Hmm, read this article about Mastodon security/privacy and direct messages don’t seem that secure. Direct Messages (DMs) on Mastodon are stored in clear text on the Mastodon server. They’re not encrypted. That means that they could be read by whoever is administering your Mastodon serv... greghendrix.micro.blog

@greghendrix On the other hand, that's true for most communication we do over the internet: Twitter, e-mail, Discord, Slack, and so on. Server owners and administrators can always read your data. The only exception is end-to-end encrypted services, like Signal.

@greghendrix Agree with @sod’s point that it’s near impossible to avoid unencrypted communication without a specific app to do so. And in the case of email, unless all parties are using Proton/Tutanota it’s never fully encrypted either. It’s one of the reasons I would never use it for that purpose.

@greghendrix I think Mastodon makes it clear when you’re DM-ing someone

@greghendrix These are a good couple of questions. 😊 I'll try my best to answer them.

1. Yes, absolutely. Governments, for example. Last year, 23.9 thousand information requests affecting 54.9 thousand accounts were submitted, and Twitter handed out the information in ~38 % of the cases. They receive information requests from non-government folks as well. For example, during divorce proceedings, one party might be interested in what the other has been up to online.

Anyone who decides to compromise Twitter – as a whole or targeting individual accounts – may also be able to read DM's. Data breaches and leaks happen all the time. Depending on the vulnerability exploited, DM's won't be accessed in all cases. One from the top of my head that did involve DM's was the incident back in 2020. And the other incident in 2020. This year, the data leak affecting 5.4 million Twitter accounts involved personal data about anonymous accounts but no DM's.

Also worth noting is that "people that work at Twitter" is not static. You might decide that "hey, the current owner and the thousand of employees are 100 % good people and would never spy on behalf of a foreign country." Okay, that's fine. But what about the next owner and the employees of tomorrow? 😊

2. That's not a totally unrealistic scenario you're describing. Yes, the people owning your data can read it and decide what to do with it. For example, monetizing it, as Google famously did with Gmail until late 2017. (They read Gmail users' emails and displayed personalized ads based on the content.)

[B]ut is that different since Twitter is a company and the person running the game dev Mastadon server is just a person?

I don't know. I guess Twitter would have more money and resources to defend itself in court should it break any laws. 😊

When it comes to conversations online that are not end-to-end encrypted, I think about them as a chat with a friend in a public space, like a cafe or a park. You have reasonable privacy, but there's always a risk of someone overhearing your conversation.

@sod Thanks for the detailed response, it's very interesting. I'll read through the links you posted. People were talking about Mastodon at work and were put off by the server owner being able to read your messasges, but it seems like we already don't have privacy no matter what we do when using online services 😄

@greghendrix I wouldn't go as far as saying no matter what we do, but yes: privacy online is hard to get right. 😓 You are out of luck if the service provider has the keys to encrypt and decrypt your data.

To keep something secret from third parties, you and the person you're communicating with must be the keys' sole owners. That's end-to-end encryption. Element, Session, and Signal are three alternatives for sending messages end-to-end encrypted.