#mastondon Friends!

  • acffh morst

    @scottjenson I must request encryption, because even though I don't need it right now. ...
    A - you never know when you might need it
    B- if I did, I might feel really uncomfortable telling you the reason, so I'm gonna assume that I'm piping up for some of those folks.

    Scott Jenson
    wrote last edited by
    #120

    @morst No one is saying encryption is off the table. Just that I wanted to start with low hanging fruit (because the improvements are so much easier). Others are working on the encryption (it's a VERY hard problem).

    • Scott Jenson

      #mastondon Friends!

      There is a TON of improvements we could make to Private Mentions (often called DMs on other platforms) e.g.
      * getting them out of the public timeline
      * Having a stronger notification tied to the Private Mention tab
      * (among other things)

      But here is my MAIN question: How critical is it that these messages are encrypted? I'm not against encryption! It's just complex and will take time. If we were to make some UX changes as a first pass WITHOUT encryption would you be OK with that (at least for now)?

      If you MUST have encryption, that's fine, please do me the favor of replying explaining why you need it.

      Aaron
      wrote last edited by
      #121

      @scottjenson
      Seems like another way to ask what you're getting at is "would you consider improvements to private mentions useless without encryption?"

      My answer to that would be no. There are plenty of other options for encrypted messaging.

        Hugo van Kemenade
        wrote last edited by
        #122

        @scottjenson Please make UX improvements first. Adding complex encryption won't make a difference when people accidentally send a public toot thinking it's private.

          Tom :damnified:
          wrote last edited by
          #123

          @scottjenson encryption is not trivial. Focus on the basics and get them nice and convenient. Then try to solve the encryption puzzle 🙂

            utzer
            wrote last edited by
            #124
            @scottjenson encryption not needed, I use a safe messenger if I need that.

              äymm :damnified:
              wrote last edited by
              #125

              @scottjenson I think encrypted messages are important, but I also think that lower-hanging fruit (e.g. improved UX) should be done first

                • Scott Jenson

                @jochenwolters That's a very clear explanation, thank you. I don't think many appreciate just how hard it is to add encryption properly and it's likely going to take a while. As we already have PMs in the product and improving them would be very helpful, it seems like we shouldn't wait.

                Part of why I'm asking is that there are MANY ways to use PMs, many of which do not require encryption at all. Of course it would be very nice to have. But I just want to call out, even with encryption, you likely want to be very careful using Mastodon for organizing as your profile and public posts would likely leak a tremendous amount of personal info.

                Again, this doesn't mean we shouldn't do it, just that microblogging makes it hard to properly protect your identity.

                Jochen Wolters
                wrote last edited by
                #126

                @scottjenson Thanks for the thoughtful response, Scott. I sincerely appreciate that! And I agree with everything you write.

                Here's a little IxD detail in Mona 6 that I find very useful. I hardly use the official Mastodon clients. So if they lack such a reminder, adding it should be a fairly minor effort with a huge upside in terms of setting the accurate security expectations with users.

                  Bigfood
                  wrote last edited by
                  #127

                  @scottjenson
                  I'm not here for encrypted messaging.

                    Eelco
                    wrote last edited by
                    #128

                    @scottjenson I hardly use DM, so wouldn't care if it wouldn't be encrypted.

                      arvind
                      wrote last edited by
                      #129

                      There’s a deadly footgun embedded in Mastodon’s “private mentions”—any account that is @ mentioned receives the message, even when they are not the intended recipient. For an example of how this plays out, check out the “Direct messaging does not work” section in this April 2025 blog post.

                      Referring to someone using @ mentions is part of the muscle memory of Mastodon users. (Convenience plays a major part, @ mentions provide autocomplete options once you type in a few characters.)

                      In the past, Eugen Rochko had defended this as behaviour that a user should expect. In other words, he considers this behaviour a sane default. Maybe. (A completely different UI paradigm only for “private mentions” will be tricky, it will go against user expectations—I understand that.)

                      But in that case, I think enabling end-to-end encryption for “private mentions” is kinda pointless.

                        Scott Jenson
                        wrote last edited by
                        #130

                        @dialecticalmusings Thank you. This has been mentioned by others as well. I can see how this behavior could be problematic.

                          Scott Jenson
                          wrote last edited by
                          #131

                          @jochenwolters Agreed! These are the type of fixes I'd like to consider IN ADDITION to continuing to work on backend encryption

                            Jak2k 🏳️‍🌈
                            wrote last edited by
                            #132

                            @scottjenson Any UX improvement would be great.

                            Maybe it is possible to integrate something like XMPP or MLS later for encrypted DMs? They could both federate too.

                              Zarin Loosli
                              wrote last edited by
                              #133

                              @scottjenson I think all of these ideas stem from how, on every other platform, DMs are a fundamentally different "thing" than posts. I worry that a dedicated interface and separate notifications reinforce that expectation away from the technical reality. They make private mentions look more like DMs, but they still don't act like it. So then when those posts aren't encrypted, or you tag someone and they get a notification about it, you're even more surprised.

                                Will :agender_flag:
                                wrote last edited by
                                #134

                                @scottjenson A UI change first would go a long way in alerting you if you break your intended private mention by including more than 1 at sign or any hashtags. This can be a source of great angst.

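Added example, not part of any post in this thread and not Mastodon's code: a compose-time check of the kind suggested in #134, for the behaviour described in #129 where every @-mentioned account receives a private mention. The handle and hashtag patterns, the `homeDomain` parameter and the sample drafts are assumptions constructed for illustration.

```javascript
// Compose-time recipient audit for a private mention (added example).
// The patterns below are simplified assumptions, not Mastodon's own parser.

// "@user" or "@user@domain"; the lookbehind skips e-mail addresses and URL paths.
const MENTION_RE = /(?<![\w@\/])@([A-Za-z0-9_]+)(?:@([A-Za-z0-9.-]+\.[A-Za-z]{2,}))?/g;
// "#tag"; the lookbehind skips URL fragments and entities such as "&#39;".
const HASHTAG_RE = /(?<![\w#&\/])#([\p{L}\p{N}_]+)/gu;

// Constructed sample drafts (not taken from the thread).
const DRAFT_LEAKY =
  '@alice@example.social can we talk about what @Bob said yesterday? #venting';
const DRAFT_OK =
  '@Alice@Example.Social mail me at carol@mail.example, see https://home.example/@dave/1#note';

// Canonical form "user@domain", lower-cased. A bare "@user" is taken to be an
// account on the author's own server (homeDomain, a hypothetical parameter).
function normalizeHandle(user, domain, homeDomain) {
  return `${user}@${domain || homeDomain}`.toLowerCase();
}

// Accepts "@user@domain", "user@domain" or a bare "user".
function parseHandle(handle, homeDomain) {
  const [user, domain] = handle.replace(/^@/, '').split('@');
  return normalizeHandle(user, domain, homeDomain);
}

// Compares the accounts the draft actually mentions (and that would therefore
// receive it) with the accounts the author meant to reach.
function auditPrivateMention(draft, intendedRecipients, homeDomain) {
  const intended = new Set(
    intendedRecipients.map((h) => parseHandle(h, homeDomain))
  );

  // Every distinct mentioned account, in order of first appearance.
  const recipients = [];
  for (const m of draft.matchAll(MENTION_RE)) {
    const handle = normalizeHandle(m[1], m[2], homeDomain);
    if (!recipients.includes(handle)) recipients.push(handle);
  }

  const unintended = recipients.filter((h) => !intended.has(h));
  const hashtags = [...draft.matchAll(HASHTAG_RE)].map((m) => m[1].toLowerCase());

  const warnings = [];
  for (const h of unintended) {
    warnings.push(`${h} is mentioned and will also receive this message`);
  }
  for (const t of hashtags) {
    // Flagged because the thread names hashtags as a source of surprise.
    warnings.push(`hashtag #${t} appears in a private mention`);
  }

  return { recipients, unintended, hashtags, warnings, ok: warnings.length === 0 };
}

// Demo: the author only means to reach alice@example.social.
for (const draft of [DRAFT_LEAKY, DRAFT_OK]) {
  const result = auditPrivateMention(draft, ['@alice@example.social'], 'home.example');
  console.log(result.ok ? 'OK  ' : 'WARN', JSON.stringify(result.warnings));
}
```
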
                                  Gracjan Nowak
                                  wrote last edited by
                                  #135

                                  @scottjenson I think that every message not meant as a public broadcast should be end-to-end encrypted, regardless of the app or service that people use to send it. People shouldn’t have to worry if the information they’re exchanging is private and secure or not. It should be table-stakes these days, just like HTTPS is for websites. When you create a website, you don’t ask yourself if it’s sensitive enough to need it, it’s just common practice to generate an HTTPS certificate for everything.

                                    Gracjan Nowak
                                    wrote last edited by
                                    #136

                                    @scottjenson That said, if it’s much easier to make the other improvements, it might be worth it to ship them without waiting on E2EE to be ready (but it should still be worked on).

                                    Also, some Fediverse services do support E2EE, like @HolosSocial.

                                    https://holos.social/e2ee

                                      veroandi_br
                                      wrote last edited by
                                      #137

                                      @scottjenson

                                      My two cents: (sorry, long text)

                                      A revamp would help a lot, I don't think it needs to be encrypted but it could be good if it were.

                                      Since anyone can set up an instance, any admin can look into people's DMs if they're really motivated to do so, and normal users don't know that. For example, my family wouldn't like knowing that I have access to their DMs if they're in my instance. We may not like the idea that our friend that has an instance has the possibility to look into our messages. Also criminals can be admins of instances, as well as states, the police, and secret agents may create popular, appealing instances to gain access to people's private messages and posts. We don't see many women exposing themselves in the Fediverse but we can guess what could happen if some decide to do so in an instance where an unethical admin falls in love with her and starts reading her private messages.

                                      Another reason for encryption is to protect administrators in certain situations, but it's a double-edged sword. Without access to private messages, admins can't hand them over to law enforcement as plain text. This means they won't be able to provide data on real criminals, which some may dislike because they want to help put criminals in jail. On the other hand, in jurisdictions where minorities (e.g., LGBT+) are persecuted, admins who support their communities may be required to provide private information, such as direct messages, about their members to the police. If the texts are not encrypted, this could be a difficult situation because admins would release information about their friends and allies. These communities should, of course, be taught to use other means of private communication. However, the potential dilemma some admins could face may cause them to prefer enabling encryption.

                                      Another reason may be that admins want to protect members from the admin's own weak cybersecurity skills. For example, imagine a family community where someone creates an instance for the Smith family or a group of parents creates an instance for their teenagers. This allows teens to post photos and other content in a less wild environment than Meta or TikTok. As it becomes easier for non-tech people to create a #Mastodon instance, they may prefer an encrypted messaging solution in case something bad happens (such as a hacker gaining access to the database), since most of them aren't cybersecurity experts and use default configurations. At least if DMs leak, they're encrypted.

                                      These are just the first examples that came to my mind.


                                      If Mastodon chooses not to offer encryption, it could at least explain to people what to expect from DMs. It could also provide icons or links directing them to information on how to communicate safely, maybe even actively suggest a solution, such as XMPP, if it would like to promote the development of certain protocols or messengers.

                                      Or maybe if users indicate in their profiles which private messaging apps they use, people who try to DM them may see a QR code or an icon/link to join them on a specific app?

                                      Another thing, I'm currently using Friendica and Friendica allows us to install add-ons (web version). There is a pluggable add-on called "Converse.js" that allows people to use encrypted #XMPP chat inside Friendica's interface to communicate securely instead of using normal DMs. Mastodon could integrate a similar plugin so interested users could activate end-to-end #encryption for sending messages, if they want. Maybe if it uses existing third-party solutions like Friendica does, the Mastodon team won't have to do everything from scratch.

                                      One last thing: other Fediverse platforms face the same demands. If projects decide to develop an encrypted messaging solution, it would be good if it could be implemented across the entire #Fediverse. Since that would take a lot of time, just a revamp of Mastodon's DMs in the meantime could be enough.

                                      • Scott Jenson

                                        @benpate Could not agree with you more! Do you have any ideas on how to improve threads? Any products that do it well for example? Branching threads are a bit like merging PRs, the dependency tree can get crazy complex!

                                        Ben Pate 🤘🏻
                                        wrote last edited by
                                        #138

                                        @scottjenson

                                        Yeah, it’s a sticky problem, and better designers than I have struggled with it. I did a tour of different solutions, but didn’t come away with any slam dunk answers.

                                        It probably depends on the use cases you anticipate most. 😟

                                        I settled on something close to Reddit, showing nested replies + a “focus” widget that follows a single thread “up” to the original post.

                                        I can share some screenshots/drawings if you think it would help to visualize.

                                          Jan Wildeboer 😷:krulorange:
                                          wrote last edited by
                                          #139

                                          @scottjenson For me it's the expectation of privacy for private messages that makes encryption a requirement, not an option. Depending on the jurisdiction of the instance, authorities might be trivially able to get all content, including private messages. Also, instance admins might snoop around for whatever reason they think is valid. Encryption by default is the only way to guarantee privacy expectations. 1/2
