Eight tips about consent for fediverse developers
An opportunity? A minefield? Both!
Join the conversation in the fediverse at infosec.exchange or lemmy.blahaj.zone!
"It’s funny, many of the “what you need to know about Mastodon” or “how to learn about the fediverse” pieces are focused on the technology and the implementation, when the hardest thing for people to understand about this context, if they’re used to traditional social media & tech, is that here we have an expectation of _consent_."
– Anil Dash, November 2022
"Design for and ask for informed enthusiastic consent.
Then we won't have to keep having these little chats."
– Esther Payne, Consent and the Fediverse Part Deux: The Opt-out two shuffle, February 2024
Many people in the fediverse (including me!) see consent as important. Of course, the fediverse isn't the only place where people think this. Consent is also an important concept for reducing sexual violence and abuse, where activists talk about moving from rape culture to consent culture. It's also a norm for experiments involving human subjects, and a key component of privacy laws such as Europe's GDPR and Washington state's My Health My Data.
While definitions of consent vary, there are a few key elements that are common. Here's how GDPR defines it – I bolded the key elements:
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
However, privacy laws typically don't require consent for most uses of public data. So there's a difference in opinion in the fediverse on whether it's important to get consent to use somebody's public posts for a purpose they didn't originally intend it for: adding them to a search engine, using them as part of algorithmic recommendation systems, "bridging" them to another social networks, using it to train artificial intelligence systems, and so on. Some think this is just fine, or that it's enough to assume consent and give people the ability to "opt out" and withdraw consent. Others think that these uses should require informed, affirmative, "opt in" consent.
As the last section of this article discusses, the good news is that this means there's a huge opportunity for fediverse developers here. Opt-in is overwhelmingly popular, and there aren't many opt-in alternatives today in the world of social networking. From a strategy perspective, focusing on opt-in can be a powerful way to add unique value to an underserved audience.
Less positively, though, that's not how everybody approaches it. So there's a long history of developers writing or proposing fediverse search engines, scrapers, bridges and other services that use people's public posts without opt-in consent ... and suddenly being in the middle of a firestorm of criticism and feedback. It's an unpleasant experience all around, including for the developers. Here's how it worked out for fedsearch.io
"Due to extreme backlash from the Mastodon community we decided to end the project."
Ryan Barrett similarly describes the response to Bridgy Fed's initial plans for an opt-out model as "the backlash I've received" (while also saying it was "probably warranted to some degree"). Jan Lehnardt's Adventures in Mastoland is a detailed retrospective on another episode where "Names were called." And sometimes it goes spectacularly badly ... one guy bragged that he was using an unstoppable method to scrape public data, didn't realize he was violating local laws, and got shut down by his ISP and kicked off his instance.
Bridgy Fed wound up shifting to an opt-in approach after the backlash – a relatively good outcome, although as Barrett says "it obviously would have been better to figure out beforehand." More often, though, the developers just withdraw the project. Sometimes, it's a bad enough experience that they decide the fediverse isn't for them.
So if you're a developer working on a fediverse app or service and want to get it right – or just don't want to be the center of the next firestorm – here are a few suggestions.
- Consent matters, even for public posts
- Get broad feedback before launching – and listen to it
- Honor existing opt-in and opt-out mechanisms
- Include an additional opt-in mechanism for your service if it's not just a search engine or profile discovery (or something very close to them)
- Make sure to communicate that you're taking an opt-in approach and honoring existing mechanisms
- DON'T say the things that developers who ignore consent typically say
- Be extra careful if you're a cis guy
- Look at opt-in as an opportunity for a potential competitive advantage
Consent matters, even for public posts
"Every time I am in public anyone can photograph (or video) me, but it doesn't make it any less sleazy if someone is following me, taking candids of me in a compromised position, and posting them elsewhere. I probably can't sue the photographer, but I also didn't consent, and most reasonable people would agree that I have every right to be mad. Only a dickhead would say 'well just don't go out in public'."
– somebody who gave me permission to quote them and asked to stay anonymous
It's true that privacy laws typically say that consent isn't required for most uses of most publicly avaiblable data (although there are exceptions). But most of the time, people aren't making a legal argument; they're saying you should get consent even though you're not required to. Posting publicly is specific consent for everybody to see the post, but not necessarily for other uses. As Laurens Hof of Fediverse Report highlights, on the fediverse
"we have clear documented examples that people explicitly say that 'no, my posts being public is not consent'."
