Anonymous opt-out #878
Comments
|
this is so obvious, it's even strange that you need to explain it... |
|
So then put the tag in your profile. Or just don't make it public since that means the same people who could see it via the bridge can see it anyway. This is so obvious, it's even strange that you need to explain it... |
|
yeah, wear a sign. Or even better, hide. People around you can already see you, why do you complain about video surveillance ? Please don't ask me to consider your problems. |
|
LOL. It's not a yellow star. I don't; I recognize that I have no expectation of privacy in public. I won't; it is not a stranger's responsibility to consider my problems. |
|
The OP is the one who wants to hide, by the way. I only advised them how to do so. |
|
It isn't difficult to put #nobridge on your website. |
so requiring that people who want to use the service say so is not ok, because many people won't hear about it, so won't be able to state that they want to use it. But requiring that people who don't want to use it put #nobridge in their profile is ok, because... most of them will hear about it ? And then someone else makes another software that I don't want to use, and I have to put #noplop, then #nobs2, then #noai, then #nocrawl, then... don't you see why that line of thinking is a problem ? |
|
That has been the standard business for years. robots.txt exists also for that reason, to block certain bots - if they obey the rules. The Internet is open and public in general. Fediverse is fully open and public. Webmention is also a W3C standard. Which you can't even opt-out for. Anything you place out in the open, is out in the open to be read, shared, copied, used by others. If you don't want your comments, written text or whatever to be out in the open, go to platform X, where nobody without an account can read it etc etc. |
|
so basically, google being a giant assh*** means that you can be a tiny assh***, it's not a problem. Nice reasoning. For the rest, data that is publicly accessible is not public data. Plenty of things are publicly accessible and yet you can't use it. Download facebook's assets to copy their design for your website, and see how it goes. Even better, use a Disney character on your website, good luck with that 😃 (hint: no, don't do that, really) Another analogy: anyone passing by can see my garden, or in my living room through my windows. That does not mean that I would accept or be comfortable with someone installing cameras to observe everything I do there. The fediverse is a group of interconnected isles, where people can interact together and keep control. BS is... let's just say that it's not that. Now the good thing is that I don't have to convince you. Just @snarfed . He can take the multiple hints that he received those last days, or not. In that latter case, I'm afraid that his system will simply get defederated into near irrelevance, hopefully without adding too much weight on fediverse admins. |
|
One might be able to do something useful with hashes to anonymize opting out .. but then I guess you'd end up having to somehow protect against people maliciously opting-out third parties? (To effectively DoS the bridge or whatever.) The suggested opt-in model might be a lot easier, on balance. |
Even if he gets defederated, your content can still be taken elsewhere. What happens in your home is not public. If you think you own the control about anything you post online, dream further. |
|
This is a fascinating idea, and a good conversation, thanks all. I'm curious about prior art here. Does anyone know of existing systems that do something like this? Ie provide some opaque id, let a system compare a plaintext id against that opaque id (or some aggregation), but otherwise prevent them from checking if a given plaintext id is in the set? It sounds either difficult or impossible, since those two requirements seem like the same thing, but fields like zero knowledge proofs and homomorphic encryption regularly surprise me with the things they can do that seem impossible. |
|
I have very few functioning brain cells these days, but I wonder if any aspects of https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity would be applicable here? |
|
I think it is worthwhile to split this issue in two:
|
|
Regarding not trusting you with the handle: regardless of how it is stored or fetched when accessed, in the end, you will have a trivial way to brute force any and all Fediverse handles you encounter through instance directories, posts, likes, reshares, mentions or even normal web crawling. A malicious operator could test each found handle against its set and then record it in the clear if they want to go rogue. So assuming a malicious operator would probably not leave us with a usable service. At the same time, the confusion set is already of a decent size, hence it might not pose an additional privacy risk. People may want to opt out for various reasons, and the exact reason would not be recorded:
|
as said multiple times, that's not the point. Others doing it does not mean that it's ok.
as said multiple times, publicly available data != public data.
Exactly. Even if people can see it, it's not public. Same for what you do in public: it's definitely not available for anyone to do as they please, even if you do it on the street.
