#mastondon Friends!

  • Scott Jenson

    #mastondon Friends!

    There is a TON of improvements we could make to Private Mentions (often called DMs on other platforms) e.g.
    * getting them out of the public timeline
    * Having a stronger notification tied to the Private Mention tab
    * (among other things)

    But here is my MAIN question: How critical is it that these messages are encrypted? I'm not against encryption! It's just complex and will take time. If we were to make some UX changes as a first pass WITHOUT encryption would you be OK with that (at least for now?)

    If you MUST have encryption, that's fine, please do me the favor of replying explaining why you need it.

    Gracjan Nowak
    wrote last edited by
    #135

    @scottjenson I think that every message not meant as a public broadcast should be end-to-end encrypted, regardless of the app or service that people use to send it. People shouldn’t have to worry if the information they’re exchanging is private and secure or not. It should be table-stakes these days, just like HTTPS is for websites. When you create a website, you don’t ask yourself if it’s sensitive enough to need it, it’s just common practice to generate an HTTPS certificate for everything.

      Gracjan Nowak
      wrote last edited by
      #136

      @scottjenson That said, if it’s much easier to make the other improvements, it might be worth it to ship them without waiting on E2EE to be ready (but it should still be worked on).

      Also, some Fediverse services do support E2EE, like @HolosSocial.

      https://holos.social/e2ee

        veroandi_br
        wrote last edited by
        #137

        @scottjenson

        My two cents: (sorry, long text)

        A revamp would help a lot, I don't think it needs to be encrypted but it could be good if it were.

        Since anyone can set up an instance, any admin can look into people's DMs if they're really motivated to do so, and normal users don't know that. For example, my family wouldn't like knowing that I have access to their DMs if they're in my instance. We may not like the idea that our friend that has an instance has the possibility to look into our messages. Also criminals can be admins of instances, as well as states, the police, and secret agents may create popular, appealing instances to gain access to people's private messages and posts. We don't see many women exposing themselves in the Fediverse but we can guess what could happen if some decide to do so in an instance where an unethical admin falls in love with her and starts reading her private messages.

        Another reason for encryption is to protect administrators in certain situations, but it's a double-edged sword. Without access to private messages, admins can't hand them over to law enforcement as plain text. This means they won't be able to provide data on real criminals, which some may dislike because they want to help put criminals in jail. On the other hand, in jurisdictions where minorities (e.g., LGBT+) are persecuted, admins who support their communities may be required to provide private information, such as direct messages, about their members to the police. If the texts are not encrypted, this could be a difficult situation because admins would release information about their friends and allies. These communities should, of course, be taught to use other means of private communication. However, the potential dilemma some admins could face may cause them to prefer enabling encryption.

        Another reason may be that admins want to protect members from the admin's own weak cybersecurity skills. For example, imagine a family community where someone creates an instance for the Smith family or a group of parents creates an instance for their teenagers. This allows teens to post photos and other content in a less wild environment than Meta or TikTok. As it becomes easier for non-tech people to create a #Mastodon instance, they may prefer an encrypted messaging solution in case something bad happens (such as a hacker gaining access to the database), since most of them aren't cybersecurity experts and use default configurations. At least if DMs leak, they're encrypted.

        These are just the first examples that came to my mind.


        If Mastodon chooses not to offer encryption, it could at least explain to people what to expect from DMs. It could also provide icons or links directing them to information on how to communicate safely, maybe even actively suggest a solution, such as XMPP, if it would like to promote the development of certain protocols or messengers.

        Or maybe if users indicate in their profiles which private messaging apps they use, people who try to DM them may see a QR code or an icon/link to join them on a specific app?

        Another thing, I'm currently using Friendica and Friendica allows us to install add-ons (web version). There is a pluggable add-on called "Converse.js" that allows people to use encrypted #XMPP chat inside Friendica's interface to communicate securely instead of using normal DMs. Mastodon could integrate a similar plugin so interested users could activate end-to-end #encryption for sending messages, if they want. Maybe if it uses existing third-party solutions like Friendica does, the Mastodon team won't have to do everything from scratch.

