Seeing a Mastodon admin first hear the word "subpoena" is like watching an infant totter toward a porcupine.
Mastodon didn't answer CyberScoop's questions about this, which is a red flag, because they've been around long enough and have the resources to formulate a response. This is also a red flag: "CyberScoop spoke with several Mastodon instance administrators whose member numbers ranged from the dozens to the tens of thousands about how they would handle a law enforcement request. Most ran their instance as a hobby and none had a legal background." [...]
Bell would "seek assistance from a lawyer" [...] Let's be absolutely clear that Bell has never dealt with this before and is not prepared at all, and is clearly thinking he'll be dealing with US requests. [...]
Dr. Mark doesn't understand what social media law enforcement requests even are (let alone what they might include). [...] he only seems to think he'll get content requests for posts. Law enforcement requests can also include non-content, such as IP addresses, connection history, communications, and more. Just look at Microsoft's recent law enforcement requests report to see why the Mastodon issue is making me scream into a pillow.

yeah my instance is just me so I'm...less...concerned. But I have a list of things to do before I'd ever open it up to anybody else joining.
That reminds me of a tweet I saw by @rahaeli a month ago: Mastodon servers should register contact info for DMCA (if in the US) and GDPR. (Cc @jerry)
https://copyright.gov/dmca-directory/
FYI
tbh law enforcement requests as a hobbyist host are fairly simple; you comply, because you have no resources to say no. You could ask a lawyer what your options are, and for a fee they'll tell you that you have to comply or leave the country 🤷
Best you can do is not have things they want to have, so don't log too much, try and use end to end encryption, store user data encrypted with the user password if possible, etc. And tell your users to behave, lol
When it's "the law" it's easy. But when it's the Swiss "law"? or the Russian? Or it is a pretend law? Or etc? I find it interesting to think about that:) But I had half a brain, I have a good excuse.
And I don't want you and your server getting into trouble.
oh that's easy, foreign entities will be forwarded to the local police, I only accept authoritative requests :) if they disagree with that they're free to try to firewall me out of their country
A good plan is to just not collect logs in any way. Can't be forced to produce information you don't have.
https://twitter.com/rahaeli/status/1593819064161665024?s=20&t=0wxbVX1LyDSYm_gEgcSaPQ
"Bell .. is clearly thinking he'll be dealing with US requests."
If Bell is in the US, I can't imagine why Bell wouldn't just tell non-US requests to F right off.
Because his server is hosted in Germany, which I am told is a completely other country with different laws and stuff.
Given my experiences of some rando handling just the "admin some software" side of Mastodon well before the current Twitter dumpster fire, this seems about what I'd expect.
To be clear: I'm not talking about moderation, I'm talking about backups, data loss, and recovering cleanly.
This is fine.
Everything will just move out of the United States and that'll make them immune to US law.
I mean, Sealand's still got that server room, right?
I mean, I think it's safe to assume that anything not on local storage can be viewed by law enforcement (and numerous third parties) at any time. If anything, Mastodon might be marginally safer, in that hosts are not actively monetizing data to anyone with two dimes to rub together, nor are they building special "Click here to pinky-promise it's a real emergency, and we'll waive the 4th Amendment" portals for cops. It's almost a "security by obscurity" in that cops would have to actually go to the trouble of talking to someone and securing their cooperation and/or a search warrant manually before they can read your PMs. Which isn't much, but still more than the competition. Seems kind of unfair to single them out for that.
true
This makes me think of email servers. I haven't run my own email server in years but I never got a subpoena when I did. Do small email operators get a lot of legal requests now?
Email is less likely to attract that kind of attention: it's (mostly) person-to-person rather than public-broadcast and the assumption (valid or not) tends to be that the server operator is just providing transit rather than long-term storage.
But if someone you're providing service to attracts the attention of the feds or, say, the Church of Scientology, you can absolutely expect to be talking to lawyers, yes.
There is an awesome resource on the legal issues that a Mastodon instance might face here: https://twitter.com/rahaeli/status/1593819064161665024 and here: https://denise.dreamwidth.org/91757.html written by a pro who's had to face them. These people don't know what they're getting into.
...jinx? :) Seriously, within under ten seconds.
One of the people who run Dreamwidth (remember them? yes, they're still somehow alive) wrote a very long guide to the potential issues of running a Mastodon server: it's extensive and clearly from bitter experience. It absolutely decided me that I would not be offering even friends and family accounts on my own self-hosted instance and I'm still mulling over whether even a single-user owner-operated instance is in any way a defensible risk.
I'm not reading all this stuff, how is running a small Mastodon instance different from running an old fashioned BBS, a web forum, etc.? Or even this very blog, which accepts comments (okay, blog comments don't have a DM equivalent)? Sites that don't accept any user content can still end up with an attorney or Johnny Law knocking on their door. These are not reasons not to do it. Not knowing how to be a good technical steward of a service to others, or not wanting to put in the effort to do a good job, those are good reasons not to do it.
I'm not reading all this stuff
Okay then, enjoy?
"TL;DR: Ignorance is bliss."
He did say "Ladies and gentlemen, make some noise for the richest man in the world." But what did he expect with a statement like that? All praise the money!
He's also reportedly no longer the richest man in the world.
Mastodon admins should all join the Republican party. Then they can refuse to comply with subpoenas without consequences.
Eric Holder was probably the best example of refusing to comply without consequences, and he was firmly on the other side of the aisle.
How is this different from jwz.org/blog ? Anyone with a blog that accepts comments could get law enforcement requests, demands, or subpoenas. The path of least resistance will be that people who get such demands will just hand it over, so no one should assume that their Mastodon instance will protect any confidential information and Mastodon DMs should be avoided.
Yes, of course! All things that share any superficial features are exactly the same, and people should simply not say, do or be things that might get them into trouble. You are very smart.
But not as smart as you, evidently. This is the kind of reply I used to get on Twitter; Mastodon is a more pleasant place. Anyway, thanks for the mixtapes.
The EFF offer to help: https://www.eff.org/deeplinks/2022/12/user-generated-content-and-fediverse-legal-primer