Mastodon Security and Privacy
You may have heard of Mastodon, a social network that’s gained over a million active users in the past month alone. In this article, we’ll give you the basics on what Mastodon is and what you need to know about security and privacy on Mastodon.
What is Mastodon?
Mastodon is open-source software used for setting up self-hosted social networks. Mastodon has a number of microblogging features, which is why many people label it a “Twitter alternative.” The rapid influx of Mastodon users is due to the turmoil at Twitter in the wake of that company’s recent change in ownership.
The basic idea behind Mastodon is that anyone can set up a Mastodon server (or “instance”) that they control, define policies and rules for that server, and allow other people to join.
In a sense, then, there isn’t just one Mastodon like there’s one Twitter or one Facebook. There are multiple Mastodons, plural—like little independent social networking communities. However, if you’re a member of a Mastodon instance, you can still interact with users in other Mastodon communities and view their content, which is why people think of Mastodon as a single social network.
Mastodon security and privacy considerations
Is Mastodon secure? Does Mastodon protect its users’ privacy? As with many things in cybersecurity, the answers aren’t black and white.
To begin with, let’s look at how Mastodon works:
- Users access their instance via a web browser or a mobile app. The instance itself is managed and moderated by the server’s admins—not by a central Mastodon administration or content moderation team.
- Mastodon is open-source and crowdfunded. There are no ads.
- The software’s creator has said that Mastodon is designed to be decentralized and to discourage virality.
All of that has implications for user security and privacy—some good, some not so good. Here are a few things to think about:
- A major problem with social networks (we’re looking at you, Facebook) has always been the collection and monetization of user data. Mastodon’s funding model makes this less of a concern. A quick check of the App Store Privacy Label for the Mastodon iOS app reveals the following self-reported developer privacy statement: “The developer does not collect any data from this app.” That’s a good sign!
- However, just because there is no central business collecting user data doesn’t mean that individual server admins can’t engage in some form of data collection. In addition, it’s conceivable that a third party could engineer a way to scrape data from public-facing Mastodon accounts (although the decentralized nature of Mastodon instances should make this harder to do).
- Mastodon encrypts direct messages in transit, but not end to end. Messages are stored on the server in readable form, so communications are potentially visible to server admins. That’s a big privacy concern!
- Mastodon’s decentralized nature makes it a bit of a Wild West in terms of privacy policies. Server admins set their own policies, which means there isn’t a universal privacy standard that users can count on if they decide to join Mastodon.
- Content moderation is also decentralized; what’s acceptable and allowed varies by Mastodon instance. This has the potential to expose users to explicit content or cyberbullying if the Mastodon community they join is lightly (or poorly) moderated. In fairness, however, and especially given Twitter and Facebook’s failures with preventing abuse on their platforms, Mastodon’s distributed moderation/administration model could actually end up being more effective at curbing bad behavior.
- The fact that Mastodon has no central administration or verification tool—and that anyone can set up a Mastodon instance—means that it’s hard to know whether the person behind an account is really who they claim to be. Bad actors could use the platform to perpetrate fraud and phishing attacks.
- As with any public-facing social platform, users who expose details of their lives online open themselves up to threats based on open-source intelligence (OSINT).
Mastodon security and privacy tips
All things considered, Mastodon has some pros and some cons when it comes to security and privacy. If you’re thinking of checking out the platform, here are some tips to keep you safe:
- Take basic steps to secure your Mastodon account just as you would with any other account. Use a strong, unique password and enable two-factor authentication. Mastodon supports app-based 2FA (another good sign!); you can find 2FA settings at Preferences > Account > Two-factor Auth.
- As mentioned above, Mastodon direct messages are potentially visible to server admins. No one should consider Mastodon a secure messaging option. Think of Mastodon DMs as public messages targeted to one person; if you want to message someone securely, go off-platform and use an end-to-end encrypted messaging app.
- The fact that Mastodon doesn’t have centralized content moderation is a concern for parents. To be frank, this isn’t a platform that should be used by kids without supervision (though again, in fairness to Mastodon, you could reasonably say the same thing about most social platforms!). This isn’t to say that Mastodon is completely inappropriate for children—just that some degree of parental oversight is needed.
- Be aware of the threat of social engineering from other users. Don’t assume that a person on Mastodon is who they say they are; take all claims with a big grain of salt. Be especially wary of investment offers, crypto or forex schemes, and other common pretexts for online scams. Never give other users sensitive personal information—and be cautious when visiting websites that they’ve linked to.
- Be mindful of your digital footprint. Remember that in general, it’s best to minimize the amount of online information about your life, work, and friends network. You can control this to some extent on Mastodon by restricting who follows you, how discoverable your account is to strangers, and how much information about your Mastodon network is publicly visible. Do this at Preferences > Profile > Appearance.