.
Also very funny is this "allow/reject follow" theater, as it prevents very little. Anyone can still read all public posts, so this is only a minor inconvenience.

@feditips And all the while remember that nothing is private on the fediverse. If you want to say something privately, do NOT say it on the fediverse. Imagine that the Pub in ActivityPub stands for Public.

If you want privacy, make sure you use an end-to-end encrypted system.

This post brought to you by the desire to make sure that vulnerable groups do not end up in jail or worse because they thought they were being “private”.

@aral @feditips Mastodon merged an end-to-end encryption API back in 2020, although it unfortunately doesn't seem to be used anywhere yet.

- For older posts could re-draft and post with new settings for older posts...

- I wonder if importing profile would respect a new profile with new settings after import...
Anyway probably good practice to go over all stuff at some time and delete lots of stuff and realise 'the point of what one is doing here' !

and murks @murks -> it's not really all or nothing or just public totally (although yes do assume so), it's more keeping a little bit of boundary which Mastodon does have design for... like not seeing ALL followers publicly in list >_< ...which I think I recommend as default while still keeping functionality in many good ways.

- It's good people can use Mastodon more openly but for dedicated focus and more quality follows (I think people quickly get lost in following everyone / too many good people) it still allows anyone to message you which is perhaps main part.

@freeschool @feditips Regarding following too many people, that is easy to prevent. Just look at their posts, see whether what they write is what you like to read. Consequently, if someone you follow writes too much stuff you don't care about, then unfollow, it's that easy.

@murks @feditips
- What if you like all of them / there are many / they are all mostly good?
- It's my guess it's far easier to follow than keep track and unfollow... but yes it's possible and good practice according to your own known abilities and limits (maybe you can do it but others are not as good to unfollow for example, or at least for me might be the case).
So only easy for some.

@freeschool @murks

Another option, is if you enjoy someone's posts but they boost too much stuff, you can mute just their boosts:

@feditips @murks
That's pretty good... does that apply in their profile when you look - guess not.
Often I wondered to just see their posts and not boosts...

@freeschool @murks

It applies to your main timeline, but not to their profile.

@feditips @mastohost For maximum #privacy, consider using a centralized messenger aimed at reducing #metadata, such as #Signal or @threemaapp. While federated services like #Matrix or #XMPP are great for independence from big tech, they're not a good choice if you're trying to hide with whom, when, how often etc. you're chatting.

@datenschutzratgeber @mastohost @threemaapp

Centralisation brings risks of being bought out by bad actors. WhatsApp was sold to Facebook by the same billionaire who now owns and runs Signal.

It's difficult to escape centralised services if this happens.

There's no perfect solution, but I wouldn't recommend going on centralised services because there's no easy way off them if they start eroding their privacy (which is something that has happened before).

@feditips @mastohost The only messenger that is end-to-end encrypted, has no central server AND protects metadata is Briar. Though, Briar isn't very beginner-friendly, since, as a peer-to-peer messenger, it requires both chat contacts to be online at the same time for a message to be delivered.

@datenschutzratgeber @feditips @mastohost @stereo I hear a lot of times Matrix's downside is: it produces lots of metadata. Yes - it might be true. BUT: To me it heavily counts, WHO has access to this metadata.
It's only the operators of the homeservers, participating in a room. Right?
Well - I can control, who's that, by being my own operator. And I can create rooms, not anybody from any other server can participate.
Metadata CAN be a mess. To me, it mostly isn't.

@datenschutzratgeber @feditips @mastohost @stereo to complete the thread of hints:
Use different Matrix-IDs and maybe even servers for different purposes. Same as you do with E-Mail. Use at least one "real private" account and one, to participate in public / larger rooms.

@datenschutzratgeber @feditips @mastohost
The only messaging system that is end-to-end encrypted, has no central server, AND protects metadata is Briar. However, Briar isn't very beginner-friendly, since, as a peer-to-peer messenger, it requires both chat contacts to be online at the same time for a message to be delivered.

>The only messenger that is end-to-end encrypted, has no central server AND protects metadata is Briar.

