Mastodon: Option to decide for each toot which servers it may be sent to

Created on 5 Apr 2017 · 10 comments · Source: tootsuite/mastodon

There are a multitude of situations in which you might want certain toots to only be sent to certain other servers. For instance, users might want to exchange sensitive photos (e.g. nudes) via private messages, but this should fail if the other user is on an untrusted instance on which the admin might be malicious and fish out that photo.

It is important that this setting can be different for different toots, because I might want to post publicly to the whole fediverse usually, and still have control over my more sensitive data.

In issue #423 there is already the proposal for allowing each user to control which posts they see in their timeline by whitelisting/blacklisting server instances globally for an account; but the proposal does not actually deactivate federation of your own toots towards these instances, as far as I can see.


  • [x] I searched or browsed the repo’s other issues to ensure this is not a duplicate.
suggestion

All 10 comments

I don't understand the issue, if you send a private message to a user, it's sent to the user's instance. Unless you use third-party clients that encrypt your sensitive content locally, you can't prevent instance owners from reading their database's content (or from providing a false way to encrypt messages server-side).

Do not post nudes on Mastodon they are not encrypted and absolutely cannot be guaranteed not to be leaked.

Seriously. The OStatus protocol as a base really cannot be made to protect your nudes.

The reason they are called "Direct Posts" and not "Private Messages" is because they are by no means private. Just because they don't show up does not mean they are private. Please please please don't use Mastodon DMs for things you wouldn't want a stranger potentially seeing. Use XMPP or Discord or something

Discord isn't a good example, it's proprietary software.

Note above that I said "private", not "direct" messages. Private means all my followers can see my toot. But I might have 100 followers and not know exactly on which servers they are. I might want to still only show my sensitive content to those from my own - or a list of trusted - servers. This is e.g. an incredibly important feature for antifascists or other underground groups who want an easy way to communicate, but cannot let their info get into the wrong hands.

Also, I can assure you that "don't use Mastodon for xy" is never going to work. Users share nudes in particular over any kind of communication channel, so you cannot handwave your way out of this, people ARE going to use it for that.

With Twitter or Google, I can trust a huge company to keep my data safe because I know it would be a fucking shitstorm costing them lots of money if any of that data leaked out. With Mastodon, there is nothing comparable. Of course an admin can always recover the data from the database, that is what this is about: trusting specific server admins is the only thing we got.

Since servers encrypt their OStatus communication towards each other via SSL, I don't see why Mastodon cannot protect sensitive data? That is, if users can choose which servers may see my information. Which is what this issue is about.

I'd wager Mastodon should never even offer the possibility for private or direct messages if it isn't going to give users a way to actually keep this information safe, by trusting at least their own server admin.

I think this may be something @Gargron should explain. We had a controversy a while back about people posting nudes and sensitive information in private posts and this being a big deal that we wanted to discourage it. The way that Gargron put it: "OStatus as a protocol is built for publishing information out into the world, not concealing it."

The data is SSL but it's not End-To-End PGP etc.

If you have activist friends who need to avoid government interception please have them use something like Signal and encrypted XMPP. Not Mastodon. For now, regular private posts always stay local and, unless you tag a user on a remote instance, will not be delivered off of your server. If you have an instance being used for stuff like this that needs to not widely federate, for now you can use a whitelist system to only federate to servers you trust.

In what way is OStatus different from e-mail, regarding the privacy considerations? The way I see it, both are transport encrypted but not end-to-end, and in both cases you need to trust the server admin of your own and of the remote server to not look at your data even though they could. Is this any worse on OStatus? If it isn't, well, then we only need to fix what I propose in this issue here: giving you control over which other servers your info can be sent to.

The info that private posts are local is interesting, is the description wrong then? Because it says "Post to followers only" but that kind of implies that all followers are gonna see it, not just local ones.

The downside of Signal is phone numbers, which reveals people's identities easily. The problem of encrypted XMPP is that it's either a mess and not MUC-compatible (OTR), a mess and unusably complicated to maintain (PGP), or not really widely available (OMEMO). And all of those are ways to interact with people you already know, not like Twitter where you slowly grow into a community of like-minded people. Therefore, Mastodon will definitely be used (just like Twitter) for these purposes, so I'd say there should be effort put in to at least make that as safe as possible (and warn users about what Mastodon cannot give them in security).

On all that I do agree with you. With private posts we never specified in the UX that they stay local because it's something I guess back then everyone knew and there was only like four instances anyway ^^;; definitely a mistake. In general private posts do need to be reworked to play nicer with federation. I agree that with specifically private posts having a trusted domain list for that instance would be a good system. I also think making privacy limitations clear is really important and I'm still uncomfortable with people using Mastodon to disseminate stuff they don't want the government intercepting.
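The two mechanisms discussed in this thread, the per-toot server allowlist the issue asks for and the instance-wide trusted domain list for private posts suggested in the comment above, combine naturally into one delivery filter. The Ruby below is an added example written for this page, not Mastodon's own code; the `Post` struct, the `plan_delivery` helper, and the `*.example` domains and inbox URLs are all constructed assumptions. The filter fails closed: an inbox it cannot classify (unparseable URL, non-HTTPS transport, unknown visibility) is withheld rather than delivered, and the per-post list can only narrow what the instance-wide list already permits.

```ruby
require 'uri'

# Assumed deployment values for this example (not real instances).
LOCAL_DOMAIN = 'home.example'.freeze
# Instance-wide list of remote domains trusted to receive private/direct posts.
INSTANCE_TRUSTED = %w[trusted.example].freeze

# A minimal stand-in for a toot: its visibility plus an optional per-post
# allowlist of remote domains chosen by the author (nil = no per-post limit).
Post = Struct.new(:visibility, :allowed_domains, keyword_init: true)

# Extract the lowercase host of an inbox URL. Returns nil for anything that
# must not be delivered to: an unparseable URL or a non-HTTPS transport.
def remote_domain(inbox_url)
  uri = URI.parse(inbox_url)
  return nil unless uri.is_a?(URI::HTTPS) && uri.host
  uri.host.downcase
rescue URI::InvalidURIError
  nil
end

# Decide, for each follower inbox, whether this post may be delivered there.
# Local inboxes are always served (that is not federation). Remote inboxes
# must pass the visibility rule, then the per-post allowlist, which can only
# narrow the set, never widen it. Unclassifiable inboxes are withheld.
def plan_delivery(post, inboxes, local_domain: LOCAL_DOMAIN, instance_trusted: INSTANCE_TRUSTED)
  plan = { deliver: [], withheld: [] }
  inboxes.each do |inbox|
    domain = remote_domain(inbox)
    ok =
      if domain.nil?
        false
      elsif domain == local_domain
        true
      else
        visibility_ok =
          case post.visibility
          when :public, :unlisted then true
          when :private, :direct then instance_trusted.include?(domain)
          else false
          end
        visibility_ok &&
          (post.allowed_domains.nil? || post.allowed_domains.include?(domain))
      end
    plan[ok ? :deliver : :withheld] << inbox
  end
  plan
end

# Constructed sample follower inboxes: one local, one trusted remote,
# one unknown remote, and one reachable only over plain HTTP.
FOLLOWER_INBOXES = [
  'https://home.example/users/alice/inbox',
  'https://trusted.example/users/bob/inbox',
  'https://unknown.example/users/mallory/inbox',
  'http://plain.example/users/carol/inbox'
].freeze

if $PROGRAM_NAME == __FILE__
  sensitive = Post.new(visibility: :private, allowed_domains: nil)
  plan = plan_delivery(sensitive, FOLLOWER_INBOXES)
  puts "deliver:  #{plan[:deliver].join(', ')}"
  puts "withheld: #{plan[:withheld].join(', ')}"
end
```

Returning the withheld inboxes alongside the delivered ones is deliberate: it lets the server tell the author how many followers did not receive the post, which addresses the "Post to followers only" wording problem raised later in this thread.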

This sounds like a great deal of implementation complexity for very little gain. People may abuse a platform for use cases for which it is ill-suited. In that situation, it's not the platform that's the problem.

Related to custom federation levels (at the very least, for private posts) #712.
