Mastodon: Add a "Local timeline" privacy option

It's possible but undesirable as it would promote users siloing and piling onto the same instance. This centralizes what should be a de-centralized distributed system. Users should not be afraid of migrating accounts due to missing out on particular content, this defeats a major point of federation.

Well, I would like to have this to toot when I'm doing an update without "spamming" federated timelines, as this only concerns my instance and not other ones.

As a user (not admin) I would very much like the ability to occasionally post content only to users of my instance. This feels like an obvious missing feature to me.

I see your criticism, yiskah. Two thoughts:

1) I don't think the existence of such a feature would lead to a sudden huge movement toward local-only posting. People, myself included, love Mastodon's federation; it's one of its key strengths and differentiators.

2) Allowing that some instances did choose to turn insular... why not? A few instances of many. The software can be used different ways by different people with different needs/wants/desires.

My own use case: marginalized identity, and fear external (originating outside Mastodon) harassment. I want to participate more openly (posting selfies I wouldn't want widely disseminated, for example) but hesitate to do so on an essentially worldwide basis.

But my instance? It's small, well run, and I feel enough trust there. Local posting reduces tens of thousands of randos to tens of hundreds of self-selected people who tend to be more like me, sympathetic to me, supportive of me.

Is my local-only content totally safe from bad actors? Of course not. But there would still be an overall increase of safety and trust (less randos) and I'd be able to feel pretty OK about the risk profile of sharing sensitive content when the occasion arises.

I think this is a critical feature of federation: choosing how far to broadcast certain stuff. Otherwise certain sensitive or insular groups (think: an instance for a church, or for an addiction support group) will be forced to completely de-federate and/or block all other instances, which is an overreaction.

Essentially, Facebook is currently great at creating hidden/secret/private groups and networks like Google+ have recognized this need (with Circles) -- without this ability, privacy controls will not be fine-grained enough and sensitive users/use-cases will not find Mastodon useful.

Unsuscribe

Le 11 avr. 2017 à 23:17, zyphlar notifications@github.com a écrit :

I think this is a critical feature of federation: choosing how far to broadcast certain stuff. Otherwise certain sensitive or insular groups (think: an instance for a church, or for an addiction support group) will be forced to completely de-federate and/or block all other instances, which is an overreaction.

Essentially, Facebook is currently great at creating hidden/secret/private groups and networks like Google+ have recognized this need (with Circles) -- without this ability, privacy controls will not be fine-grained enough and sensitive users/use-cases will not find Mastodon useful.

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or mute the thread.

More use cases in support of this:

1. A family instance: parents want to tell the family something.
2. A school instance: a notice for all students and faculty in a school.
3. Any instance: administrative messages affecting people on that instance (“server will be down for maintenance between the hours of X and Y today’’).

Federation happens user-to-followers, not server-to-server, so stuff like this is hard. Like, you want to post something to your followers, but only followers from your own instance?

No, the idea is it's a public but unfederated post. In the same way that posts from people you don't follow appear on the PTL of your instance, but limited to the instance itself.

@Gargron The idea is that it would be useful for admin announcements and similar intra-community stuff. It would be a public toot, just prevented from federating to any other instance.

As far as implementation, my thoughts are that with this setting:

• the toot would appear in the local timeline on the instance (possibly also in the federated timeline on local instance only)
• when the toot is sent to another instance via federation, it would be marked in the same way as a "private" toot - i.e. followers would see it, but it wouldn't be put into the federated timeline on that instance.

@kepstin, regarding your second bullet, I'm not sure why a hypothetical local-instance-only toot would be federated at all? The point would be that it's only local, and not sent out everywhere.

I don't think the local-only toot can/should really be "private" to the instance completely (after all, you could still browse the user's profile or use e.g. mastoview to see it), so the main purpose of this would be to make it not go into the federated timeline on other instances.

If someone's explicitly following another person, they might be interested in seeing even their "listed locally only" toots.

This also fits in with the position of the option in the list in the mockup in the first post. Preventing followers on other instances from seeing the toot is simultaneously more private that private and less private than unlisted.

I don't think the local-only toot can/should really be "private" to the instance completely (after all, you could still browse the user's profile or use e.g. mastoview to see it), so the main purpose of this would be to make it not go into the federated timeline on other instances.

