Many of us at The Markup are active Twitter users who are witnessing a platform that has been such an important part of journalism descend into what Elon Musk might call a “ .” rapid unscheduled disassembly The of late sparked a migration of sorts, as some Twitter users have sought out a new home on Mastodon, an ad-free, “decentralized,” open social platform that launched in 2016. chaos We wanted to share what we’ve learned about the privacy, security, and culture of this platform as we parse these dynamics ourselves in real time. If you’ve been considering signing up for Mastodon, here are some things we have been thinking about as we take the leap: Privacy The server, or “instance,” you choose affects your privacy and what rules you’re asked to follow When setting up an account, users need to Your instance will be reflected in your username similarly to how an email address reveals its email provider (i.e., yourname@gmail.com or yourname@proton.me). choose an “instance.” Unlike email, on Mastodon you can move to another instance and take your followers with you, but it is possible your username won’t be available. Also, you should engage in some due diligence before picking the instance you will join. One of the most interesting aspects of Mastodon’s distributed design is that anyone with  intermediate technical skills (such as setting up servers or working with command line tools) can launch a server and host their own instance of Mastodon. The server software (which runs each instance) is open source and designed to be self-hosted. Mastodon does not set the community rules or privacy policies for the entire platform, but Mastodon’s parent nonprofit organization does maintain a that have all agreed to a baseline set of policies known as the “ ,” which, in part, requires “active moderation against racism, sexism, homophobia and transphobia.” directory of servers Mastodon Server Covenant Each instance has its own policies to define its community, including the default language, content moderation standards, topics, and general house rules. The administrators of your instance will have a lot of control over your content and your account, so depending upon how you are planning on using Mastodon, this choice matters a lot. Specifics around what types of behavior are considered abusive, how rules are enforced, whether the instances stall new membership, and conflict resolution among individual accounts vary among instances. You can find the contact information for who runs each server and the rules on the server’s “About” page. (Here’s the About page for , the server that is run by the nonprofit organization behind Mastodon.) mastodon.social You can change your follower settings and whether you want a post to be public or private. There is to retroactively make past public posts private, but you can always delete—or auto-delete—any of your past posts. no way Even if your account is currently “locked,” which means you must approve all follow requests, users can still view your public posts. Admins also control which other servers are blocked from interacting with its users, which is intended to prevent harassment or spam. One example of an instance with more detailed policies is (which is currently closed to new users). Friend.camp Its lays out clearly that users are putting their privacy in the hands of the server’s administrator, who promises not to look at users’ private data, noting, “You are just going to have to trust him on this.” privacy policy While not all instances use such clear language, this dynamic is basically the same on all Mastodon instances. You have no guarantee that admins won’t read or adjust any aspect of your account. It’s worth noting here that there is more than one type of “admin” user: one at the server level with the ability to read all of the user data users with administrative privileges, who help the community run smoothly but may not  have the ability to read private user data DMs differ significantly on Mastodon When you are sending a direct message to another user, you need to be careful, as Mastodon differs significantly from other platforms here. “Direct messages” are essentially posts that are only visible to the sender and any designated recipients. Any users you mention will get tagged into the thread and gain access to the contents of that thread going forward. DMs are private posts: Unlike Twitter, there is no separate inbox for direct messages on Mastodon. So even though your direct message will only be visible to the users you specifically mention (using their handle), you will see the message on your timeline. An “@” symbol below the message will designate it as a post between users mentioned, whereas an earth icon indicates a post is in public view. Left: Composing a direct message to a user. Note the “@” symbol indicating it is only visible to the mentioned users. Right: Composing a public post, which displays an earth icon, indicating visibility to all. Source: Newsie.social The privacy on Friend.camp warns its users about sending direct messages to users in other instances: “Any private message you send to someone on another server could be looked at by the admin of a different server.” DM’ing someone on a different server allows other admins to see your DM: policy When you are about to message another user in Mastodon’s web interface, it warns, “Posts on Mastodon are not end-to-end encrypted. Do not share any sensitive information over Mastodon.” Posts—DMs included—are not end-to-end encrypted by default: Gizmodo created a on everything you need to know