Mastodon: Add ability to hide source application

Created on 28 Sep 2017 · 8 Comments · Source: tootsuite/mastodon

Revealing the source application of toots could be considered (low level) unwanted information disclosure. Some users might like showing which apps they're using while others might argue that it's nobody's business which app a toot was sent from.

For Twitter, there are actual tools that gather this data and show which applications a user uses to what percentage – or even at which times of a day, which can be used to gather information about this user. There are crazy people on the internet and they use this kind of OSINT to find patterns in application usage (combined with other patterns) in order to doxx people.

Example: At which times of a day is a user probably at home (tooting from desktop) and when are they probably not (tooting only from phone for a while)? For how long are they leaving home each day and at which times? How many different devices (applications) does this user own? …

If a user decides not to reveal the application, it should be hidden from both API and the web interface.

  • [x] I searched or browsed the repo's other issues to ensure this is not a duplicate.
  • [x] This bug happens on a tagged release and not on master (If you're a user, don't worry about this).

Labels: security, suggestion

All 8 comments

For the record, this is how we could tell which of Trump's tweets were from Trump and which were from someone else: http://varianceexplained.org/r/trump-tweets/

I think RFC 6973 could be of use here. One of the main recommendations of this RFC is to reduce the data sent about users.

How about not recording it at all?
User-Agent strings will be sent to servers, but I see no point in all the "sent from web" "sent from pidgin" "sent via airplane" etc to be in the UI, all it does is to provide people potentially with the ability to gather data.

It's been a year since I filed this issue and coming to think of it again, I fully agree with @Sylvhem and @ng-0. I don't see any real benefit of this information being recorded and/or exposed.

I'd be happy to submit a PR that removes this.

@Gargron do you have any thoughts on this?

@jomo I think there's a separate request to expand the from-client abilities to include muting by app source, so that you could mute "Moa" or "Mastodon Twitter Crossposter". (#8271) The problem is that right now, iirc, client names don't federate, and this info shows up only for local users. That was perhaps the biggest historical use of the source field, for 3rd-party Twitter apps to be able to mute crossposted tweets from Facebook or YouTube or other sources.

From a technical standpoint, application is already nullable and in fact applied to all remote statuses. I think application sources should be reworked to meet the following:

1) Always federate application, so that eventually they can be used as a muting criteria in a separate issue
2) Allow users to selectively remove this information if they want to, somehow? I'm not sure which way makes the most sense

I don't see any real benefit of this information being recorded and/or exposed.

Reasons to expose application:

  • Help promote apps (third-party app ecosystem). Mastodon does not have an official app, and cannot point everyone to one app they should download. Letting people see which apps other people use, is therefore the only way in Mastodon itself that any apps can be linked (other ways are all outside Mastodon itself, e.g. documentation)
  • If an application you previously authorized suddenly begins posting spam from your account, it's easy to see which one it is

I think spam identification and application based muting are some valid points. I suggest that the account owner can decide for each application whether or not they want to display the source application publicly.

Something like this (the wording could be improved):

[screenshot]

Of course, the owner would still be able to see the source themselves.
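The per-application visibility rule discussed in the thread (owner always sees the source, other viewers only for apps the owner has not hidden, remote statuses carry no application), sketched as an added example. This is not Mastodon's code; the Struct types, the `hidden_application_ids` preference and `render_status` are hypothetical stand-ins for the real schema and serializers.

```ruby
# Added illustration, not Mastodon's code. All names below are hypothetical.
Application = Struct.new(:id, :name, :website)
Account     = Struct.new(:id, :hidden_application_ids) # per-app opt-out, hypothetical
Status      = Struct.new(:id, :account, :application, :text)

# Decide whether `status.application` may be shown to `viewer`.
# - The owner always sees it (so a spamming app stays identifiable).
# - Anyone else sees it only if the owner did not hide that app.
# - Remote statuses have a nil application, which passes through as nil.
def visible_application(status, viewer)
  app = status.application
  return nil if app.nil?
  return app if viewer && viewer.id == status.account.id
  return nil if status.account.hidden_application_ids.include?(app.id)
  app
end

# Build the public-facing hash for one status, as an API serializer would.
# A hidden application becomes null instead of being omitted, matching the
# nullable field that remote statuses already produce.
def render_status(status, viewer = nil)
  app = visible_application(status, viewer)
  {
    'id'          => status.id,
    'content'     => status.text,
    'application' => app && { 'name' => app.name, 'website' => app.website }
  }
end

# Constructed sample data.
PHONE_APP = Application.new(1, 'ExamplePhoneApp', 'https://example.invalid/phone')
WEB_APP   = Application.new(2, 'Web', nil)
ALICE     = Account.new(10, [1])   # Alice hides only her phone app
BOB       = Account.new(20, [])
S_PHONE   = Status.new(100, ALICE, PHONE_APP, 'posted from my phone')
S_WEB     = Status.new(101, ALICE, WEB_APP, 'posted from the web')
S_REMOTE  = Status.new(102, BOB, nil, 'federated status, no application')

if __FILE__ == $0
  puts render_status(S_PHONE, BOB).inspect   # application => nil for others
  puts render_status(S_PHONE, ALICE).inspect # owner still sees the source
  puts render_status(S_WEB, BOB).inspect     # web app not hidden, shown
end
```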

Fixed by #9897?