Yes, some randos could still stumble upon it via mastoview or a potential instance public timeline feature. So be it. Seems hard to avoid.

If someone's explicitly following another person, they might be interested in seeing even their "listed locally only" toots.

But I might be interested (ok, I am) in that outside follower not seeing (easily, by default) my instance-only toots. I made them local (home instance only) for a reason. My intent would be "only people on my instance can (easily, by default) see this."

Maybe I question the point of adding local posting if it only partially works as the average user would expect. To me it's pretty clear that "local" does not mean "also on all federated servers." Local means local. Local, in the way I am describing, gives the user another tool to control a toot's audience.

(In a related case I was very surprised that "private" toots do not go out to federated followers, only local ones. I think a lot of users expect otherwise. But that's a different issue and I am not privy to the history that lead to that situation. Just seems similar.)

Yeah I know it can be hard to reconcile a wishlist item like this with the
actual technical way the software works, but Facebook or Google+ or even
Twitter style privacy settings are what we're looking for I think (i.e. no
web browsing allowed, no federation if desired, etc.) Mastodon is going to
need ways to prevent dogpiling and it's going to need ways for individuals
(not just admins) to wall themselves off from harassers or stalkers both
inside and between instances. So the time to figure out how to achieve
better privacy controls than the other guys is now, not later.

On Mon, Apr 17, 2017, 3:20 PM A.Jane notifications@github.com wrote:

I don't think the local-only toot can/should really be "private" to the
instance completely (after all, you could still browse the user's profile
or use e.g. mastoview to see it), so the main purpose of this would be to
make it not go into the federated timeline on other instances.

Yes, some randos could still stumble upon it via mastoview or a potential
instance public timeline feature. So be it. Seems hard to avoid.

If someone's explicitly following another person, they might be interested
in seeing even their "listed locally only" toots.

But I might be interested (ok, I am) in that outside follower not seeing
(easily, by default) my instance-only toots. I made them local (home
instance only) for a reason. My intent would be "only people on my instance
can (easily, by default) see this."

Maybe I question the point of adding local posting if it only partially
works as the average user would expect. To me it's pretty clear that
"local" does not meant "also on all federated servers." Local means local.
Local, in the way I am describing, gives the user another tool to control a
toot's audience.

(In a related case I was very surprised that "private" toots do not go out
to federated followers, only local ones. I think a lot of users expect
otherwise. But that's a different issue and I am not privy to the history
that lead to that situation. Just seems similar.)

—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
https://github.com/tootsuite/mastodon/issues/861#issuecomment-294611614,
or mute the thread
https://github.com/notifications/unsubscribe-auth/AAC9MkCw_KDMZDB7oFjKTEy_5OUai-Baks5rw-WdgaJpZM4MzHEo
.

Hi, I registered mostly to say I would love that possibility to become a reality. Fediverse is nice, little community are nice too. That I love in mastodon is the possibility to interact with a "little" group of person, and thoses only. Sometimes I wish to speak to peoples of my instance only too.

I'd like this feature a lot. The toot would appear only in the local timeline and not to remote federated ones. This can be useful for users of a thematic instance, and It would still allow to choose to send toots worldwide, or to followers on any instance.

This feature is essential for local administration discussions, as right now the only way for an admin to post a message to local users is to post it globally. This results in matters of local governance turning into global discussions, which is very undesirable.

Just had some good discussion about this on the Discord. I put together a rough sketch of some UX options here, the consensus in discussion previously was that the 'tabs' option is clearer than the 'switch' option.

Mastodon Local.pdf

We also discussed a concerning edge-case regarding mentioning off-instance users in local toots. In some cases, this is at best confusing (A direct local toot to an off-instance user will never arrive) and at worst may leave users open to abuse (by allowing them to be easily talked about and linked to, before switching a conversation to federating)

As such it seems reasonable that mentioning an off-instance user in a local toot should always be treated as an error and prevent posting. This allows the behavior to remain consistent across privacy types.

i'd love to see this. i totally respect that it's a complex ask, too, but i think this would help foster safer spaces for those who need or want them, and also it would build a lot more community. building smaller communities that can also interact globally might help nurture the close-knit family feeling that's sort of faded away a bit as the userbase has grown exponentially. (the growth isn't a bad thing! i see this more as adapting to the needs of as many people as possible.)

gonna nudge this in the hopes it'll happen sometime :)

This issue thread came up in conversation on a node im on and im happy to see it being discussed.

