@thenexusofprivacy@infosec.exchange

thenexusofprivacy

@[email protected]

A newsletter about #privacy, #technology, #policy, #strategy, and #justice.

Currently at https://mastodon.social/@nexusofprivacy, but looking for a new home and so checking out infosec.exchange


thenexusofprivacy, (edited) to privacy

FISA Section 702 Reauthorization: House GOP leadership pulls dueling FISA bills amid backlash!

https://www.cnn.com/2023/12/11/politics/house-gop-leadership-pulls-dueling-fisa-bills/index.html

Instead, a four-month extension is attached to the NDAA -- unless it gets removed. Dozens of civil rights and racial justice groups oppose extending FISA in the NDAA.

If you agree, call your Senators TODAY and with a simple ask: "DO NOT put 702 in the NDAA."

@privacy

thenexusofprivacy,

@drwho Not necessarily. In the short term, the huge split in the Republican party means that the NDAA's already not a slam-dunk, so throwing gasoline on the fire with FISA activism could potentially have an impact. It also adds to pressure on Speaker Johnson, who's under a lot of fire from Republicans for how badly he's handled this mess.

And even if they do the short-term reauth (which I agree is more likely than not), it's still very much an open question as to what happens next -- it could be anything from GSRA or PLEWSA (with significant reforms) to a straightforward longer-term reauth with minimal reforms as a "compromise" to the odious FFRA (which broadens the scope). So pressure now is also a preparation for the next battle.

thenexusofprivacy, to privacy

House Judiciary Committee advances FISA Section 702 bill with warrant requirements, 35-2

Sen. Ron Wyden says "This is great news for anyone who cares about protecting their privacy from government overreach."

So far the only coverage is @tonya_riley's paywalled Bloomberg News article

https://news.bloomberglaw.com/ip-law/house-panel-oks-bill-to-renew-rein-in-electronic-surveillance

The bill is H.R. 6570, the Protect Liberty and End Warrantless Surveillance Act, sponsored by Rep. Andy Biggs (R-AZ). It has a lot of similarities to the bipartisan Government Surveillance Reform Act (where Wyden and Sen. Mike Lee are the Senate sponsors). But there are other bills potentially moving forward as well.... (1/3)

#fisa #surveillance @privacy

thenexusofprivacy, to privacy

College Board shares SAT Scores with Facebook, TikTok, and others

https://gizmodo.com/sat-college-board-tells-facebook-tiktok-your-scores-gpa-1850768077

"Gizmodo observed the College Board’s website sharing data with Facebook and TikTok when a user fills in information about their GPA and SAT scores. When this reporter used the College Board’s search filtering tools to find colleges that might accept a student with a C+ grade-point average and a SAT score of 420 out of 1600, the site let the social media companies know. Whether a student is acing their tests or struggling, Facebook and TikTok get the details.

The College Board shares this data via “pixels,” invisible tracking technology used to facilitate targeted advertising on platforms such as Facebook and TikTok. The data is shared along with unique user IDs to identify the students, along with other information about how you use the College Board’s site. Tok, and a variety of companies."

#privacy @privacy

thenexusofprivacy, to random

Threat modeling Meta, the fediverse, and privacy

https://privacy.thenexus.today/fediverse-threat-modeling-privacy-and-meta/

There's very little privacy on the fediverse today. Mastodon and other fediverse software wasn't designed and implemented with privacy in mind. Even the underlying protocol that powers the fediverse has major limitations. But it doesn't have to be that way!

Meta's new product means that it's critical for the fediverse to start focusing more on privacy. Of course, 's a threat in many other ways as well; that said, the privacy aspects are important too.

For one thing, if Meta does indeed follow through on its plans to work with instance admins and other "partners" who want to monetize their users (and their data), people in the region of the fediverse that's not Meta-friendly will need stronger privacy protections to protect their data. And Meta's far from the only threat to privacy out there; changes that reduce the amount of data Meta can gather without consent will also help with other bad actors.

More positively, there's also a huge opportunity here. Privacy's even worse on Facebook and Instagram than it is in the fediverse. So if the fediverse can provide a more private alternative, that will be hugely appealing to a lot of people.

Any way you look at it, now's a good time for the fediverse to take privacy more seriously.

The bulk of the article focuses on threat modeling, a useful technique for identifying opportunities for improvement. It's a long article, though, so if you don't want to wallow in the details, feel free to skip ahead to the section at the end on the path forward and the specific recommendations.

