Technology

Very important context! The US is rapidly turning Christo-Fascist. I hate this country.

Thank you.

Actual context paints a whole different picture compared to the clickbait post.

Disclaimer: I've never run a Mastodon or similar server, so the software may have more privacy built in, but potentially the issue would be account setup information that could be associated with public posts. Email addresses, IP address logs, etc. Those would be critical in matching public "anonymous" speech with real-world identifiable information.

Or simply running their own server.

Yes

One way to look at this is to separate the information available into what's available locally and what's available across the Lemmyverse (I am not familiar with others). The information that you mentioned probably are available on all the servers that pull the posts/comments from the community in question.

Info that is local only: IP address, email, password, usage information. Info available to the two participants' servers: DM

I think the mitigations that the EFF article mention mostly protect the locally available information.

I'm curious, how would you do this in such a way that it wouldn't come at the expense of effecting your high availability?

If the server were on-prem or in the cloud... and the system crashed/rebooted, how would you decrypt (or add the passphrase) to the encrypted drive?... cause the likehood of the kernel crashing or a reboot after and update is higher than an FBI raid... and it would get tiresome to have the site being down, while we wait for Bob to wake up, log in, and type the passphrase to mount the encrypted hdd.

You could use something like HashiCorp Vault, but it isn't perfect either. If the server were rebooted, it could talk to Vault and request the passphrase (automatically) , but this also means that the FBI could also "plug in" the server (at their leisure) and have it re-request the passphrase. ... and if Vault were restarted there's quite a process to unseal (unlock) a vault - so, it would be as cumbersome as needing to type in the passphrase on reboot.

My point / question is: yes, encryption (conceptually) is easy, but if you look at "the whole life cycle / workflow" - it's much more complicated and you (as an administrator) might ask yourself "does this complexity improve anything or actually protect my users?"

That's a great question. The EFF article gives answers that I find somewhat unsatisfactory (but may be possible solutions given what're there at the moment):

For users joining the fediverse, you should evaluate the about page for a given server, to see what precautions (if any) they outline. Once you’ve joined, you can take advantage of the smaller scale of community on the platform, and raise these issues directly with admin and other users on your instance. Insist that the obligations from Who has Your Back, including to notify you and to resist law enforcement demands where possible, be included in the instance information and terms of service. Making these commitments binding in the terms of service is not only a good idea, it can help the host fight back against overbroad law enforcement requests and can support later motions by defendants to exclude the evidence.

Another benefit of the fediverse, unlike the major lock-in platforms, is that if you don’t like their answer, you can easily find and move to a new instance. However, since most servers in this new decentralized social web are hosted by enthusiasts, users should approach these networks mindful of privacy and security concerns. This means not using these services for sensitive communications, being aware of the risks of social network mapping, and taking some additional precautions when necessary like using a VPN or Tor, and a temporary email address.

Well, you could determine what jurisdiction the server is physically located in, to determine what law enforcement agencies will be targeting it. For example, a community focused on abortion rights is going to attract users who have had abortions. It would be a tremendously bad idea for such a community to be hosted in Texas, where law enforcement agencies would be directed to target it for harassment. California would be a better option, but that still leaves the server under the jurisdiction of US courts, who may direct the server owner to provide user data to Texas.

Pirates would want to avoid a physical presence in copyright-unfriendly jurisdictions. Potheads would want to avoid weed-hating jurisdictions.

Most "servers" now are virtual machines. Police don't seize VMs. Police seize the physical hardware running the VM. When they target a torrent seedbox VM running on the same physical server as a Lemmy VM instance, they have access to everything on the Lemmy site as well. It would be useful, from a risk assessment profile, to know what else is attracting attention.

The reason we don't see seizure of those servers is that those services have established working relationships with law enforcement, so there's no need to physically seize the servers.

It's worth noting that while various CEOs claim not to cooperate with law enforcement, the Patriot Act created provisions for establishing that cooperation without CEO permission or awareness.

In the case of Meta and the Muskverse, it's because they regard themselves as a third party and cooperate with law enforcement in disclosing everything about you on request. As per MEGAupload and Backpage (and presently TikTok) this tactic doesn't always work.

Google used to claim that they would demand warrants, and then run them past their blue-haired lawyers to make sure all the jots and tittles were in place before releasing data, but that was back in the aughts and early 2010s. I don't know what Google's relationships is to law enforcement today.

Amazon will also totally snitch on you, as will all the telecommunications services (Verizon, AT&T, Comcast, T-Mobile, Astound, etc.) It's one of the reasons you want to get a VPN service that actively deletes its records, and law enforcement doesn't like very much.

Once US law enforcement wants to get you, do not expect your civil rights to protect you. And don't talk to law enforcement. Wait for council and get a lawyer, because they will try to nail you for CFAA violations which can land you 25 years (which is more than some murder).

OpenPGP still exists. I've been saying this forever

Law enforcement in the US, including the FBI has long since abandoned the doctrine of staying within the threshold of legality, and the court system, right up to SCOTUS has defended them. Since the 9/11 attacks, the PATRIOT act and the creation of Homeland Security, the US Supreme Court has been chipping away at the protections established in the Fourth and Fifth amendments to the Constitution of the United States.

So, the question is not whether a given action (illegal seizure of property and the illegal search thereof) is legal rather if it'll be upheld.

SCOTUS has already established if a crime is severe enough, that the evidence from an illegal search can be admitted anyway. And they're talking about drug possession, not finding the leg of a child in the back of a van.

When police seize your computer arbitrarily, there is a risk that a judge will not accept it as a legal search, such as if a warrant wasn't sufficiently specific, or if probable cause wasn't sufficiently established. But in the majority of cases, judges side with law enforcement regardless in the US. (YMMV depending on what county you're in. Portland, OR is better about constitutional rights than Oakland, CA).

That said, the FBI is no longer law enforcement but its mission was changed to National Security by James Comey when he was director (it improved his budget to do so, and gave the FBI more latitude regarding operations). I'm tempted to say the FBI acts less as law enforcement and more like the secret police of the US (that is, hunts and investigates enemies of the current administration and those who might bring embarrassment to officials or the US state). So it'll seize what it wants, and aim to extract intel from what it gets while you fight in the courts to get your stuff back.

That said, if you're doing anything of interest to the FBI it's best to encrypt the snot out of it, including having alternate accounts filled with images of furry porn and victims of police violence. And yes, if you're plotting or signalling on the fediverse, do so in code.

Take this with a grain of salt but what if the unrelated server raid was an excuse

There's plenty of right wing bigots in the US government that would take the chance to take down anything they don't agree with

I mean, given there are companies that scrape user data and sell them to interested parties including governments, it's seems highly likely that there will be entities that create instances just to collect people's data in the fediverse.

If you posted them on the Internet, the NSA already had them.

You bring up valid points, but you are being very antagonistic towards server admins in the process. I get that you're frustrated by being dismissed all the time

Yea, you could have served your points in a less agressiv mana

Enterprise starts at 20k a year before traffic

My Mastodon server has just under 1.5k MAUs and has raised $4k so far this year. We've only been open for six months. This is not hard money to raise.

Lemmy DMs are not private and the software even tells you to use matrix.