I think the value of federation is that it is decentralized and allows for diverse, distinct groups to exist, not only that it distributes the server load onto thousands of different community run nodes. Allowing for nodes to have "private" discussions allows for the distinctness of the node to develop.

I don't believe this would discourage ultra-private communities however. If anything, a node that wants to have the option to be private _sometimes_ would be pushed towards not federating if it meant they couldn't.

I'd love to help out as I learn more about mastodon. I'll check in on this when im up to speed.

thx y'all

If anything, a node that wants to have the option to be private sometimes would be pushed towards not federating if it meant they couldn't.

Absolutely!

Since version 1.6 it's possible for new users to auto-follow e.g. an admin account. This partly solves the case in the original post. If somehow it would be possible to let pre-1.6 users auto-follow the admin, it would be a lot easier for admins to inform their users. Of course it must always be possible for users to stop following admins.

I've had few trouble lately because of messages being visible for other instances, in that case, instances that use other systems, and not Mastodon, and doesn't respect CW.

I would like to post sometimes just for my instance, otherwise, I would have to do what, block people from other instances, or even block whole instances (when/if possible) because of a couple messages?

I think that this feature is still needed, even if we can make users auto-follow admin accounts, this not apply to current users and so we still need to federate posts, and it's only for the specific case of a local instance status report sent by an admin.

An other case where this is useful, and it have been already said, is when you want to send a specific post, related to your instance-subject, and we want to everyone in the instance (and maybe remote followers, as others instances that aren't running Mastodon would federate it) to see it.

Maybe we can work on something, we may just need a bit more talk on what would be needed to be done for that.
From my perspective, this feature shouldn't be so hard to do, if it was just a bit of JS, I'd have already created a PR but unfortunately Rails is a scary stranger for me...

Thanks to everyone sharing their though on this feature!

This is still needed, be it for admins to users communications or for community-only posts.

I'd also still like to see this issue implemented too.

Right now, when there's an instance issue, my instance is setting up chats on other services for our members to discuss it. We shouldn't have to rely on other social network services to manage and moderate this social network.

And, as always, I recognize that I'm a non-tech person making a very tech-intensive request, but y'all have been great with making the impossible happen for the improvement of the fediverse. <3

If anyone is part of a Secret Group on facebook, the value of this feature becomes apparent. This is a great way to provide smaller, safer spaces to marginalized groups without requiring admins to fully disable federation. Overall, providing this feature would IMO actually improve federation and reduce "siloing".

Similar to the idea that devon suggested, a good use for instance-only posts are instances that wish to be like a private commons where the users can optionally connect to the broader fediverse (unlike the siloed forums of yesterday, where each forum was always a separate account with little to no cross-pollination). This technically could be done today with an agreement between members of an instance to lock their account, follow all the other users on the instance, and post followers-only, but this is unrealistic and unmanageable once you have a significant number of users on your instance.

I like the idea of the OP which as I understand it is an admin option to do a local broadcast about issues only relevant to the server. (e.g. maintenance downtime)

It might be more useful if this was something handled through the admin interface, though, and with a pin function (which users could unpin from their column) so that it could attach it to the top of the local timeline feed so that important announcements don't get swept away in the timeline.

Regarding some of the use cases for normal conversation/users, it seems like the assumption is the local timeline is a discussion group, and that posts should have a "group only" privacy setting. That may work ad hoc on some smaller instances, but as @PubliqPhirm pointed out, it becomes unrealistic as more users join.

I know this has been dormant for a while, but I think Switter is a good use case for why a "local timeline only" posting option is potentially useful.

The concern here is not so much privacy expectation, but giving instances the ability to be good neighbours when their content policies differ from much of the wider Fediverse.

Right now there's no visibility setting that allows Switter users to discover each other in their local timeline without also broadcasting to the wider fediverse..

