As people have started experimenting with Mastodon in the wake of the news that Elon Musk would be buying Twitter, some on the Fediverse have begun discussing how and whether Mastodon instance admins can “read your DMs.”
Without getting into all the reasons that “direct messages” on Mastodon differ from direct messages on Twitter (or indeed most other social platforms), suffice it to say that the content of any one-to-one messages you send on either Twitter or Mastodon is not end-to-end encrypted. This means that at any point during their storage and transmission, they could theoretically be read by anybody with access to the database on which they’re stored.
(I’m no security/cryptography expert, so forgive me if these details are broad and perhaps not entirely accurate; I think the point I’m about to make is not dependent on all the nuances here.)
Setting aside for a moment why one might think a Mastodon admin would be interested in one’s personal messages, given that it is technically possible, is this something one should worry or care about?
In answer to that question, I’ve been seeing a lot of cynical quips along the lines of “Oh, I guess people have never heard of Google/Facebook/Amazon/[insert advertising-based boogeyman here].” The point they are making is: Why are you worried about a Mastodon admin reading your private messages but evidently not worried about Google reading your emails and searches and browsing history every single day?
This is a facile and disingenuous argument. There is Privacy and there is “Privacy,” and there is a question of epistemology here. When Google starts serving me ads for, say, sneakers, this is because, in a strictly colloquial sense, Google “knows” that I’ve been looking into fitness equipment lately. But no single employee at Google knows anything about my browsing and search history, and there are elaborate safety mechanisms in place to ensure (or try to ensure) that that remains the case.
If Google employee #4,309 for some reason had it in for me and me specifically, there is almost certainly nothing they could do to gain access to any of my emails sent through Gmail.
I say “almost certainly” because, as someone was quick to remind me, this is something that has happened at Facebook:
“In one instance described in the report, a Facebook engineer was on vacation with a woman in Europe when the two got into a fight and the woman wanted time alone. Using Facebook data, the engineer reportedly tracked her down at her new hotel and confronted her.”
So yes, this can and indeed has happened. No data that isn’t end-to-end encrypted is really safe anywhere.
But the original point, drawing an equivalence between “Mastodon admin reading your DMs” and “Alexa ‘listening’ to what you say”, is absurd. In one case, another, specific person knows things about you that you consider private. In the other case, a non-sentient algorithm has become more finely tuned to advertise effectively to you.
Are both of these things bad? Of course. Is a Mastodon admin or a Facebook employee likely to care about you at all? Probably not. But it is perfectly consistent to consider one to be a privacy violation of an entirely different order than the other.
A coworker once said to me, “You should never keep anything more private than your grandmother’s chocolate chip cookie recipe in the cloud.” But if any data I consider private is going to be out there, I’d feel far safer with it on Facebook’s servers than on mastohost’s or a Raspberry Pi in someone’s living room.