

Welcome! It’s been an eventful week, espec

Lemmy and CSAM attacks

Lemmy experienced a CSAM attack this week, with some significant ramifications for the entire network. It started early in the week, when new accounts created on lemmy.world posted Child Sexual Abuse Material (CSAM) in multiple communities. This prompted the lemmy.world admins on Monday to set registration to application only, with no more open signup on the server. The next day the CSAM attack continued, this time from accounts made on other servers that posted to communities on lemmy.world. In response, the lemmy.world admins closed the lemmyshitpost community, as that seemed to be the main focus of the attack.

This problem with CSAM on Lemmy differs from the problem that Mastodon has with CSAM, as reported on earlier this summer. When the Stanford Internet Observatory report found CSAM on Mastodon, it often existed below the surface, with the vast majority of users never encountering the material. The attack on Lemmy seems to have been executed with the purpose of getting people to see the material, as quite a few people reported seeing it, see here and here.

One of the major impacts of this attack relates to technical design choices that Lemmy has made. Images that are posted on server A get sent over to and stored on server B when someone on server B follows a community on server A. Images that are posted on lemmy.world, the biggest Lemmy server, exist in the databases of most other Lemmy servers as well. This means that due to the attack on lemmy.world, many Lemmy admins now have images of CSAM in their database. With it comes liability for the admins, as well as reporting requirements. IFTAS has a good overview of the resources for admins to navigate these requirements.

Other aspects of Lemmy have confounded the issue of third party servers unwittingly hosting CSAM. It is currently not possible to federate with other Lemmy servers, and receive the text of a post, without also receiving and hosting the images of a post. Mastodon for example does allow servers to reject images while not rejecting text. Selective deletion of images in the database on Lemmy is also hard to do, and as a result, servers decided to delete all federated images in their database.

One of the ways admins deal with this new threat is with a new AI scanning tool called Lemmy Safety, created by the admin of the dbzer0 Lemmy server. It scans all images in the Lemmy database for potential CSAM and automatically deletes them, and it can also be used to scan newly incoming images. While this can help in the short term with making sure there is no CSAM on a server, it might interfere with legal obligations that administrators have. In various jurisdictions, administrators are required to report to the relevant authorities when they become aware of CSAM. Again, this collection of resources by IFTAS is a good start with helpful information.

It is clear that this is a complicated problem for volunteer admins to deal with. Multiple administrators concluded that the risks and complications of continuing to host Lemmy servers are not worth it. Other servers, such as lemm.ee, have made extensive plans on how to deal with the situation, such as disabling image uploads and applying a custom patch to prevent images from other servers from being saved on their server. They also float the idea of an invite-based registration system.

On the Matrix chat channels for Lemmy admins, tension is rising, and people are frustrated with the lack of acknowledgement and communication from the developers @dessalines and @nutomic. The developers have not communicated anything about this on either their Matrix chat channels or on their Lemmy. On their GitHub, the dbzer0 admin proposed to expand his automated CSAM scanning to allow for saving and reviewing potential hits, instead of outright deletion. Developer @dessalines stated that this “is not something we have time for rn.” For servers that are operated under US law, however, administrators are mandated to save CSAM they encounter, report it to the authorities, make it not visible to users, and restrict access to the saved material as best as possible. The outright rejection by the main developer to build tools that can help admins satisfy these legal requirements does not help the confidence of admins who are worried about their responsibilities.

Meanwhile, new reports are starting to pop up of a new type of CSAM attack: posts that are titled ‘Tiktok Cringe’ first show a few seconds of a random TikTok video, and then switch to CSAM. This makes it really easy for moderators to miss the content unless they watch the entire video. At this point, it is unclear if this was an isolated incident or part of a bigger attack. How this situation will develop in the near future is an open question, but I’m sure we’ll come back to it soon.

In other news

Social network Minds has been working on implementing ActivityPub, and is now mostly connected to the fediverse. Minds, which launched in 2015, has a strong focus on free speech and cryptocurrency. As such, multiple outlets report the far-right nature of its user base. Minds reported that they joined the fediverse in a not particularly clear post. So far it seems like posts made on Minds are visible on Mastodon, but comments made by Mastodon users on a post made on Minds are not visible on the Minds platform itself. The culture and ethics of Minds seem to differ significantly from those of most fediverse servers, and if Minds becomes more prominently visible within the fediverse, this will likely lead to friction and conversations around defederation. On the other hand, it does give another indication that ActivityPub is becoming the standard protocol for other social networks to implement.

A contributor to the Tusky project (an open source Android client for Mastodon) leaves the project, and writes a blog post alleging financial mismanagement. The other contributors write an extensive explanation of the situation, denying the allegations. While the situation itself is not particularly impactful for the fediverse, it is a good illustration of how difficult the organisational aspect of collectively building software on the fediverse is.

The links

  • Misskey is raising funds for an official iOS app.
  • Technology website The Verge has moved their backend to WordPress. Editor-in-chief Nilay Patel calls this a bet for The Verge on Threads, and by extension ActivityPub.
  • Pixelfed has many features in the works. Developer @dansup has announced groups, channels, and a solo server project, and is working on other fediverse projects as well. One of these features, Stories, is finally shipping for mobile.
  • The Bundestag, Germany’s parliament, has joined the fediverse on the social.bund.de server.
  • Interoperability between software on the fediverse is often more complicated than the ideals of the fediverse might suggest. Here is an overview of the conversations around a testing suite for ActivityPub, which can help make sure that different software works properly with the rest of the fediverse.
    • If you are a developer of fediverse software, it’s recommended to check out this first version of a test suite by Steve Bate.


  • Search on Mastodon is complex, Terence Eden writes, for a variety of both social and technical reasons. The vmst.io server has made extensive documentation for Mastodon search, visible here.

