Admin of an anarchist Mastodon server raided by FBI, insecure user data gets seized

bnew

Veteran
Joined
Nov 1, 2015
Messages
55,107
Reputation
8,185
Daps
155,726

Paul Hill · Jul 1, 2023 16:18 EDT







The Kolektiva social banner
Kolektiva Social

When Elon Musk took over Twitter and started getting on people’s nerves, some users left to join Mastodon. Unlike Twitter, Mastodon is a federated network where individual servers run by different people interact using the Mastodon software. Now, one server admin has been raided and plenty of unencrypted user data is now in the hands of the FBI.

Unlike Twitter and Facebook which have their own legal teams, follow laws such as GDPR, and can overall be considered professional, just about anyone with technical know-how can set up a Mastodon instance.

This is exactly what the admins over at Kolektiva.social have done and now one of them has been raided and charged by the FBI for activities unrelated to Mastodon. To top things off, the admin in question just happened to be troubleshooting an issue and working with a backup copy of the server’s database which was in an unencrypted state when the raid took place and it was seized.

According to the admin who reported the incident, the raid took place in mid-May and the backup was dated from the first week of May. User data that the FBI will now have access to includes:
  • User account information like the e-mail address associated with your account, your followers and follows, etc.
  • All your posts: public, unlisted, followers-only, *and direct ("DMs")*.
  • Possibly IP addresses associated with your account - IP addresses on Kolektiva.social are logged for 3 days and then deleted, so IP addresses from any logins in the 3 days prior to the database backup date would be included.
  • A hashed ("encrypted") version of your password.

The admin that announced the capture of his comrade (Kolektiva is an anti-colonial anarchist collective) said that as a precaution users should change their password to something “new, unique, and strong” and change their two-factor authentication if they had that switched on.

The most damaging impact on users is probably the seizure of private DMs and their IP addresses. In the case of the DMs, users on other Mastodon instances could be affected with regard to any messages they sent to Kolektiva users.

While federated platforms like Mastodon are nothing new, many mainstream users are only just coming into contact with them. One of the new issues people need to think about is whose server they join. Do you trust anarchists with your data and ones that have come under the suspicion of the FBI?
 

bnew

Veteran
Joined
Nov 1, 2015
Messages
55,107
Reputation
8,185
Daps
155,726
I was have some fun with Google Bard and i'm sharing the results..

tell me about this article as if you were the sysadmin (first person perspective) recounting his experience in harrowing detail.



I'm the sysadmin of Kolektiva.social, an anarchist Mastodon server. I'm writing this to recount the harrowing experience of having my server raided by the FBI and having unencrypted user data seized.

was a Friday afternoon in mid-May, and I was working on troubleshooting an issue with the server. I had a backup copy of the database open on my computer, and I was working on restoring it.

Suddenly, there was a knock at the door. I opened it to find two FBI agents standing there. They showed me a warrant, and they told me that they were raiding my home and seizing my computer.

was stunned. I couldn't believe that this was happening. I asked the agents what they were looking for, and they said that they were investigating the admin of Kolektiva.social for activities unrelated to Mastodon.

I didn't know what to say. I just stood there in shock as the agents searched my home and seized my computer.

After the agents left, I sat down and tried to process what had just happened. I was horrified to think that the FBI had seized unencrypted user data from my server. This data included user account information, posts, IP addresses, and even hashed passwords.

I immediately sent out an announcement to all of the users of Kolektiva.social, warning them that their data had been compromised. I also advised them to change their passwords and enable two-factor authentication.

I'm still reeling from the events of that day. I'm angry that the FBI raided my home and seized my computer. I'm also scared that the user data from my server has been compromised.

I'm not sure what the future holds for Kolektiva.social. But I'm determined to keep the server running, and I'm committed to protecting the privacy of our users.

I urge all users of Mastodon to be aware of the risks of using a federated platform. If you're concerned about your privacy, I recommend that you only use servers that are run by reputable organizations.

I'm also calling on the FBI to release the user data that they seized from my server. This data is private, and it should not be used for any other purpose than the investigation of the admin of Kolektiva.social.

I'm grateful for the support of the Mastodon community during this difficult time. I know that we will get through this together.
 

bnew

Veteran
Joined
Nov 1, 2015
Messages
55,107
Reputation
8,185
Daps
155,726

FBI Seizure of Mastodon Server is a Wakeup Call to Fediverse Users and Hosts to Protect their Users​

BY CINDY COHN AND RORY MIR
JULY 25, 2023

Surveillance cameras peering around, each with a social media company icon.




We’re in an exciting time for users who want to take back control from major platforms like Twitter and Facebook. However, this new environment comes with challenges and risks for user privacy, so we need to get it right and make sure networks like the Fediverse and Bluesky are mindful of past lessons.

