The threat model and economics of federated systems devolve to concentrating trust in the hands of a few, while missing out on the scale advantages of purely centralized solutions.
Federation results in the data of users being subject to the whims of the owner of the federated instance.
Administrators can see correspondence and derive social graphs trivially. They are also in a position to selectively censor inter-instance communication.
I am totally happy with picking someone I actually trust to have those powers over me. The thing I don't like is when a random manager I don't know from Adam has those powers over me.
Yeah, delegation is inevitable in social networks because it just cannot scale otherwise. Having some power over that delegation is better than almost none
I've seen this happen in reddit too - subreddits that get taken over by crazy powermods are abandoned in favor of one that is true to the original spirit of that sub. That's not a federated system, but it shows the power of communities that can easily fork
Is that inevitable though? A graph of independent but connected nodes could theoretically scale indefinitely in the case where I hold my data and you hold yours. If I want to add someone to my network, I can either get their direct address or navigate through friends-of-friends (graph traversal). The only necessary delegation would be a mailbox provider, but the contents of any messages could be encrypted.
Not that any of this is easy to engineer, but in my mind it seems viable.
It actually does exist already, in the form of Secure Scuttlebutt (https://en.wikipedia.org/wiki/Secure_Scuttlebutt). Friends connect directly to each other. When you want to get news about someone, you download from them directly, along with news from friends of friends. If both peers aren't connected at the same time it is possible to use pubs, which are kind of hubs accepting all content and distributing to whomever wants it. Pubs have no special functions apart from being a store-and-forward, so you're not associated with a pub in particular (you can be on multiple, or none at all) and no pub is more "important" than others. Nothing is lost when a pub closes.
Cryptography makes sure that only the intended reader can read (unless it's a public message), and that messages can't be forged.
The nice thing is that it's all just a message passing infrastructure, and applications can and have been built on top of it, like a git repository system or a music sharing application. So, yeah, it is feasible.
The amount of data you have to store for even the network's current larval state does not to me suggest that the current version is really practical to scale.
I don't know, people have been on it since the beginning and have only a few Gigs in their db, which is mostly non-text (pics, videos, audio, ...). You'd need to store them in any case. It's true that initial sync is way too slow but they're working on it.
Maybe a place for a hybrid identity solution as well? Where you could be "user@mastodon.social" but also have a more numerical/cryptographic id (like a GUID or Pub/Private key pair).
One to make it easy to find and connect as users, and the second to make it easier to move between instances.
Apologies for the confusion: I mean delegation of power on the "social" front of things; "social networks" shouldn't be interpreted as Facebook or Twitter but as the literal concept of humans forming a social network through any kind of system. And yes, I believe that it is inevitable in that everyone moderating everyone doesn't scale.
Your comment and the replies to it make good points about the technical side of this tricky problem. What I was getting at is the original social needs that drive the demand for these kinds of technical solutions to begin with. Those are very tricky things to figure out, especially since there are both "group needs" and "individual needs" that can be at odds.
If you think about a very popular federated system called email, it's pretty easy to see why the local controlling body is not only fine but in some cases a very desirable property.
And the "scale" argument for email centralization is obvious bunk for all properties of "scale" that aren't "some people can redefine what email is on a whim", but even without centralization google is still pulling that one off.
Matrix and XMPP, for example, provide methods for end-to-end encryption. The operator of the node has no way to see the content of the messages. Deriving the connection graph is not an issue exclusive to federated systems.
But most important, no one is ever bound to any federation system. This by itself should be strong deterrent of bad behavior by bad actors. If I don't trust one server I can always switch. In an extreme case of lack of trust I can set up a server just for myself and the federation devolves into a peer-to-peer system.
Either I am missing the point of the article or the author hasn't thought this through.
Matrix has e2e but it's a pain in the ass to use (every time you log on from a different browser or from a different client you have to import keys and validate clients).
So most hubs I have seen don't force users to use e2e, and at least images are stored in the clear on the matrix server.
XMPP is still somewhat similar. But in any case it is an issue with the existing UX, not inherent to federated systems.
I am not claiming it is easier. I am not even claiming it is easier than in the current centralized solutions.
I am just saying that it is possible and that we don't need to throw the baby out with the bathwater. It is much easier to improve on the existing federated solutions than trying to come up with some idealistic, absolutely-private decentralized technology.
