Giver of skulls
AT has a lot of nice parts, and a lot of “wtf why” parts.
It makes sense: AT was designed to be “Twitter, but also federateable” rather than ActivityPub’s “Federateable, so you can build things like Twitter”. ActivityPub is modular and much more customisable than AT, which was built closer to existing social media concepts.
I’ve read somewhere that Friendica is working on an AT implementation, so I guess we’ll see how well federation actually works once that’s done.
I think integrating with SpamAssasin shouldn’t be that hard. The threshold may need to be set quite high and things like votes/boosts may need to be exempted in some way, but the Fediverse can take a lot of existing tools from email.
Luckily, we don’t need to do anything to support anything like DKIM and reverse PTR, because those technologies are built right into ActivityPub. We can’t add SPF, because ActivityPub allows for arbitrary servers to boost stuff so that replies and such get mirrored right. A DMARC-like “we’ve blocked 40% of your traffic” notification may also be useful so Fediverse servers can monitor if their servers are misbehaving.
What we might need is some kind of ActivityPub proxy that’ll parse and analyse incoming/outgoing traffic, pass them through whatever spam filter you like, and forward the ones that make it to actual server software. That way, we can write one tool that’ll work for Lemmy, Mastodon, Misskey, and all other kinds of servers.
It’s not centrally controlled, though. The main instance doesn’t automatically federate with everyone, just like Lemmy used to refuse federation unless other servers were whitelisted.
You can set up a network of Bluesky servers without ever federating with the main Bluesky server if you want. You’ll just have no users.
From what I can tell, all the spam is originating from Mastodon servers running ancient versions with only one original user that stopped posting a few years ago. There are a lot of Mastodon servers just hanging out there, effectively being free replacements for temporary servers set up for spamming.
I’ve started defederating from spamming servers because banning accounts doesn’t help. So far it seems to work, but no doubt there will be another wave of spam at some point.
The protocol isn’t designed to defend against these threats. It does, however, provide the tools to authenticate both the sender and the sender’s server, so Fediverse servers can set up their own spam filter policies relatively securely.
Unfortunately, very few Fediverse projects seem to have paid any attention to spam filters.
On Lemmy it dominated my feed for a few days. Haven’t seen anything on Mastodon.
I don’t get why the Fediverse decided to take on the legal risk and storage cost of downloading every attachment to local servers to be honest. This is why every Lemmy server had to deal with the stupid CSAM spammer rather than just the one server that was being targeted.
Cloud costs have a similar problem, though basic deduplication should work to prevent excessive storage costs. Only the minor egress costs of a couple hundred kilobytes of jpeg really count and they’re not all that bad unless you go with hyper expensive super redundant networks (Amazon, Azure, etc.)
I don’t think any watchdog cares enough about spam laws, let alone the Fediverse, for this to blow up in Discord’s face.
I think Japanese law (the law that’s relevant here) specifies things like email and fax as a source of spam, not social media. I don’t think you can qualify the Fediverse as “electronic mail” like that. Maybe it also applies to other communication methods, but I can’t read Japanese so I can’t verify the online sources.
I’m going off this translation so I’m not entirely sure. I do think the original spammed was arrested, though, so as long as Discord complies with law enforcement orders I expect them to be in the clear.
Comments, votes, replies, edits: yes.
IP addresses and last login time: no.
Fediseer has an API (https://fediseer.com/api/) but I don’t know if there’s an importer that can use it. I imagine turning the API into a list you can load into existing tools shouldn’t be too hard if you can write code.
There are thousands of servers with millions of accounts. You can’t subscribe to all of them.
I would suggest using common lists like those from Fediseer and Fediverse explorers like https://fediverse.party to find the most popular servers for each type, and then subscribe to accounts you like.
If you just want a filled global timeline, you’re probably looking for a relay. This website has a bunch. Make sure you defederate from problematic servers first, though (you can check Fediseer to see which ones may be problematic) or you risk getting a wave of spam or questionable content fed into your servers.
Scepticism is welcome, especially for companies founded by billionaires, but I don’t think it’s necessary to assume that federation will be killed off. They started out with no federation at all, then moved on to federating with the sandbox, and I’m quite certain they’ll open up real federation in time. There’s surprisingly little development power behind Bluesky, though, and its recent surge in popularity will no doubt have slowed down nice-to-haves like federation.