Obviously "local only" wouldn't stop users on other servers who may follow a Switter user from boosting a post that violates their local content policy into the timelines of their instance, but that would be an issue for local admins to handle with those users boosting the content, not with users from another server violating it inadvertently because someone follows them.

I also suggest that admins be able to configure a global default visibility setting for posts and sensitivity setting for media posted on their instance.

Obviously "local only" wouldn't stop users on other servers who may follow a Switter user from boosting a post

Well, no, they wouldn't receive those posts even if they follow the Switter user... Which is my main issue with the desire for this feature: It violates the expectation that if you follow someone, you get their posts. This is so integral to Mastodon: "You can follow & interact with anyone regardless which server they are on!" If this is implemented, then we'll get a situation like "You have to sign up on Switter to interact with Switter users" and voilà, we have growing silos. :(

@Gargron Oh that's a good point. I hadn't thought of it being implemented like that. My expected behaviour was that "Local" would fall somewhere between "Public" and "Unlisted" and apply to the public timelines where the post appears; visibility to followers would be the same as "Public" or "Unlisted". That might not be what everyone expects though.

It would be nice if there was some way to allow Switter users to post publicly to each other without the end result being a silo, either defacto because they're widely silenced or suspended, or self-imposed, because they don't have adequate controls for their content visibility. They're trying to be super nice and respectful, which is great, but part of their purpose is to be able to advertise services, which means they need discoverability too.

Actually, I always wanted this feature to still allow remote followers to see those local posts, like an unlisted post but that still appears in the local timeline.

The end goal isn't to lock a post on an instance, as it kills the social and sharing experience.

It's been a year since this issue have been created, a lot of comments pointed the fact that it's a good feature that should be implemented, if remote followers can still see those posts. Maybe the basic idea wasn't explicit enough and leading to misunderstanding and then to a full year of discuss.

Tldr : Local post are "unlisted post" that are still listed in the local timeline (and so in remote followers timelines)

I'm hitting this issue as well, not as an admin but as a user of an instance that revolves around a local community. The problem is this: when we have matters to discuss that only concern the local community it means that we spam the timelines of all the remote followers with things they have nothing to do with. So to use Mastodon for such a community is not ideal and yet that's where I see the most of the potential. Hence I think it would be important to find some kind of solution for this use-case.

Local post are "unlisted post" that are still listed in the local timeline (and so in remote followers timelines)

Is that actually what everyone here would be okay with? I had the impression this was more about not letting a post leave your server at all, this is how the glitch-soc tried implementing it as well.

@Gargron when i say "local post," I mean it in the way you describe: instance-only posts.

However, I thought that this would include the users who are following you by default. It is my impression that many users feel this way-- followers can see everything that isn't a direct message, and every other permission change (instance-only, unlisted, public/federated) would all be in addition to that basic "followers see everything" idea.

I don't understand why "followers see everything" is a criteria. They don't see direct messages as @jmfcodes points out already. And when someone does an "instance post" he doesn't want remote people to see it for a specific reason (mostly I would say because it concerns just the local instance, for example, what do I care if admin X on instance Y is doing a server maintenance which doesn't affect me?)

it doesn't have to be so that the messages don't federate, but only that they don't appear in the timeline of remote users

My point of view was that those "local posts" would still federate but wouldn't be shown in the Federated timeline. Outside of the instance, they would only appear in followers TL.

The concern for a lot of users was that feature would lock users toots in one instance and kill the federated concept of Mastodon, and so be against the project philosophy.

I've suggested that we could add an option to choose to not federate a "local post", but as I said, a lot of people here were against this feature.

Now, I think the choice is now down to @Gargron, if a "local post" can not be federated if the user want it to. And, the "local post" still makes sense and a lot of users still want this feature, even if it's federated.

The concern for a lot of users was that feature would lock users toots in one instance and kill the federated concept of Mastodon, and so be against the project philosophy.

I see the concern, here's an idea, federate the messages unlisted and let the user on remote instances choose if he wants to see the "local" messages from other instances in his timeline.

Pleroma has a chat feature that is used for instance-specific communication, but I think it uses a different message delivery mechanism to avoid the federation issues. Maybe that's a possible solution.

Instead of instance private messages I would need private group communication (#139). Should be a solution here too with a group with all the locale User, but more flexible?