That's true, but cross-signing is right around the corner for Matrix [1], which will enable e2e by default in direct chats [2].
Encryption is useless for most public rooms, and actually counter-productive most of the time. If the room is public, anybody can join it, idle there and save the logs on their computer, or publish them. Activating encryption is just annoying: off the top of my head, you can't read what was posted before you joined (unless someone sends you their keys), search is client-side only, it's hard to link to attachments or reuse mxc: (matrix content such as images) from one channel to another.
The point is not the content but the connection graph as you mentioned
> Deriving the connection graph is not an issue exclusive to federated systems.
No it is not, but with a single large entity there is only a single entity that you have to trust. If Facebook doesn't look at or leak the metadata then you're safe.
In a federated system there are so many people operating the system that it is much more likely that parts of your communication metadata gets exposed.
I was playing devils advocate here. Facebook has shown that they are not very trustworthy. But in theory it is easier to contain the data if it is only held in a single central location vs. distributed over many federated servers.
"Easier to contain" in this case does not mean "more likely to be safe". There is no incentive whatsoever for any large centralized body to not exploit the data.
In any case, centralization is fragile. Even if there were some altruistic entity willing to run these services and not exploit it, it would still be a systemic risk.
I see that the author has a point, there are more people I have to trust with federated protocols.
But what's the state of instant messaging now? I have to trust Whatsapp, Telegram, Signal. That's still three entities that require my trust, and it's very difficult to verify any of their claims.
If I could at least have my federated Whatsapp instance that I use for family and friends, then I would at least know that none of the metadata created in these groups will be available to facebook, and I can find someone I trust in my group of friends, more than I trust Zuckerberg.
I'm not too sure about the scale argument from a technical point of view. But centralized platforms have scale problems too, such as moderation. Facebook and Twitter are basically unable to moderate their platforms. With more instances there would be more people operating those instances and more people moderating as well. I think this is one of the reasons for Twitter's recent activity to develop a decentralized social media protocol.
>If I could at least have my federated Whatsapp instance that I use for family and friends.
You can use p2p solutions for family and friends (Retroshare, Tox etc.). But in reality people prefer the benefits of having BigCorp behind the service, paying for availability and fixing bugs.
With Tox I cannot share an account between multiple devices - or that is I cannot switch seamlessly between PC and phone. That is dumb and I don't want that.
> Otherwise your devices would have to authorize each other, which is even dumber.
Not sure why that is so dumb, presumably if one device gets compromised other linked ones are also compromised but if one device gets compromised now it is still compromised.
Because if one device gets compromised, you want to regain control of your identity and deny access from compromised device. Also you want to prevent the hacker from doing the same. We have not yet invented a way to do it without central authority, which is also acceptable in terms of usability.
So say I use this on my phone, and someone steals my phone, my "identity" is compromised anyway. I have to create a new Identity anyway. User experience of sending everything to someone N times over is not acceptable either. If I want to talk to someone I don't want to have to send a message to each of their devices.
Federation is absolutely necessary to scale a system that needs discoverability and access control for heterogeneous data types from unrelated producers. There is no way to scale it in a centralized manner without having insanely large and complex data governance.
I wish the author had prefaced with the context and scope. It seems like this is really referencing something like a decentralized twitter.
So sure, in the context of the author maybe that's true but it's clearly generalizable about federation.
Once upon a time, there was this thing we call User Agent, and it would serve the interests of the user (you), and you could set your preferences instead of having someone else try to please everyone on the planet.
You might consider EWW, the Emacs Web Wowser. I just tried loading the site (type `M-x eww` in Emacs, then paste the URL) and it worked like a charm. If the lines scroll off screen you can type `M-x to-tr` (which expands to `toggle-truncate-lines`) to make the lines wrap.
I personally didn't have that problem; if it's not a secret, are you visually impaired? I'd also suggest getting "Dark Reader", it allows adjusting a specific site's contrast if need be.
Working on federation now. Depends on what you mean by privacy.
If you have federation for a group in society like doctors, you can push policy down to the applications themselves, who can express and enforce it locally, while trusting identity from the IdP (identity provider). If you want more centralization, you can have the applications consume their policy from a UMA2 (or formerly XACML) policy service, but to me that level of central governance is dumb, imo. Provide tools for the edges instead.