Sure, bad actors will use public posts for whatever purpose they want without getting consent – people should take into account that posting publicly means that bad actors can use their data however they want. But this isn't a justification for you to use data without consent. As privacy scholars Daniel Solove and Woodrow Harzog, say in The Great Scrape: The Clash Between Scraping and Privacy
"Privacy law regularly protects publicly available data, and privacy principles are implicated even when personal data is accessible to others."
Get broad feedback before launching – and listen to it
Like I said, opinions differ, and some of the most prominent voices in the fediverse think that opt-in consent isn't needed in these situations. So if you just listen to them, you might get lulled into a false sense of security and think that the approach you're taking is just fine – even if many others don't think it is.
And it's not enough to get feedback; you also have to listen to it. Lehnardt, for example, notes that "I did get some early feedback that folks would consider this a crawler," but went ahead anyhow. In fact, when I look at the heated discussions around the contentious non-consensual examples, there's very often feedback very early on from people saying "this should be opt-in", sometimes even with specific suggestions how ... but the developers ignore it. Don't be like that!
Bridgy Fed's experience, as intense as the backslash was, is still a far more positive example. Barrett got feedback before launching and is incorporating it. Mastodon similarly listened to the loud feedback on their initial opt-out beta release of search, and the final release was opt-in. More of this, please!
Honor existing opt-in and opt-out mechanisms
Over the years, several existing mechanisms for specificying opt-in and opt-out have developed. Unfortunately there isn't any good documentation for these, but here are the key ones that I know about:
- the indexable attribute (used by Mastodon, Pixelfed, Piefed, and other platforms) described in FEP 5feb says whether public posts should be listed in search results.
- the Mastodon discoverable flag on a profile that says whether that account wants their profiles and posts to be featured in discovery algorithms, suggested, or recommended
- hashtags on account profiles like #noindex, #nosearch, #nobot, and #nobridge are often used to signal opting out.
I might well have missed some here, which is another good reason to get broad feedback!
Include an additional opt-in mechanism for your service if it's not just a search engine or profile discovery (or something very close to them)
If your app or service matches existing opt-in mechanisms, honoring them is probably good enough. But if you're doing something more – like bridging to another network – you're likely to get pushback if you don't include a separate opt-in mechanism. A few options for how to do that:
- tootfinder.ch (the original fediverse opt-in search engine) and the Fediverse People Directory ask people to add text to their profile, and then submit their profile address via a web form.
- fedi.directory asks people to DM or mention to the curator. Trunk provides a handy form to help with constructing the DM.
- Bridgy Fed is planning on sending a DM to people when they're first followed from Bluesky, giving them the option to reply to opt-in.
- Anil Dash suggests having an account that people can follow to opt-in
- Various apps require people to log in with their fediverse account to use them, and this mechanism could be used for opt in as well (although I haven't seen anybody do it that way yet)
Remember that as well as providing a way for people to opt in, you also have to give them a way to opt back out if they change their mind.
There may well be other options that work better for your case ... yet another reason to get broad feedback!
Make sure to communicate that you're taking an opt-in approach and honoring existing mechanisms
There's been such a history of developers releasing non-consensual implementations that people may well jump to the conclusion that you're yet another example – even if you're not. It's not your fault that others have repeatedly poisoned the well, but the sad reality is that they have. As Lenhardt says in Adventures in Mastoland
"There is a difference between what a thing is vs. what people perceive that thing to be. For success, it is important for whoever makes the thing to respect both of these positions."
So it's not enough to do things the right way. You also need to make sure to communicate that you're doing things the right way. As part of the feedback stage, start by telling people that you're trying to take an opt-in approach, and ask if there's anything more you should be doing. If you can find people who are outspoken about opt-in consent to vouch for you, that'll be a effective way to dampen any pushback.
Once you launch, make sure your landing page – or onboarding phase of your app – emphasizes that it's consensual. Include, or link to, a detailed description of the existing signals you're honoring, and any additional mechanisms you're implementing.
DON'T say the things that developers who ignore consent typically say
"In so many discussions about fediverse and activitypub we end up retreading the same point where some dude condescendly tells you that if your posts are public, then it’s “technically” possible for anyone to see and grab it
and I just desperately want the basic concept of consent to be understood without needing to explain it over and over again"
– Bri Seven, March 2024
The upside of so many developers having poisoned the well is that they've helped create a good roadmap of things to say that really irritate people who want opt-in consent in these situations.
Some of these things are true but stuff people already know. Others may be your opinion, but people pushing for opt-in consent typically disagree. In either case, you won't change anybody's opinion by saying these things. Instead, you'll just give the impression that you don't care about consent; and you'll very likely come across as condescending as well – and potentially sexist and anti-trans.
That's likely to increase the pushback. If that's your goal, great, go for it! If not, though, it's best to avoid stuff like this.