I concur with what appear to be a few similar ideas here:

Local + followers might be a better compromise to avoid siloing.

so yeah, I had this idea that one could do @instance.social which would make it possible to target specific instances, e.g.

@local.instance the server is going down for 5 min

foreign:

@mastodon.social how would you rate your server?

or multiple servers:

@local.instance @maki.taki we'd like our two communities to have a regular meeting, what do you think?

Why has is this feature so contentious? Many users of marginalized groups who participate in instances that are considered "Safe spaces" would love to post publicly within the instance, but may not necessarily want to publicly post on the entire federated timeline.

Example: An LGBT group

With current settings, you can either choose to blast the entire federated timeline with your posts, unlist your posts completely, which means people literally can't even find your content, or post only to followers, which is pretty much the same thing. I don't want random people seeing posts that are geared toward a specific audience.

This invites instances of abuse, harassment, doxing, etc from outside groups who see these posts, don't agree with them, etc. It's not so much about "Siloing" content, it's more about giving users the ability to control who can see their content.

FB allows groups to be public, private, or even secret. There are public LBGT groups, there are private LGBT groups, and there are secret LGBT groups. Users of course want to be able to control who can see their content. I don't want a group of homophobic neo-nazi's to see LGBT content and be able to share it, comment on it, etc. For marginalized groups, this control is ESSENTIAL to creating a safe space for users to comment and participate openly.

Why is it such a controversial feature to simply give people the CHOICE to do what they want?

With current settings, you can either choose to blast the entire federated timeline with your posts, unlist your posts completely, which means people literally can't even find your content, or post only to followers, which is pretty much the same thing. I don't want random people seeing posts that are geared toward a specific audience.

I'm kinda surprised this option doesn't exist. They say federation is better for privacy and safety compared to a single domain service like twitter, but still, you HAVE to share the contents on your group/server with the whole federated universe. Or have a private profile.

It just doesn't make any sense to me

As for siloing? That's a bugbear. People who want to silo don't federate. We're on Mastodon so we can engage in the world at large. And sure enough, the local toots we make are only of local interest. Rather than seeing it as a siloing feature for large instances, I just don't think it would benefit those instances much. At that scale you're already posting publicly, more or less, and such an instance is probably closer to general-interest than a close community.

LGBT or Kink Groups may want to federate to share some content with other LGBT or Kink groups, but give users the option to silo their content. This is about USERS, not about admins. Admins can choose to do whatever they want with their instance. But USERS should have an option to solo their own content if they wish. This is a privacy issue. It's a safety issue. And it should be an option. Not providing an option is silly.

You're making a set of assumptions about what the purpose of an open source platform should be. But the fact that it's an open source platform means that people can and will use it how they want to use it. In a kink group, I don't want my photos being shared to literally anyone in the world on Mastodon that's browsing the federated timeline. I want them shared to people in the instance. Is it public? No, it's not. It's private in the sense that only people in the kink instance can see the photos. Unlisting doesn't work, because you can't tag content if it's unlisted, so nobody can find it.

"Well I don't see the point, so I'm not in favor" is a silly approach to development. Tons of people want this feature, and if you don't, then you don't have to use it...

@caliboy557 please don't put words in my mouth. I don't know how you came to this conclusion, but it has nothing at all to do with what I have said.

Edit: I've removed my original comment. I no longer depend on mainline and participating in good faith discussion is an even worse experience than I feared. Good luck.

Then you're in favor of giving individual users the ability to silo their content? If so, good!

I just see so much of this "But this is how we want people to use the software" stuff, and that's not how everyone is. Facebook is a classic example of this. They're insane. They want everyone to be open and connected. So much so that they'll take a completely unconnected instagram account, with a different e-mail and phone number attached to it, and blast all your personal contacts on FB to add you. Maybe I don't want clients at work adding my personal instagram? Or maybe I don't want my personal friends adding my business instagram? Privacy is such a moving target, because companies that deal in the free exchange of information don't understand why people wouldn't want to be 100% open with random strangers about every aspect of their life. And that's just not how most people think.

Give people the tools, and let them make their own decisions about how they want to use them. That's always been my philosophy.