The users themselves don't have anonymity and their movements are all logged, but this is what facilitates the data subjects (patients) privacy in that scenario. So it's a question of, "privacy, for whom?"
On the normal internet, arguably, it's content providers who have all the privacy where viewers/users do not. The criticism in the article is federation doesn't invert this model, but that's not what it's for.
The radio/tv model where users can anonymously receive a broadcast signal is the conceptual model for most privacy thinking. This isn't how the internet works, and the only way this is possible is by adding noise to the channel the way Tor does it with onion routing, or some future way of obfuscating the origin of a request using ephemeral paths and end points.
Barring new cryptological link/network/transport layer protocols, we're basically stuck with the current privacy model of the internet until quantum computing becomes commercial.
Federation works with the current physical network hardware topology. Pure peer-to-peer solutions typically rely on some subset of up/down speed symmetry, physical proximity (to skip backbone routers and switches), or equal distribution of computing/battery power. None of these are equitably friendly with the hardware reality of today.
Yeah. I want to like Secure Scuttlebutt, which I think is the best current example of peer-to-peer social networking. But power usage and mobile data usage are an impediment to using it on mobile, and they don't currently have a viable multi-device story (as in, I want the same identity on my phone and my laptop).
I worry about this too; admins of popular ActivityPub instances have far too much power to silently censor things from tens of thousands of people.
I think federated systems might be the least bad of the available models, though. Technically, we just need to make it easy to switch hosting, like email with your own domain. Swapping out your email host is straightforward.
> admins of popular ActivityPub instances have far too much power to silently censor things from tens of thousands of people.
This is a tired line of argument. Centralized systems are no better. ActivityPub is not FreeNet, and if you want censorship resistance then you're using the wrong network on ActivityPub.
ActivityPub is about being able to build communities that still interact with other communities. And if one community doesn't want porn, hate, gore, and ideology X to be federated with it, and that instance becomes popular, perhaps its popularity is because of the censorship, not in spite of it. So who are we as outsiders to dictate that its members and its admins are ethically wrong for systematically censoring only from their community ideology X when building their specific community? We have as much of a moral right as to demand that church communities discuss the proper usage of BDSM rope knot placements for safety and maximum pleasure. That is: none.
> perhaps its popularity is because of the censorship, not in spite of it.
I'd argue that content curation is usually seen as a plus, and censorship is a form of curation. What's missing in the equation is a distributed/federated reputation system, which I know Matrix gave a lot of thoughts about without finding an answer, and which twitter famously just launched a working group on.
Reputation such as the karma and up/down votes we get here are one of the ways to approach curation (tagging like #twitter does can be part of another approach).
The difference between local and remote in most AP software is minimal. Admins defederating is more a parental powertrip about which domains their users can or can’t read than anything.
If this sort of thing were really valuable and popular, we’d see browser extensions that do it. For the most part, those only block spam and trackers, and don’t break HTTP along ideological grounds.
I think it’s the “free hosting” part that is popular, not so much the “admin powertrip” part.
They also aren’t only censoring from their community. They are censoring their own users’ posts from the entire set of users on the instances they have blacklisted. The censorship cuts both ways.
If anyone with any sizable audience were using AP, they would not tolerate a hosting admin deciding who is allowed to follow them.
Why do you think browser extensions are the non-technical user's preferred option? I'm getting a headache just thinking about how to get a consistent mobile/desktop experience.
> If anyone with any sizable audience were using AP, they would not tolerate a hosting admin deciding who is allowed to follow them.
Well, at that point they can make a single-user instance (toss some euros at masto.host if not technical) and then they can get exactly the moderation experience they want.
What about readers who don't want some stranger deciding what they can or can't read?
Saying "well, you can just pay to run your own" is a silly response. Millions of people won't, and tinpot dictators will decide what does or does not show up in their feeds, simply by domain-association.
1. ActivityPub is not a censorship-resistant network. Criticizing it for not being censorship-resistant is obvious, so what is the motivation for the criticism? Evangelizing FreeNet, pushing for a different federating protocol, or just shitting on AP users? I've mentioned FreeNet (which is almost 20 years old!) as an actual censorship-proof network, but you haven't seemed interested, which is why I'm continuing to question your intentions.