Clearly you have not checked out @session

@BobIsMyManager and many more won't if they read. even trying to say but this is a better and useful blockchain this time there just isn't really a good spin to node currency rewards.

@controlfreak I get that, but I don't think that really compromises the security/privacy/anonymity of the messenger

The purple circle should really be the one for E2EE, as you can't really call yourself a private messenger unless you have it.
@feditips @mastohost

@BobIsMyManager @feditips @mastohost Good point. (In this case, by “privacy-friendly” I just meant that the respective app doesn't intentionally spy on or track its users.)

@kas @mastohost @feditips I haven't heard about it yet, but it definitely sounds interesting, especially this statement: “The same communicating party that is the sender in one queue, can be the recipient in another – without exposing this fact to the server.”

Though, I haven't fully understood yet how it works in detail. (Unfortunately, too many FOSS projects are not that good at explaining how they work. 😬)

@datenschutzratgeber I know many people reluctant to give up WhatsApp. Is it not e2ee, or is it just fundamentally untrustworthy because of Facebook?

@k Both WhatsApp themselves and Signal claim that WhatsApp is end-to-end encrypted. We cannot be sure whether that is true, because WA's source code is not publicly available.

Even if WA was actually encrypted, the users' (unprotected) metadata are much more valuable (for Meta or the NSA), as Edward Snowden explained in “Permanent Record”.

@k A message might not reveal much more than the fact you're wishing someone all the best, but metadata reveals, for example, how close your relationship with the recipient is.

@k also don't forget that WhatsApp is linking, scanning and selling your address book, and assumes you and all your contacts comply with that. This in combination with all the metadata from when, who and where something was sent is already huge (don't forget Status Messages, Attachments or Links/Link Previews etc that might not even be encrypted at all).

@datenschutzratgeber @feditips @mastohost another messenger I really like is anonymous messenger which works in a similar way to briar but much simpler. It is p2p and uses .onion addresses as user ids...really cool!!

All data stays on your device which has an encrypted vault:)

#fdroid #anonymousmessenger #briar #privacy

@datenschutzratgeber @feditips @mastohost Can WhatsApp be called E2EE when it can add a hidden recipient at any time?
At least with Matrix you can always choose a client+server combo that you trust. If either option is forced onto you, I don't think you can make any long term guarantees about privacy or security.

@csepp @feditips @mastohost Since WhatsApp is not open source we don't know whether it's end-to-end encrypted. (I should probably have changed the right circle's outline colour.)

@datenschutzratgeber @feditips @mastohost

Briar fails the "open industrial standard" so a silver #4opens project. Is there a path to fix this issue?

@datenschutzratgeber @feditips @mastohost BTW: that Venn diagram is wrong. Both Matrix and XMPP use central servers. Yes, they have multiple as they are federated, but each user has their home server which is the linchpin of both their access to the network as to their privacy.

@attilakinali @datenschutzratgeber @mastohost

I think by "central server" they mean a single instance network like Signal or WhatsApp.

@feditips @datenschutzratgeber @mastohost I think you mean "no single entity controlling everything". But that's a very weird way to put it.

Just to make it clear what I'm getting at: A lot of people equate federated with decentralized. It is not. Federated is still centralized. It just has multiple centers. It still has entities in control of what you can and what you cannot do. Or just plain sell your data. Unless you run your own instance you don't know what's going on.

@attilakinali @datenschutzratgeber @mastohost

"It still has entities in control of what you can and what you cannot do. "

That's not true, anyone can set up their own instance on a decentralised network.

For example, I have an instance at with one member (me).

@attilakinali @datenschutzratgeber @mastohost

The currently used terms are:

Centralised - single instance

Decentralised - unlimited instances

Distributed - no instances (peer-to-peer)

I don't think it matters that much what we call them, as long as we can agree on common terms to use.

@feditips @datenschutzratgeber @mastohost You have a weird understanding of these words.

Centralised = One single entity is in control

Decentralised = No single entity is in control and multiple entities have equal power with no difference between them, allowing easy movement.

Federated = Multiple entities have their small little fiefdoms. While it is possible to move between them, it comes at a cost

Distributed = there are no entities in control at all and everyone is equal.
