Post AR5dYTlCLFYsb5FV3I by SpaceLifeForm@infosec.exchange
 (DIR) Post #AR1sGLZokbqsgStkbA by aral@mastodon.ar.al
       2022-12-27T10:27:08Z
       
       0 likes, 11 repeats
       
       #fediblock #mastinator A site called Mastinator (https://mastinator.com) has started aggregating and republishing toots without permission. It creates accounts with your handle and follows you to get your toots (e.g., @aral@mastinator.com, which, just to make clear, is not me).
       
 (DIR) Post #AR2PhYlv629nuk8ueG by guitarzan1328@mastodon.world
       2022-12-27T15:03:02Z
       
       0 likes, 1 repeats
       
       @aral@mastodon.ar.al @aral@mastinator.com isn’t that basically Nitter for mastodon?
       
 (DIR) Post #AR2PhZC9WV8nE6PrXM by maryjane@social.coletivos.org
       2022-12-27T16:46:52Z
       
       0 likes, 2 repeats
       
       @guitarzan1328 Well you don't need nitter on mastodon, you can just put a .rss at the end of a mastodon account, and get an RSS feed, you can even do the same for hashtags. @aral @aral@mastinator.com
       
 (DIR) Post #AR2PnJhK3RbQtrjmXw by boyter@honk.boyter.org
       2022-12-27T10:31:27Z
       
       0 likes, 1 repeats
       
       @aral Actually it's just sucking them in into a publicly viewable inbox. Fairly similar to any other federated server, except every possible inbox already exists. Use case is if someone wants to follow accounts and get a RSS feed of that content, without having to join an existing server.
       
 (DIR) Post #AR2PnKHprgoGj6owSW by sariash@mastodon.social
       2022-12-27T10:40:22Z
       
       0 likes, 1 repeats
       
       @boyter @aral You can get rss feeds of every account with simply adding .rss to the accounts URL, there is no need for an extra service to do that - or do I miss something here? For example https://mastodon.ar.al/@aral.rss
       
 (DIR) Post #AR2PnKy1KqYOpwYdDE by boyter@honk.boyter.org
       2022-12-27T10:43:42Z
       
       0 likes, 1 repeats
       
       @sariash You can use this to aggregate multiple users across multiple servers in a single place. Build a list of infosec people for example. It's also potentially useful for those working on ActivityPub integrations since it will accept anything at any address. Useful for tests. Although have yet to add the key check for things that are added.
       
 (DIR) Post #AR2PnLNXnwyE76V0zo by maryjane@social.coletivos.org
       2022-12-27T16:47:53Z
       
       0 likes, 1 repeats
       
       @boyter you can also aggregate multiple RSS feeds from multiple users in a single RSS reader. @sariash
       
 (DIR) Post #AR2PnMZzLAWDpzKT20 by boyter@honk.boyter.org
       2022-12-27T10:45:32Z
       
       0 likes, 0 repeats
       
       There is nothing nefarious intended with the site I can assure you. I am also happy to add whatever copy text or otherwise you think it would need to maintain this.
       
 (DIR) Post #AR2PnMaLJqnnr5UkaG by sariash@mastodon.social
       2022-12-27T10:47:26Z
       
       0 likes, 0 repeats
       
       @boyter ah ok, I did miss the aggregation part, thanks for the explanation.
       
 (DIR) Post #AR2Q2tqxuZIRNVg7gu by maryjane@social.coletivos.org
       2022-12-27T16:50:45Z
       
       0 likes, 0 repeats
       
       @boyter The fact that it has a person's posts and a person's name in the format of a fediverse account can mislead users into thinking it is a real account. @sariash
       
 (DIR) Post #AR2XtBMyjLucRRWtou by aral@mastodon.ar.al
       2022-12-27T10:54:10Z
       
       0 likes, 0 repeats
       
       @boyter It should be opt-in.
       
 (DIR) Post #AR2XtBkjJ2uXd6drqC by boyter@honk.boyter.org
       2022-12-27T11:01:17Z
       
       0 likes, 1 repeats
       
       @aral how? It’s fairly similar to any other instance. I could for example create a mastodon instance and register multiple accounts. That’s not a no btw. I’m genuinely curious how you would propose to do this?
       
 (DIR) Post #AR2XtC8prQC2prv7Pk by aral@mastodon.ar.al
       2022-12-27T11:04:13Z
       
       0 likes, 0 repeats
       
       @boyter You could, yes. But if you set up an account in my name on your instance, I would call you out for impersonating me and using my name/identity without permission. If this is a service people feel is valuable, let them register their accounts for it. That way you know you have their consent and they won’t be surprised to find a @theirName@someSiteTheyNeverHeardOf following them and people being able to message them using that address.
       
 (DIR) Post #AR2XtCaqBIawEj1U48 by boyter@honk.boyter.org
       2022-12-27T11:14:34Z
       
       0 likes, 0 repeats
       
       @aral Once again though, there is no impersonation going on here. There is no ability for this to ever produce content. It only consumes and displays. To back up, I added your account under aral just for lack of a better name. I understand the confusion. I knew you would be tooting around now and wanted to confirm everything would work based on other servers. I suspect had I used another name this would be less of an issue. Are you familiar with mailinator.com by any chance?
       
 (DIR) Post #AR2XtCywjfsRRUIjdg by aral@mastodon.ar.al
       2022-12-27T11:31:49Z
       
       0 likes, 0 repeats
       
       @boyter It just feels like an episode many years ago when a site (that shall remain unnamed because I don’t need to stir that hornet’s nest right now; it was a very unpleasant affair and very unpleasant people) started aggregating RSS feeds & setting up author pages for people. So I’m wary of such things. It’s clear from your posts you have the best of intentions but, honestly, I don’t personally see the value in this and I’d rather not have my posts listed so I’m going to keep my domain block.
       
 (DIR) Post #AR2XtDLHOdk2YkkZRw by boyter@honk.boyter.org
       2022-12-27T11:49:09Z
       
       0 likes, 0 repeats
       
       @aral No bad intentions at all I can assure you. Also no problem if you see no value. It was just something I realised was very easy to implement. If I can do it (and I am a very average developer), someone else can, so perhaps there needs to be more thought about this generally. I don’t think block lists are going to scale. Especially since I made this such I could just point another domain at it, and entirely automate creating new domains which replicate the entire site. By all means keep the block in place though!
       
 (DIR) Post #AR2XtDmZl9ZlvPWMzo by aral@mastodon.ar.al
       2022-12-27T11:52:23Z
       
       0 likes, 0 repeats
       
       @boyter I hear you. And the next person/company to do it won’t be as thoughtful as you. Perhaps we have to start thinking about adding licenses to posts and other potential controls that give people more control over if/when/how their posts are aggregated or syndicated.
       
 (DIR) Post #AR2XtEHltAWtUA7HcW by ArisuGunpla@mastodon.world
       2022-12-27T15:09:45Z
       
       1 likes, 0 repeats
       
       @aral @boyter Are you serious @aral ? You are using social media. On the internet. Nothing you say here is private or even owned by you. As soon as you serve your content to a location outside your server, it's out. You cannot unpost. Are you going to rail against the wayback machine too? What if I retoot your post without your permission? What if I take a screenshot right now and meme you on Reddit??? If you don't want to spread something, don't post it!
       
 (DIR) Post #AR2XtEkUAPUwvDYDNQ by jonpainterphoto@lawfedi.blue
       2022-12-27T16:23:22Z
       
       0 likes, 0 repeats
       
       @ArisuGunpla @aral @boyter Oh, what a person creates or publishes on social media is definitely owned by them, unless the service requires them to surrender their IP rights. An author’s copyright to a work begins at the creation of the work. That’s why instances based in the US need to affirmatively create a DMCA contact to avoid liability for copyright infringement should one of their users violate someone’s copyright.
       
 (DIR) Post #AR2XtFB4ZYlWFfzRom by tiago@social.skewed.de
       2022-12-27T18:18:34Z
       
       0 likes, 0 repeats
       
       @jonpainterphoto @ArisuGunpla @aral @boyter This argument is quite misleading if you omit the important concept of fair use. If it were necessary to get explicit permission to copy social media posts, then no social media platform would be possible. This is true also for the web in general: if someone visits your website, you can't claim copyright infringement if its contents are downloaded. The DMCA provision is there for content that the poster does not have the copyright in the first place — and therefore fair use does not apply. If a site aggregates public social media posts, while preserving attribution, this clearly falls within the fair use scope.
       
 (DIR) Post #AR2ZrXBErrzRPoNdiq by aral@mastodon.ar.al
       2022-12-27T18:40:36Z
       
       0 likes, 0 repeats
       
       @tiago Fair use is an interesting one in this context: so if someone scrapes web sites for content and places them on their own site, then yes, you can very much argue copyright infringement (see for example AP v. Meltwater in the US, which wasn’t even for full content of articles). If they also create accounts using your name and post the content there, you might have other recourse too (although any legal action is complicated by jurisdiction)… @jonpainterphoto @ArisuGunpla @boyter
       
 (DIR) Post #AR2aUoVeN89SSFep6G by tiago@social.skewed.de
       2022-12-27T18:47:49Z
       
       0 likes, 0 repeats
       
       @aral @jonpainterphoto @ArisuGunpla @boyter You just described the wayback machine from the internet archive. In the case of AP v. Meltwater it was important to argue about market value, for example, which does not apply to social media posts. The issue of impersonation is a different matter — it's unrelated to copyright. But if it's just a mirror of your account, I don't see a formal issue. (I'm not saying I like the service, BTW.)
       
 (DIR) Post #AR2aox3UJCl4kb5T6m by jonpainterphoto@lawfedi.blue
       2022-12-27T18:51:26Z
       
       0 likes, 0 repeats
       
       @tiago @ArisuGunpla @aral @boyter You’re confusing licensing with fair use. It is generally necessary to get express permission to license content on a social media site. Instagram does this in their terms of service. Mastodon, being a German non-profit, doesn’t use the word license, but the default privacy policy explains the way content uploaded will be used. I would expect this to create an implied license in the US.
       
 (DIR) Post #AR2bFr0IupJ9nkQTiq by tiago@social.skewed.de
       2022-12-27T18:56:20Z
       
       0 likes, 0 repeats
       
       @jonpainterphoto @ArisuGunpla @aral @boyter No, I'm not confusing it. The license granted to social media companies covers usage that goes *beyond* fair use. They do that to protect themselves, and leave no space for ambiguity. The Mastodon non-profit company has no relevance here whatsoever. Unless you use their own instance (mastodon.social), they have nothing to do with anything.
       
 (DIR) Post #AR2bVRhGm3elwjxQo4 by jonpainterphoto@lawfedi.blue
       2022-12-27T18:54:48Z
       
       0 likes, 0 repeats
       
       @tiago @ArisuGunpla @aral @boyter If I post one of my images to my instance, I’m effectively licensing Mastodon to move that content through the fediverse. That I’ve licensed it doesn’t relinquish my ownership. If someone pulls one of my images off of my website and uploads it to their IG page, and I haven’t put it on IG, that’s where the DMCA takedown comes into play.
       
 (DIR) Post #AR2bVS51Lkeh8P4OpM by tiago@social.skewed.de
       2022-12-27T18:59:08Z
       
       1 likes, 0 repeats
       
       @jonpainterphoto @ArisuGunpla @aral @boyter That's just completely wrong. There's no such thing as “effective licensing”. Either you have an explicit, written license agreement, or you have nothing. What makes mastodon, email, www, etc work is the fair-use doctrine.
       
 (DIR) Post #AR2cMJLeXq5zOx3SDI by zleap@qoto.org
       2022-12-27T19:08:42Z
       
       0 likes, 0 repeats
       
       @aral @aral Thanks for this.
       
 (DIR) Post #AR2dipMCJk3103bsYa by jonpainterphoto@lawfedi.blue
       2022-12-27T19:23:56Z
       
       1 likes, 0 repeats
       
       @tiago @ArisuGunpla @aral @boyter No it’s not. Instagram uses express language that’s going to zip it up in a court case. A mastodon instance creates a default privacy policy that describes the same process in plain language but doesn’t use the word license. A court is going to look at that within the context of the situation and is very likely to determine it creates a license.
       
 (DIR) Post #AR2gDItJH61JC5l3I0 by jonpainterphoto@lawfedi.blue
       2022-12-27T19:26:56Z
       
       0 likes, 0 repeats
       
       @tiago @ArisuGunpla @aral @boyter You can have implied terms in a contract, you can acquire an easement through estoppel. I’d be much more confident generally arguing on the basis of reliance on action than trying to argue boosting a post is for purposes such as “criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research…” unless the subject is news or education.
       
 (DIR) Post #AR2gDJJtgFHsWYCHjM by tiago@social.skewed.de
       2022-12-27T19:51:54Z
       
       0 likes, 0 repeats
       
       @jonpainterphoto @ArisuGunpla @aral @boyter *If* there is a written agreement of some sort, I would agree, but I doubt the text of the privacy policy would suffice for this purpose. Besides, granting rights to a single instance is not the same as granting it to the whole fediverse which is made of many different actors — a major difference from mastodon and Instagram. Example: I have my own instance, which has no license at all — and even if there was one, it's a moot point since I don't need to license to myself. So, what happens when you receive this toot? Or boost it? Can I sue you or your instance for copyright infringement? Of course not. There is definitely no license agreement at all between us — either explicit or implied.
       
 (DIR) Post #AR2gpGDXfDJbuEJw0G by jeder@miau.jeder.pl
       2022-12-27T16:25:05.496Z
       
       0 likes, 0 repeats
       
       @boyter@honk.boyter.org @aral@mastodon.ar.al you do realise it's DoA, right?, you don't have to "join an existing server" in order to get a rss of that account https://mastodon.ar.al/@aral.rss
       
 (DIR) Post #AR2gpGdQ7011CUQbL6 by boyter@honk.boyter.org
       2022-12-27T19:42:33Z
       
       0 likes, 0 repeats
       
       @jeder That’s 100% true, for mastodon instances. However others do not have this. Plus what if I want to follow a group of people in RSS without a login?
       
 (DIR) Post #AR2gpGzklxscJksR9M by jeder@miau.jeder.pl
       2022-12-27T19:45:30.601Z
       
       1 likes, 0 repeats
       
       @boyter@honk.boyter.org misskey has this, pleroma/akkoma also has this. "what if I want to follow a group of people in RSS without a login" you download an rss reader and create a group
       
 (DIR) Post #AR2owoNbqXkJWF8o7M by boyter@honk.boyter.org
       2022-12-27T19:44:35Z
       
       0 likes, 0 repeats
       
       @maryjane I think if you are relying on the name and not the name + domain you are in for issues long term. Ideally run things under your own domain name to really prove ownership.
       
 (DIR) Post #AR2owoisZSlAaD5nGq by maryjane@social.coletivos.org
       2022-12-27T21:29:45Z
       
       0 likes, 0 repeats
       
       @boyter "Ideally run things under your own domain name to really prove ownership." Although the idea of we all having our domains is nice: 1 - not all us do 2 - not all of us have a website 3 - not all users know the correct domain each user with his own domain uses. And we don't have to. Sometimes we can have our infra with our friends. The service in question can be confusing to new users. Are the accounts at least marked as bots?
       
 (DIR) Post #AR2tCNJMeat219pehU by jonpainterphoto@lawfedi.blue
       2022-12-27T22:17:19Z
       
       0 likes, 0 repeats
       
       @tiago @ArisuGunpla @aral @boyter Hypo: Bob in LA writes and records a song, and posts the wav on his solo instance, "Hey, check out my song." I boost it. 6 months later, 10 million people have downloaded the song from my instance. Realizing he's missing out on streaming money because everyone is getting it from me, Bob sues me for copyright infringement. My lawyers are likely to move to dismiss on the basis of 1) express license, 2) implied license, 3) equitable estoppel.
       
 (DIR) Post #AR2tTXuiUGyVp7UVdo by boyter@honk.boyter.org
       2022-12-27T21:59:03Z
       
       0 likes, 0 repeats
       
       @maryjane I guess the point is, what's stopping someone from being @maryjane or some other instance? Are you going to claim that handles are special? They were on twitter and other single sites? When it comes to fediverse it's the combination that provides uniqueness. I don't think anyone is going to be able to claim a name is theirs when someone claims another on another site. You totally can have your own infrastructure. That's the point of it all. If someone does something you don't like within the rules though, then don't federate with them perhaps? Accounts, don't actually do anything. They aren't bots per se, more an existing inbox that anyone can message at. For example @justforexample will get this message, and you can view it here https://mastinator.com/inbox/justforexample/ But you can use any @ to send things to it.
       
 (DIR) Post #AR2tTYpR5OLSf21o36 by maryjane@social.coletivos.org
       2022-12-27T22:20:29Z
       
       0 likes, 0 repeats
       
       @boyter "But you can use any @ to send things to it." Wait, so n00b question: what is stopping me from creating a: @fakehandle on your service, advertise it as if was from a real user, to get people to follow it and then spam it with cr*p or worse?
       
 (DIR) Post #AR2tt1Ppw95AYtC9rs by maryjane@social.coletivos.org
       2022-12-27T22:25:06Z
       
       0 likes, 0 repeats
       
       @boyter Also the point has nothing to do with if names are unique across the fediverse or not. You are not providing an instance for users.
       
 (DIR) Post #AR2uXMZufsC1mO91Ie by tiago@social.skewed.de
       2022-12-27T22:32:23Z
       
       0 likes, 0 repeats
       
       @jonpainterphoto @ArisuGunpla @aral @boyter That's a different scenario than the one I had considered, since not only it involves alleged material losses, but also the text of the post is suggestive. What if Bob in LA had said: “Here's my new song. Under no circumstance you should boost this to your followers. I hereby disallow anyone to share this any further on social media.” You then boost it. What would your lawyers say?
       
 (DIR) Post #AR2vDeo5I7TWTcwMPg by boyter@honk.boyter.org
       2022-12-27T22:27:45Z
       
       0 likes, 0 repeats
       
       @maryjane I am providing every inbox without the need to login? The only difference between what is done here and any other instance is that you need to register on one.
       
 (DIR) Post #AR2vDfCXpB2bhUNtXU by maryjane@social.coletivos.org
       2022-12-27T22:40:02Z
       
       0 likes, 0 repeats
       
       @boyter you are providing aggregation of data, not a full account to interact with other users. There is a difference.
       
 (DIR) Post #AR2vL25F9Bk4hBU16e by jonpainterphoto@lawfedi.blue
       2022-12-27T22:41:20Z
       
       0 likes, 0 repeats
       
       @tiago @ArisuGunpla @aral @boyter “Let’s try to settle.” Argue mistake. Argue license based on the language in the default privacy policy that expressly tells people not to post something they don’t want out in public. Estoppel. If he waits long enough, doctrine of laches. The fair use argument is still weak.
       
 (DIR) Post #AR2wGCrfjgGOdfOjce by jonpainterphoto@lawfedi.blue
       2022-12-27T22:42:32Z
       
       0 likes, 0 repeats
       
       @tiago @ArisuGunpla @aral @boyter Fair use becomes a good argument if I quote sections of his lyrics in my law review article on why music shouldn’t be admissible as evidence in murder trials. Now it’s academic, used for critique, maybe 20%, and it doesn’t hurt his market.
       
 (DIR) Post #AR2wGDLnveMm97Unaa by tiago@social.skewed.de
       2022-12-27T22:51:42Z
       
       0 likes, 0 repeats
       
       @jonpainterphoto @ArisuGunpla @aral @boyter The strategies that you propose seem all circumstantial to me. I understand the strategic principle that if there is a stronger defense mode than claiming fair use it should be used. But I still think that fair use is the last barrier that needs to be crossed in the end. Otherwise there is a *lot* hanging on a few lines of a privacy policy intended for a different purpose.
       
 (DIR) Post #AR2y61JzzvTRqouzOS by boyter@honk.boyter.org
       2022-12-27T22:42:43Z
       
       0 likes, 0 repeats
       
       @maryjane So providing less functionality is your problem here? How is this any different from RSS, except instead of polling many servers it sits and consumes respecting what the 3rd parties are providing?
       
 (DIR) Post #AR2y61jAULbh6sh5cm by maryjane@social.coletivos.org
       2022-12-27T23:12:16Z
       
       0 likes, 1 repeats
       
       @boyter nope, my problem is you calling it a service like any other when it is not ;) "How is this any different from RSS" That was one of my initial points, and you were the one that said it served a different use case not me.
       
 (DIR) Post #AR2zu7jqVviYBaSlaC by NEETzsche@iddqd.social
       2022-12-27T23:32:32.619231Z
       
       0 likes, 0 repeats
       
       @aral Such a weird approach considering you can just reject delete requests
       
 (DIR) Post #AR3Axez0T1NpelRWbo by kevingranade@tech.lgbt
       2022-12-28T01:36:20Z
       
       0 likes, 0 repeats
       
       @tiago @jonpainterphoto @ArisuGunpla @aral @boyter indiscriminately aggregating and republishing content is nowhere close to fair use. That being said, the way this service is described makes it extremely likely to fall under whatever licensing is present to enable federation.
       
 (DIR) Post #AR3Cz6k2wiy5wkGP9E by jonpainterphoto@lawfedi.blue
       2022-12-28T01:59:04Z
       
       0 likes, 0 repeats
       
       @tiago @ArisuGunpla @aral @boyter Quite honestly, the fact that every time I log into my instance through Ubuntu, it tells me the URL for documentation and GitHub probably puts me on notice of at least the basics on joinmastadon.com. Fair use is non-infringement without being granted permission. It’s a carve out for specific purposes - generally academic or social critique, or education. It’s not medium dependent…
       
 (DIR) Post #AR4xTQzJ1gI6TYlAUC by Jessica@fedi.absturztau.be
       2022-12-28T22:14:08.346452Z
       
       0 likes, 0 repeats
       
       @aral @aral @puniko
       
 (DIR) Post #AR4xW6bdGHzM8CxbdI by boyter@honk.boyter.org
       2022-12-27T10:39:58Z
       
       0 likes, 0 repeats
       
       @aral You can also message any address on it directly to confirm this, for example @aral should get this (assuming my client works as expected).
       
 (DIR) Post #AR4xW705nLYRM4P8l6 by aral@mastodon.ar.al
       2022-12-27T10:57:08Z
       
       1 likes, 0 repeats
       
       @boyter Wait, so if someone sends a message to @aral@mastinator.com, it gets forwarded to my account? If so, you can see how people who have been blocked can use this to harass people, right? (Until the mastinator account is also blocked.) Setting up @aral@mastinator.com is definitely a no-no to begin with. That’s my name and my identity and I didn’t give you permission to use it.
       
 (DIR) Post #AR4xoEMx8Y6jQAjkno by Jessica@fedi.absturztau.be
       2022-12-28T22:18:28.966515Z
       
       0 likes, 0 repeats
       
       @aral @mother instance block mastinator, reposting without user's consent, creates accounts in your name without your permission, and leaks follower-only posts to public, and can be a source for harassment. pls mommy
       
 (DIR) Post #AR51KqDiF8GXwWelAO by puniko@mk.absturztau.be
       2022-12-28T22:57:55.814Z
       
       0 likes, 0 repeats
       
       @Jessica@fedi.absturztau.be @aral@mastodon.ar.al @aral@mastinator.com :paimon_good:
       
 (DIR) Post #AR5bgb1P1oK3WgZUHY by jeena@toot.jeena.net
       2022-12-29T05:45:18Z
       
       0 likes, 0 repeats
       
       @aral @boyter I also wonder how it is different to the web archive https://web.archive.org/web/20171101172551/https://mastodon.ar.al/@aral
       
 (DIR) Post #AR5d7VQU2XWDwehLdI by FinchHaven@mastodon.sdf.org
       2022-12-27T14:46:07Z
       
       0 likes, 0 repeats
       
       @boyter @aral "Once again though, there is no impersonation going on here. There is no ability for this to ever produce content. It only consumes and displays" "It only consumes and displays" That is the most duplicitous, disingenuous reply I've seen since I left Twitter. You're scraping content from a Mastodon account and presenting it under the same name, but on your own instance/server. "there is no impersonation going on here" Really? Have you run all this past an attorney? Buckle up
       
 (DIR) Post #AR5d7VrQQN4NIDIrcu by jeena@toot.jeena.net
       2022-12-29T06:01:22Z
       
       0 likes, 0 repeats
       
       @FinchHaven @boyter @aral I'm more and more confused, are you saying that because someone can watch @chrisweredigital via my own PeerTube instance https://tube.jeena.net/w/4c7LuJvofQ853KvfYoxfb5 that I'm impersonating Chris?
       
 (DIR) Post #AR5dYTlCLFYsb5FV3I by SpaceLifeForm@infosec.exchange
       2022-12-27T10:36:16Z
       
       0 likes, 0 repeats
       
       @aral Dropping the fake that you know of. Is the one on d25.community also fake or just someone with the same name?
       
 (DIR) Post #AR5dYUC8j571wdr12u by aral@mastodon.ar.al
       2022-12-27T10:42:16Z
       
       0 likes, 0 repeats
       
       @SpaceLifeForm That was me when I’d set up a Mastodon instance for DiEM25 (which they flat out rejected… one of the reasons I left. https://ar.al/notes/farewell-not-goodbye/) That said, I don’t know if there’s a way to remove old accounts. I was running a bunch of tests six years ago and all those accounts are still findable.
       
 (DIR) Post #AR5dYUbfCBWrDnnOpU by SpaceLifeForm@infosec.exchange
       2022-12-27T10:55:09Z
       
       0 likes, 0 repeats
       
       @aral I been thinking about this in terms of authenticating yourself, and one thing that keeps swirling in my mind is some kind of encrypted base64 encoded pubkey that you can put into your profile that is based upon the instance domain. And some kind of signing on a post. Where one can include a signature, and people can verify it via the pubkey. Also you could then say: I did not write that post. That came from an imposter. Of course the fakers could do the same thing once they know the method. Still thinking on this.
       
 (DIR) Post #AR5dYUyLppg2MAPWC0 by jeena@toot.jeena.net
       2022-12-29T06:06:13Z
       
       0 likes, 0 repeats
       
       @SpaceLifeForm @aral I think that is called GPG signature
       
 (DIR) Post #AR5hCNYN8bQEnCy1a4 by SpaceLifeForm@infosec.exchange
       2022-12-29T06:47:04Z
       
       0 likes, 0 repeats
       
       @jeena @aral Which has a single point of failure (the keyserver) and also a dependency upon email.
       
 (DIR) Post #AR5pVi9dZDMToy7vRA by jeena@toot.jeena.net
       2022-12-29T08:20:13Z
       
       0 likes, 0 repeats
       
       @SpaceLifeForm @aral I mean just from a principal point of view, PGP is solving the problem you're describing. Also there are many key servers and you can revoke your keys and you can put your key on your own website or give it to someone on a USB stick or during a key-signing-party, etc. I'm also not saying it's perfect, but it's something to build on which has to some degree proven it works, even though the UX might be terrible.
       
 (DIR) Post #AR6SJJN1mfbtgyT6bQ by opal@ap.maladaptive.art
       2022-12-29T15:34:54.153764Z
       
       0 likes, 0 repeats
       
       @jonpainterphoto @tiago @ArisuGunpla @aral @boyter i know you study law so im not trying to discredit you, but e.g. from https://cr.yp.to/softwarelaw.html theres a side of the copyright debate that argues fair use that copyright law cannot restrict. that example applies specifically to software but i'd say people may grant rights implicitly to proxy the content (send to other instances) by virtue of the software taking the initiative to disperse those posts to other servers. there's also the question of registered business vs personal-use or amateur-run instances; do those require the same legal language as instagram and other services? other federated services have existed forever—email, nntp, and others which do store user-submitted data at least semi-permanently. how does that content fall? havent read the whole thread so if im bringing up redundant points, sorry
       
 (DIR) Post #AR6StaWLUsNdJ97nrk by opal@ap.maladaptive.art
       2022-12-29T15:41:30.473097Z
       
       0 likes, 0 repeats
       
       @kevingranade @tiago @jonpainterphoto @ArisuGunpla @aral @boyter just to add (not accepting or refuting what you said, cus i genuinely dont know when it comes to things like this) but mastinator *may* fall under safe-harbour as far as dmca is concerned, dont know about AU law where it seems to be hosted, or EU law where a lot of copyright holders may be complaining about this service. mastinator acts as a proxy but https://law.stackexchange.com/questions/4119/legality-of-proxy-sites-and-dmca gives an overview of what actually needs to be done in order to have immunity from copyright claims
       
 (DIR) Post #AR6T7te9BUf0gCb3fk by rigo@mamot.fr
       2022-12-27T20:04:53Z
       
       1 likes, 0 repeats
       
       @ArisuGunpla @aral @boyter so part of the issue here is that the expectations have been badly managed because the service hasn't made crystal clear that it is a mirror. The wording about this needs urgent improvement. And it should only list public messages.
       
 (DIR) Post #AR6T9HhfEAZba0u55s by boyter@honk.boyter.org
       2022-12-27T20:08:43Z
       
       1 likes, 0 repeats
       
       @rigo Totally. If you have some copy that you think would clear it up let me know and I'll add it in.
       
 (DIR) Post #AR6TAEvt0w0THD0lxA by rigo@mamot.fr
       2022-12-27T20:09:37Z
       
       1 likes, 0 repeats
       
       @boyter you don't want to pay my rates 😅
       
 (DIR) Post #AR6TDAaZcX6EfoRK08 by piratepost@poliverso.org
       2022-12-29T10:45:48Z
       
       0 likes, 0 repeats
       
       @ArisuGunpla I have the clear impression that #mastinator constitutes an automated processing of personal data (because yes, such processing also includes personal data) and this operation is not done with the consent of the owners of that personal data, and therefore violates the rules of the GDPR @aral @boyter
       
 (DIR) Post #AR6TDB5lkY3MEZ2Ecq by boyter@honk.boyter.org
       2022-12-29T10:53:26Z
       
       1 likes, 0 repeats
       
       @piratepost sorry but your understanding is totally false. It never reaches out to consume or scrape data from any instance or website. It only operates within the rules of ActivityPub, and indeed the federated network itself. It makes a signed follow request, and if the instance accepts it then data is sent. That data is only ever sent if the poster opts into doing so, which I might add is in their own control, and if their instance allows it, which the instance admin is in control of. Both of those might be the same person in some cases. How do you think people, on other instances get your posts?
       
 (DIR) Post #AR6TOeKvMNdi7SasSW by cloy@techhub.social
       2022-12-27T15:21:41Z
       
       0 likes, 0 repeats
       
       @aral @boyter Isn't there already a profile flag in mastodon for this - "do not index"? It's what we use to only index the posts from people that want to appear in a search engine. (Also I can guarantee you there are many 3 letter agencies that already grab and index all the open content regardless of settings unless private) - opt-in / opt-out by default is up to the instances.
       
 (DIR) Post #AR6TOeiJxOM3I1XYvY by boyter@honk.boyter.org
       2022-12-27T19:35:36Z
       
       0 likes, 0 repeats
       
       @cloy Reminder that there is no indexing going on. It only has the ability to follow people. The difference is that its inbox is public, and anyone can view it.
       
 (DIR) Post #AR6TOf5iYP4OSaUFOa by cloy@techhub.social
       2022-12-27T19:48:09Z
       
       0 likes, 0 repeats
       
       @boyter - well of course there *is* indexing going on, just perhaps not by this particular app :) - anyone who thinks otherwise is super naive. I know of at least three groups scraping mastodon content. For me the question is do we want it publicly known that content is being pulled (and educate people's behavior to that effect) or just to cause enough fuss to brush it under the rug so that the only people to do it are in secret / moral free / bad actors / governments?
       
 (DIR) Post #AR6TOfXMtbBhqLQKUi by opal@ap.maladaptive.art
       2022-12-29T15:47:06.968143Z
       
       0 likes, 0 repeats
       
       @cloy @boyter yeah, so this becomes an issue of "how do we stop web indexing of our profiles", irrespective of mastinator existing. and i'm anti-web, so i definitely support anything that makes activitypub feel more like its own network, and less like spam results on search engines from fifty instances who have the same post lol
       
 (DIR) Post #AR6TOg9IcZWrjzAccK by cloy@techhub.social
       2022-12-27T19:50:33Z
       
       0 likes, 0 repeats
       
       @boyter there's even a flag in the public API to indicate you don't want your content indexed (my point being the devs knew this would be an issue) - not that I would trust a bad actor to respect that.
       
 (DIR) Post #AR6TOhAkoeHqumrIWW by cloy@techhub.social
       2022-12-27T19:51:31Z
       
       1 likes, 0 repeats
       
       @boyter security through obscurity went out the window the moment elon took over birdsite and there was a mass exodus here is my main point. Think the app is fine. People are just expecting a level of privacy that just doesn't exist on the internet. Putting your head in the sand and ignoring that fact is totally counterproductive - you can shout at the tide as much as you like.
       
 (DIR) Post #AR6TW35XjP48ufvZi4 by opal@ap.maladaptive.art
       2022-12-29T15:48:28.726259Z
       
       0 likes, 0 repeats
       
       @cloy @boyter mastinator claims NEVER to save any content outside of a user's browser session, so that in itself isn't indexing (in any reasonable sense for our concern) but i can totally see a script squatting an inbox and uh... following everyone to index them. seems more difficult than just scraping public webpages
       
 (DIR) Post #AR6U32By5KJBgnf58q by boyter@honk.boyter.org
       2022-12-27T20:04:04Z
       
       0 likes, 0 repeats
       
       @cloy Even a good actor might not respect it. From memory that's a Mastodon specific flag.
       
 (DIR) Post #AR6U32g6HIPZCFl96m by opal@ap.maladaptive.art
       2022-12-29T15:54:24.373888Z
       
       0 likes, 0 repeats
       
       @boyter @cloy pleroma and its forks support it~
       wowaname@mahin> curl -sH'Accept: application/ld+json' https://ap.maladaptive.art/users/opal|jq .discoverable
       false
       
 (DIR) Post #AR6U4Otp93IgP8pIA4 by cloy@techhub.social
       2022-12-29T15:53:20Z
       
       1 likes, 0 repeats
       
       @opal @boyter - indexing every instance is SUPER easy - there's a public facing restful API to do it - try: https://ap.maladaptive.art/api/v1/timelines/public?local=true - that returns all the local feed items on your server. It's official, and documented, which means you don't need to scrape.
       
 (DIR) Post #AR6U8ahlC88cB1BKSG by opal@ap.maladaptive.art
       2022-12-29T15:55:26.604580Z
       
       1 likes, 0 repeats
       
       @cloy @boyter yep :> ive been on fedi back when pleroma still supported ostatus, and people were following me via the rss feed, so im well aware of it all
       
 (DIR) Post #AR6UGLi4pTC1zI1sEC by cloy@techhub.social
       2022-12-29T15:55:30Z
       
       0 likes, 1 repeats
       
       @opal @boyter - according to the docs on the API that discoverable field is for users not appearing in searches rather than users not appearing in public feeds. There's a separate flag, "do-not-index" that controls indexing. It's unofficial though.
       
 (DIR) Post #AR6UItZhtINXb5KQ7M by opal@ap.maladaptive.art
       2022-12-29T15:57:18.683318Z
       
       0 likes, 0 repeats
       
       @cloy @boyter oh okay thanks, maybe internally pleroma just uses it to set the "no index" metadata on the user's profile, because to me it seems like it does something similar
       
 (DIR) Post #AR6Um1fqrEO5785pQm by cloy@techhub.social
       2022-12-29T16:00:49Z
       
       1 likes, 0 repeats
       
       @opal @boyter - it took me about a day to write a fulltext fediverse indexer that uses the API to fetch all "federated posts" from a server to find new servers to index, and then all "local" posts on each server to do the indexing. The fact this will / can exist isn't the issue. The bandwidth is negligible, and my home PC can easily keep up by estimating how often to refresh a server... The big question is whether someone should expose it. My thoughts being that one day someone less scrupulous than I will put it public, so am personally in favor of having someone trustworthy and open to conversation and dealing with abuse issues to get traction there first.
       
 (DIR) Post #AR6UuCJNBweoQETXHc by opal@ap.maladaptive.art
       2022-12-29T16:04:01.091495Z
       
       0 likes, 0 repeats
       
       @cloy @boyter by default everything on malart is under a permissive licence, so from that perspective i cant say it will bother us. but then again im speaking as someone who used to have a locked account, i think it was actually detrimental to me overall because i became a lot more xenophobic. was a venty part of my life though so i had to say bullshit somewhere
       
 (DIR) Post #AR6Uubt26V2Jk4Lrpw by cloy@techhub.social
       2022-12-29T16:03:13Z
       
       1 likes, 0 repeats
       
       @opal @boyter - https://github.com/w3c/activitypub/issues/221#issuecomment-300205759 is an interesting thread from the original implementers on the topic.
       
 (DIR) Post #AR6VDsNT10poODm22i by cloy@techhub.social
       2022-12-29T16:06:08Z
       
       1 likes, 0 repeats
       
       @opal @boyter - well there's no licencing needed if it's either "like google" (fair use), or just indexes words to posts - mine literally used the end user's browser to fetch the actual post contents - it just stored a list of words to server+post_id
       
 (DIR) Post #AR6VIDI7CVOAPWL3Y0 by opal@ap.maladaptive.art
       2022-12-29T16:08:23.179892Z
       
       0 likes, 0 repeats
       
       @cloy @boyter ya im just saying, anyone can mirror my posts with attribution idc at this point
       
 (DIR) Post #AR6VgZ7hgIHB4V53xY by cloy@techhub.social
       2022-12-29T16:12:11Z
       
       1 likes, 0 repeats
       
       @opal @boyter - I think this is the crux of the discussion, that level of consent. Most don't realize (or perhaps want to) that public posts are actually... completely public and rely on a social contract to enforce a lack of misuse... which I find very naive. The platform has exploded, I ran an instance for a short while until I figured how expensive that could get, and plenty of russian / chinese IPs hit the API endpoints. Clever ones just use a proxy service (like serpAPI do) so you can't even block the IPs.
       
 (DIR) Post #AR6YNB2DJjn2irxXZA by jonpainterphoto@lawfedi.blue
       2022-12-29T16:41:57Z
       
       0 likes, 1 repeats
       
       @opal Fair use questions in the US require a court to examine: 1) nature of the use, 2) nature of the work, 3) amount used, and 4) effect on the market. No single category is dispositive. E.g. I can quote a portion of a song in my law review article in a review distributed to 100k people. The link you posted is talking about a limit to a company’s ability to restrict use through licensing. SoftCo can’t restrict patching or backup, it can prevent you from making 100k copies and distributing.
       
 (DIR) Post #AR6YOCUlNB3nXenjJQ by opal@ap.maladaptive.art
       2022-12-29T16:43:05.656435Z
       
       0 likes, 0 repeats
       
       @jonpainterphoto good info thanks
       
 (DIR) Post #AR6jUNMsxXkAUsGPCK by clov@travelpandas.fr
       2022-12-29T12:37:29Z
       
       0 likes, 0 repeats
       
       @boyter I assume — because "sucking them into a publicly viewable inbox"  is not a big deal to you —  you never considered the fact that your service actually violates several laws around the world. @aral
       
 (DIR) Post #AR6jUNoXIjrTsdCUIS by clov@travelpandas.fr
       2022-12-29T14:18:32Z
       
       0 likes, 0 repeats
       
       @boyter I've looked at the conversations around, read the criticisms you're getting, both legal and moral, and the positions you're supporting. I won't go back on them.
       Because the thing that bothers me about this whole story is that, although you claim to have good intentions, from beginning to end everything gives the impression that you are forcing the hand of others.
       If you want my advice: just shut it down.
       @aral
       
 (DIR) Post #AR6jUOEPkWYtAtJ9dI by boyter@honk.boyter.org
       2022-12-29T18:47:11Z
       
       1 likes, 0 repeats
       
       @clov Which is fine. I have no problems or issues with your stance. Difference of opinion is a healthy thing.
       However do remember I am also responding, and talking about it. Will someone who actually has bad intentions do the same?
       
 (DIR) Post #AR6jXDueZRKa2ZPrGa by devnull@mamot.fr
       2022-12-29T12:39:50Z
       
       0 likes, 0 repeats
       
       @jonpainterphoto
       > unless the service requires them to surrender their IP rights
       Which is illegal in at least some European countries. You CANNOT force people to do that. Just because US tech companies do so doesn't mean it's legal everywhere… They have a long history of violating the law for profit, or whenever they see for…
       Actually you can't even give up *all* your authorship rights freely, but you can *freely* give just some of them.
       @ArisuGunpla @aral @boyter
       
 (DIR) Post #AR6jXEPUim07aDqUL2 by devnull@mamot.fr
       2022-12-29T12:39:50Z
       
       1 likes, 0 repeats
       
       @jonpainterphoto So neither being a public post OR some shitty abusive ToS from advertising silo, would make your posts "not yours anymore"
       Also, some handles (not only full names) are unique enough to be considered to be PII. Copying and publishing them without consent is not only impersonating people but also a GDPR violation… You cannot process PII without either a legitimate purpose or explicit, unambiguous, purpose-specific, freely-given and time-limited consent.
       @ArisuGunpla @aral @boyter
       
 (DIR) Post #AR7XNrSJgz9Zr0JeYS by clov@travelpandas.fr
       2022-12-29T21:02:01Z
       
       0 likes, 0 repeats
       
       > However do remember I am also responding, and talking about it. Will someone who actually has bad intentions do the same?
       — @boyter
       Every.Freaking.Time.
       
 (DIR) Post #AR7XNsSLyKmExPLCFc by clov@travelpandas.fr
       2022-12-29T23:14:19Z
       
       0 likes, 0 repeats
       
       @boyter if your intentions are really sincere, tell me. When you started developing a service whose goal is to copy ALL the messages of ALL the users of a target network, how did you think the public would react to seeing content that they intentionally limited in scope (a.k.a private messages) being exposed to the public?
       
 (DIR) Post #AR7XNtN4ZS9BnJsUeu by clov@travelpandas.fr
       2022-12-29T23:28:30Z
       
       0 likes, 0 repeats
       
       @boyter How can I believe for one second that your intentions are honourable, when the service you put online does not respect privacy?
       
 (DIR) Post #AR7XNu6RqkRY436jNw by boyter@honk.boyter.org
       2022-12-29T23:39:40Z
       
       0 likes, 0 repeats
       
       @clov I guess you cannot. I have no control over what you believe. You can however choose to judge based on actions. I will list some below.
       I have done active outreach to high profile people discussing this.
       I have responded to every request (I think) I have gotten with what was done and why I did it. Without resorting to personal attacks, aggression or hostility even when that was presented to me.
       I have modified the service in response to shortcomings that were identified.
       I have reached out to find out how to implement better protections.
       I have also made suggestions on problems that exist within the current implementations, along with suggestions on how to resolve them.
       I continue to ask how things could be improved, discussing and assisting where possible.
       I also point out, that were I wanting to be evil I could have done none of the above, ignored everything and started implementing the work around.
       I have also been the first to suggest just blocking it if you have a problem with it.
       None of the above in my opinion are the actions of someone dishonorable.
       
 (DIR) Post #AR7XNuj5X5LrztBac4 by clov@travelpandas.fr
       2022-12-29T23:41:29Z
       
       0 likes, 0 repeats
       
       @boyter please don't deflect my question:
       How do you think people would react to a service that violates their privacy?
       
 (DIR) Post #AR7XNvHpRv8njdRKlM by boyter@honk.boyter.org
       2022-12-29T23:44:13Z
       
       0 likes, 0 repeats
       
       @clov I don't believe that it does. If you allow your posts to be federated, then once they leave your server you no longer have control over them.
       If you want privacy, don't use a federated service, disable the federation or use an allow list of instances to federate with.
       Possibly consider matrix as well which offers much better privacy controls.
       
 (DIR) Post #AR7XNw4kW2GyBMKP0y by clov@travelpandas.fr
       2022-12-29T23:45:26Z
       
       0 likes, 0 repeats
       
       @boyter How do you think people would react to a service that violates their privacy?
       
 (DIR) Post #AR7XNwYsi0NLgoQSyu by boyter@honk.boyter.org
       2022-12-29T23:47:59Z
       
       0 likes, 0 repeats
       
       @clov I don't believe that it does. If you allow your posts to be federated, then once they leave your server you no longer have control over them.
       If you want privacy, don't use a federated service, disable the federation or use an allow list of instances to federate with.
       Possibly consider matrix as well which offers much better privacy controls.
       
 (DIR) Post #AR7XNxiUPlehGtveb2 by clov@travelpandas.fr
       2022-12-29T23:48:41Z
       
       0 likes, 0 repeats
       
       @boyter How do you think people would react to a service that violates their privacy?
       
 (DIR) Post #AR7XNyhSl4QcK0SLdQ by clov@travelpandas.fr
       2022-12-29T23:49:38Z
       
       0 likes, 0 repeats
       
       @boyter you can't answer that simple question, don't you. Do you give a fuck about privacy?
       
 (DIR) Post #AR7XNzdFIEeJDDUUhU by boyter@honk.boyter.org
       2022-12-29T23:51:41Z
       
       0 likes, 0 repeats
       
       @clov I have answered several times. I 100% care about privacy. If you also care about privacy, don't post your content publicly. Especially using a platform that broadcasts it.
       Included below again.
       I don't believe that it does. If you allow your posts to be federated, then once they leave your server you no longer have control over them.
       If you want privacy, don't use a federated service, disable the federation or use an allow list of instances to federate with.
       Possibly consider matrix as well which offers much better privacy controls.
       
 (DIR) Post #AR7XO0cZcDhoHQBTI8 by clov@travelpandas.fr
       2022-12-29T23:53:47Z
       
       0 likes, 0 repeats
       
       @boyter Are you kidding me??
       I'm not talking about public messages, I'm talking about private messages!
       
 (DIR) Post #AR7XO1KB06aGSeaIFs by boyter@honk.boyter.org
       2022-12-29T23:54:51Z
       
       0 likes, 0 repeats
       
       @clov Show me where a private message has been posted publicly and I will 100% ensure it cannot happen ever again.
       
 (DIR) Post #AR7XO2RIr5sXv2vV0C by clov@travelpandas.fr
       2022-12-29T23:56:20Z
       
       0 likes, 0 repeats
       
       @boyter by following accounts, your unmarked drone reveals private messages.
       
 (DIR) Post #AR7XO3Co0TsOIN9R2m by boyter@honk.boyter.org
       2022-12-29T23:57:37Z
       
       0 likes, 0 repeats
       
       @clov Please, pick an account on the service, post a private message, and I will update the code to ensure it never happens again. Should only take me 5 mins to do.
       
 (DIR) Post #AR7XO4PxV3zY3SJSBU by clov@travelpandas.fr
       2022-12-30T00:01:35Z
       
       0 likes, 0 repeats
       
       @boyter I have a better idea: how about you explain to me why your bot sends follow requests to private accounts?
       
 (DIR) Post #AR7XO5SpbrsrIefGIi by boyter@honk.boyter.org
       2022-12-30T00:03:44Z
       
       0 likes, 0 repeats
       
       @clov It does not send follows to any account without explicitly being asked to by someone.
       If it follows someone it's because someone else added them to be followed.
       
 (DIR) Post #AR7XO6EgjwAHh53TtY by clov@travelpandas.fr
       2022-12-30T00:04:51Z
       
       0 likes, 0 repeats
       
       @boyter despite the fact that the account is private?
       
 (DIR) Post #AR7XO6o8c8WNT1dn9M by boyter@honk.boyter.org
       2022-12-30T00:05:40Z
       
       0 likes, 0 repeats
       
       @clov If someone knows the address how can it be private? The service does not know, it only submits the request.
       
 (DIR) Post #AR7XO7RUFpzrR43DU0 by clov@travelpandas.fr
       2022-12-30T00:06:27Z
       
       0 likes, 0 repeats
       
       @boyter you're kidding?
       
 (DIR) Post #AR7XO9AXpndIn68iLw by clov@travelpandas.fr
       2022-12-30T00:09:22Z
       
       0 likes, 0 repeats
       
       @boyter how long had you used any AP service before making your own?
       
 (DIR) Post #AR7XO9zam0SxLQ1Tv6 by boyter@honk.boyter.org
       2022-12-30T00:09:50Z
       
       0 likes, 0 repeats
       
       @clov Several years.
       
 (DIR) Post #AR7XOAqPbciVzEjfFY by clov@travelpandas.fr
       2022-12-30T00:10:30Z
       
       0 likes, 0 repeats
       
       @boyter so you know what a private account is?
       
 (DIR) Post #AR7XOBcciNHWOlIAOe by boyter@honk.boyter.org
       2022-12-30T00:13:50Z
       
       0 likes, 0 repeats
       
       @clov I'll throw this back at you. Show me how to identify a private account, either through webfinger or a request to the user information and I will ensure I don't let those follow requests ever happen.
       
 (DIR) Post #AR7XOCPXmUPgqUBEeG by clov@travelpandas.fr
       2022-12-30T00:17:52Z
       
       0 likes, 0 repeats
       
       @boyter in short: you don't know.
       
 (DIR) Post #AR7XODYnVZPSPTW8i8 by clov@travelpandas.fr
       2022-12-30T00:23:18Z
       
       0 likes, 0 repeats
       
       @boyter how could you claim your service is privacy friendly and also admit you don't know how privacy features work?
       
 (DIR) Post #AR7XOEH6qor4cuFWmO by clov@travelpandas.fr
       2022-12-30T00:31:07Z
       
       0 likes, 0 repeats
       
       @boyter You don't even know what a "follower only" message is…
       https://honk.boyter.org/u/boyter/h/HLLQYyN3bQrd6Cr71N
       Come on.
       
 (DIR) Post #AR7XOEuSUWKYawex72 by clov@travelpandas.fr
       2022-12-30T00:48:01Z
       
       0 likes, 0 repeats
       
       @boyter Another question:
       What happens when someone gives your service my handle (precisely)?
       
 (DIR) Post #AR7XOFxKbKDrq90lEG by boyter@honk.boyter.org
       2022-12-30T00:54:52Z
       
       0 likes, 0 repeats
       
       @clov So if they pick an inbox, and submit it to be followed the following happens.
       1. The handle is checked to ensure it's of a valid form.
       2. If it looks valid it is enqueued to be processed. This can fail if the queue is full, in which case the user is told to try again later.
       3. On a schedule the oldest item on the queue is pulled, and checked to see if the inbox that is requesting it contains anything that might be used to abuse someone. If it fails this test the message is discarded. No notification is sent to the front end for this by design to prevent people knowing that this happened, although the name is logged to ensure it was not a false positive match.
       4. If the previous step passes, a webfinger request is made against the server to obtain the user's details. It then queries again to get their inbox, and lastly posts a follow request to the inbox, by crafting the appropriate json and signing using the private key for the inbox.
       5. The message is discarded. Mastinator as mentioned is ephemeral, it does not record these follow requests.
       The entire process is rate limited fairly heavily to avoid overloading any server.
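
Added example, not part of the thread and not Mastinator's code: the thread asks for two checks, recognising a locked ("private") account before a follow is sent and listing only public messages in a publicly viewable inbox. The sketch below reads both from standard ActivityPub fields (`manuallyApprovesFollowers` and the thread's `discoverable` on the actor, `to`/`cc` addressing on the activity). The function names, the `example.social` data and the choice to treat `discoverable: false` as an opt-out are assumptions of this example.

```python
"""Privacy checks for a public ActivityPub inbox (constructed sample data)."""

# The spec allows the public collection to appear in any of these forms.
AS_PUBLIC = {"https://www.w3.org/ns/activitystreams#Public", "as:Public", "Public"}
# Ordered from least to most restrictive.
LEVELS = ["public", "unlisted", "followers", "direct"]


def ids_of(value):
    """Normalise an addressing field (string, object, list or missing) to a set of ids."""
    if value is None:
        return set()
    items = value if isinstance(value, list) else [value]
    out = set()
    for item in items:
        if isinstance(item, str):
            out.add(item)
        elif isinstance(item, dict) and isinstance(item.get("id"), str):
            out.add(item["id"])
    return out


def classify(thing, followers_url=None):
    """Visibility implied by the to/cc fields of one activity or object."""
    to, cc = ids_of(thing.get("to")), ids_of(thing.get("cc"))
    if to & AS_PUBLIC:
        return "public"
    if cc & AS_PUBLIC:
        return "unlisted"
    if followers_url and followers_url in (to | cc):
        return "followers"
    return "direct"  # anything not provably broader is treated as narrowest


def visibility(activity, followers_url=None):
    """Most restrictive visibility of the activity and its embedded object."""
    levels = [classify(activity, followers_url)]
    obj = activity.get("object")
    if isinstance(obj, dict) and ("to" in obj or "cc" in obj):
        levels.append(classify(obj, followers_url))
    return max(levels, key=LEVELS.index)


def may_display_publicly(activity, followers_url=None):
    """Only activities addressed to the public collection reach a public page."""
    return visibility(activity, followers_url) == "public"


def follow_decision(actor):
    """Pre-follow check on the fetched actor document (policy is an assumption)."""
    if actor.get("manuallyApprovesFollowers") is True:
        return "skip: locked account"
    if actor.get("discoverable") is False:
        return "skip: discoverable is false"
    return "ok"


# --- constructed sample data -------------------------------------------------
PUBLIC = "https://www.w3.org/ns/activitystreams#Public"
BOB = "https://example.social/users/bob"
BOB_FOLLOWERS = BOB + "/followers"

ACTOR_LOCKED = {"id": "https://example.social/users/alice", "type": "Person",
                "manuallyApprovesFollowers": True, "discoverable": True}
ACTOR_HIDDEN = {"id": "https://example.social/users/carol", "type": "Person",
                "manuallyApprovesFollowers": False, "discoverable": False}
ACTOR_OPEN = {"id": BOB, "type": "Person", "followers": BOB_FOLLOWERS,
              "manuallyApprovesFollowers": False, "discoverable": True}

# "to" as a bare string, as in the curl example later in the thread.
PUBLIC_NOTE = {"type": "Create", "actor": BOB, "to": PUBLIC,
               "object": {"type": "Note", "to": PUBLIC, "content": "Hello!"}}
UNLISTED_NOTE = {"type": "Create", "actor": BOB, "to": [BOB_FOLLOWERS], "cc": [PUBLIC],
                 "object": {"type": "Note", "to": [BOB_FOLLOWERS], "cc": [PUBLIC]}}
FOLLOWERS_NOTE = {"type": "Create", "actor": BOB, "to": [BOB_FOLLOWERS], "cc": [],
                  "object": {"type": "Note", "to": [BOB_FOLLOWERS], "cc": []}}
# Wrapper claims public, embedded object is followers-only: the object wins.
MISMATCHED_NOTE = {"type": "Create", "actor": BOB, "to": [PUBLIC],
                   "object": {"type": "Note", "to": [BOB_FOLLOWERS]}}

if __name__ == "__main__":
    for name, actor in [("locked", ACTOR_LOCKED), ("hidden", ACTOR_HIDDEN), ("open", ACTOR_OPEN)]:
        print(name, "->", follow_decision(actor))
    for name, act in [("public", PUBLIC_NOTE), ("unlisted", UNLISTED_NOTE),
                      ("followers", FOLLOWERS_NOTE), ("mismatch", MISMATCHED_NOTE)]:
        print(name, "->", visibility(act, BOB_FOLLOWERS), may_display_publicly(act, BOB_FOLLOWERS))
```

When the followers collection URL is unknown, a followers-only post classifies as `direct`, which still keeps it off the public page.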
       
 (DIR) Post #AR7XOHnpjboVZGaChc by clov@travelpandas.fr
       2022-12-30T01:00:07Z
       
       0 likes, 0 repeats
       
       @boyter did you stop using your follow-bot?
       
 (DIR) Post #AR7XOIyrM6EBDkkWWm by boyter@honk.boyter.org
       2022-12-30T01:01:22Z
       
       0 likes, 0 repeats
       
       @clov There has not, nor has there ever been a follow bot implemented by me for this.
       
 (DIR) Post #AR7XOKTNo6Enqi2Pk8 by clov@travelpandas.fr
       2022-12-30T01:03:25Z
       
       0 likes, 0 repeats
       
       @boyter what about @everyone@mastinator.com ?
       
 (DIR) Post #AR7XOLifAm3RiOC8CO by boyter@honk.boyter.org
       2022-12-30T01:05:03Z
       
       0 likes, 0 repeats
       
       @clov It is a regular account like any other. I added some users to it when I deployed the server to verify everything worked. I suspect some other people may have as well.
       
 (DIR) Post #AR7XOMEvEprJKRHtTs by clov@travelpandas.fr
       2022-12-30T01:06:33Z
       
       0 likes, 0 repeats
       
       @boyter you never used @everyone@mastinator.com to send follow requests to targeted accounts?
       
 (DIR) Post #AR7XOMqqxoCTE52BbU by boyter@honk.boyter.org
       2022-12-30T01:08:25Z
       
       0 likes, 0 repeats
       
       @clov No. I picked a random sample based off accounts I knew posted a lot so it would get activity.
       I had verified my implementation against honk, but not against Mastodon where all of those accounts are.
       
 (DIR) Post #AR7XONZAJ3e5RVlZfk by clov@travelpandas.fr
       2022-12-30T01:12:09Z
       
       0 likes, 0 repeats
       
       @boyter Did you ask your list members if they would consent to having their data automatically collected by an automated service?
       
 (DIR) Post #AR7XOO2aXfBIulX4XA by boyter@honk.boyter.org
       2022-12-30T01:15:51Z
       
       1 likes, 0 repeats
       
       @clov No. If you allow follows, and accept them that is consent. Otherwise why would you allow such a thing inside a federated system where following people is a core part of the system. Especially when the ability to disable / block this sort of thing is in the power of the user.
       Had I noticed anyone requesting if they could follow before doing it I would have implemented something similar.
       
 (DIR) Post #AR7XOOn1l0KPEnG9uy by clov@travelpandas.fr
       2022-12-30T01:17:43Z
       
       0 likes, 0 repeats
       
       @boyter Do you have a way to know if a targeted account is a citizen of a European Union member?
       
 (DIR) Post #AR7XOPNBaZFf2wB2HI by boyter@honk.boyter.org
       2022-12-30T01:23:11Z
       
       0 likes, 0 repeats
       
       @clov Not unless there is something returned from the user endpoint https://mastinator.com/u/test or the webfinger endpoint https://mastinator.com/.well-known/webfinger?resource=acct:test@mastinator.com
       
 (DIR) Post #AR7XOPt5fwlwdt6W0W by clov@travelpandas.fr
       2022-12-30T01:28:30Z
       
       0 likes, 0 repeats
       
       @boyter if a targeted user is a European citizen, did you ask consent to having their data automatically collected by an automated service?
       
 (DIR) Post #AR7XOQX9H0oae7qVRg by boyter@honk.boyter.org
       2022-12-30T01:29:35Z
       
       0 likes, 0 repeats
       
       @clov Yes. By asking for the follow. If they accept that then they are consenting to distribute their data. They even then post it directly.
       
 (DIR) Post #AR7XOR8N2caaVZGESm by clov@travelpandas.fr
       2022-12-30T01:31:50Z
       
       0 likes, 0 repeats
       
       @boyter Why are you talking about "accepting follow request" when you claim not to use any follow-bot?
       
 (DIR) Post #AR7XOReH806s6WBiC0 by boyter@honk.boyter.org
       2022-12-30T01:36:00Z
       
       0 likes, 0 repeats
       
       @clov The only way a follow request can ever occur is if someone goes to an inbox and requests it. Of course the process after this is automated, how else could that work?
       Let me explain it this way. A follow request works in 100% the same way your Mastodon instance works. Both are triggered by a user requesting it, after that it's automated. In the case of mastodon probably through sidekiq jobs.
       
 (DIR) Post #AR7XOSLAYWQAFYFy3E by clov@travelpandas.fr
       2022-12-30T01:41:34Z
       
       0 likes, 0 repeats
       
       @boyter How do you inform European citizens about the purpose of the automatic collection of their data when you ask for their consent?
       
 (DIR) Post #AR7XOT3TtlrmSyzM7U by boyter@honk.boyter.org
       2022-12-30T01:45:05Z
       
       0 likes, 0 repeats
       
       @clov The same way every other instance does, by making an agreed request "I would like to follow you". Consent is them accepting it and then posting towards it.
       Every Mastodon instance notifies you about the follow, and allows you to reject it. You can also turn off automatic accepts and manually approve everything.
       
 (DIR) Post #AR7XOTgpXTLGR1OmS8 by clov@travelpandas.fr
       2022-12-30T01:55:50Z
       
       0 likes, 0 repeats
       
       @boyter Is the server hosting collected data inside the EU?
       
 (DIR) Post #AR7XOUCjcqrY1yKGBM by clov@travelpandas.fr
       2022-12-30T02:05:17Z
       
       0 likes, 0 repeats
       
       @boyter If I ask you to send me all the data you collected about me including details about who transmitted my coordinates to your service, how do you handle my request?
       
 (DIR) Post #AR7XOUnbPmLxsJZheC by boyter@honk.boyter.org
       2022-12-30T02:15:15Z
       
       0 likes, 0 repeats
       
       @clov Needs custom code, although the moment it was deployed anything gathered would be gone. Or possibly gone anyway since it's all ephemeral and everything is removed as new things come in.
       As I have mentioned several times, nothing is ever stored.
       So technically, it's not possible without actually also destroying the data you want.
       
 (DIR) Post #AR7XOVasSZliL8d3S4 by clov@travelpandas.fr
       2022-12-30T02:22:12Z
       
       0 likes, 0 repeats
       
       @boyter OK. I'm asking you.
       
 (DIR) Post #AR7XOVzKzdKnZ04aZs by boyter@honk.boyter.org
       2022-12-30T02:24:32Z
       
       0 likes, 0 repeats
       
       @clov Like I said not actually technically possible.
       If you know the inbox it landed in you could check it yourself. If it's not there, it's already gone.
       What you are in effect asking for is a search across the system, which is a big no no.
       
 (DIR) Post #AR7XOWOVU3T2p3qgoC by clov@travelpandas.fr
       2022-12-30T02:32:15Z
       
       0 likes, 0 repeats
       
       @boyter The maximum legal deadline for responding to this type of request is 1 month.
       
 (DIR) Post #AR7XOWwBSqPEVVbaIi by clov@travelpandas.fr
       2022-12-30T02:32:58Z
       
       0 likes, 0 repeats
       
       @boyter Are you aware that, on most AP services, follow requests are automatically accepted by default and that therefore, legally, this has no value as consent in the context of automated data collection?
       
 (DIR) Post #AR7XOXQJeoVc0xheGe by clov@travelpandas.fr
       2022-12-30T02:57:04Z
       
       0 likes, 0 repeats
       
       @boyter It was a rhetorical question: you have already explained your point of view on the matter and I still maintain that your approach is wrong.
       Next question.
       
 (DIR) Post #AR7XOXxdevADgJIGCu by clov@travelpandas.fr
       2022-12-30T02:59:32Z
       
       0 likes, 0 repeats
       
       @boyter What is the purpose of your service?
       
 (DIR) Post #AR7XOYSToFplDxitHM by boyter@honk.boyter.org
       2022-12-30T03:28:52Z
       
       0 likes, 0 repeats
       
       @clov Mostly to test your own ActivityPub implementations. Since it's fully ephemeral, and accepts anything you can even use CURL to submit things if you like. Will be more useful when I stop responding to people asking about it and add the rest of the types.
       EG
       curl --location --request POST 'https://mastinator.com/u/curly/inbox' \
         --header 'Content-Type: application/json' \
         --data-raw '{
           "@context": "https://www.w3.org/ns/activitystreams",
           "actor": "https://mastinator.com/",
           "id": "NOTETHISMUSTBEUNIQUE",
           "object": {
             "content": "Hello!",
             "conversation": "empty",
             "id": "NOTETHISMUSTBEUNIQUE",
             "published": "2022-12-20T06:03:41Z",
             "summary": "",
             "to": "https://www.w3.org/ns/activitystreams#Public",
             "type": "Note",
             "url": "https://mastinator.com/"
           },
           "published": "2022-12-20T06:03:41Z",
           "to": "https://www.w3.org/ns/activitystreams#Public",
           "type": "Create"
         }'
       
 (DIR) Post #AR7XOYu89Rx4bieyNU by clov@travelpandas.fr
       2022-12-30T03:41:01Z
       
       0 likes, 0 repeats
       
       @boyter What is the goal of your service?
       Who needs a service that reproduces contents that are, if I follow your arguments, already public?
       
 (DIR) Post #AR7XOZKiYbDdwB6Coq by boyter@honk.boyter.org
       2022-12-30T03:51:39Z
       
       0 likes, 0 repeats
       
       @clov Validating your ActivityPub implementation is one reason. Another would be to follow accounts totally anonymously. Third would be to aggregate multiple follows into a single RSS (which is possible in some feed readers but not all).
       
 (DIR) Post #AR7XOZjX4L4JB8i1Uu by clov@travelpandas.fr
       2022-12-30T04:01:34Z
       
       0 likes, 0 repeats
       
       @boyter Why do you need a follow-bot?
       
 (DIR) Post #AR7XOaA7TUKsVb9FwG by boyter@honk.boyter.org
       2022-12-30T04:03:52Z
       
       1 likes, 0 repeats
       
       @clov For the 3rd time it is not a "bot". It's a piece of code that implements the follow functionality that ActivityPub allows. Anyone building on ActivityPub will need to implement this functionality eventually. It is there to validate that this functionality works, both from a follow and following point of view.