        One last thing: other Fediverse platforms face the same demands. If projects decide to develop an encrypted messaging solution, it would be good if it could be implemented across the entire #Fediverse. Since that would take a lot of time, just a revamp of Mastodon's DMs in the meantime could be enough.

        • Scott Jenson

          @benpate Could not agree with you more! Do you have any ideas on how to improve threads? Any products that do it well for example? Branching threads are a bit like merging PRs, the dependency tree can get crazy complex!

          Ben Pate 🤘🏻
          wrote last edited by
          #138

          @scottjenson

          Yeah, it’s a sticky problem, and better designers than I have struggled with it. I did a tour of different solutions, but didn’t come away with any slam dunk answers.

          It probably depends on the use cases you anticipate most. 😟

          I settled on something close to Reddit, showing nested replies + a “focus” widget that follows a single thread “up” to the original post.

          I can share some screenshots/drawings if you think it would help to visualize.

            Jan Wildeboer 😷:krulorange:
            wrote last edited by
            #139

            @scottjenson For me it's the expectation of privacy for private messages that makes encryption a requirement, not an option. Depending on the jurisdiction of the instance, authorities might be trivially able to get all content, including private messages. Also, instance admins might snoop around for whatever reason they think is valid. Encryption by default is the only way to guarantee privacy expectations. 1/2

              Jan Wildeboer 😷:krulorange:
              wrote last edited by
              #140

              @scottjenson Yes, this makes automated scanning for spam and harassment impossible. Here's how to fix it: when a user reports "bad" private messages, a warning box pops up, informing the user that the unencrypted content will be sent to the admins. After user OKs that, that is exactly what happens. It's an acceptable compromise, in my opinion. 2/2

                Jack
                wrote last edited by
                #141

                @scottjenson Hi Scott, I believe the option is complex, honestly.

                Encryption is tricky but I also think it provides layers on top of the communication that might make it feel larger than a quick "dm"? I can't speak to others obviously but Mastodon should consider what solutions you are providing and if they make sense for the platform.

                Encryption is useful, but does it make sense for Mastodon? Is that the direction the social media tool is moving? Encryption-focused 1:1 communication?

                • Scott Jenson

                  @neal OOOOOh, that's a cool point! Thank you. What are you suggesting, that PMs are ONLY 1:1?

                  George B
                  wrote last edited by
                  #142

                  @scottjenson @neal

                  As a related issue: replies to "followers only posts" being "my followers only" is a strange behavior.

                  I think if there was a "replies can only restrict the audience compared to the audience of the replied post, not expand it" constraint, that would solve both issues

                    Jesse Karmani
                    wrote last edited by
                    #143

                    @scottjenson @benpate is there a reason private messages need to support threading? Most DMs on other platforms are flattened to a single thread for simplicity.

                    If threading is still necessary, iOS’s design for replies to specific messages in iMessage feels easy to follow for me

                      :mastodon: ister Don
                      wrote last edited by
                      #144

                      @scottjenson I'm not against interface improvements, or even doing that first, but I'm all in on encryption.

                      Mastodon is all about privacy and putting users first. When I DM someone the whole point is that the message is only for them. I prefer that administrators not be able to see.

                      • Seth of the Fediverse

                        @scottjenson I think just knowing that the DMs are not encrypted is enough IMHO. If you want something encrypted use Signal.

                        :mastodon: ister Don
                        wrote last edited by
                        #145

                        @phillycodehound @scottjenson I love Signal, but there is something to be said for being able to communicate with fediverse people directly in the fediverse.

                          Scott Jenson
                          wrote last edited by
                          #146

                          @jackryder all fair questions! All I can say is that there are many within the community that are quite adamant that DMs must be encrypted. The most common reason is that they don't want admins to spy on their posts.

                          My concern is just that setting up E2EE is rarely a simple process. I expect it to be a ux challenge to make it easy.