journalists, artists, web designers, communicators,... routinely post public online content that is definitely not public data. A friend of mine posts his photos on his website, and won a trial against a big American film corporation because they used one of his photos without credit for a blockbuster promotion. A small Belgian photograph against an American big studio, a photo publicly available on the web, and he won. If you think that what is publicly available on the web is public data, dream further. |
|
Hopefully discoverable opt in #835 (comment) may obviate some of this. Users and admins can just block the bsky.brid.gy domain, which has the same effect as asking me to opt out. If someone requests to follow them via Bridgy Fed, it will attempt to send them a DM, which will fail, and so they'll never be bridged. |
|
"Users and admins can just block the bsky.brid.gy domain, which has the same effect as asking me to opt out..." How can users just block the bsky.brid.gy domain when I (as a mere Mastodon user) have repeatedly searched from the "Search or paste URL" field on my profile page and have yet to see any sort of Mastodon/Fediverse instance name returned? I am not an instance admin. I can only block those domains which return a Fediverse-compatible domain name page from my search. I will also note that "bsky.brid.gy" does not return any response from the Server search page at FediDB, here: https://fedidb.org/network |
|
@MadokVaur good question. The Bluesky bridge hasn't launched yet, it's probably at least a month away, which is why you're not finding any bsky.brid.gy profiles. How to block domains as a user varies across different fediverse software, but if Mastodon only lets you do it after you've found an existing user on that domain, then you're right, you can't block it as a user yet. If so, that's definitely an unfortunate surprise. The Mastodon docs don't explain this very much, https://docs.joinmastodon.org/user/moderating/#block-domain , but you might be right. If so...ugh. |
|
Thanks for your reply "The Mastodon docs don't explain this very much..." There's a lot the Mastodon docs don't explain. But I digress... |
|
I still hope that all the massive safety issues will be fixed but if this bridge goes live before addressing them then i will be doing everything i can to agitate for wide #FediBlock of brid.gy in order to protect all my lovely trans comrades |
|
Well, I've blocked many, many instances in 14 months on three different Mastodon instances as a user, so I'm quite familiar with how to do it. And my instance admins are pretty on top of most situations so I'm not concerned from that direction. Probably busy today with that burst of Japanese Misskey spam. Did some domain blocking there, just in case. |
|
You might be right it's quite long time since i used mastodon. but atleast with sharkey users can only mute instances not block them |
Quite the contrary. Requiring some developer who you don't know to do what you want instead of what he wants is not okay. You can decide how the bridge software that you develop works. |
robots.txt predates Google by about a decade. You don't even know the beginning of the stuff you're talking about. |
|
I appreciate the debate, but let's try to keep this issue focused on anonymous opt out, please, everyone. |
dude that's called hashing |
|
@reyafyi hashing alone only gives you the first part there, not the second. |
|
It is not possible to be able to check if an ID is in a set, without being able to check if the ID is in the set. What even... |
|
As a Mastodon user, you can block a domain even if you don't yet have access to a post on it by importing it as a block list.
@MadokVaur FYI |
|
Will the bluesky bridge examine each fediverse reply to a fediverse post before sending all those replies to bluesky? Suppose:
Will the bluesky bridge check all 100 replies and only send replies from accounts who have opted-in? That is an issue that was used as justification for needing opt-out -- is the plan to send requests for each reply and only send on the ones the bridge already has opt-in for? IMPORTANT POINT ABOUT BLOCKING BRIDGE DOMAIN |
|
I still think that the second part of the problem (untrusted bridge operator) is not solvable completely and hence any effort in that direction is LARP'ing with many drawbacks. If you still insist, one such workaround would involve:
I think any anonymized/hashed list not backed by the respective instance operator of the domain would open the possibility of trivial DDoS of a bridge as already mentioned. |
|
@bantryblues let's keep this issue focused on anonymous opt out. I've filed a separate issue, #894, for your questions. |
|
@snarfed thanks for opening the new issue! the reason I mentioned it here was someone suggested blocking the domain as a solution to this issue - but I should have started a new issue and just referred to it here. |
|
Bridgy Fed is currently opt in for the fediverse. I plan to add DM prompts for discoverable opt in - #1148, #966 - but I don't plan to switch it to opt out in the fediverse anytime soon. Also, we haven't yet seen a technically feasible solution here yet, ie "It is not possible to be able to check if an ID is in a set, without being able to check if the ID is in the set." (#878 (comment)). So, I'm closing this as obsolete. Happy to hear more thoughts if anyone has any though. |
|
It's likely already supported (implicitly). If an individual user either blocks the entire bridge domain or mutes the service account, their home instance will take care of permission management for this without even notifying Bridgy Fed of those actions. It also normally shouldn't send any activities towards the bridge if there's a domain block, but I don't know if that's usually a hard filter or just a result of there being no connections or interactions with bridge content (in which case this could differ if Bridgy acted as ActivityPub relay at some point, i.e. for instance-wide opt-in by admins. In that particular hypothetical case users may indeed have to undo the opt-in by blocking the service account individually). |
I would like to opt-out from your service but I am not comfortable with giving my account name or my instance domain for you to put in some sort of list somewhere.
The fact that you are collecting a list of vulnerable queer people that dont want to be harassed by bluesky is deeply unsettling and I cant trust you to not use that list in any way that could cause harm to vulnerable queer people on the fediverse.
It would be safer if this could be handled in a anonymous way where you cant have any access to plaintext usernames or instances that want to opt out of your service.
The text was updated successfully, but these errors were encountered: