A Mastodon server that focuses on left-leaning political activists recently had an unencrypted copy of its database confiscated by the FBI.
The recent news that a copy of Kolektiva.social’s database was confiscated by the FBI as the result of a raid at the home of one of the organization’s administrators should serve as a cautionary tale for activists taking advantage of Mastodon’s federated nature to form online communities. Specifically, you should do some research into the security in place at an activist-focused server, as well as the server’s privacy policies.
Actually, the same advice would hold even if you were joining a server for, say, people who like knitting, but if you’re a political activist it’s even more important because law enforcement loves to keep tabs on folks whose politics fall outside the mainstream.
I’m not alone in my thinking. In an article published yesterday on Electronic Frontier Foundation’s website, the organization’s executive director, Cindy Cohn, and its associate director of community organizing, Rory Mir, called the incident, “a wakeup call to fediverse users and hosts to protect their users.”
“Protecting user privacy is a vital priority for the fediverse,” they wrote. “Many fediverse instances, such as Kolektiva, are focused on serving marginalized communities who are disproportionately targeted by law enforcement. Many were built to serve as a safe haven for those who too often find themselves tracked and watched by the police. Yet this raid put the thousands of users this instance served into a terrible situation.”
According to EFF, it doesn’t matter that the FBI wasn’t looking to gather information on Kolektiva’s users. Although the raid was connected to an investigation into a local protest having nothing to do with Kolektiva, and the admin’s computer was taken as part of that investigation, all of the information taken from the machine can be used by law enforcement, whether or not it pertains to the investigation that led to it falling into the FBI’s hands.
“Most users are unaware that, in general, once the government lawfully collects information, under various legal doctrines they can and do use it for investigating and prosecuting crimes that have nothing to do with the original purpose of the seizure,” Cohn and Mir explained. “The truth is, once the government has the information, they often use it and the law supports this all too often. Defendants in those prosecutions could challenge the use of this data outside the scope of the original warrant, but that’s often cold comfort.”
In this case, the fact that the database was on the computer at the raided home at all was a coincidence of timing. When the raid took place in mid-May, the admin happened to be doing maintenance work on an unencrypted copy of the database (which is encrypted on the server).
In a post, Kolektiva’s administrators said the confiscated database contained:
- “User account information like the e-mail address associated with your account, your followers and follows, etc.
- “All your posts: public, unlisted, followers-only, and direct (“DMs”).
- “Possibly IP addresses associated with your account – IP addresses on Kolektiva.social are logged for 3 days and then deleted, so IP addresses from any logins in the 3 days prior to the database backup date would be included. [The database was from the first week in May]
- “A hashed (“encrypted”) version of your password.”
About Kolektiva Social
Unlike social platforms such as Facebook or Twitter, where all users sign onto the same monolithic architecture owned by a single corporation, federated platforms such as Mastodon are a collection of independently owned and operated servers (also called “instances”), which are tied together to form the fediverse. This means that users are actually members of the server where they opened their account, although they can interact with users on other servers seamlessly.
Some servers are huge and host a community of millions of users. Most are much smaller, with thousands or hundreds of users, and some servers host only a single user (perhaps with a few family members along for the ride). Each server has its own rules about what content is considered acceptable, and each has its own system for content moderation.
Kolektiva got started sometime after August 2020, which is when Facebook purged some anarchist news organizations and left-wing activists as part of a larger ongoing ban that had been targeting far-right extremists and QAnon conspiracy theorists. This prompted a group of self-proclaimed anarchists to join the Mastodon fediverse with their own social media server.
According to the folks who run the server, “Kolektiva is an anti-colonial anarchist collective that offers federated social media to anarchist collectives and individuals in the fediverse.”
Since the server went online and connected to the fediverse, it’s become something of a haven for left-leaning political activists of all stripes. For example, after Instagram suddenly disabled the account of the Pacific NorthWest Youth Liberation Front last October, the network of youth collectives opened an account on Kolektiva and encouraged people to find them there or on their website.
According to stats found on the instance’s server, Kolektiva currently has 36,463 users, with 8,100 of them being currently active.
Privacy and Security
Although Kolektiva administrators handled the recent incident with the FBI badly (to give just one example, the data confiscation happened in May, but members of the instance weren’t notified until July 1), the membership seems to fully understand the extreme need for privacy protection on a site whose members publicly proclaim themselves “anarchists,” which automatically draws the unwanted attention of law enforcement.
“Folks saw a need for a social media platform that was not rife with censorship, shadow banning, and data tracking,” Franklin Lopez, an “anarchist filmmaker” and Kolektiva member, told the website Mic in November 2020. “This would be a platform that belongs to us, that is ad free, where we don’t track users’ habits or keep any of their data except for what they publish themselves.”
In yesterday’s article, the EFF seemed to recognize that security and privacy issues like the one that Kolektiva is dealing with are to be expected at this stage of the fediverse’s evolution due to the learning curves involved. They recommend that users investigate a server before they sign up for an account, to determine the degree to which that server has privacy and security precautions in place.
“Once you’ve joined, you can take advantage of the smaller scale of community on the platform, and raise these issues directly with admin and other users on your instance,” they added.
EFF’s advice for developers?
“While it would not have protected all of the data seized by the FBI in this case, end-to-end encryption of direct messages is something that has been regrettably absent from Mastodon for years, and would at least have protected the most private content likely to have been on the Kolektiva server,” they said. “There have been some proposals to enable this functionality, and developers should prioritize finding a solution.”