2. How do you treat users who want instance blocks and censorship for their community? Are they just wrong and haven't seen "the light"? Should we begin demanding churches host seminars on the two forms of Satanism, show 2girls1cup in high schools, and go to historically black colleges and shout the N word over and over? Because that's the meatspace equivalent of "no instance blocking" on ActivityPub, and local communities in society have found it healthy to limit content and speech to appropriate places. The indigenous and black ActivityPub instances aren't there to have "race debates" questioning their existence; they want to just talk with other cool people. Blocking helps protect them from groups of assholes who want to exercise their "free speech" by shouting slurs.
The rest of your posts haven't been convincing, either, because it's unclear what you're arguing for, besides just generically criticizing the protocol.
> The difference between local and remote in most AP software is minimal. Admins defederating is more a parental powertrip about which domains their users can or can’t read than anything.
> I think it’s the “free hosting” part that is popular, not so much the “admin powertrip” part.
Strongly disagree. Using highly charged words like "powertrip" makes me think you've had a particular experience color your world view. Most folks I know don't want gablins and freespeechextremist filling up their boosts & timelines, and in 2+ years on Mastodon I can count on one finger the users who later felt like they "missed out" because the instance they originally signed up for blocked another interesting instance -- which was rectified by them simply signing up on another instance and using Mastodon's move feature. That's not a high barrier and doesn't require alarmism.
> If this sort of thing were really valuable and popular, we’d see browser extensions that do it. For the most part, those only block spam and trackers, and don’t break HTTP along ideological grounds.
That ship has long sailed. It's not worth fighting. HTTP(S) is broken today on many different competing ideological grounds, the most obvious of which is The Great Firewall, and the most mundane of which are company ACLs/Firewalls (which usually give an ideological reason why they are banned - like "no games at work").
> They also aren’t only censoring from their community. They are censoring their own users’ posts from the entire set of users on the instances they have blacklisted. The censorship cuts both ways.
Yes, that's the point of doing an instance block. I don't see how this relates to the thesis of your argument (and I've honestly forgotten what you're arguing for).
> What about readers who don't want some stranger deciding what they can or can't read?
This is a ridiculous question, and betrays the amount of thought put into your argument.
Everything you read, except you reading your own original unpublished writings, is somehow manipulated by someone else. Full stop. "Why was it written", "who affected how it got published", "who put it into a book / online", "who affected how I acquired the book / visit the website", "who influenced me to not read a different book", "who edited this book or article".
The answer to this question is equally ridiculous: run your own instance, or get off ActivityPub and go back to the deceptively-open centralized silos where everyone is, go to the ideologically-pure FreeNet where almost no one is, or do <something else>? And don't forget to subscribe to every newspaper and buy every book -- don't let one's own lack of time cause accidental self-censorship.
Being able to migrate away from a service requires a common protocol (as it is the case for email) or it would require a lot of individual migration processes for all the intricacies of the different providers.
ActivityPub is the common protocol. We just need better server software support so that you can migrate your id to a new host without that new host getting confused by the inbound messages from federated instances trying to talk to your old host.
It is not in either of those platforms’ interest to allow others to interoperate with them, or to allow users to leave their apps and use those of others. Instagram goes so far as to ban links in everything except one field on your bio.
They intend to own your connections to your friends and customers, and extract rent over it. It’s a terrible thing.
I think the answer should be closer to P2P. As in something that anyone can spin up like torrents on a seedbox or $2.5 VPS or some old PC in the corner, with no accounts or anything tied to the server.
I disagree with many of the premises laid out here.
> Federation results in the data of users being subject to the whims of the owner of the federated instance
In the largely unfederated world we have right now, that boils down to one single owner per platform. The promise of a federated system is that you can always set up shop on another system of the same platform, without losing access to your relationships. And that other system could in theory even be run by yourself.
> Administrators can see correspondence and derive social graphs trivially. They are also in a position to selectively censor inter-instance communication.
Again, right now we're putting that trust into a single entity for the whole network instead. An entity whose interests we know for sure are not aligned with their users, but with their customers. Giving participants in a network the choice which administrator they want to work with is not strictly worse than that.