And if you're already bought in to the idea that the
should focus more on privacy, and just want to know how you can help make it happen, it also suggests specific actions you can take -- and there's a section with some thoughts for

Here's the table of contents:

  • There's very little privacy on the fediverse today. But it doesn't have to be that way!
  • Today's fediverse is prototyping at scale
  • Threat modeling 101
  • They can't scrape it if they can't fetch it
  • Different kinds of mitigations
  • Attack surface reduction and privacy by default
  • Scraping's far from the only attack to consider
  • Win/win "monetization" partnerships, threat or menace?
  • A quick note to instance admins
  • Charting a path forward
  • Recommendations

This is still a draft, so as always feedback is welcome. And thanks to everybody for the feedback on previous drafts!

https://privacy.thenexus.today/fediverse-threat-modeling-privacy-and-meta/

thenexusofprivacy, to fediverse

How to choose the right Mastodon instance

https://privacy.thenexus.today/choosing-a-mastodon-instance/

An excerpt:

...

One of the challenges for newcomers to Mastodon is that you're faced with a major decision when signing up: what server (aka "instance") to choose? Different instances have different focuses: some are geographically focused (sfba.social), identity-based (tech.lgbt), interest-based (mastodon.art), professional (infosec.exchange), a group of friends (friend.camp), or even lipogrammatic (oulipo.social, which doesn't allow the letter 'e' in posts). Others are "general purpose", without a specific focus – like mastodon.social, mastodon.ai, and hachyderm.io. The choice isn't irrevocable – you can migrate your account to another instance and keep the list of who you're following and who's following you – but it's still daunting.

Newcomers are often told that it doesn't matter what instance you're on, or encouraged to join mastodon.social (the "flagship" instance, which is the default for mobile apps and spreadmastodon.com). This is really horrible advice, because what instance you're on has a big effect on your experience – and for most people, mastodon.social is not a good place to start.

...

[This is an updated version of the post I originally did last November. I've tried to double-check that the links all still work, please let me know if I missed any!]

@fediverse @fediverse

thenexusofprivacy,

@daveley Great question. A few reasons:

  • mastodon.social's so big that the Local and Federated timelines aren't very useful.

  • smaller instances (even if they're not special-interest focused) are more likely to have a good community.

  • many other instances have "silenced" mastodon.social (because of its long history of moderation issues -- or just because of the volume), so people on other instances are less likely to connect with you.

All that being said, I wasn't trying to say that mastodon.social was terrible - it's the advice that's horrible. It's just that for most people it's not the best place to start.

@fediverse @fediverse

thenexusofprivacy, to fediverse

Just kidding, it's actually a picture of the 1985 Reagan / Gorbachev "trust but verify" meeting.

Speaking of meeting with , though, a couple of suggestions for whoever's talking with them ...

It would be great if Meta got a consistent message about how toxic their approach of having discussions only under has been. If you all draw a hard line and refuse to have discussions with them until they're ready to disclose their plans more broadly, they can find a way to do that if they want to.

They might say no of course, even after they've gotten the feedback from their potential partners that their approach is toxic to the . If so, that's good calibration.

And I'm sure you know this already but it's worth repeating: just like any other big company, Meta will put their own interests above yours. The people you're working with may well be awesome -- it's their job to get you to like them, and they're probably quite good at it. But they're not the ones who are in charge. If and when it becomes expedient for Meta to discard you or screw you over, that's what they'll do.

And a suggestion to , whether or not you're meeting with Meta:

No matter what your position is on the - now's a very good time to have discussions with your community about the issue. Tensions are high and there are a lot of rumors floating around. Now's a good time for instance admins to discuss with their communities summarizes and links out to several good examples of community discussions -- including the outstanding thread -- you could use as a template or starting point.

@fediverse @fediverse @fediversenews

thenexusofprivacy, (edited) to lgbtq_plus

We're here, we're queer, we're federated: How queer, trans, and non-binary people helped create Mastodon and are shaping today's fediverse

https://privacy.thenexus.today/here-queer-and-federated-on-mastodon-and-the-fediverse/

Happy !

This is a draft version, so feedback is very welcome!