about sending DMs on Mastodon. thorough guide Apps and Security Mastodon offers two-factor authentication, and you should definitely enable it. On the Mastodon web interface, go to Preferences > Account > Two-factor Auth. You can then scan a QR code using an authentication app, such as Google Authenticator, to complete the setup. In addition to the platform’s own app, there are many different ways to access Mastodon on a phone via apps like Tusky and Metatext. (You can find a list of third-party apps on the Mastodon website: .) https://joinmastodon.org/apps You can think of the apps as different web browsers, in the same way you can view a particular webpage through the Safari, Chrome, or Firefox browser. The third-party apps have their own privacy policies and can/do collect your data for a variety of purposes (including to serve you targeted ads). Read each app’s privacy policy carefully (e.g. ), as the app is a party that can access your data and possibly share or sell it. https://metabolist.org/privacy-policy Accessibility The iOS screen reader, VoiceOver, initially could not be used to compose new posts in Mastodon’s iOS app. On Oct. 30, Mastodon , “We’ll try to do better,” in response to a blind user who raised the issue. tweeted A to the iOS app released on Nov. 20, appears to have fixed the problem with VoiceOver. subsequent update Still, the Mastodon iOS app currently only allows users to listen to alt text through a screen reader and does not the alt text. Using third-party apps such as Metatext and Husky or accessing Mastodon via a web browser are solutions for now. display workaround The Mastodon web interface includes a text box for writing accessible image descriptions. Its latest version alerts you with a nudge that reads, “no description added,” if you haven’t included alt text. The interface also offers an option to extract text from an image using optical character recognition (OCR). The Mastodon iOS app does offer computer-generated image descriptions when alt text is not included, but the results are predictably rudimentary and not a viable replacement for human-written image descriptions. If you access Mastodon via a browser, no computer-generated alt text is included. Etiquette Mastodon, and the “ ” ecosystem of decentralized services that it is part of, have been around for a while now. There’s a large community of users and administrators who have spent years defining the vibe for these social spaces. fediverse Keep that in mind when learning the norms and etiquette on a platform that has some important that set it apart from its advertising-driven counterparts. “anti-viral” features For example, you can enable “slow mode” on the Mastodon web interface, which makes you click a button before more posts show up in your timeline rather than being overwhelmed by the never-ending firehose of tweets that may have kept you glued to your phone far longer than you had intended. Your Mastodon timeline is just a reverse chronological feed of the people you follow, or the posts from people on your instance only (and not across all of Mastodon). There’s no mysterious algorithm optimized for your attention. You should also on the other cultural dos and don’ts on Mastodon, such as the widely used “content warning” field, which allows users to clearly label sensitive, triggering content and offers followers an opportunity to choose whether to see that content. get up to speed How We Chose Our Server So how did The Markup choose which server it should use to join Mastodon, especially as servers for the are gaining traction? Our starting point was simple: Where are other similar newsrooms? journalism community Many have yet to take the leap, but we saw , , and had chosen newsie.social. STAT Chron ProPublica Like many, it outlines standard policies against discrimination and harassment as well as misinformation. First, we checked out the server’s . rules The policy is fairly pared down compared to other social platforms, and that has to do with the fact that Mastodon isn’t monetizing its users’ every move. Information collected is said to be used to keep the server functioning. Second, we headed to the server’s . privacy policy Without end-to-end encryption, it doesn’t make sense to use Mastodon for tips, and we’ll continue to direct people to all the other ways they . Finally, we decided to avoid communicating any sensitive information—like responding to tips—via the platform. can share tips with us We ultimately felt good about the server’s policies and wanted to be in the same place as other newsrooms like ours, so we set up shop there at . newsie.social/@themarkup For now, this account will be an experiment. We can’t say what it will look like in a few months, but we’re excited to try something new alongside our readers. Existing on social media while critiquing it has been part of what we do since day one. Mastodon will be no different. We hope to see you there: . newsie.social/@themarkup By , , , and Jon Keegan Rachel Auslander Dan Phiffer Maria Puertas First published here Photo by on camilo jimenez Unsplash

Every dollar you donate helps support The Markup’s work.

Too Long; Didn't Read

Questions about cloud security? Get answers here.

Mastodon: What You Need to Know About Its Privacy and Security

Too Long; Didn't Read

People Mentioned

The Markup

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

Mastodon: What You Need to Know About Its Privacy and Security

Too Long; Didn't Read

People Mentioned

The Markup

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

RELATED STORIES