The AT Protocol is designed very differently from ActivityPub, making it quite difficult to federate and join the network as a small player, unless you’re only providing content. Following users requires a significantly more beefy server than you would on ActivityPub. On the other hand, ATProto solves a lot of problems Mastodon has (no two servers showing the same list of replies, for one). This leads to a situation where feeding content (and thus producing value) becomes attractive, but consuming content (and thus taking eyes away from the main server) becomes more of a challenge, presumably one left to either bridges like these, based around ActivityPub-based servers like Mastodon.
I think it’s very difficult for a company to take Bluesky’s network, set up their own server, and out-compete them. There’s only one category of company that I would expect to be capable of this, and that’s “billionaires looking to revolutionise things”, which is exactly what Bluesky is all about. It’s possible that Threads will try to integrate with Bluesky, but I don’t think that would take away anything from BS. In fact, I think it would only drive up BlueSky’s value to see Facebook invest in another company’s technology like that.
All of the above makes me quite confident that the Bluesky team will be able to deliver on their promises, in time. They’re not federation-first, and I don’t think they ever claimed to be, but that doesn’t make them anti-federation per se. I do have my doubts about some of the weird cryptocurrency/web3 stuff sprinkled into the protocol, but for now none of that seems to play a central role.
And I mean, I don’t necessarily disagree - but I find it wild that the very same group would then not also want their social network to be inaccessible from the outside, so that it cannot simply be scraped like this bridge does.
I completely agree. “Public to everyone, but not for certain people described by a vague grouping” just doesn’t work. And I think tight-knit communities consisting of a few servers can be a wonderful thing! And to be honest, there are a lot of servers in the Fediverse that many people would not want federating with their comfortable community anyway.
if AP ever gets big, that’s a problem we’ll have to do deal with sooner rather than later anyways
That’s the problem, with Threads joining the Fediverse, it just became a problem we have to deal with now. The knee-jerk reaction seems to be to ban them from every server, which works, as long as Threads is the only “bad” player here. We can’t go into outrage mode every time a company joins. I follow Jerry (the admin of the wider Jerryverse) and I feel for him and his moderation team (if there are any beside him) every time stuff like this crops up.
Personally, I just go 🤷 in regards to the actual data-federation, and rather focus on moderation/administration tooling and automation.
I agree. I’m very happy with Mastodon’s “silence” feature, where users can opt to follow posts from other servers, but those servers won’t be advertised or featured in any standard timelines. I hope other services, like Lemmy, add the feature as well in time. It brings the power of federation to the internet without being overrun by massive servers. Perhaps these policies can be even more restrictive (i.e. also hide boosts and replies by default) but so far, silencing servers seems to do exactly what I would hope it to do. It still allows for moderation issues to crop up, but (re)sharing problematic content can easily be dealt with by moderation teams in the form of blocking individual accounts or warning/banning users that repost problematic posts.
I agree that enforcing this will be basically impossible, but I can imagine someone with more money than sense going after reposts ending up successful because they may be in the right, legally speaking. In the same way torrenting has had companies calculate damages by multiplying a fine with the number of people the content was shared with, Fediverse servers may rack up quite a fine if such a lawsuit ever succeeds.
The lines about reproducing works in EULA/TOS don’t exist to provide any (dis)advantage to the user, they’re basically legally required for the software to operate. Otherwise, websites like Facebook wouldn’t be allowed to share the image you posted with anyone but you. I don’t think anyone will object to the right for Facebook to show your friends the pictures you’ve shared with them, so I don’t think they’ll be struck by not complying with the law, either. If anything, Fediverse servers need a line like that, with an addition that any servers federating with the user’s server may also reproduce the work.
As for a sword of Damocles in the Fediverse: any EU-based Fediverse server (and there are many!) hosted by a company or organisation is in a lot of trouble if any data protection agency ever bothers to look into them. I don’t know any Fediverse server that has the capabilities to be GDPR-compliant. For servers hosted as a hobby by individuals, I don’t think this is a problem (there are legal exemptions for personal stuff) but the copyright thing is only a minor risk compared to the data privacy issues.
Often, Fediverse enthusiasts choose to ignore the laws that make their dreams very hard to achieve, but I can imagine a Threads/Tumblr lawsuit having devastating effects for the Fediverse at large, and nobody seems to care. I know the law is complicated and boring and I’m no lawyer myself, but the wishful thinking that legal issues will never crop up that I often see in open source communities can be a real risk. I’m reminded of Napster blatantly ignoring copyright on the internet because they wanted to bring new and exciting tech to the world; great aspirations, but how long will they last?
uBlock uses EasyList as its default source. You can use EasyList’s form to report unblocked content.