                            Space flip-flops
                            wrote last edited by
                            #147

                            @scottjenson Encryption should be an option, not a must.
                            Not everything should be hidden, and by reducing the cpu time you'll reduce the carbon footprint, too.

                            (I'm talking about end-to-end encryption here, not about user's AAA or inter-server comms).

                            Personally, I hate this modern trend of hosting public blogs via HTTPS. Not everything should be encrypted!

                              Jack
                              wrote last edited by
                              #148

                              @scottjenson I appreciate the response and transparency.

                              I believe I understand the fear for concern and secrecy. I don't believe there will be a simple & straightforward solution. As you said, "just setting up..." is often a lot trickier than we anticipate.

                              I'm not familiar enough with the stack to know what would need to change. I imagine there are quite a few underlying systems that would need at least partial rework and that alone would cause for a trickle down effect on literally everything. Ouch. I wouldn't envy sitting in on those prioritization calls.

                              Personally, though I don't mean to sound diminishing to the population I would do exactly what it looks like you guys are doing. Checking the temperature and prioritizing the needs. Kind of glad to see people actually asking.

                                Dave Mason
                                wrote last edited by
                                #149

                                @scottjenson
                                Signal is my go-to when I feel there's a need for #Encryption. If it was available in Mastodon for private messages, I'd probably use it.

                                I don't think the Fediverse is on the radar of the current administration here in the US yet, but they might be someday. What happens when law enforcement types show up at a Masto admin's doorstep? Do they give up all the data willingly? Even without a subpoena or judge's order?

                                  Dave Mason
                                  wrote last edited by
                                  #150

                                  @scottjenson
                                  It would be nice to know my private conversations really are private, regardless of the legality of a search.

                                  Until then, all my Private Mention conversations here are benign, boring stuff kept away from the public eye. Knowing it's not truly private, I carefully consider what information I share.

                                  *My apologies if my responses have done nothing more than regurgitate common knowledge. Hopefully this is the type of input you're seeking.

                                    Ben Pate 🤘🏻
                                    wrote last edited by
                                    #151

                                    @jesseplusplus @scottjenson

                                    Hey Jesse ~ great point. It would probably depend on how people use it. And private/direct messages are probably different from comment threads on public posts.

                                    For public messages (like this one) it feels like people have the expectation of real threads.

                                    For private messages, I agree with you & have been considering iMessage's method: showing everything chronologically, with 1) a note if something is a direct reply and 2) the ability to "zoom" in on replies.

                                      Ivan Sagalaev :flag_wbw:
                                      wrote last edited by
                                      #152

                                      @scottjenson count me in "use secure messengers for private communication". I know people will keep trying to use social media for it no matter what, but in my mind it's a misuse, and shouldn't be a priority for fixing. (I didn't do any research, just speaking from vibes!)

                                        Isaac Freeman
                                        wrote last edited by
                                        #153

                                        @scottjenson I'm excited that you're asking this question!

                                        My preference is for usability improvements first. Other platforms already do encrypted private messages, and adding it won't make Mastodon easier to use. I think that's the core problem for the platform: removing barriers to sticking around without taking the cop-out of just copying what people are familiar with on other platforms.

                                        My primary use of private messages is to ask people for email or Signal addresses when I only know how to contact them on Mastodon.

                                        Secondary would occasionally be a “You OK?” message in reply to someone's post.

                                        Apart from those, I think of Mastodon as a public space. Private communication isn't what it's for, and the UI shouldn't centre it.

                                          Johanna, CanCon variety
                                          wrote last edited by
                                          #154

                                          @scottjenson

                                          I'm probably just one more vote on a "me too" pile, but it's not critical to me that social timeline 1:1 messaging be *encrypted*. It's important that I (the generic user) *understand* whether it is or isn't and behave accordingly.

                                          If you have to pick a focus, I do strongly prefer that 1:1 or 1:few comms have a distinct workflow apart from regular/public timeline appearances, though. It makes mishaps less likely, like forgetting or mis-clicking "private" in that dropdown.
