Ledger

Everything You Need to Know About Mastodon's New Privacy Settings

In version 1.3 of the Mastodon software, the Mastodon development team made changes to how post privacy settings work—particularly, with respect to the private post setting. In this post, we'll take an in-depth look at Mastodon's privacy features, and answer a few common questions about the change.

Okay, so, give me a recap. How do Mastodon's privacy settings work?

Mastodon has four privacy settings. These are:

public
Your post can be seen or reblogged by anybody, and will display on the public timelines
unlisted
Your post can be seen or reblogged by anybody, but won't display on the public timelines
private
Your post can only be seen by people who follow you (or anyone mentioned in the post), and can't be reblogged
direct
Your post can only be seen by people who are mentioned directly in the post

Something you may not know about Mastodon's privacy settings is that they are recommendations, not demands. This means that it is up to each individual server whether or not it chooses to enforce them. For example, you may mark your post with unlisted, which indicates that servers shouldn't display the post on their global timelines, but servers which don't implement the unlisted privacy setting still can (and do).

Servers don't necessarily disregard Mastodon's privacy settings for malicious reasons. Mastodon's privacy settings aren't a part of the original OStatus protocol, and servers which don't run a recent version of the Mastodon software simply aren't configured to recognize them. This means that unlisted, private, or even direct posts may end up in places you didn't expect on one of these servers—like in the public timeline, or a user's reblogs.

It is important to note that regardless of your post's privacy settings, server administrators can still read every post you send out. You should only ever post personal or confidential information on instances whose administrators you trust.

Wait, so you're telling me that my “private posts” weren't really all that private??

Sort of. Mastodon can't force a server to respect its privacy settings, but it can control which servers have access to its posts. Before the 1.3 update, Mastodon servers avoided the problem of other servers not respecting their privacy settings by simply not sharing their private posts.

An exception to this is that Mastodon servers would always share their posts with any users mentioned in the body of the post. You may have seen this warning pop up when you were about to make a private post mentioning someone else:

Your private status will be delivered to mentioned users on icosahedron.website. Do you trust that server? Post privacy only works on Mastodon instances. If icosahedron.website is not a Mastodon instance, there will be no indiciation that your post is private, and it may be boosted or otherwise made visible to unintended recipients.

This lengthy explanation is Mastodon's complicated way of saying We have no control what happens to this post once it leaves our servers.

So what changed?

Not sharing private posts with other servers worked back when most Mastodon users were all on mastodon.social, but now that there are over 1000 Mastodon instances, most users have friends and followers on a wide variety of servers. Many of these users complained about not being able to see their friends' private posts because they weren't federating.

In an attempt to fix this problem, as of the 1.3 update, Mastodon now will share your private posts with every server that follows you, regardless of whether or not that server supports privacy settings. The name of “private posts” has also changed to “followers-only” in the user interface to indicate that these posts are no longer truly private.

This change has fixed things so that followers on other instances can now see your private posts, but it also creates a problem where, if their server doesn't support Mastodon's privacy settings, that post may not appear to them as “private”. Consequently, your private posts may show up on their public timelines and receive replies and reblogs from complete strangers.

This sounds like a bad idea.

It might be. But the 1.3 update also introduces new features to allow you more control over who follows you and which servers have access to your posts. The new “Authorized Followers” section in your user settings can be used to automatically block users from following you for servers that you're not sure that you can trust. There are a few important things to note about this feature:

  1. This will remove any followers from the instances you select, but it will also make you unfollow everyone on those same instances. This is because this feature actually works by blocking and then unblocking all of the users on the instances you provide.

  2. If your account isn't locked, there is nothing to stop the users removed by this feature from immediately re-following you and regaining access to your posts.

This still sounds like a bad idea.

If you're really not comfortable with this change, you should petition your instance's administrator to hold off on the update until better features are in place. (Of course, this means you will also miss out on the other features which Mastodon 1.3 provides.)

There are a number of proposed changes which would give you more agency over who has access to your posts in the future:

Letting users opt out of the new behavior
It was proposed that users should be allowed to opt in or out of this new behavior through user settings, although at the moment this hasn't been implemented.
User-level instance whitelisting
If Mastodon allowed users to whitelist only select instances (such that users from other instances were blocked), they could limit their followers to only those instances that they knew supported Mastodon's privacy settings without locking their account. However, users from other instances still wouldn't be able to see their posts.
Supporting lists
Instead of making private posts that are sent to all of your followers, Mastodon lists would allow you to send posts only to the subset whose servers you knew would respect your privacy.
Asking instances before sharing private posts

Right now, Mastodon has no way of knowing if an instance supports its privacy settings beforehand or not. If instances communicated this information, then Mastodon could choose to only share private posts with those instances that promised to respect them. (Of course, there would be no way of ensuring that an instance fulfilled this promise, but instances which didn't would quickly find themselves being blocked.)

Communicating to the development staff that these features are important to you is the best way to ensure they are made priorities and quickly implemented. The current project manager for Mastodon is @maloki@mastodon.social, and you can (respectfully!) contact her with any questions you have about these new features.