Thank you for reading! If you want to receive this update right in your mailbox every Sunday, subscribe below!

#activitypub #fediverse #lemmy #mastodon

https://fediversereport.com/last-week-in-fediverse-episode-33/


Welcome back to another episode! I was still on holiday this week as well, but enough has happened that I wanted to give you a shorter overview of the most important news. It’s been interesting to experience the fediverse as a regular user that doesn’t try to keep up with all the news however. That’s why this episode is still short, focusing on a few highlights that stood out for me. Next week this update will be fully back, including some upgrades!

Mastodon and CSAM

The most important news is the release of a report by Stanford about the proliferation of CSAM (Child Sexual Abuse Material) on Mastodon. The report looked at the public timelines of the top 25 Mastodon servers and found 112 pieces of actual CSAM, as well as over 1200 text posts mainly used to coordinate offsite trading of CSAM, all of which is absolutely horrifying. The researchers also share detailed directions for future improvements that are worth reading.

The Washington Post has reported in detail on this as well. In the article it is not super clear that some servers such as Pawoo, a known bad actor, are commonly blocked. The Stanford report understandably is super limited in providing information on where exactly the material was found, but servers like Pawoo and some of the large Japanese Mastodon servers are the most common suspects. This led to people voicing their frustration that they felt like they were getting lumped in with a description of the fediverse that does not match their view of the fediverse (since they’ve blocked the server).

There are multiple frames of analysis here: the direct response by the community, the secondary response by the community of working on better safety features relating to this, and how this impacts the larger public’s understanding of Mastodon. I have not been available enough the last week to give a proper analysis of the direct response of the community, I regret to say. Responses seem to have varied wildly, from ‘the Washington Post article is a hit piece’ to large concerns about the findings. Personally I feel uncomfortable with some of the more negative responses that focus on mistakes and framing in reporting by news outlets, when in the end, there is goddamn CSAM on Mastodon and limited moderation tools to deal with it. I’ll be writing more on how different community initiatives are being worked on to improve Trust and Safety and moderation tools, as well as how this report impacts the public’s perspective on Mastodon.

What turned people off Mastodon

Erin Kissane has done excellent research by asking people on Bluesky what turned them off Mastodon. It’s an extensive look at 350 people who tell in their own words what turned them off Mastodon. Erin’s work is deliberately structured in a way that resists easy summarisation, so I’ll refrain from that and urge you to simply read it all; it’s worth it.

A few things stood out to me: Eugen Rochko responds to the line in the article ‘If I were Eugen Rochko, I would die of stress.’ with ‘Not that far off the truth!’. The Mastodon post for this article got a massive amount of attention, virtually all of it positive. Considering the amount of critique of Mastodon culture in the post, it is nice to see how open people are to the feedback. That’s not to say that everyone is open in all contexts, and the scolding behaviour that Mastodon is known for is certainly real. However, it shows there are ways to format structural feedback and criticism that are acceptable to the community.

Calckey rebrands to Firefish, with new forks

Two weeks ago, Calckey rebranded itself as Firefish. An impressive part of this rebrand is how the main server calckey.social got transferred to a new domain, firefish.social, without impact on the users. For example, my new username is now laurenshof@firefish.social, but old posts that are still tagged with laurenshof@calckey.social properly refer to my account. Firefish has put in significant effort in individual account transfers as well. WeDistribute has a writeup on how to transfer from Mastodon to Firefish, which includes a full transfer of your posts, lists, blocks and mutes.

Arguments between the main developer and other contributors of Firefish led to the creation of the hard fork Iceshrimp. Hajkey, which is run by the admins of the blahaj.zone server, was originally a soft fork of Calckey, with several safety features merged back into Calckey. Lead Hajkey developer @supakaity announced that they will not rebrand, and will go downstream from Iceshrimp instead. In the announcement post she mentioned that she recently got overruled when trying to implement a feature which was intended to improve the safety of a minority group. She therefore felt that Hajkey aligns better with Iceshrimp, and will position Hajkey as downstream from that project instead.

Other links

  • The flagship server for Misskey, misskey.io, is experiencing rapid growth, adding 90k users in the last 2 weeks. Uncertainty around GDPR compliance has led them to discourage signups from European users, @darnells writes.
  • Mastodon client Mammoth has added an algorithmic For You page. TechCrunch has a review of it.
  • Mastopoet is a tool to share Mastodon posts as images, and specifically focuses on the design and visuals.
  • A blog post by @renchap, one of the Mastodon developers, on a vision for the future of Trust & Safety for Mastodon.
  • The podcast Looks Like New talks about some of “Open Social Media’s origin stories from three speakers who have been involved in the development, culture, and communities of their platforms: Christine Lemmer-Webber (co-editor, ActivityPub), Evan Henshaw-Plath (founder, Nos), and Golda Velez (early participant, Bluesky).”
  • The Podcast Moderated Content has a new episode with an extensive discussion on “safety issues with the Fediverse, how Meta might deal with them, and some potential solutions to get ready for the challenges without Meta effectively calling the cops on a huge number of instances.”
  • PCMag has a review of Lemmy and Kbin.
  • The EFF writes about the FBI raid where the server of kolektiva.social got seized.
  • “The Fediverse has a Mental Health Problem”.
  • Lemmy has had a massive inflow of bot registrations in the last months. @kersploosh has a writeup of their work on getting admins to delete these suspicious inactive accounts, leading to a drop of 900k registered users for Lemmy.


If you want to receive this weekly update directly in your mailbox, subscribe here! Thank you for reading!

#activitypub #fediverse #lemmy #mastodon

https://fediversereport.com/last-week-in-the-fediverse-episode-28/