greghendrix
greghendrix
Hmm, read this article about Mastodon security/privacy and direct messages don’t seem that secure. Direct Messages (DMs) on Mastodon are stored in clear text on the Mastodon server. They’re not encrypted. That means that they could be read by whoever is administering your Mastodon serv... greghendrix.micro.blog
|
Embed
sod
sod

@greghendrix On the other hand, that's true for most communication we do over the internet: Twitter, e-mail, Discord, Slack, and so on. Server owners and administrators can always read your data. The only exception is end-to-end encrypted services, like Signal.

|
Embed
pimoore
pimoore

@greghendrix Agree with @sod’s point that it’s near impossible to avoid unencrypted communication without a specific app to do so. And in the case of email, unless all parties are using Proton/Tutanota it’s never fully encrypted either. It’s one of the reasons I would never use it for that purpose.

|
Embed
pratik
pratik

@greghendrix I think Mastodon makes it clear when you’re DM-ing someone

|
Embed
In reply to
greghendrix
greghendrix

@sod @pimoore @pratik Thanks for clarifying. I don't know much about the topic and had a couple of questions.

1) On Twitter, can other people besides people that work at Twitter potentially read your DMs? 2) If for example, someone started a game dev Mastodon server and then Facebook and Twitter imploded on the same day and the game dev community flocked to Mastodon and their server had most of the game industry using it. Wouldn't that open up possibilities for abuse with them being able to read everyone's DMs? They could sell people's conversations to companies that want to spy on their employees. On the other hand so could Twitter, but is that different since Twitter is a company and the person running the game dev Mastadon server is just a person?

|
Embed
sod
sod

@greghendrix These are a good couple of questions. 😊 I'll try my best to answer them.

1. Yes, absolutely. Governments, for example. Last year, 23.9 thousand information requests affecting 54.9 thousand accounts were submitted, and Twitter handed out the information in ~38 % of the cases. They receive information requests from non-government folks as well. For example, during divorce proceedings, one party might be interested in what the other has been up to online.

Anyone who decides to compromise Twitter – as a whole or targeting individual accounts – may also be able to read DM's. Data breaches and leaks happen all the time. Depending on the vulnerability exploited, DM's won't be accessed in all cases. One from the top of my head that did involve DM's was the incident back in 2020. And the other incident in 2020. This year, the data leak affecting 5.4 million Twitter accounts involved personal data about anonymous accounts but no DM's.

Also worth noting is that "people that work at Twitter" is not static. You might decide that "hey, the current owner and the thousand of employees are 100 % good people and would never spy on behalf of a foreign country." Okay, that's fine. But what about the next owner and the employees of tomorrow? 😊

2. That's not a totally unrealistic scenario you're describing. Yes, the people owning your data can read it and decide what to do with it. For example, monetizing it, as Google famously did with Gmail until late 2017. (They read Gmail users' emails and displayed personalized ads based on the content.)

[B]ut is that different since Twitter is a company and the person running the game dev Mastadon server is just a person?

I don't know. I guess Twitter would have more money and resources to defend itself in court should it break any laws. 😊

When it comes to conversations online that are not end-to-end encrypted, I think about them as a chat with a friend in a public space, like a cafe or a park. You have reasonable privacy, but there's always a risk of someone overhearing your conversation.

|
Embed
greghendrix
greghendrix

@sod Thanks for the detailed response, it's very interesting. I'll read through the links you posted. People were talking about Mastodon at work and were put off by the server owner being able to read your messasges, but it seems like we already don't have privacy no matter what we do when using online services 😄

|
Embed
sod
sod

@greghendrix I wouldn't go as far as saying no matter what we do, but yes: privacy online is hard to get right. 😓 You are out of luck if the service provider has the keys to encrypt and decrypt your data.

To keep something secret from third parties, you and the person you're communicating with must be the keys' sole owners. That's end-to-end encryption. Element, Session, and Signal are three alternatives for sending messages end-to-end encrypted.

|
Embed