> All the privacy issues, none of the scale advantages.
Social networks are not a place for privacy. Not in a federated world, and certainly not in the unfederated model we have right now. Once more the case can be made that the current system is worse, because not only is your communication and metadata not private, but the unfederated systems we have often demand, or at least can correlate from context, your real-world identity. A federated system can at least do away with that issue to some degree.
If you require privacy, and there should absolutely be a place for that in a civilized society, you need to use an end-to-end encryption scheme for point-to-point data exchange. There are fundamentally opposed design goals that apply for such systems.
> Considering that one of the main goals of decentralized systems is privacy preservation, and thus, control distribution, we must develop better models than “the most popular federated instances gain full control over the users interactions”.
Control distribution is absolutely achievable within a federated context, while privacy preservation will always depend on (in this case: unwarranted) trust. Just because you can't reasonably achieve one, it doesn't follow that the other is a fool's errand. I would also argue that the quoted sentence at the end here is a bit of a straw man, because taking away that power from the individual instance is - or at least should be - the actual design goal of a federated system.
Don't get me wrong, a network design should do what it reasonably can to prevent and mitigate abuse, but I believe advertising inflated privacy expectations to end users is fundamentally dishonest. What they get is not privacy. What they get is some degree of control and independence. Which incidentally is one of the reasons why no federated system has really taken off yet in the mainstream: those are not big enough selling points on their own, and they're certainly not enough to motivate people into taking the huge social hit from moving onto an empty new platform. So far, only fringe groups have taken up these decentralized offers - groups who frankly almost nobody wants to have associations with.
> Reliability & Discoverability being the main two.
I agree very much with the problem being discoverability. None of the open networks really tackle that aspect, but it's not a problem coming from the fact that these are federated.
What I'm about to say you may already know, but for the benefit of other readers:
> groups who frankly almost nobody wants to have associations with
I'd caution you about this claim; Gab, Spinster, Glindr, some of the less savory Japanese instances probably fit what you're saying. If you want to be less charitable about most people's broadmindedness, toss in the furries. But from what I've seen, a large chunk of Mastodon users tend to just be LGBTQ. For this group, the control/independence is a lot about knowing what you can expect your moderators to take seriously (both in terms of allowed content and protection against harassment). I'd question the term "fringe" for this group.
There's also been a movement away from Twitter onto Mastodon of Indian users upset by Twitter's acquiescence with Indian government demands. In that case, it's not so much about privacy as making legal demands a game of whack-a-mole.
Otherwise I totally agree with what you're saying.
I think this probably doesn't need to be said but LGBTQ people on Mastodon are not an example of what I meant. To make it extra clear, I also didn't mean to imply that just any group with a strong presence on such networks is automatically "fringe" or worse...
It's just by my (admittedly subjective) impression large-scale, community-wide adoption of decentralized networks has been mostly by radicals or militants, because they have increasingly been banned from mainstream social nets. They had an easier time taking the hit from jumping to a new network, because they had been ostracized.
Valid, valid. I think it's interesting to think about how groups that are in between the "mainstream" and the "fringe"--not banned necessarily, but those with more variant needs from their networks--can serve as an "indicator community" (https://www.britannica.com/science/indicator-species) of social ecosystems' function.
I don't see the problem. Fully decentralized platforms like Bitcoin are too inconvenient to use. Not everyone wants to download the full blockchain and you still have to find someone to exchange your dollars to BTC. So what happens is that most people sign up on an exchange which is effectively a federated system which merely communicates with other exchanges over the common Bitcoin protocol.
Agree. Federation doesn't seem to have been the initial plan of the internet. Some sort of POSSE with a content-agnostic subscribing mechanism would be far better. (And yes, that subscription mechanism could be in a blockchain acting as a discoverability mechanism and a backup.)
NNTP (newsgroups) and SMTP (email) both are federated systems. Long before domain names were convenience identifiers for just websites, you would be part of an organizational domain, be it your company, your university or your local ISP (before the advent of large national consumer providers). Those were much more than just a pipe to the larger internet, they would run applications which you would use, and which federated to other organizations.
I guess there is a difference between "dumb" federation the way NNTP/SMTP do it and e.g. Matrix, where account data and subscriptions are kept on the servers.