A major note in the Mastodon fediverse brought down by the fact that it's administered by one person who, despite the fact they are running a social network node, never built up the real world trust connections to find somebody they could share the toil of administration with or tap in when it was time for them to bow out because we are all mortal.

The technological problems are not the hard problems in this space. The hard problems are social problems.

> Users have put their trust in me with their data. Choosing a new admin would require a massive amount of trust, since they’d have access to over a half decade of user data. Not just data from my local users, but from users they have interacted with.

I'm not a Mastodon user, but this is haunting. Just like shady data brokers, political shadow companies and "the feds" are running VPN nodes, subreddits, etc., this architecture is practically designed for malicious actors. It wouldn't surprise me if it's already being used this way on other nodes.

To be clear, in 2005 this would have been great; tech is moving fast, so one has to remain humble when criticising architectural decisions. Nevertheless, today we can't trust private data in the hands of benevolent (and often de facto anonymous) volunteer actors if we want scale and security in the decentralized (or even federated) world.

We have had enormous progress in applied cryptography, both in social apps (Signal, Matrix) and defi (some successes, many failures to learn from). We should have the expectation for private data that the operator cannot read it. Doesn't mean that all data on a social app must be private, but DMs and invite only "groups" should be.

Currently, the typical website with per-node password auth doesn't satisfy these constraints, since credential harvesting is trivial. It's very difficult to build E2EE web apps, and even if one could, users have no habit of keeping secrets on-device. The client itself needs to be vetted and accessed securely. Perhaps Matrix is best positioned in this space.

(Please correct me if I got any details wrong)
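The property the comment above asks for (the operator stores DMs but cannot read them) is easy to state and worth seeing concretely. The following is an added example written for this page, not code from the thread or from Mastodon. It models the instance as a plain key/value store that only ever holds public keys and ciphertext, so whatever a departing admin hands to a successor contains no plaintext. It assumes X25519 plus AES-256-GCM with a simplified SHA-256 key derivation as a stand-in for a real messaging protocol (Signal, Matrix/Olm use HKDF and ratcheting); the names `Device`, `Server` and `Demo` are invented for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Device is a client whose X25519 private key never leaves it.
type Device struct {
	name string
	priv *ecdh.PrivateKey
}

func NewDevice(name string) (*Device, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{name: name, priv: priv}, nil
}

func (d *Device) PublicKey() []byte { return d.priv.PublicKey().Bytes() }

// sessionKey derives a 256-bit AES key from the X25519 shared secret and both
// public keys. This is a simplified KDF for the example only; real messengers
// use HKDF and a ratchet so that one leaked key does not expose old messages.
func (d *Device) sessionKey(peerPub []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	shared, err := d.priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	lo, hi := d.PublicKey(), peerPub
	if bytes.Compare(lo, hi) > 0 { // canonical order so both sides agree
		lo, hi = hi, lo
	}
	h := sha256.New()
	h.Write(shared)
	h.Write(lo)
	h.Write(hi)
	return h.Sum(nil), nil
}

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a DM for peerPub. Output layout: nonce || ciphertext || GCM tag.
func (d *Device) Seal(peerPub, plaintext []byte) ([]byte, error) {
	key, err := d.sessionKey(peerPub)
	if err != nil {
		return nil, err
	}
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts a DM from peerPub; GCM rejects anything modified at rest or in transit.
func (d *Device) Open(peerPub, blob []byte) ([]byte, error) {
	key, err := d.sessionKey(peerPub)
	if err != nil {
		return nil, err
	}
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// Server is the instance: everything here is what an admin, or their successor, inherits.
type Server struct {
	PublicKeys map[string][]byte
	Inbox      map[string][][]byte
}

func NewServer() *Server {
	return &Server{PublicKeys: map[string][]byte{}, Inbox: map[string][][]byte{}}
}

func (s *Server) Register(d *Device)               { s.PublicKeys[d.name] = d.PublicKey() }
func (s *Server) Deliver(to string, blob []byte)  { s.Inbox[to] = append(s.Inbox[to], blob) }

// HoldsPlaintext reports whether text appears anywhere in the server's store.
func (s *Server) HoldsPlaintext(text []byte) bool {
	for _, msgs := range s.Inbox {
		for _, m := range msgs {
			if bytes.Contains(m, text) {
				return true
			}
		}
	}
	return false
}

// Demo runs one DM exchange and reports: what Bob recovered, whether the server's
// store contains the plaintext, and whether a tampered copy still decrypts.
func Demo(message string) (recovered string, serverSees bool, tamperedAccepted bool, err error) {
	alice, err := NewDevice("alice")
	if err != nil {
		return "", false, false, err
	}
	bob, err := NewDevice("bob")
	if err != nil {
		return "", false, false, err
	}
	srv := NewServer()
	srv.Register(alice)
	srv.Register(bob)

	blob, err := alice.Seal(srv.PublicKeys["bob"], []byte(message)) // constructed sample DM
	if err != nil {
		return "", false, false, err
	}
	srv.Deliver("bob", blob)

	stored := srv.Inbox["bob"][0]
	pt, err := bob.Open(srv.PublicKeys["alice"], stored)
	if err != nil {
		return "", false, false, err
	}
	tampered := append([]byte(nil), stored...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the tag
	_, tamperErr := bob.Open(srv.PublicKeys["alice"], tampered)
	return string(pt), srv.HoldsPlaintext([]byte(message)), tamperErr == nil, nil
}

func main() {
	pt, sees, tampered, err := Demo("constructed sample: meet at nine")
	if err != nil {
		panic(err)
	}
	fmt.Printf("bob read: %q\nserver holds plaintext: %v\ntampered blob accepted: %v\n", pt, sees, tampered)
}
```

What this does not solve is exactly what the comment points at: the private key has to live on the user's device, and the web client that runs `Seal` and `Open` is served by the same operator, so a malicious admin can still ship a backdoored client. The server-side handover problem goes away; the client-trust problem does not.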

If this is a concern of yours, don't migrate your account. All instance admins play the role of Twitter CEO on Mastodon, which means (much like Amazon, Apple, Google, Facebook, Microsoft, Netflix, et al.) they can access all data you've trusted them with. The point of Mastodon is that it broke down these data silos and gives people more sane ownership models for social media. Your privacy concern is valid, but Mastodon doesn't advertise itself as a private protocol. A glorified microblogging platform doesn't really have a whole lot of data to leak besides maybe your DMs.

> We should have the expectation for private data that the operator cannot read it

That's called heterogeneous encryption, and it's the technological equivalent of Mithril. End-to-end encryption doesn't stop the operator from decrypting your data. In fact, pretty much everyone has to, since raw encrypted TLS data can't just get slotted into your OneDrive/iCloud account. These operators literally need to read your data to operate on it. I genuinely don't know how you would engineer a more secure architecture here.

If you want to talk about architectures designed for malicious actors, you probably shouldn't start with distributed systems. Monolithic, profit-driven corporations like Twitter are much easier to tempt with salacious "data brokers, political shadow companies and 'the feds'".

To build on that, a Mastodon instance's "federated" feed is the feed of stuff that everyone on the server is receiving.

Having publicly readable posts is core to the whole idea, just like Twitter.

Note: there are some interesting forks like Hometown[1] that have interesting privacy variants. The big feature I'm envious of in Hometown is the ability to send a message _just_ to people on your server that will never leave it. BUT overall Mastodon is 100% about publicly readable information (like Twitter). If someone isn't comfortable with that, they shouldn't use Mastodon.

[1]: https://github.com/hometown-fork/hometown