In just a short few months since Elon Musk’s $44 billion acquisition of Twitter, the social media network has undergone dramatic changes. It started with a dramatic wave of layoffs, including all-important content moderation teams along with software engineers. Then came the $8 Twitter Blue subscription tier, which paved the way for a chaotic sequence of events around verification. And that’s just the beginning.
In short, Musk’s purchase has changed everything. For many people, and in particular, the Twitter information security (InfoSec) community, it has all proved to be beyond the pale. Some of the biggest names from InfoSec Twitter, with followers in the hundreds of thousands, have upped and left the platform. Others from that, and other communities, have stayed, watching relatively quietly from the sidelines and hoping for the best.
There are a variety of alternatives to Twitter. Some have left to devote more of their time to Tumblr or Instagram, and some to Counter.Social, but the biggest beneficiary has been Mastodon. Founded in 2016, the non-profit, federated, minority-friendly network of communities has seen an influx of users. The InfoSec community, for example, saw a surge from under 1,000 to more than 30,000 within a month.
What is Mastodon and how does it work?
Mastodon might seem similar to Twitter. Users, for example, can still post short messages, but with a limit of 500 characters rather than Twitter’s 280, and you can still follow people with no obligation for them to reciprocate. But Mastodon structurally works in a fundamentally different way.
It’s similar in a way to email, a collection of separate instances (servers) that form a federated network. This is done using the ActivityPub social networking protocol. This provides a server-to-server federation protocol layer to allow decentralized websites to share data, and a client-to-server protocol enabling users to communicate with others.
Mastodon is part of the “Fediverse”, which is a whole collection of different services, including social networking, photo and video sharing, microblogging, and more. The platform was also established with minority groups and compassionate debate in mind, so you’ll find lots of posts sitting behind content warnings. These exist to protect users from seeing content that could cause offense or recall any trauma (such as something medical), with users choosing for themselves if they want to read such posts.
Mastodon’s federated nature means social norms and content moderation vary between instances. It’s up to the admin to decide the terms of the debate. While such freedoms can attract unpleasant people, it has positives, too, with admins deciding which instances it shares with and doesn’t. Entire instances can be blocked, for example, while individual users can also block instances. Both admins and users can also block individual users. It will soon become apparent if your local community is the one for you, and if it isn’t, then you can migrate to another. You can even join multiple instances from the get-go.
How secure is Mastodon?
Security depends on a number of factors including how secure the servers hosting each instance are, how often they’re patched, and whether any vulnerabilities exist. You can be sure hackers and cyber criminals alike will look closely at specific instances, and Mastodon more broadly. There are no large security teams as you’d find at Twitter, and so you’re placing trust in your own abilities if you run an instance, or the admin if not. Certainly do your own due diligence before joining any instance. Check for security and privacy policies, and ask the admin about anything that concerns you.
As for security matters in individual users’ hands, apart from ensuring that you choose a secure password, enable two-factor authentication (2FA) by accessing Preferences, then ‘Account settings’, then ‘Two-factor Auth’.
User verification is also a security matter, as there’s no official blue checkmark scheme on Mastodon. Impersonation is as much of a problem on the platform as it’s becoming on Twitter. Admins will spot many impersonators and can boot them out of instances. But you can safeguard your own identity by self-verifying. It’s not perfect but does establish some trust. The profile metadata verification feature links HTML on your website to the URL in your profile and vice-versa. Once this link is established, the web entry appears in green with a checkmark. An imposter could yet establish a website with a URL that’s similar-looking to yours, and a link to get a verification key. Mastodon isn’t perfect, but neither is Twitter, and it makes it harder for somebody to scam your brand this way.
You can also deploy a secondary verification process by using third-party services, such as one called PressCheck, established by the Financial Times (FT) technology reporter Dave Lee. This system allows journalists to create a profile with the necessary embedded code to get a green verification status on Mastodon. There may well be other third-party services for other professions.
How private is Mastodon?
Privacy on Mastodon is often discussed but misunderstood. Plenty of well-meaning articles and posts suggest there’s no privacy, and that people should stick with Twitter. Much of this discourse, however, centers around direct messaging and the fact the admin can read direct messages, as can the admin of the instance of the recipient, if different. But Twitter admins can read your direct messages too, and admins at your email provider can read your emails.
Neither Twitter nor Mastodon DMs are end-to-end encrypted, currently. Both are said to be working on introducing this at some point in the future, without any timescale. Mastodon makes it perfectly clear by showing a warning that states posts aren’t encrypted and that you shouldn’t share any sensitive information using the service.
Leaked today, exploited for life
How social media biometric patterns affect your future
If you want to share sensitive, confidential, truly private messages, then use a service specifically designed to provide that, such as Signal. Mastodon isn’t such an app, but it does provide some post privacy options when creating a new post.
A public post has visibility across the federated timeline, whereas unlisted ones remain visible to all but are opted out of discovery features of Mastodon, which rely mostly on instances users on your instance also follow. Followers-only is self-explanatory. Mentioned people only is Mastodon equivalent of direct messaging.
There’s one privacy point worth flagging, though, namely that any user you mention in such a message using their @username will also see the message. This is a feature, not a bug.
More broadly, choose your instances wisely. Check they have privacy policies and you’re aligned with them. “Treat the Fediverse and any Mastodon instance as a place to share information, connect, and collaborate in the same way you'd do those things in person in a town square or public coffee shop,” Melissa Bischoping, a director and endpoint security research specialist at Tanium, says. “In short, don’t use Mastodon to send sensitive, personal, or private information you wouldn’t be comfortable posting publicly anyway.”
Don’t delete your Twitter account
Although the temptation, if leaving Twitter for good, is to delete your account, you really shouldn’t. The process involves deactivating the account, which, if not used for 30 days, then deletes your presence forever. Once the account is deleted, your username is released back into the pool for anyone to snap up. Your name, reputation, brand, and so on, could be taken by someone who then pretends to be you or your organization for whatever purpose. This could be criminal, fraudulent, or for fun, but in each case, your reputation could suffer.
Twitter says impersonation isn’t allowed, nor is criminal usage, so you’d hope the accounts would get removed quickly. Given the cuts to moderation staff, this won’t work out well in practice. Users may be able to tell it’s not you by the follower count – or post content – but if the impersonator has paid $8 and has a blue checkmark then it could fool enough people.
So what should you do instead? Head to your Twitter account ‘Settings and support’ and look for the ‘Settings and privacy’ option. Select the ‘Privacy and safety’ option, and then ‘Audience and tagging’. Finally, flick the protect switch, and your tweets are now protected. This means only approved followers can see them, and to follow you requires your approval.
Block all existing followers if you like, delete all your tweets and messages, or just keep it running quietly in the background in case Twitter gets beyond the Musk years and emerges the other side a usable service once more.
