Mastodon is not a twitter alternative

Plus a few words on Social networks and identities

Ira
Apr 17, 2017

There’s a world out there that Twitter and Facebook don’t want you to be too aware of. It’s called the Open web. In both capital and small ‘o’, actually, but I won’t go into it today (this post is already too long). For a mostly-decent look at Mastodon for beginners, check out this article.

The open web is what Tim Berners-Lee created: a protocol to retrieve pages and a protocol to render the pages graphically. When you link to a page, the page at the other end doesn’t need to know about it, or to keep being there. It’s a bunch of one-way pointing arrows; the only common thing about them is the protocol standard, which allows you to “surf” them all with the same browser, or use many browsers to get and display the same page. Those were the good old days, when nobody knew how to really “do” internet business and usability. Other than DNS, SMTP, IRC, Gopher, and FTP, many protocols were not too open nor cross-platform. Until the WWW took shape and center stage, there were attempts by AOL and MSDN to create proprietary browsers, much like Compuserve before them, that would only fit pages and information designed for them. Luckily the open standards won and HTTP+HTML+CSS became the common ground. It would have been quite horrible if different sites required different browsers and protocols to access.

As someone who started using the ‘net in that era, seeing today’s collection of walled gardens — how Twitter, Facebook, Linked-In, Instagram, Medium, Tumblr, Google+, Orkut, MySpace and whatnot do not interact (not to mention IRC vs. Slack, Gitter, Discord etc.) — I facepalm in despair. This is not the web we want. If my Email provider isn’t nice to me, I’ll go to another one, or rent my own server and install my own SMTP server. There’s no registry to apply to; anyone can buy a domain name, and I own several in fact. However, if Facebook or Twitter start censoring me or blocking me out, I’m done. No way to interact with the social graph I left behind.

On the side there were a few decent attempts at offering an open alternative: StatusNet, pump.io, GNU Social, Diaspora*, Twister, Scuttlebutt, and lately Mastodon. Some caught on, others haven’t. What none of them attempts to do is to create another cohesive behemoth like Twitter, and that’s an important thing to understand:

StatusNet and Mastodon are not a single site or entity. There’s no one official list of instances. There is no need to register a newly installed instance anywhere, and possibly no one will find out that that instance exists if nobody on it interacts with the world.

Therefore:

  • There’s no unique ID that logs you into all of them. Each instance is its own social network that just so happens to enable you to interact with others outside. In that vein, @wikileaks and @potus are already taken on mastodon.social but maybe not on other instances, and none of them may be real, most of them will be fake.
  • For the same reason, you can’t expect #hashtags to work the same as on a centrist site like Twitter. Don’t expect to see other users of the hashtag; only what’s on the local and federated feeds of THIS instance will be visible. There’s the notion of !topics you can subscribe to on GNU Social, but I don’t see support for it on Mastodon instances yet. Maybe it’s in the works.
  • No real secrecy of private messages and accounts, your local instance’s admin and possibly other admins (if a user of their instance is authorized by you) can see everything you post.
  • It is your responsibility and yours alone to manage the trust of others in your account (more on that later).
  • There’s no guarantee anyone outside your instance will be able to find you unless you tell them you exist. By “tell them” I mean interact with them on the fediverse (loosely federated instances of OStatus compatible software: Statusnet/GnuSocial/Mastodon/other installations), or inform them on other networks where you know them (Socnets or direct Email). E.g., this is me on the fediverse, AKA @I@tooot.im. Now you can follow me from GNU Social, Mastodon or whatever future network interacts with the fediverse. If tooot.im dies, I’ve created fallback accounts on other instances.
  • There’s never going to be a “verified” symbol next to a user-name that’s as trusted as that of Twitter’s, but there can be ways to improve on that. Read on.
  • Mastodon is the software, anyone can run it, it won’t mean any of the instances are obliged to keep open communication lines with any of the others, in fact some are already banned.
  • All the above “shortcomings” are not bugs or design problems, they are the perfectly natural outcomes of a federated net. Don’t expect them to “get fixed later”. Mastodon instances are not Twitter.

Identity management on a centrist, unfederated service is easy. You have to trust the owners of the site (usually a for-profit corporation), that they will kick out impostors (Facebook) or reward paying, checked customers with a hard-to-fake verification badge (Twitter). There’s a single point of authority, which is better or worse (depends on your POV) than the hundreds of trusted CAs (Certificate Authorities) that come cooked into your browser. There are smart people sitting and talking on the dev teams at Oracle (Java), Mozilla (Firefox), Apple (Safari), Microsoft (Edge/Explorer), Google (Chromium/Chrome), Opera etc. A new CA wanting to get on that list has to prove itself worthy and it’s pretty easy to get kicked out if you lose their respect (e.g. Startcom and Comodo have come close at times).

On the open web, how do we each prove our identity? You can do it once for Linked-in, once for Twitter, another time for Facebook, etc. — each time sending them a (probably unencrypted) scan of your ID or a credit card transaction. That in turn is processed by a third party that knows what the ID cards of a few dozen countries look like, and who knows what they will do with your scanned documents? (If you ever registered for AirBNB or were flagged as fake on Facebook you know what procedure I’m talking about).

But this is the Open Web, I don’t need the trust of a credit card company or a nation state, just the trust of my followers. They don’t care if I’m using my legal name or an alias, they only want to know I’m the same guy they also interact with on GitHub, Twitter, or in PGP-encrypted emails.

One such solution is the centrist one — someone out there will figure out the business model of checking your identity securely (like CAs do for higher-level trust, see how Medium.com’s certificate is “DigiCert SHA2 Extended Validation Server CA”, looking more respectable than the humble green lock of a common Let’s Encrypt free cert). Such an entrepreneur could run a Mastodon instance where you get an account only as identified people (celebrities, authority figures, journalists?) who pay some nice fee to get verified by that instance’s admin and have their name reserved. Thus when you interact with @chopra@verified.social you will know you will really get the original newage BS from Deepak and not from an impostor. On such an instance, the owner may even patch the UI to display a “verified” badge or something. But that badge won’t propagate to other instances, and if it does, it will no longer mean much, as owners of other instances will be able to give those badges to anyone they want with a similar code. They can’t be forced to honor that one instance’s use of that badge feature the same way. You will have to trust the owner of your home instance, that posts from @user@verified.social are really from that site and not maliciously injected, or go see the local feed on verified.social (over https, yes?) to make sure that person was really the one who posted it.

On the other side of the spectrum is the completely anarchist, distributed approach of adding an identity to your PGP key (you do have one and it’s guarded well, right?) and uploading it or sending it to your web of trust, or just publishing a public, signed message about your fediverse identity (or identities) that can be trusted; your followers, if they trust your public key, will be able to verify it’s you.

Somewhere between those two examples are services which are centric but independent. My favorite at the moment is keybase.io (message me if you want an invite). This is a PGP key server on steroids. You can find my key and make sure it’s really me by cryptographically certified tests against my domains, websites and SocNet identities. Moreover it lets me post public files (reminiscent of public read-only share from a Dropbox account, only all the files are signed by me, and so unforgeable by keybase). For example, here’s my publicly signed page where I claim my various fediverse identities.

Back to Mastodon: so we can now agree that you don’t have “a user on Mastodon” any more than your Email is “a user on SMTP”, because each instance IS an island in terms of the identity database and credentials. Even if you catch your favorite nickname on Gmail and yahoo.com, it won’t guarantee it’s free on tutanota.de or any other public webmail service, your ISP’s pop3 mailboxes, etc. (certainly not sync passwords either, math forbid!). The correct ‘lingo’ is “I am @ia42 on tooot.im, which is part of the fediverse”. Other users can then follow you from Quitter, GNU Social or any other compatible instance, without your local admin knowing about them, or registering to a central registry of instances, the same way that anyone (including spammers) can send email to anyone else. Like the web, links are one way: the server at the other end may block you or your admin may block replies from them. It’s not symmetrical nor fair and balanced. At best you can expect fair and biased.

Instead, you pick a community and join them. There’s tooot.im for Hebrew speakers and Israelis all over the globe, there’s toot.cat for cat lovers, there’s oulipo.social if you want to challenge your vocabulary skills and there’s room for more (sadly toki lili is not connected to the fediverse, but I bet someone will open an Esperanto-only, or limerick-only, or haiku-only community instance). I’ve seen instances dedicated to non-PC and shitposting, others may have adult-only posts, and each instance will have its own policies and standards, ideologies they will protect or ban. Some of those instances may limit toots to 1337 chars and discuss blackhat matters, others may be dedicated to newage and yoga, and one day there will be commercial ones if you want to pay a bit (money or privacy) to get a commercial brand address like @joe@armani.suite or something. Gamers and fashion brand junkies will soon follow.

As for the question of “distributed twitter alternative” — the fediverse is NOT. The Verge and others screwed up with their reports. Like I said, each instance is independent. Your nickname is not reserved and your password will not be recognized anywhere else. This is a GOOD THING. You don’t want your admin to start figuring out which other instance admins to trust and exchange password credentials with. Federated does NOT mean distributed.

This leaves some UI issues that need to be solved; mainly I’ve read complaints that the feed just shows the @nick and not the @nick@instance full address. I agree this is indeed a bit confusing, but the solution is simple and you can send feedback to Eugen Rochko on Github or on the closed community (doh!) of Discord, or on the fediverse directly, and ask him to find a way for the UI to differentiate between users of the same nick from the local or remote instances. Right now if you click on a user-name in the feed or hit reply, you will clearly see which instance the user is tooting from, but the feed shows only the shortened nick, and that’s confusing for many. It should at least be an option for each user to select if they want to see the full unique identifier, or maybe hash the instance name to an extra icon or frame to the existing avatar icon (like Gravatar’s automatic hash-generated icons). It’s a UX issue, not a bug. Mastodon is young, maybe prematurely hitting the headlines, but it will get better with time.
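The disambiguation suggested above, sketched as an added example (it is not Mastodon's code or the author's): nicks that appear from more than one instance are shown as full addresses, and each instance name is hashed to a stable hue for an avatar frame. The function names, the labelling policy and the sample handles are assumptions made for illustration.

```javascript
// Added example, not Mastodon's own UI code. Handles below are constructed.
// Split "@nick@instance" into parts; host lower-cased (DNS is case-insensitive).
function parseHandle(handle) {
  const m = /^@?([^@\s]+)@([^@\s]+)$/.exec(handle);
  if (!m) throw new Error(`not a full fediverse address: ${handle}`);
  return { nick: m[1], instance: m[2].toLowerCase() };
}

// FNV-1a (32-bit), a non-cryptographic hash: enough to pick a stable colour
// per instance, never to be used for a trust decision.
function fnv1a(text) {
  let h = 0x811c9dc5;
  for (const byte of new TextEncoder().encode(text)) {
    h ^= byte;
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

// Deterministic hue (0-359) for an avatar frame, derived from the instance name.
function instanceHue(instance) {
  return fnv1a(instance.toLowerCase()) % 360;
}

// Label each author as seen from localInstance. Assumed policy: the short
// "@nick" is kept only for a local user whose nick no other instance in the
// feed uses; everyone else gets the full address.
function labelFeed(handles, localInstance) {
  const local = localInstance.toLowerCase();
  const authors = handles.map(parseHandle);
  const instancesByNick = new Map();
  for (const { nick, instance } of authors) {
    const key = nick.toLowerCase();
    if (!instancesByNick.has(key)) instancesByNick.set(key, new Set());
    instancesByNick.get(key).add(instance);
  }
  return authors.map(({ nick, instance }) => {
    const collides = instancesByNick.get(nick.toLowerCase()).size > 1;
    const short = instance === local && !collides;
    return {
      label: short ? `@${nick}` : `@${nick}@${instance}`,
      hue: instanceHue(instance),
      collides,
    };
  });
}

const sampleFeed = ["@potus@mastodon.social", "@potus@tooot.im", "@ia42@tooot.im", "@cat@toot.cat"];
console.log(labelFeed(sampleFeed, "tooot.im"));
```

The hue only helps the eye group posts by instance; two instances can share a hue, so the full address remains the identifier to check.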

I’d like to give credit to Keith Parkins and his articles on Mastodon that gave me the push to publish this post. I’m also sorry I posted it a tad too soon; I’ve since gone over it to fix spellings, grammar, syntax, and capitalizations. Enjoy :-)

Update Apr-18: I fixed all my uses of node to instance, because — silly me — the fediverse is not a distributed network so I should use the correct terms. More in Eugen Rochko’s article here.
