Mastinator Blameless Postmortem

TL;DR

Background

What is a blameless postmortem?

Things go wrong. Ideally, they get fixed. A postmortem is a writeup to document what went wrong, how it got fixed, and--most importantly--how similar issues will be fixed in the future. But the keyword here is blameless. Blame, and the resulting defensiveness and anger, make it less likely that the people who are blamed will participate in the solution. And this can be crippling, as the people who are ‘responsible’ for the problem are often the ones most able to help with the solution.

Postmortems usually focus on technical processes, but I actually don’t have a lot of insight on the technologies involved here. If you’re interested in those, I recommend talking to @boyter@honk.boyter.org, or checking out their blog. Instead, this postmortem will focus on the social side of things.

Also, in the spirit of the blameless postmortem, please don’t go out and harass any of the people mentioned here, including me. It would be trivial, but very against the spirit of blameless postmortems, mastodon, and trying to make the world a better place.

What is mastodon and the fediverse?

In case you’re not finding this post from mastodon, mastodon is a federated twitter-like service. It is composed of ‘instances’ which are independently run servers, while a shared ActivityPub protocol allows mastodon, and other fediverse services, to communicate with each other.

Mastodon’s community is very privacy- and consent-oriented. Among its features are several post visibility options, which are:

What is mastinator?

As designed, mastinator was meant to be an automated method for validating ActivityPub implementations in the spirit of mailinator. It had potential side-uses, such as creating ActivityPub “mailing lists” to get all the posts from a set of accounts. Unlike gup.pe, it would not require people to explicitly post to the group. The usage flow for mastinator was as follows:

  1. Navigate to the mastinator home page
  2. Input an account name. This creates an account at @accountName@mastinator.com and navigates you to mastinator.com/inbox/accountName. This URL was publicly accessible.
  3. Request follows from a fediverse account
  4. If that follow request was accepted (either automatically or by request depending on the followed user’s account settings), the followed user's posts would appear on mastinator.com/inbox/accountName.

Mastinator was created by @boyter@honk.boyter.org, hereon referred to as boyter.

Who am I?

If mastinator.com’s apology is still up, you’ll see that it references an ‘individual’. So, uh, I guess that’s me. How did I end up in this situation? Mostly happenstance, but there are a few relevant facts:

What happened?

The Issue

Accounts followed by a mastinator account would have their followers-only and unlisted posts made publicly available at mastinator.com/inbox/mastinatorAccount. Users who accept follow requests usually expect their followers-only posts to be made available to a single individual, and do not expect those posts to be republished in a publicly accessible webpage.

This issue was exacerbated by the following:

In honesty, this was a fairly easy mistake to make. One of the weird things going on here is that mastinator was not using the preferred mastodon API, which makes these visibility controls easily accessible. From boyter’s POV, everything in the response was being respected. But it would be just as easy to build with the actual mastodon API and neglect to check the visibility status.
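To make the “everything in the response was being respected” point concrete: ActivityPub has no explicit visibility property, so a consumer that looks for one finds nothing and treats every post alike. Mastodon encodes visibility entirely in the `to`/`cc` addressing of the Note, and the check below derives it from those fields and refuses to republish anything that is not public. This is an added example, not mastinator’s code; the followers URL and Note ids are constructed sample values.

```python
# Added example: derive Mastodon-style visibility from an ActivityPub Note's
# addressing fields, and gate republishing on it. Rules follow how Mastodon
# interprets an incoming Create activity: Public in `to` => public, Public in
# `cc` => unlisted, author's followers collection in `to` => followers-only
# (Mastodon calls it "private"), otherwise direct.

PUBLIC = "https://www.w3.org/ns/activitystreams#Public"
# The ActivityPub spec allows two shorthands for the public collection.
PUBLIC_ALIASES = {PUBLIC, "as:Public", "Public"}


def _as_list(value):
    """`to`/`cc` may be absent, a single string, or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def visibility(note, followers_url):
    """Map a Note's audience to public / unlisted / private / direct.

    `followers_url` comes from the author's actor document, not from the
    Note itself: the Note is remote-controlled data and must not be trusted
    to name its own followers collection.
    """
    to = set(_as_list(note.get("to")))
    cc = set(_as_list(note.get("cc")))
    if to & PUBLIC_ALIASES:
        return "public"
    if cc & PUBLIC_ALIASES:
        return "unlisted"
    if followers_url in to:
        return "private"
    return "direct"


def may_republish(note, followers_url):
    """A follower-driven aggregator should expose only public posts."""
    return visibility(note, followers_url) == "public"


# Constructed sample: four Notes from a hypothetical account whose actor
# document advertises FOLLOWERS as its followers collection.
FOLLOWERS = "https://example.social/users/alice/followers"
SAMPLE_NOTES = [
    {"id": "https://example.social/users/alice/statuses/1",
     "to": [PUBLIC], "cc": [FOLLOWERS]},                      # public
    {"id": "https://example.social/users/alice/statuses/2",
     "to": [FOLLOWERS], "cc": [PUBLIC]},                      # unlisted
    {"id": "https://example.social/users/alice/statuses/3",
     "to": [FOLLOWERS], "cc": []},                            # followers-only
    {"id": "https://example.social/users/alice/statuses/4",
     "to": ["https://example.social/users/bob"]},             # direct
]

if __name__ == "__main__":
    for note in SAMPLE_NOTES:
        decision = "republish" if may_republish(note, FOLLOWERS) else "withhold"
        print(note["id"], visibility(note, FOLLOWERS), decision)
```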

The issue was mitigated by:

The Response

#fediblock

As a moderator of a very small instance, I wasn’t keeping up super closely with the discourse. My understanding is that mastinator made the rounds on #fediblock, the main way mastodon admins share information about bad actors. This covers both technical bad actors (spammers, DoSing) and social ones (harassment, bigotry, and being jerks). I believe I got involved fairly late--most instances had already limited or suspended mastinator for their users.

Me

Reaching out

On a lark, I decided to reach out to boyter about this issue. From some confusion on #fediblock, the nature of the issue seemed relatively nuanced but also pretty easy to fix. This is the message I sent:

Hey, boyter, found your project via a follow request. 
FYI, you have a privacy issue which will probably 
get mastinator pretty widely banned until it's
addressed: Because mastinator accounts 'follow' users, 
their 'followers-only' posts will be made publicly 
available via the mastinator site. While it's
technically kosher, hiding those private posts is 
more in line with users' expectations of what 'followers 
only' means.

Another thing that would go a long way is if the profiles 
of these accounts would say more about what mastinator 
is and its intended usage. The text now is very
vague and makes it seem like something unscrupulous 
is going on.

A couple of things are going on in this message (which make it seem way more intentional than it actually was):

  1. Technically mastinator caught my attention via fediblock, but I was also followed by everyone@mastinator.com a few days ago. I wanted to communicate I was coming here on neutral ground, so, yes, I told a small lie of omission.
  2. I framed the problem as mastinator’s problem: it was getting banned. I don’t think this was necessarily a good approach, but later in this conversation this technique turned out to be useful.
  3. I tried to anticipate some of the common rebuttals, i.e. ‘technically kosher’. This helps highlight the actual issue, which is whether or not it's in line with people’s privacy expectations.
  4. I gave mastinator the benefit of the doubt. In this case, it was deserved. boyter’s intentions were not to actively cause harm, and we could skip past any sort of defensiveness to solving the problem.

I won’t post boyter’s responses directly out of respect for their privacy (which I will maintain even though they've waived it), but here’s the summary:

  1. boyter was fine with mastinator being blocked since it didn’t interfere with its functionality as a dev tool
  2. If I provided some copy, they would update the accounts’ profiles immediately
  3. They wanted to respect privacy, but the visibility values were not available in the response.

I won’t lie, internally I was irked by some aspects of this response. Why build something you think should be blocked? Copy isn’t hard to write, why not write it yourself? We also had some back and forth about the fact that the visibility values being absent from the response did not mean the posts were all public. My followers can attest to this via some angry subtooting, but that’s what followers-only is about. Externally, and to boyter, I remained friendly.

How to write a privacy disclosure

Here’s the copy I provided to boyter:

Mastinator is an automated service that is intended 
to be used for <xyz>.  Accounts followed by mastinator 
will have their public, unlisted, and followers
only posts made visible at <url>

In retrospect, writing privacy disclosure copy isn’t intuitive and it’s not reasonable to expect people to know what to put in it. But the gist of it is that you explain in clear terms:

  1. What the service is and why it’s useful
  2. What data will be collected
  3. How that data will be used
  4. Where to go to learn more

And then also, ideally

  1. How that data will be stored
  2. How long it will be retained
  3. How to opt out and/or delete your data

This disclosure is key to anything that might erode people’s sense of privacy. It allows them to make an informed decision about what will happen to their data and the risks they’re taking on, and gives them clear actions whether or not they decide to participate. The previous statement was thrown together in the moment, so taking some more time:

Mastinator is an automated service that is intended 
to be used for <xyz>.  Accounts followed by mastinator 
will have their public, unlisted, and followers-only 
posts made visible at <url>. These posts will be visible
publicly for <amount of time> after posting.

If you would like to opt out either:

1. Do not accept this follow request and/or 
2. Block <accountName>@mastinator.com if you have already 
accepted this request

I did try to verify that this copy was now in the profile pages of the mastinator account, but I personally never saw it. My assumption here is because mastinator shut down before the change could percolate.

How to convince someone to turn down their service

After this I explained mastodon’s visibility controls and how mastinator was subverting them. We had some back and forth looking through some json, and I admit I was a little frustrated that I was doing this work for them (though I didn’t mind too much, since I was curious to learn more about mastodon under the hood anyways). Eventually it became clear that mastinator was not using the official mastodon API, and there was no easy fix. We also had some debate about the public/private distinction. After a bit, I kind of gave up on making progress and posted this to exit the conversation:

-sigh- Okay, so, I don't know that this is getting 
across very well, but to close off this conversation, 
right now there is an inadvertent disclosure caused
by publicly publishing followers-only and unlisted posts. 

It seems like the best way to fix it is to use the 
actual mastodon API, which should give you easy access 
to the visibility settings. 

I honestly think that the group-timeline viewing feature 
here could be pretty cool, so I encourage you to try to 
fix it.

Also, if you're interested in building tools for mastodon, 
I'd recommend hanging out here first and getting a feel 
for how it works and how people use mastodon, including 
things like privacy controls.

boyter responded with their thoughts on privacy, and the inadequacy of visibility controls as mastodon grows. And to be honest, they’re right. But I’ll let my past self respond here:

I think what you're failing to see here is that there 
are people using this /now/. And this tool is hurting 
them /now/. And frankly, mastinator as it is currently 
implemented is a bad actor.  There will be bad actors,
there will be more of them, and they will be more 
duplicitous. And yes, the current state of
things isn't good enough, as evidenced by all the people 
in mastinator/inbox/everyone whose private posts are 
showing up without their consent. There's a reason 
why 90%* of them...

are non-english, for example. 

I have my own thoughts about the right way to handle 
this problem, and they actually stem from discussions 
currently on going about how to protect our marginalized 
users from harassment. We don't need to cause /more/ 
problems to feel the need to fix them.

But I digress. Again, I do think mastinator could be 
a cool way to make and find groups of people, but until 
the visibility issue is fixed, it's a net negative
on the system and it's burning good will for the project,
and you.

If you really want to help improve the fediverse against 
the kind of attacks you're envisioning, honestly the 
best thing is to shut it down, talk about why you did 
and how the problem's going to get worse, and then stand 
it up with the issues fixed.

And then, to my eternal surprise, boyter did exactly that.

I never went into this conversation aiming to get mastinator shut down. I just thought I might give an objective explanation of the privacy issue and hope for the best. Honestly, what you’re seeing here is my composure slipping, but the rapport we had from earlier in the conversation--trying to debug, linking to docs, benefit of the doubt--meant that that slip of composure let them see into my perspective of things.

But honestly, most of the work here was done by me seeing into their perspective. Validating their fears about how bad actors might run wild on the fediverse. Seeing the good in their project. And it became clear that they want to make the fediverse a better place, so I explained to them how mastinator was hurting the fediverse, and also them, by ruining their reputation and preventing them from contributing in the future.

Should I have needed to do all that to get a harmful thing shut down? Maybe yes, maybe no. In a perfect world, we could all take a look at the harm and benefit of any tool and come to an agreement. But in the world that we live in, it probably will take this much work. Quantifying benefits is hard. Quantifying costs is hard. Deciding on the right balance is hard. Convincing people that you are engaging with this process. Working people into the right state of mind to engage with this process. All of it’s hard, and only some of it’s necessary, but all of it is worth doing.

Lessons Learned

Usually this section gets broken down into

And I’ve got to admit, boyter’s right. For the fediverse, there’s a lot in the third bucket.

What went well

Honestly, more than anything else, it’s kind of amazing that this conversation between me and boyter happened, and it couldn’t have happened without the fediverse. I think it’s a combination of both the technical side, so I could message them at all, and the broader culture of the fediverse, which aspires to take social media slowly, and in which a DM doesn’t need to be an attack.

What went poorly

People are being left behind by #fediblock

Word of mastinator percolated quickly on #fediblock. This actually went well.

But, as of the time that boyter and I were discussing things, there were still a lot of posts on mastinator.com/inbox/everyone, and each one of those posts represented at least one, and up to an instance’s worth of, people who were unknowingly leaking their private posts to the world at large. And honestly, it made me kind of queasy to look at the sheer quantity of them while my several alts and I were safe.

If you read through the conversation earlier, you’ll also see that a lot of them were non-English. Not 90% like my past self said in the heat of the moment, but I’d say between 20-50%. And of those, a lot of them were East Asian, where fewer people speak English as a second language. I don’t know the actual language demographics of the fediverse but I wouldn’t be surprised if it was skewed by the fact that #fediblock is largely English. This provides a definitive example of how #fediblock struggles to overcome barriers like language.

Without a doubt, there are others. And we don’t have good visibility on what they are.

How to be a good citizen developer on mastodon

There may already be a guide for this, but if there isn’t, we should make one. From this incident, three things definitely need to be on it.

  1. Use the mastodon API. It’s a semantic description of how mastodon should be used and makes it easy to be a good citizen
  2. Be a user first, a developer second. It came up in my conversation with boyter that they weren’t actually a mastodon user; they came from a different fediverse service. Without being a user first, it’s easy to miss things that are core to the experience like visibility controls. This expands to softer things, like learning the values of the people affected by tools, and making sure those tools don’t harm the people here or the culture they’ve built, which is unique on the internet and hard fought.
  3. Lead with a privacy disclosure and minimize your privacy footprint. The mastodon community has spoken, it values its privacy. Collect only what you need. Don’t store it for longer than you have to. Give people tools preferably to opt in, but absolutely make sure they can opt out.

Where we got lucky

We got lucky mastinator wasn't intentionally a bad actor.

As mastodon grows, if we want mastodon to be available for everyone, there will be bad actors. Right now, we are skating by on security through obscurity--nothing here is really high value enough to be spammed or scammed or gamed. But if you dream about your friends and family choosing mastodon, pixelfed, and so on over their centralized counterparts, it’s a reality we’ll have to confront.

Mastinator was an unintentional lapse--imagine how much easier it would be for a deliberate actor.

We got lucky that boyter was willing to turn mastinator down.

I wasn’t privy to boyter’s interactions with the community at large, but judging by the post on mastinator.com, it probably wasn't all sunshine and roses. Now I don't think that the hostility was unwarranted. Nor would I say that any defensiveness was justified. But the truth of the matter is that defensiveness makes people unlikely to cooperate.

Is it fair to expect that people who decide to build these tools not incur harsh words from the people who are hurt by them? Is it fair to expect people who are harmed by these tools not to express their anger? No. But again, the world we live in is one where these actions decrease the likelihood of these issues getting fixed. What the solution is, I can't say.

Beyond #fediblock

The purpose of the ‘what went poorly’ and ‘where we got lucky’ sections is to look closely at these issues and see how we might build--both socially and technically--to prevent them in the future. I won’t claim to have a solution for all these issues, but while you’re here, allow me to get up on my soapbox.

There was another discourse going on, before it all got swamped by quote-toot debates. People of color on mastodon are subject to more harassment than their non-POC counterparts. Their concerns were dismissed because the majority were unaffected by this harassment. People complaining about harassment often were met with responses like “well then find an instance with better moderators”, “that’s just what it’s like”, and so on.

Mastinator affected the majority.

And not only that, it showed which people were slipping through the cracks of our current bad-actor response, and there were a lot of them.

The proposal that I liked the most (and that I'm desperately looking for the original post for) was a referral system. In order to federate, you must be referred by another instance in good standing. For example, if a new instance X is spinning up, they might request that existing instances A, B, and C vouch for them in order to reach all of the instances that A, B, and C are federated with in the broader fediverse. If X then turns out to be a bad actor, in order to protect the whole fediverse, only three instances need to take action, as opposed to all of them. And if, say, instance C refuses to play ball, the handful of instances referring C can defederate C instead.

Yes, this no longer gives every instance the right to talk to every instance by default. But instances that believe strongly in access everywhere can opt out and use the current federation model. Instances can also choose their own risk-tolerance: how many jumps away are you willing to have contact with? Maybe just two or three, maybe you set it to one jump and use it as an allowlist. Maybe you set it to infinity and take in the whole network.

This method also matches how most ‘legitimate’ instances on the fediverse come into being. A real human hangs out on an existing instance for some time, and then by chance or madness, decides to embark upon the journey of running their own instance. Their existing instance can then vouch for this new one if that user was a member of good standing.
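The referral model above can be stated as a small graph problem: each instance keeps a list of who it vouches for, and federates with whatever lies within its chosen number of referral hops. The example below is added here to walk through the A/B/C/X scenario from the text, including C refusing to revoke; it is not anything the fediverse implements today, and the instance names are constructed.

```python
from collections import deque
from typing import Dict, Optional, Set

# Added example: vouching graph for the referral federation model. An edge
# voucher -> vouchee means the voucher vouches for the vouchee. Each instance
# chooses how many referral hops it trusts; this is its own risk tolerance.

Graph = Dict[str, Set[str]]


def vouch(graph: Graph, voucher: str, vouchee: str) -> None:
    graph.setdefault(voucher, set()).add(vouchee)
    graph.setdefault(vouchee, set())


def revoke(graph: Graph, voucher: str, vouchee: str) -> None:
    """Voucher withdraws its referral; vouchee may still be reachable via others."""
    graph.get(voucher, set()).discard(vouchee)


def federation_set(graph: Graph, me: str, max_hops: Optional[int]) -> Set[str]:
    """Instances `me` federates with: everything within `max_hops` referral
    steps. max_hops=1 is an allowlist (only instances I vouch for directly);
    None means unlimited, i.e. open federation within the referral component."""
    seen: Set[str] = {me}
    queue = deque([(me, 0)])
    result: Set[str] = set()
    while queue:
        node, depth = queue.popleft()
        if max_hops is not None and depth >= max_hops:
            continue
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                result.add(nxt)
                queue.append((nxt, depth + 1))
    return result


def build_sample() -> Graph:
    """Constructed scenario: M vouches for A, B, C; A, B and C vouch for newcomer X."""
    g: Graph = {}
    for peer in ("a.example", "b.example", "c.example"):
        vouch(g, "m.example", peer)
        vouch(g, peer, "x.example")
    return g


def scenario() -> Dict[str, Set[str]]:
    """Replay the text's scenario from M's point of view with a 2-hop tolerance."""
    g = build_sample()
    steps = {"initial": federation_set(g, "m.example", 2),
             "allowlist": federation_set(g, "m.example", 1)}
    # X turns out to be a bad actor: only its three referrers need to act.
    revoke(g, "a.example", "x.example")
    revoke(g, "b.example", "x.example")
    steps["c_refuses"] = federation_set(g, "m.example", 2)  # X still reachable via C
    # C refuses to play ball, so C's own referrer cuts C instead.
    revoke(g, "m.example", "c.example")
    steps["c_cut"] = federation_set(g, "m.example", 2)
    return steps


if __name__ == "__main__":
    for name, peers in scenario().items():
        print(f"{name}: {sorted(peers)}")
```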

But the real call to action here is listen to our marginalized users. They are (unfortunately) the smoke-test for whether the fediverse is capable of protecting people from the most determined bad actors. Ignoring the complaints of these people is just setting up the whole of the fediverse for failure in the long term.

There is a question here of whether it was the right thing to turn down mastinator. Seeing those posts on inbox/everyone makes me believe that it was, but is this just kicking the can down the road? I don’t really believe that keeping mastinator up would have spurred people to act faster in building the kind of tools necessary to protect everyone, not just the majority, from bad actors, but unless something changes, that is the direction we’re heading.

Update

Mastinator is back up, but is no longer following users:

POST Follow: Implemented. Not enabled to avoid abuse. 
Current plan is to have it done by one single account, 
which never retains any content, is labeled a bot
with its purpose clearly stated and rate limited per 
domain. And issue an unfollow if an accept is returned. 
With the existing blocks in place should reduce the 
potential for abuse.

I have not personally tested to see if the followers-only posts are publicly available, but it seems this is not as necessary.

longform privacy mastodon tech