I'm hitting this issue as well, not as an admin but as a user of an instance that revolves around a local community. [SNIP] So to use Mastodon for such a community is not ideal and yet that's where I see the most of the potential. Hence I think it would be important to find some kind of solution for this use-case.

This is the post here that I think hits the issue, especially given the relatively recent move to refer to "communities" rather than "instances", because the thing about communities is that _typically they have ways to talk amongst themselves_ in addition to speaking with the outside world. If we want people to view instances as communities, they should be able to do the things that communities do.

ETA: Which is why I actually don't necessarily favor the idea that a user's remote followers can still see those posts. I'm open to convincing on that particular point, but I think it's more important that the Local-Timeline-Only feature exist at all.

this issue is over two years old now. @Gargron now would be an awesome time to listen to users.

I'm hitting this issue as well, not as an admin but as a user of an instance that revolves around a local community. [SNIP] So to use Mastodon for such a community is not ideal and yet that's where I see the most of the potential. Hence I think it would be important to find some kind of solution for this use-case.

This is the post here that I think hits the issue, especially given the relatively recent move to refer to "communities" rather than "instances", because the thing about communities is that _typically they have ways to talk amongst themselves_ in addition to speaking with the outside world. If we want people to view instances as communities, they should be able to do the things that communities do.

[...]

I think this is a good articulation of the difference in perspectives that's effecting a bunch of issues here :)

I don't see how increasing users' options for refining visibility of their content can hurt.

Trying to revive this issue.

Instances are a type of a comunity. It will be great to mantain conversations only in it.

I think that one of the distinctive features of mastodon is having 3 timelines, but the absence of being able to post exclusively to the local timeline is a huge gap that needs to be filled.

Think about people who use instances as safe heaven. They need to choose between have only followers in the current instance or not posting some opinions.

I kown that people tend to have more prejudices when are on restricted spaces and allowing to users in instances have closed conversations is a source of concern, but this toots will not be totally closed in the instance as:

• Anyone searching users toots would find them, if the account is not closed.
• When a user of the instance boost one of this toots it would appear for his followers, even for those are outside the instance (a warning for this must appear when boost button is clicked).

What I am asking for is one level more of privacy, not secrecy.

Even if there are "secrecy" features added to Mastodon I think that's a
good thing. Currently when I tell a marginalized friend about Mastodon, I
have to include a few paragraphs about how the magic of federation also
decreases security, and I warn them against treating DMs as actually
private, etc.

What users post belongs to them, if they make an informed choice to do
something with their data we should be respecting that as much as possible.
Keeping data out of the hands of stalkers, Nazis, or malicious indexers
seems like a pretty reasonable request.

On Mon, Mar 2, 2020, 11:50 AM arturdesouza notifications@github.com wrote:

Trying to revive this issue.

Instances are a type of a comunity. It will be great to mantain
conversations only in it.

I think that one of the distinctive features of mastodon is having 3
timelines, but the absence of being able to post exclusively to the local
timeline is a huge gap that needs to be filled.

Think about people who use instances as safe heaven. They need to choose
between have only followers in the current instance or not posting some
opinions.

I kown that people tend to have more prejudices when are on restricted
spaces and allowing to users in instances have closed conversations is a
source of concern, but this toots will not be totally closed in the
instance as:

• Anyone searching users toots would find them, if the account is not
  closed.
• When a user of the instance boost one of this toots it would appear
  for his followers, even for those are outside the instance (a warning for
  this must appear when boost button is clicked).

What I am asking for is one level more of privacy, not secrecy.

—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
https://github.com/tootsuite/mastodon/issues/861?email_source=notifications&email_token=AAAL2MWIGR64SNNMXDAW7EDRFQEYRA5CNFSM4DGMOEUKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOENQWJVI#issuecomment-593585365,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AAAL2MWQU4F2V477DOAO4FLRFQEYRANCNFSM4DGMOEUA
.

The option to post to local timeline & users would be very beneficial. I was considering Mastodon for all members of a local sports association and set up an own Mastodon server for it. While there would be definitely stuff to discuss within the association (e.g. when to meet, unimportant or internal stuff), the members certainly would like to communicate with everyone else in the world/Fediverse, too.

For me, this option is necessary to make Mastodon interesting for us. Please consider this enhancement.