Privacy on the fediverse

This page is the online version of a proposal for an February 2024 NLNet NGI Zero Core submission.

Abstract: Can you explain the whole project and its expected outcome(s)

The fediverse is a decentralized, open, social network ecosystem, with tens of thousands of instances (servers) running a wide variety of compatible software. While the fediverse potentially provides a privacy-friendly alternative to surveillance capitalism-based social networks, there has not yet been any organized effort to focus on privacy across the fediverse. As a result, most fediverse users today actually have less privacy than Twitter or Facebook users.

This project pursues two complementary paths to improving privacy on the fediverse

1. Collecting, documenting, and sharing best practices and resources for protecting privacy on the fediverse to individuals and instance admins, and software development teams. There’s a lot of low-hanging fruit, with minimal technical risk, that can have a big impact.
2. Identifying opportunities for breakthrough improvements that capitalize on the fediverse’s inherent advantages, leverage industry-standard practices like Privacy by Design, and build on current strengths.

Have you been involved with projects or organisations relevant to this project before? And if so, can you tell us a bit about your contributions?

Yes, I’ve done detailed analysis of the state of privacy and other aspects of safety in the fediverse for the last year – see articles like “Threat modeling Meta, the fediverse, and privacy” and “Steps towards a Safer Fediverse.” I’ve also focused extensively on privacy over my career, including designing and implementing privacy-friendly social network and news aggregation software, co-chairing the ACM Computers Freedom and Privacy conference in 2010, speaking at the 2022 FTC Public Forum for Commercial Surveillance and Data Security, and running The Nexus of Privacy newsletter. And, I’ve been on the fediverse since 2011, and written extensively about various software platforms and cultural issues.

Requested amount: €15000

Explain what the requested budget will be used for?

All the project funding goes to human labor

Phase 1: Researching and documenting current best practices and available resources: 120 hours at €75/hour = €9000

Phase 2: Identifying breakthrough opportunities, based on findings of Phase 1 and existing non-fediverse tools and academic research: 80 hours at €75/hour = €6000

Compare your own project with existing or historical efforts.

As mentioned above, there has not yet been any organized effort to focus on privacy across the fediverse. The approach taken by this project is based on techniques that other software ecosystems have successfully used to provide incremental improvements to privacy or other cross-cutting functionality (like security or accessibility) that hasn’t been designed in from the beginning.

- start by providing immediate value across the ecosystem with relatively-low investment and minimal technical risk, while identifying gaps that do not currently have straightforward solutions

- prioritize areas for more ambitious projects, balancing factors including value, complexity, and interest level of different actors in the ecosystem

What are significant technical challenges you expect to solve during the project, if any?)

In phase 1, the biggest technical challenge will be finding ways to communicate information simply given the extremely complexities of the ecosystem. The software diversity of the fediverse, while a huge strength, also makes things much more complex; best practices for instance admins are very different depending on what software they’re using, and different people on different instances have very different choices of settings.

One significant challenge in phase 2 is that while some fediverse software platforms (Bonfire, for example) have been designed with privacy in mind … most fediverse software today has not. As a result, some potential breakthroughs may be hard to implement on some platforms without compromising usability. Consent-based social networking is a good example of this; while it’s a very powerful approach to protecting privacy, not currently available on any social networks, it’s not at all obvious what needs to be done to get it to scale to the entire fediverse.

Describe the ecosystem of the project, and how you will engage with relevant actors and promote the outcomes?

Key actors include:

• Software platforms (and potentially apps). During the research and documentation phase, an initial pass through documentation and code will be followed by posting draft recommendations for each platform on the fediverse (from the Nexus of Privacy account and in various Lemmy/KBin communities), as well as interaction with team members on the fediverse and potentially in chat rooms.
• Channels for communicating best practices and recommendations to individual users. In addition to the platforms, key partners here include IFTAS - Federated Trust and Safety (a non-profit), the Fedi.Tips unofficial guide to the fediverse, and fediverse-oriented publications like Fediverse Observer and We Distribute.
• Privacy and digital rights education and advocacy organizations, both to review recommendations and to promote the results. Privacy and digital organizations I have existing connections with many US-based organizations (I’ve worked with and volunteered for EFF for years, for example), as well as a handful of EU-based advocates, and plan to leverage these for broader connections.
• Instance admins who want to provide better privacy for their users.