2026-04-28 08:23:51 UTC

David Chisnall (*Now with 50% more sarcasm!*) on Nostr:

Federation makes it very easy to accidentally mislead users about the security of a system and I wish people building federated systems would be more careful of this.

For example, here there are ‘follower-only’ posts. The user perception is simple: only your followers can see your posts. But that’s never enforced by the technology for any system that doesn’t use end-to-end authenticated encryption. In a centralised system, you trust that the service provider doesn’t look at these messages. When it’s ad supported and has a two-hundred page privacy policy, that trust is probably misplaced, but there’s only one place to audit.

In a federated system, *any* of your followers’ admins can potentially see these messages. Maybe you vet all of your followers, but do you vet everyone with admin access on their instance?

Confidentiality in federated systems is *really* hard to do right. And message confidentiality is the easy part; keeping the connection graph confidential is even harder (that matters less for the Fediverse, but can get people killed if you get it wrong for messengers) and really needs designing in from the start. There are a few interesting projects that are trying to do this, but don’t assume that it’s a thing that can be retrofitted to a protocol that was not designed with a different threat model.
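The trust set described in the post can be enumerated for a given follower list. The following is an added example, not part of the original post: a simplified model in which every handle, instance name and admin roster is constructed, and in which servers are assumed to route by recipient even when content is end-to-end encrypted.

```python
# Constructed sample data: all handles, instances and admin rosters are hypothetical.
AUTHOR = "alice@home.example"
FOLLOWERS = ["bob@home.example", "carol@big.example",
             "dave@tiny.example", "erin@big.example"]
ADMINS = {
    "home.example": {"admin1@home.example"},
    "big.example": {"root@big.example", "mod@big.example"},
    "tiny.example": {"dave@tiny.example"},  # a follower who runs their own instance
}

def instance_of(handle):
    """Return the instance part of a user@instance handle."""
    return handle.rsplit("@", 1)[1]

def exposure(author, followers, admins, e2e=False):
    """Return (content_readers, graph_observers) for one follower-only post."""
    intended = set(followers) | {author}
    # Every instance hosting the author or a follower stores or relays a copy.
    instances = {instance_of(h) for h in intended}
    operators = set().union(*(admins.get(i, set()) for i in instances))
    # Without end-to-end encryption the servers hold plaintext, so anyone
    # with admin access on an involved instance can read the post.
    content_readers = intended | (set() if e2e else operators)
    # Assumption of this model: delivery is routed by recipient either way,
    # so operators still learn who receives posts from whom.
    graph_observers = operators
    return content_readers, graph_observers

def unintended_readers(author, followers, admins, e2e=False):
    """People who can read the post although the author never chose them."""
    readers, _ = exposure(author, followers, admins, e2e)
    return sorted(readers - set(followers) - {author})

if __name__ == "__main__":
    print("plaintext federation:", unintended_readers(AUTHOR, FOLLOWERS, ADMINS))
    print("end-to-end encrypted:", unintended_readers(AUTHOR, FOLLOWERS, ADMINS, e2e=True))
    _, observers = exposure(AUTHOR, FOLLOWERS, ADMINS, e2e=True)
    print("still see the graph: ", sorted(observers))
```

In this model, encrypting content removes the unintended readers but leaves the set of connection-graph observers unchanged.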