Fleeing Twitter users face uncertain privacy, security features on alternative platforms
As Elon Musk has decimated Twitter’s workforce and welcomed back some of the platform’s most polarizing figures, many Twitter users have decided they’ve had enough of his chaos and are migrating to smaller, niche platforms.
This influx of users to platforms such as Mastodon, Hive, and Post, which have a fraction of Twitter’s resources, raises the question whether these social media upstarts can cope with the privacy and security concerns of a rapidly growing user base — ranging from how smaller platforms secure private messages to how they would respond to law enforcement requests for data.
“For any company that is suddenly having this huge blow up in size as a communications outlet, I think it’s a very reasonable question and concern,” said Jake Laperruque, deputy director of the Center for Democracy and Technology’s Security and Surveillance Project. “Odds are you’re going to start getting more if not a lot more law enforcement demands for private communications. And the question is: Do you have the resources to handle those?”
While the decentralized messaging platform Mastodon remains a fraction of Twitter’s size, its users tripled between Oct. 27 and Nov. 12, according to the platform’s statistics. Its user base now tops 5 million, and the number of servers on the platform has grown from just over 1,000 to more than 11,000. Twitter, by comparison, has active users of around 200 million per month.
As the number of Mastodon grow, so too will data requests from law enforcement. In recent years, law enforcement has increasingly leaned on tech companies for data that can be used to prosecute crimes — including criminalized abortion. In just the first six months of 2022, Twitter received nearly 50,000 legal demands, including a 103% increase in legal demands from governments targeting journalists.
Privacy and security experts are concerned that platforms such as Mastodon are poorly positioned to properly deal with data requests like these. Addressing them would likely fall on independent Mastodon server administrators or their hosting companies, not Mastodon. While Mastodon is based in Germany, its administrators and their hosting companies span the globe.
Mastodon did not respond to CyberScoop’s questions about what guidance it provides individual server operations about law enforcement requests.
CyberScoop spoke with several Mastodon instance administrators whose member numbers ranged from the dozens to the tens of thousands about how they would handle a law enforcement request. Most ran their instance as a hobby and none had a legal background.
Jerry Bell, who is based in the United States and runs “infosec.exchange,” saw the number of members of his sever grow from just 180 at the end of October to more than 31,000 a month later. Bell, who works in information security, says in his five years running the “instance,” a term Mastodon uses to describe individual servers, he hasn’t received a request from law enforcement.
Infosec.exchange has emerged as perhaps the most popular destination for security researchers and hackers leaving Twitter, and Bell suspects that if the instance draws law enforcement scrutiny, data requests would likely be made to his hosting company, which is based in Germany.
“In my estimation, law enforcement very likely would not approach the instance owner, and rather go to their hosting provider, since this is a workload like any other running on hosted servers,” Bell wrote in a message to CyberScoop. “Should I receive such a request, I would attempt to validate its legitimacy. If it’s legitimate and appears to be problematic, I would seek assistance from a lawyer and, perhaps, the assistance of an organization such as the [Electronic Frontier Foundation.]”
Nick Mark, a doctor who started up a Mastodon server for the medical community on Twitter after Elon Musk took over, also said that he hasn’t received any law enforcement requests for his instance of just under 9,000 users.
“I’m actually kind of less concerned about them saying ‘hey give us this’ and rather just reading people’s posts and using that information,” Mark. “And I don’t think there’s a great solution to that other than people being cautious about what they post.”
That caution is especially important given the sensitive nature of some of the topics users discuss, including abortion and LGBTQ healthcare. Mark says his instance does not collect names from members, some of whom choose to be pseudonymous, but does collect emails. Any request for that information would be run by a lawyer, he says.
“If we got a law enforcement request from some red state saying ‘turn over this information immediately’ we would say ‘okay we are going to have our lawyer look over this,'” Mark told CyberScoop.
In the U.S., there are certain limitations around how law enforcement can access the private data of users, but for small platforms who lack the legal resources of a publicly traded company, it is not clear that volunteer site administrators will be able to properly vet requests.
“As far as the legal limit is concerned, unless you have a warrant or unless there’s an emergency order, you cannot freely hand out people’s private communications,” said Laperruque. “So, for these new companies, there are some limits. But you need smart lawyers understanding the complexity of it.”
Both law enforcement and criminal groups have abused emergency orders to bypass the ordinary warrant process, and without a robust vetting system, platforms risk turning over user data to online criminals posing as law enforcement. “Knowing the difference when the stakes are that high takes having smart people who are experts in this,” said Laperruque.
U.S.-based administrator Patrick Morris says that law enforcement requests haven’t come up for his small instance of just 12 members, but he’s dealt with requests for data in the past through his infosec work.
“I’d likely comply with any requests from law enforcement agencies whose legitimacy and authorization to obtain the data I could verify (fake law enforcement requests being a thing that happens fairly frequently),” Morris wrote to CyberScoop in a message. “Requests from lawyers, on the other hand, would be met with a firm but diplomatic ‘fuck off.'”
Daniel Schuman, policy director for Demand Progress, agreed that resources are important for responding to law enforcement requests but that in general Mastodon doesn’t pose any greater risk than most tech platforms.
“One should worry about using any of these platforms,” said Schuman. “The weakest instances are just as dangerous in the wild wild west as any other platform.”
Experts were quick to note that users should be thinking about what data platforms collect from the onset. On Mastodon, instance administrators have access to the contents of direct messages sent by server members, but understanding that requires a careful reading of a server’s privacy policy that might not be obvious to users of traditional social media platforms.
Some Mastodon admins CyberScoop spoke with have taken proactive steps to protect user privacy, such as turning off logging, encrypting user data and purging messages and user data after a set amount of time. Such practices decrease the risk of that data falling into law enforcement’s hands.
“You are trusting the instance provider, but that’s not completely different than a centralized model,” said Rand Hammoud, surveillance campaigner at Access Now.
The challenge, she says, is that without a clear, centralized vision of how the servers are protected it’s more difficult to implement any sort of oversight. “At the end of the day, it’s a trust transaction,” Hammoud said.
Centralization also doesn’t equal security, as other emerging Twitter competitors have shown. Hive, an app-based social network that has surged to more than 1 million users since Elon Musk took over Twitter, temporarily shut down its app earlier this month after German security researchers reported significant vulnerabilities putting users’ data at risk.
According to Hive’s privacy policy, the company turns over user data “where required by law or by order or requirement of a court, administrative or law enforcement agency or governmental entity.” The policy notes that information processed by servers in jurisdictions outside of users’ home countries may be accessed by law enforcement according to local laws without notice to Hive or the users.
Hive did not respond to CyberScoop’s request for comment.