- "I don't need consent because it's public"
- "Posting publicly gives implied consent to use the data"
- "It's easy for bad actors to use the data without consent"
- "This is how ActivityPub works"
- "You don't understand how ActivityPub works"
- "You shouldn't post publicly if you don't want your data used this way"
- "Your position is inconsistent because ..."
Some are perfectly fine things to say in other contexts, especially if you're trying to warn them not to share anything on the fediverse they want to keep confidential. As Hrefna points out, ActivityPub does indeed "makes assumptions that are fundamentally opposed to the kinds of protections that people seem to be seeking." But in a discussion about whether or not to get consent, even the ones that are true the miss the point – just because ActivityPub leaves open possibilities for you to do something without getting consent, that's not the only option.
And don't jump to the conclusion that people don't understand. As Esther Payne says in Consent and the Fediverse Part Deux: The Opt-out two shuffle:
"Many people do understand how the Fediverse and ActivityPub (the protocol) work. That isn't why folks are angry and threatened."
Similarly, maybe people are being inconsistent, maybe they aren't. If the are, so what? People are often inconsistent in their views on privacy. But the situation I hear this in the most is the incorrect claim that people who haven't completely locked down their account are being inconsistent by objecting to a specific use of their public post. That's nonsense. So if you're wrong, and their position really is consistent, this isn't just useless for convincing people – it'll make you look like you don't know what you're talking about.
Be extra careful if you're a cis guy
Almost all of the developers who have released or proposed non-consensual implementations have been cis guys. And in many of the discussions, it's been primarily trans, queer, and non-binary people and women who have been pushing back against non-consensual implementations – while some of the loudest voices defending the non-consensual implementations have been cis guys. Again, this isn't your fault, but it's something you have to deal with. So even if you're doing everything right, being a cis guy makes it more likely that people may well assume the worst.
And many cis guys often only primarily interact with other cis guys – or worse, only pay attention to feedback from other cis guys. If you've made it this far in this post, you're hopefully not like that, but in any case it's yet another reason to make sure you're getting broad feedback – and listening to it.
Also if you're a guy saying something like "you don't understand how this works" to a woman who actually does understand how it works, it's sexist. Ditto if you're a cis person saying something like that to a trans person who actually does understand. And if you're a cis peson or guy telling trans people and/or women not to post publicly unless they're okay with you and others using their data without consent ... well, let's just say this is the kind of situations where words like "predator" sometimes get used and people mention analogies to the attitudes towards consent in rape culture.
More positively, though, especially if you're a cis guy whose relatively privileged – white, abled, good tech skills, not destitute – it's a great opportunity to experience with how marginalized people often experience the world: assuming your actions reflect bad intent, making sure to avoid saying things that will get taken badly. So view it as a learning opportunity!
Look at opt-in as an opportunity for a potential competitive advantage
"The reality is that most tech companies haven’t devoted any effort at all to making opt-in easy."
– me, in Consent, Automated Systems, and Discrimination, November 2022
Discussions about consent are certainly a distinctive feature of the fediverse. One way to look at consent is as a nuisance that makes developers' lives more difficult. After all, developers building apps on Bluesky and Nostr and other networks where everything is public and there aren't any pesky expectations of consent don't have to deal with these considerations. And many apps and services are more useful the more content they have; it's easier to get more content if you just use it without consent.
Then again, a different way of looking at consent is as a feature that that creates an opportunities. Opt-in is enormously popular, as the extremely positive response to Apple’s App Tracking Transparency (and the poll showing over 70% support for Washington state's opt-in My Health My Data bill) show. Big tech and advertising companies' business models are based on using people's data without consent, so they focus making opt-out as annoying and difficult as possible and trying to introduce "consent fatigue." Many people don't want that.
And opt-in systems can lead to better results. For example, as Anil Dash says in How you could build a search that the fediverse would welcome
"A search system that requires people to opt-in to also makes it far easier to identify whether an account that tries to follow the search bot is a real person or not, significantly reducing the impact of common spamming and manipulation techniques."
Of course, today's opt-in mechanisms are far from ideal. Having to edit your profile and sending a DM is kind of klunky; Bridgy Fed's approach sending a DM doesn't work for people who ignore DMs from accounts they don't follow. So there's certainly a lot of room for improvement here, first for individual apps and services and then hopefully at the software platform level.
Still, there's clearly an opportunity here – for the fediverse as a whole as well as for individual developers. It's not the only opportunity out there; if you're the kind of developer who doesn't want to go that route, Bluesky and AT Proto or Nostr might well be a better option for you. But if you decide this is an interesting direction, hopefully this article will get you started in the right direction!