Drama on Fediverse
Fediverse
Fediverse is hypertext vector Fidonet decentralized social network. Nodes exchange data using a common protocol ActivityPub, which unites this entire zoo. Nodes can have their own unique software, rules, etc. Anyone can become a member of Fediverse by registering on any of the existing nodes or creating their own. There is the most popular software – Mastodon and the most popular node – https://mastodon.social. Fediverse has become especially popular shelter of cryptoanarchists since Musk's purchase of Twitter. At the time of writing the number of users exceeded 11 million. and continues to grow.
Integration
After RSS and successful integration with Telegram, it seemed logical to develop Awakari in the direction of integrating social networks. Facebook, Instagram and the like obviously have no interest in providing data to anyone. Another thing is Fediverse, where anyone can write their own server simply by implementing the open ActivityPub protocol. Thus, Awakari began to work as a proxy service that, on behalf of its users, automatically finds and follows accounts in Fediverse. As soon as the account confirms the follow request, it independently begins sending out its new activities (posts) to its new subscriber.
In practice, the follow mechanism in the ActivityPub protocol has one nuance. The most popular implementations, such as Mastodon, have the ability to automatically approve all incoming follow requests. On the one hand, this allows you to gain a large number of subscribers and be more popular with the account user. On the other hand, the user may not know that in this way he has already agreed to the processing of his data (posts) by anyone, anywhere.
Alarm Signals
At some point, people began to notice Awakari among their subscribers and began to wonder what kind of animal it was. Sometimes they even went to the main site, found contacts and asked questions. Typically, after an explanation of how it worked, they were satisfied with the answers. At times, representatives of LGBT-specific nodes were concerned about the privacy of their users. They were interested in the potential of using Awakari to target specific people. It is also worth noting here that radical left sentiments are popular in Fediverse, often unacceptable: “climate denial” (literally), “enterprise”, Trump and the like.
From such feedback I also managed to find out that shortly before this there was scandal with some service”Content Nation“. The only author of Content Nation is a certain backend programmer Sascha Nitsch (!). The service itself did not do anything particularly criminal, but suddenly not to the taste of Fediverse users. After which some users decided, for fun, to feed Content Nation with illegal content and complain about the same service. The consequences of such jokes threatened the author with 1 year in prison in Germany.
Awakari differs from Content Nation in that it does not display content from third-party sources on its domain. That is, feeding him obscenities is not so easy. Additionally, Awakari is not a “scraper” but instead uses the common and polite follow mechanism to retrieve content. Therefore, up to a certain point, it seemed that everything was not going so badly.
Wrong door
Later, I once again received feedback that it would be nice to make Awakari clearly notify the Fediverse user that he is subscribed to it. Since many services have automatic approval of follow requests, this seemed quite logical. The effect was the opposite – Awakari began to attract the attention of users who, without understanding what was what, began to complain quite actively. In some cases, the GDPR and wishes to consult with lawyers “yesterday” began to be mentioned:
Having understood the issue a little, I can say that the appeal to the GDPR was inappropriate, since when registering on Mastodon nodes (and other types of services), the user automatically agrees that the node will work as Public Morozov and send activities to all subscribers, who, in turn, can do whatever they want with it.
…Your posts are delivered to your followers, in some cases it means they are delivered to different servers and copies are stored there. When you delete posts, this is likewise delivered to your followers. The action of reblogging or favoriting another post is always public…
… We make a good faith effort to limit the access to those posts only to authorized persons, but other servers may fail to do so. Therefore it's important to review servers your followers belong to. You may toggle an option to approve and reject new followers manually in the settings. Please keep in mind that the operators of the server and any receiving server may view such messagesand that recipients may screenshot, copy or otherwise re-share them. Do not share any sensitive information over Mastodon…
Strictly speaking, otherwise Fediverse simply cannot and will not work. You can make sure that the nodes work this way and not otherwise by looking, for example, at the live stream in Mastodon:
However, ordinary users were not convinced by this and there was some surge in negative reactions. Awakari's integration with Fediverse was even paused for several hours until a solution was developed.
What also added fuel to the fire was that in addition to general-purpose ActivityPub integration, Awakari also has Mastodon-specific integration, which listens to this same Live Feed for public posts (additional incoming traffic). This resulted in some users who did not have Awakari among their followers to have their posts appear in the Awakari results. This, again, does not violate anything if the post is clearly marked as “indexable” and Google processes them quite well, but what is allowed to Jupiter is not allowed to the bull…
A little later there was also a small surge of support, with people from different nodes also speaking out in defense of Avakari. Particularly interesting is the opinion of one user from the Japanese misskey node:
Postmortem
Damage
Minor. Blocking on some small nodes. Simple within hours integration with Fediverse. No decrease in incoming traffic from Fediverse was noticed.
Risk
Average. The likelihood of a worse outcome is small, but the consequences can be significant. High degree of uncertainty.
Cause
Attracting the attention of the general public without well-developed mechanisms for refusing data processing in Awakari (opt-out).
Measures
Don't spam users with follow notifications. All necessary information should be included in the service description, accessible to Fediverse users for reading.
Make Awakari more socially friendly, looking more like a social network than a search engine, so as not to intimidate users from the Fediverse.
Mastodon: Only process accounts and posts explicitly marked as “discoverable” and “indexable”. Request follow only if the account is manually verified.
Accounts with the tag “#nobot” in the description should not be processed in any way at all.
Posts with the tag “#nobot” should not be processed.
As a result of the measures developed, a document appeared for source owners who do not want Awakari to use them: https://github.com/awakari/.github/blob/master/OPT-OUT.md. The solution is not yet ideal, but something is better than nothing.
PS
History repeated itself with the startup “Maven”who took everythingwhat was bad, including messages that were considered “private” by Fediverse users. Despite the fact that, unlike me, there is a whole team working there, sponsored by Twitter and OpenAI (no, no, I’m not jealous), this in no way saved them from stepping on the same rake 2 days later.
