Closed n-bernat closed 1 year ago
No, this would be a huge privacy and security risk for the people followed. We definitely don't want to encourage anything of the sort. Followbots are distrusted for a reason.
When I post publicly I want the widest possible audience based on whatever network distribution system works. FollowBots work. When I see a FollowBot follow me, I know that's one more thing moving my public posts around the web, helping others find me and interact with me. If I want something private I send a DM.
For example: The network effect and the fact that Twitter covers such a WIDE audience is a 'feature not a bug', regardless of anything else you might think about Twitter or Centralized systems. The large audience and large network is not the problem.
There's a pretty clear divide between people who want to use ActivityPub as a social medium and people who want to use ActivityPub as a marketing/tech vector. In my opinion, when there's a divide like this, the more ethical approach is the one that doesn't decrease user privacy and increase the likelihood of corporate abuse; in this case, my belief is that that's the existing behavior.
This seems to boil down to "people think they're being followed by a sketchy bot, so I would like to remove the process informing them they're being followed by a sketchy bot". The correct answer here is to make the bot, and the service it empowers, not look sketchy.
Asking users to accept lower privacy protection and self-ownership because "it doesn't make my use case easy" doesn't sound like a fair bargain to me.
This undermines security and privacy of users on the fediverse for... a nebulous opaque reason? I think this would be a net negative.
I'm confused. You propose an addition to the spec that allows secret following so that you can perform behavior that has classically been considered sketchy or privacy invading without the target knowing about it. Then you claim alternatives do not encourage "real interaction" or "organic growth" when the thing you propose is a one-sided secret interaction to begin with.
If your goal is to promote real interactions, the way to handle this is to have people initiate (and optionally approve) follow interactions in a 1:1 manner, and build interactions around that process. Bootstrapping a new instance is only a half-solved problem right now, but part of the strength of the federated model is having networks where the links are a sum of what your community likes and not just a firehose of random stuff.
> Solution that I thought of is to define an option to silently Follow an Actor
I am not clear on what would be gained here from the proposed use-case aside from the ability to slurp data without consent for any number of nefarious purposes. This could end up being a massive net negative for privacy, safety, consent, user agency. If someone does not want to be followbotted they'll block the bot and there's no problem; you're proposing taking that agency away for a purpose that is not entirely clear except for "I don't want to be refused in that manner"
Also not least of all is the avenue this creates into far more easily building a scraper or data farm without the consent or knowledge of the people being scraped...
On a more fundamental level I suspect if such a thing were to be enshrined in the spec, you would see almost 0% compliance from the sector of AP implementations that prioritize user privacy and safety which, at present, is most of them.
NO.
Can we PLEASE stop normalising hijacking and disregarding explicit consent and user agency?
Edit: Has nobody learned anything of the last few months? Qoto.org? Abusive followers? Can we please not repeat mistakes and ignore warning signals that have been taking place LITERALLY in the past MONTH?
This is not Twitter, stop treating it like it is.
AP is not a marketing-oriented protocol, and it's not made for data-stealing or other toxic behavior.
Following (and manual approval of follow requests) exist for a reason: to allow everyone to see and manage their account and community, and to provide real accountability for users and bots. This is called informed consent.
If you want to do something you explicitly said would make people block you, there is absolutely no way to not consider this as extremely toxic, and trying to force such a horrendous idea into the spec itself to try to get implementations to comply with this is just plain bad.
What you are proposing is the most serious violation of user consent and privacy, which flies in the face of how and why literally the entire protocol exists.
> When I see a FollowBot follow me, I know that's one more thing moving my public posts around the web, helping others find me and interact with me. If I want something private I send a DM
Good for you, but if you like it when a followbot follows you, you probably don't mind getting a notification about it either, and this feature request is unnecessary for your use case.
Doesn't the spec allow followers-only posts? It seems like this would completely violate the intent of those kinds of posts.
Hi all, I think we've made our point. I don't know if this got linked somewhere or why else this issue might be getting brigaded, but I think we've resolved this conversation for now and we don't need to add additional comments.
> Hi all, I think we've made our point. I don't know if this got linked somewhere or why else this issue might be getting brigaded, but I think we've resolved this conversation for now and we don't need to add additional comments.
I think it's because this whitepaper which links back to this post has been circulating in some discussions about followbots and privacy.
> I think it's because this whitepaper which links back to this post
That white paper is from a server that has had several fediblock posts circulating around, fwiw.
> > I think it's because this whitepaper which links back to this post
> That white paper is from a server that has had several fediblock posts circulating around, fwiw.
Indeed, I came here because the bot followed me, and in discussion with my instance co-admin, she and I discovered this discussion referenced in the whitepaper and wanted to be sure our concerns were voiced. No brigading, per se.
Speaking as the operator of a Mastodon instance since 2017, I strongly object to any spec change that would reduce the privacy of users on the fediverse, which I believe this proposal would do. Ignoring the problem of scrapers, a Follower by nature would receive unlisted notes, even if a user’s profile is otherwise open. Follow-bots are annoying but at least the notification allows the end user to immediately take action to block the bot. A silent follow system of any form is unacceptably easy to abuse.
This is antithetical to what I perceive ActivityPub’s mission (granted, through the lens of a Mastodon operator) to be. At a period where ActivityPub adoption is accelerating, this feels especially ill-advised to suggest.
OK, I think it's clear enough to me what the purpose of ActivityPub is. Thanks everyone for this discussion and taking your time, I will try to look for different solutions for my project that will satisfy both me and the community.
(Also, replying to one of those comments, I wanted to clarify that the proposed instance-level follow would have access only to public posts and not those for followers.)
Context: I'm creating a new server-to-server implementation of ActivityPub and I want to fill it with Actors and Notes.
Currently, if a new instance wants to populate its "federated" or "public" feed in order to offer some more content to its users it has to either:
- Follow Actors that interacted with content already present on our instance (eg. automatically Follow a remote Actor that replied to a Note by an Actor that is on our instance),
- outboxes of various remote Actors.
First solution may result in a degraded trust to our instance since followed users will wonder why they got followed by a sketchy bot.
Second solution (while works without bothering other users) stops organic growth of our instance since it won't grow as a result of real interactions. Moreover, it's possible that we go out of sync with Actors that we are following.
Solution that I thought of is to define an option to silently Follow an Actor as an Actor of type Application which would result in subscribing to Notes targeted to https://www.w3.org/ns/activitystreams#Public without notifying followed user. Privacy won't be compromised since it's already there in Actor's outbox and user won't have to wonder why a weird bot followed them.
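The audience question raised in this thread (whether a silent follower would also receive followers-only or unlisted notes), as an added example that is not part of the issue or of any ActivityPub implementation: inbox fan-out computed from ActivityStreams addressing, with and without the public-only restriction mentioned in the clarification. The actor IRIs, the `SILENT` set and the `restrict_silent` flag are hypothetical, and the sample notes are constructed.

```python
PUBLIC = "https://www.w3.org/ns/activitystreams#Public"
ADDRESSING = ("to", "bto", "cc", "bcc", "audience")

# Constructed sample data: hypothetical author, followers and notes.
FOLLOWERS_IRI = "https://a.example/users/alice/followers"
BOB = "https://b.example/users/bob"
CRAWLER = "https://c.example/actor"   # hypothetical Application that followed silently
FOLLOWERS = {BOB, CRAWLER}
SILENT = {CRAWLER}

NOTES = {
    "public":         {"to": PUBLIC, "cc": [FOLLOWERS_IRI]},
    "unlisted":       {"to": [FOLLOWERS_IRI], "cc": [PUBLIC]},  # Mastodon's convention
    "followers_only": {"to": [FOLLOWERS_IRI]},
    "direct":         {"to": [BOB]},
}


def addressed(note):
    """Flatten every addressing property into one set of IRIs."""
    targets = set()
    for field in ADDRESSING:
        value = note.get(field, [])
        # A property may hold a single IRI or a list of IRIs.
        targets.update([value] if isinstance(value, str) else value)
    return targets


def recipients(note, restrict_silent=False):
    """Return the actors whose inbox receives the note.

    restrict_silent=False: every member of the followers collection gets
    anything addressed to that collection.
    restrict_silent=True: silent followers are dropped from the fan-out
    unless the note is also addressed to the Public collection.
    """
    targets = addressed(note)
    direct = targets - {PUBLIC, FOLLOWERS_IRI}
    fanout = set(FOLLOWERS) if FOLLOWERS_IRI in targets else set()
    if restrict_silent and PUBLIC not in targets:
        fanout -= SILENT
    return direct | fanout


if __name__ == "__main__":
    for name, note in NOTES.items():
        print(name, sorted(recipients(note)), sorted(recipients(note, True)))
```

Without the restriction the silent Application receives the followers-only note; with it, the unlisted note still reaches the Application because Public appears in `cc`.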