@lgbtq_plus


thenexusofprivacy,

@UngodlyAudrey thanks, glad you liked it!

thenexusofprivacy, to fediverse

Should the Fediverse welcome its new surveillance-capitalism overlords? Opinions differ!

https://privacy.thenexus.today/should-the-fediverse-welcome-surveillance-capitalism/

Contents:

  • Two views of the fediverse
  • The case for "Trust but verify"
  • Wait a second. Why should anybody trust Facebook, Instagram, or Meta?
  • Why the Anti-Meta FediPact is good strategy
  • We're here, we're queer, fuck Facebook
  • A few words about digital colonialism
  • Now's a good time for instance admins to discuss with their communities
  • In chaos there is opportunity!

@fediverse @fediverse

thenexusofprivacy,

"Should the Fediverse welcome its new surveillance-capitalism overlords? Opinions differ!" ⬆️
has links to perspectives from @vantablack @Seirdy @fancysandwiches @alice @viennawriter @oblomov @mcp @fosstodon @darnell @PoliticaConC @tchambers @deadsuperhero @ianbetteridge @dangillmor @smallpatatas @gcrkrause and more ... like I say, opinions differ, but no matter where you are on it, I appreciate the time everybody's put into articulating their positions.

Thanks also @cendawanita @jo @edendestroyer @ophiocephalic @oliphant @admin1 and @damon for the feedback and discussions!

BTW in the last section when I'm discussing Mastodon's moderation issues, one of the things I mention is the lack of an ability to control who can reply to tweets ... so apologies in advance if this generates a bunch of notifications! I left the acknowledgments out of the main post to try to limit the damage, we'll see how well it works.

https://infosec.exchange/@thenexusofprivacy/110594384248698967

thenexusofprivacy,

Thanks @darnell, glad you like the analysis! I also think it's an opportunity as well as a threat, and I agree that right now it looks like most large instances won't block, and most of all I agree that we'll have to wait and see what happens!

@fancysandwiches when Darnell and I discussed this before he pointed to some things they've said that certainly might imply that -- although also might not (which is back to the wait and see). It's certainly true that somebody like Oprah would have an IT department capable of running it and would see the advantages of being able to do that. But we don't really know, all they've said is "decentralized".

thenexusofprivacy,

@sibrosan Or, if an instance that's about to launch has a long history of discrimination, hate, violence, abuse, and contributions to genocide, you can announce your intention to defederate from them even before they launch.

Like I said in the post, opinions differ!

@Kryostar @fediverse @fediverse

thenexusofprivacy,

@sibrosan Like I say, opinions differ.

Why do you think so many trans and queer people -- who are very likely to be directly impacted by transgressions of the rules -- come to a different conclusion and advocate preemptively blocking?

See the "We're here, we're queer" section of https://privacy.thenexus.today/should-the-fediverse-welcome-surveillance-capitalism/#were-here-were-queer for more on that perspective.

@Kryostar @fediverse @fediverse

thenexusofprivacy,

@sibrosan The server rules on your server explicitly prohibit transphobia.

So why do you see enforcing the rules by not federating with another server that's got a long history of transphobia as "bias"?

@Kryostar @fediverse @fediverse

thenexusofprivacy,

@sibrosan Thanks for the explanation!

@Kryostar @fediverse @fediverse

thenexusofprivacy, to fediversenews

Don't tell people "it's easy", and six more things KBin, Lemmy, and the fediverse can learn from Mastodon

https://privacy.thenexus.today/kbin-lemmy-fediverse-learnings-from-mastodon/

Reddit's strategy of antagonizing app writers, moderators, and millions of redditors is good news for reddit alternatives like KBin and Lemmy. And not just them! The fediverse has always grown in waves and we're at the start of one.

Previous waves have led to innovation but also major challenges and limited growth. It's worth looking at what tactics worked well in the past, to use them again or adapt them and build on them. It's also valuable to look at what went wrong or didn't work out as well in the past, to see if there are ways to do better.

Here's the current table of contents:

  • I'm flashing!!!!!
  • But first, some background
  1. Don't tell people "it's easy"
  2. Improve the "getting-started experience"
  3. Keep scalability and sustainability in mind
  4. Prioritize accessibility
  5. Get ready for trolls, hate speech, harassment, spam, porn, and disinformation
  6. Invest in moderation tools
  7. Values matter
  • This is a great opportunity – and it won't be the last great opportunity

https://privacy.thenexus.today/kbin-lemmy-fediverse-learnings-from-mastodon/

Thanks to everybody for the great feedback on the draft version of the post!

@fediversenews @fediverse @fediverse
