Mastodon's Privacy: Who actually holds your data in Mastodon
Mastodon is a decentralized social media application that has recently been gaining traction after Elon Musk acquired Twitter. Communities have been migrating from Twitter to Mastodon, more than doubling Mastodon's MAUs (monthly active users) since the deal was announced. Mastodon has more than 2.5 million MAUs as of Nov 23, 2022.
One big driver of this migration is Twitter users' concern about data privacy. This is not surprising, given Twitter's history of mistakes when it comes to guarding user data. So we were curious how Mastodon's data collection, usage, and sharing compare with its own privacy terms and with privacy laws worldwide.
Data elements used by Mastodon
The analysis can be found here.
How does Mastodon handle user data?
To better understand how data flows in Mastodon, we first need to understand how Mastodon works. Mastodon uses a federated architecture: each server is run by an individual or organization, there is no central server, and the servers in the network communicate with each other to serve their users.
This matters because, in a federated architecture, anyone can set up a server and start onboarding users, so the owner of the server needs to be a trusted individual or entity. However, analyzing only the data flow between the client application and the server is insufficient to get a complete picture of a user's data. We also need to map the data flows within the application itself.
Such a code analysis was done using the Privado scanner, which helped us trace the data flows of all data elements used in the application. An example of the data flow for email addresses is given below:
So, once we have complete visibility of data flows within and among the multiple applications that make up Mastodon, it ultimately all comes down to one question:
What do Mastodon's server admins know?
To understand how data flows in the Mastodon network, let us assume the following scenario:
You created an account at @primary.server as @email@example.com and published a few posts. Apart from that, you sent a few private messages to your friends, who have created their accounts at @friendly.server as @firstname.lastname@example.org.
All the data generated in this scenario, and the servers that have access to each piece of it, are depicted below:
Note that "Public Server" is any other Mastodon server in the Fediverse. Besides that, servers also store logs that might contain the IP address and the user's approximate location.
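To make the scenario above concrete without the diagram, here is an added worked model (not code from Mastodon or from this article) of which servers end up holding a plaintext copy of each piece of data. The delivery rules in `holders` are a simplification of how Mastodon federates posts over ActivityPub and are assumptions of this example; the account handles, post texts and the extra `public.server` are constructed sample values.

```python
"""Toy model of which Mastodon servers hold a copy of a user's data.

Added illustration, not Mastodon's own code.  The delivery rules below are a
simplified, assumed model of Mastodon federation: there is no end-to-end
encryption, so every server that receives a post can read it.
"""
from dataclasses import dataclass, field

# Visibility levels a Mastodon post can have.
PUBLIC, UNLISTED, PRIVATE, DIRECT = "public", "unlisted", "private", "direct"


@dataclass
class Account:
    handle: str                       # e.g. "@you@primary.server" (constructed)
    server: str                       # home server that stores the account
    followers: set = field(default_factory=set)   # handles of followers


@dataclass
class Post:
    author: Account
    text: str
    visibility: str
    mentions: list = field(default_factory=list)  # Account objects mentioned


def server_of(handle: str) -> str:
    """Extract the server part of a handle such as '@name@server'."""
    return handle.rsplit("@", 1)[1]


def holders(post: Post, public_servers: set) -> set:
    """Return the set of servers that receive a plaintext copy of `post`.

    Assumed (simplified) rules:
      * the author's home server always stores the post;
      * each mentioned account's home server receives it for delivery;
      * public, unlisted and followers-only posts go to every follower's server;
      * public and unlisted posts can additionally be fetched by any other
        server in the Fediverse (boosts, relays, lookups), so they also land on
        `public_servers`.
    """
    servers = {post.author.server}
    servers |= {m.server for m in post.mentions}
    if post.visibility in (PUBLIC, UNLISTED, PRIVATE):
        servers |= {server_of(f) for f in post.author.followers}
    if post.visibility in (PUBLIC, UNLISTED):
        servers |= set(public_servers)
    return servers


def account_data_holders(acct: Account) -> dict:
    """Data that only the home server holds about an account (assumed list)."""
    return {
        "email address": {acct.server},
        "password hash": {acct.server},
        "IP address / approximate location (server logs)": {acct.server},
    }


def scenario() -> dict:
    """Build the scenario from the article and report who holds each post."""
    you = Account("@you@primary.server", "primary.server")
    friend = Account("@friend@friendly.server", "friendly.server")
    you.followers.add(friend.handle)          # the friend follows you
    public_servers = {"public.server"}        # any other Fediverse server
    posts = [
        Post(you, "Hello Fediverse", PUBLIC),
        Post(you, "Followers only", PRIVATE),
        Post(you, "DM: here is my phone number", DIRECT, mentions=[friend]),
    ]
    return {p.text: sorted(holders(p, public_servers)) for p in posts}


if __name__ == "__main__":
    for text, servers in scenario().items():
        print(f"{text!r:35} -> {', '.join(servers)}")
    you = Account("@you@primary.server", "primary.server")
    for item, servers in account_data_holders(you).items():
        print(f"{item:50} -> {', '.join(sorted(servers))}")
```

The point the model makes is the one the article draws: a "private" message is not private from server operators. It is stored in the clear on your home server and on the recipient's home server, which is why trusting the server you register on, and the servers your contacts use, matters more than any per-post setting.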
How to secure your privacy in Mastodon
Once we understand how data flows in the Mastodon network, combined with the fact that Mastodon does not support end-to-end encryption (E2EE) for communication, we recommend the following practices:
- Create an account on a server that you trust. This server has access to all your information on Mastodon.
- Do not share any personal information with users who are registered on servers you do not trust.
- Enable "Require follow requests" in your settings to filter out unwanted follows.
- Mark posts unlisted or private when needed.
- Never share any personal or sensitive information publicly on Mastodon.
Overall, we believe that the Mastodon application uses minimal data, does not share information with any third party, and transparently declares the data usage and risks of using the application. Therefore, we believe that the Mastodon application is safe to use, and as long as you have registered your account on a trusted server, the risk of a privacy breach is minimal.
We are currently auditing the structure of Mastodon's codebase and analyzing the privacy practices of the application, including, but not limited to, the following factors:
- Personal data leakages via logs in the application and server
- Default data storage and encryption practices of Mastodon, along with variations among various servers
- Compliance with standard security practices.