Originally published July 10, last updated July 12. See the update log below for details.
Join the discussions on infosec.exchange and Hacker News. If you're looking for more detailed analysis, check out the draft of Threat modeling Meta, the fediverse, and privacy
"Today, Meta is launching its new microblogging platform called Threads. What is noteworthy about this launch is that Threads intends to become part of the decentralized social web by using the same standard protocol as Mastodon, ActivityPub."
– What to know about Threads, Mastodon BDFL (Benevolent Dictator for Life) Eugen Rochko
Sexworkers aren't the only people who need to worry about their personal information getting exposed on Threads. People with harassers or stalkers they're trying to avoid, trans people at risk of being targeted by groups like Libs of Tik Tok, anybody with aspects of their life they'd rather not share with relatives and colleagues who are also on Instagram ... the list goes on.
And if Facebook's parent company Meta does indeed follow through on its plans to join the "fediverse", it's not only people who have joined Threads who have to worry. Mastodon (and most other fediverse software) wasn't designed with privacy and user safety in mind, so at least with today's software, there are a lot of ways that people's data can get to Meta without their knowledge and consent. Of course, Meta's not the only threat out there, but as I discuss in Threat modeling Meta, the fediverse, and privacy, Meta-related threats give a window onto broader threats.
The great thing about the fediverse is that people on different instances (servers) can communicate with each other, no matter what software they're using. So if and when Threads implements ActivityPub, people on other instances and on Threads will (at least to some extent) be able to follow and send messages to each other.1 But what about people who don't want their data to get to Meta or people on Threads?
Rochko's post is glibly reassuring on this front, suggesting that the only data Meta can get is "your public profile and public posts, which are publicly accessible." But this ignores other privacy risks. Here's a specific example.
Threads has rolled out the welcome mat to Nazi supporters, anti-LGBTQ extremists, and white supremacists, including groups like Libs of TikTok that harass trans people. If you're not familiar with Libs of TikTok, How Libs of TikTok Became an Anti-LGBTQ+ Hate Machine, Teacher targeted by Libs of TikTok sent death threats and lost his job, and Twitter account Libs of TikTok blamed for harassment of children’s hospitals are good introductions.
So unsurprisingly many trans people in the fediverse don't want any of their information shared with Threads. Even having your account name and instance name mentioned by a trans- or trans-friendly person on Threads could bring unwelcome attention from anti-trans people.
Suppose I'm a trans person concerned enough about this possibility that I've blocked Threads. This prevents people on Threads from directly seeing my posts ... but that doesn't prevent indirect paths. Here are two ways that my data could still get there.2
- Even if I only make followers-only posts, which aren't public and can't be boosted, if somebody who's following me replies, any of their followers on Threads will see my account name and instance.
- If somebody on another instance who follows me boosts one of my public or unlisted posts, people on Threads who are following them may be able to see everything I've said in the post, and any images I've attached – and further boost it. Even though my post was public before, it wasn't easy to find unless somebody already knew about my account. Once it's boosted to Threads, it's got a lot more visibility.
With today's software, the only obvious way to protect against #1 is not to have any followers on instances that federate with Meta.3 That could mean a "partition" of the fediverse – where instances that block Meta also block any instances that don't block – is the only way to mitigate the risk with today's software. #2 can be mitigated by instance admins turning on a setting called Authorized Fetch, although alas today most large Mastodon instances haven't done that and it's not the default for new instances.4
Of course, software's a moving target, so Authorized Fetch could become the default, and changes could be made to protect against #1 it might be in the future. Threat modeling Meta, the fediverse, and privacy goes detail on this and other issues, including highlighting software improvements needed to address other risks.
Unless and until that happens, though, Threads' arrival in the fediverse poses risks that can't be addressed by blocking.
And it's not only Rochko who's glossing over these kinds of privacy concerns. As Should the Fediverse welcome its new surveillance-capitalism overlords? Opinions differ! discusses, there's quite a debate about how to react to Meta's potential arrival, during which I've repeatedly heard guys confidently but very incorrectly say "anybody who's concerned can just block Meta, there's nothing to worry about." As this simple example shows, they're wrong.
So the next time you somebody say that, tell them that's not the case and give them the link to this post. And if you're one of the guys who's confidently been saying that ... you're wrong, so please stop.
1 We'll see how broad this interoperability actually proves to be in practice. It's not clear whether Meta will allow this communication for people on any instance, or limit it to instances that go through some approval process; and if approval is required, it's not clear what the criteria will be. Also, it's been reported that Meta will make instances that want to communicate with it sign some kind of legal agreement, which makes sense, but once again it's not clear what the agreement will be.
2 Based on Mastodon Migration's post, which in turn is based on input from Calckey maintainer Kainoa and infosec.exchange admin and security expert Jerry Bell. The "Leakage caused by Mastodon’s followers-only scope" and "Unauthenticated object fetching" sections of Ariadne Conill's 2019 post ActivityPub: the present state, or why saving the ‘worse is better’ virus is both possible and important discuss the underlying ActivityPub design issues leading to these holes.
3 In fact, replies-to-replies means even having followers on who have followers are on instances that federate with Meta.
4 By contrast, other fediverse software like Calckey turns Authorized Fetch on by default, and some smaller Mastodon instances whose admins prioritize user safety have turned it on.
July 12: added more info about Libs of TikTok and Threads rolling out the welcome mat to white supremacists and anti-LGBTQ+ groups – and included the link to the Hacker News post, where somebody said "Libs of Tik Tok just reposts stuff on twitter. Acting like they're a terrorist organization is ridiculous."
Mistress Matisse @mistressmatisse: If you’re a sexworker, think VERY carefully about joining Threads, because here’s what Mark Zuckerberg did to me: I had a FB account as Mistress Matisse, but FB scraped my legal name from somewhere else and then changed my displayed NAME on my account without notice/consent. Yep.
Screenshot used with permission from Mistress Matisse. And apologies for doing the image description this way, but the software I'm using limits image descriptions of featured images to 125 characters – which isn't enough!