In its current design, ATProto doesn’t really solve the queer.af problem. Hosting your own Bluesky server (currently only available for the sandbox network) on a domain that disappears later will have your account disappear just the same.
Nostr sort of fixes this (when a relay goes down, the stuff you posted on it disappears but your account will still work) and ATProto has some provisions for decentralised accounts, but in its current iteration, these provisions aren’t activated (yet).
Of course, there are many federating protocols. Matrix and XMPP for chat and SMTP for email seem to be the popular non-ActivityPub ones. However, in terms of federated microblogging, I would argue that ActivityPub is the de facto standard at the moment. Bluesky may have a couple of million users for ATProto (mostly on one server), but then Threads brings just as massive a user base to ActivityPub. Flipboard is also bringing in a susprisingly large amount of users, and Gitlab will soon implement ActivityPub for federated project management.
I think the people mad about these massive networks joining the Fediverse want to shield their little social networks from the big bad internet. They don’t want the Fediverse or any part of it to succeed and become mainstream, because that brings in the toxic waste of opinions and trolls that the wider social media is known for, and their tiny servers don’t have the moderation capacity to deal with that.
There’s a solution for this, of course: you can whitelist servers you trust, perhaps based on lists signed off on by smaller projects. If you fear the influence of Threads and Bluesky, you can set up your little inner circle with the tools already available today.
On the one hand, the ability to share is implied in the platform and the publication settings of the software you’re using.
On the other hand, copyright still applies. You need to pass a minimum threshold of originality (which can be quite hard for Tweet-length content) but creative works in any form are copyrighted, and are subject to intellectual property laws.
Now, I don’t think any lawyer will recommend you to sue someone reposting your social media posts. However, the ideals of the Fediverse are in direct conflict with laws and regulations around the world, from intellectual property laws to privacy laws.
If you post a coptrightable original work, you decide who’s allowed to reproduce that work. You don’t have the legal right to repost stuff you found online, no matter how common that may be on social media; you’re not allowed to reproduce a work unless you provide permission.
This is why Facebook and Twitter have those “you give us the unrevocable right to reproduce your works” lines in their terms of service. The Fediverse lacks such terms, because it’s not one single server. Like with many other problems, the Fediverse overlooks and ignores the real legal conundrums by pretending it doesn’t exist.
In my opinion, the standard controls on services like Mastodon should be sufficient: you decide whether you share a post with a server, with the tagged people, or with everyone. The default, the latter option, should be expected to include bridges and all other kinds of online services. However, I can’t think of a legal basis for this.
The best I can think of is the fact ActivityPub is a push-based protocol, so your server is the one uploading content to the bridge. However, this type of technical implementation detail isn’t accepted as a legal defence in other cases (imagine hacking becoming legal for any request/response protocol!).
Assuming the comments pass the originality threshold, you’re actually not allowed to just copy someone else’s work and repost it. Copyright still applies to written work, and the EULA of most platforms only provide the service you’re posting to with the right to reproduction. By default, you’re not allowed to reproduce copyrighted works, which would be any piece of original (enough) writing.
Practically, though, no court is going to care. The law may be on the side of the copyright holder, but actually suing reposter will take a lot of money and the damages you can collect will be absolutely minimal.
It’s open source, so forking it and making it opt-out shouldn’t be too difficult. Your bridge, and possibly server, will probably be blocked everywhere if you run a public instance, though.
I think the best solution to this would be to host a version that only interacts with a whitelist of accounts, so that you and your friends can follow Bluesky people without spamming a thousand duplicate profiles into the federated profile search bar. I’m not sure how well thst works for the Bluesky side, but I’m sure it can be made to work.
The inclusion of some kind of web3 identifier that never seemed to get used for web3 things comes to mind. The methodology of most federation work also seems to indicate that hosting an alternative server may require significantly more resources compared to an ActivityPub server, though this may be outdated information.
I also don’t particularly like their moderation strategy. It seems very Nostr-like, and it’s more about hiding things than actually blocking things.
They also felt like they needed to invent their own notation language to describe their protocol, which makes reading the protocol spec kind of weird.
They also decided to use Javascript’s 53 bits of integer precision as an upper bound for their protocol. I certainly wouldn’t have designed my cross-platform protocol around the programming language I happened to choose.
Lastly, Bluesky offers a flag to suggest clients hide your profile and posts, but doesn’t have the ability to hide that data. With ActivityPub, you can simply refuse to list posts and maintain some amount of privacy (especially combined with enabling follow requests), but AT doesn’t seem to care much about that.