Last May, Mastodon server Kolektiva.social was compromised when one of the server’s admins had their home raided by the FBI for unrelated charges. All of their electronics, including a backup of the instance database, were seized.

It’s a chillingly familiar story which should serve as a reminder for the hosts, users, and developers of decentralized platforms: if you care about privacy, you have to do the work to protect it. We have a chance to do better from the start in the fediverse, so let’s take it.

A Fediverse Wake-up Call

A story where “all their electronics were seized” echoes many digital rights stories. EFF’s founding case over 30 years ago, Steve Jackson Games v. Secret Service, was in part a story about the overbroad seizures of equipment in the offices of Steve Jackson Games in Texas, based upon unfounded claims about illegal behavior in a 1990s version of a chat room. That seizure nearly drove the small games company out of business. It also spurred the newly-formed EFF into action. We won the case, but law enforcement's blunderbuss approach continues through today.

This overbroad police “seize it all” approach from the cops must change. EFF has long argued that seizing equipment like servers should only be done when it is relevant to an investigation. Any seized digital items that are not directly related to the search should be quickly returned, and copies of information should be deleted as soon as police know that it is unrelated—as they also should for nondigital items that they seize. EFF will continue to advocate for this in the courts and in Congress, and all of us should continue to demand it.

Law enforcement must do better, even when they have a warrant (as they did here). But we can’t reasonably expect law enforcement to do the right thing every time, and we still have work to do to shift the law more firmly in the right direction. So this story should also be a wake-up call for the thousands of hosts in the growing decentralized web: you have to have your users’ backs too.

Why Protecting the Fediverse Matters

Protecting user privacy is a vital priority for the Fediverse. Many fediverse instances, such as Kolektiva, are focused on serving marginalized communities who are disproportionately targeted by law enforcement. Many were built to serve as a safe haven for those who too often find themselves tracked and watched by the police. Yet this raid put the thousands of users this instance served into a terrible situation. According to Kolektiva, the seized database, now in the FBI’s possession, includes personal information such as email addresses, hashed passwords, and IP addresses from three days prior to the date the backup was made. It also includes posts, direct messages, and interactions involving a user on the server. Because of the nature of the fediverse, this also implicates user messages and posts from other instances.

To make matters worse, it appears that the admin targeted in the raid was in the middle of maintenance work which left would-be-encrypted material on the server available in unencrypted form at the time of seizure.

Most users are unaware that, in general, once the government lawfully collects information, under various legal doctrines they can and do use it for investigating and prosecuting crimes that have nothing to do with the original purpose of the seizure. The truth is, once the government has the information, they often use it and the law supports this all too often. Defendants in those prosecutions could challenge the use of this data outside the scope of the original warrant, but that’s often cold comfort.

What is a decentralized server host to do?

EFF’s “Who Has Your Back” recommendations for protecting your users when the government comes knocking aren’t just for large centralized platforms. Hosts of decentralized networks must include possibilities like government seizure in their threat model and be ready to respond in ways that stand with their users.

First of all, basic security practices that apply to any server exposed to the internet also apply to Mastodon. Use firewalls and limit user access to the server as well as the database. If you must keep access logs, keep them only for a reasonable amount of time and review them periodically to make sure you’re only collecting what you need. This is true more broadly: to the extent possible, limit the data your server collects and stores, and only store data for as long as it is necessary. Also stay informed about possible security threats in the Mastodon code, and update your server when new versions are released.

Second, make sure that you’ve adopted policies and practices to protect your users, including clear and regular transparency reports about law enforcement attempts to access user information and policies about what you will do if the cops show up – things like requiring a warrant for content, and fighting gag orders. Critically, that should include a promise to notify your users as soon as possible about any law enforcement action where law enforcement gained access to their information and communications. EFF’s Who Has Your Back pages go into detail about these and other key protections. EFF also prepared a legal primer for fediverse hosts to consider.

In Kolektiva’s case, hosts were fairly slow in giving notice. The raid occurred in mid-May and the notice didn’t come until June 30, about six weeks later. That’s quite a long delay, even if it took Kolektiva a while to realize the full impact of the raid. As a host of other people’s communications, it is vital to give notice as soon as you are able, as you generally have no way of knowing how much risk this information poses to your users and must assume the worst. The extra notice to users is vital for them to take any necessary steps to protect themselves.

What can users do?

For users joining the fediverse, you should evaluate the about page for a given server, to see what precautions (if any) they outline. Once you’ve joined, you can take advantage of the smaller scale of community on the platform, and raise these issues directly with admin and other users on your instance. Insist that the obligations from Who has Your Back, including to notify you and to resist law enforcement demands where possible, be included in the instance information and terms of service. Making these commitments binding in the terms of service is not only a good idea, it can help the host fight back against overbroad law enforcement requests and can support later motions by defendants to exclude the evidence.

Another benefit of the fediverse, unlike the major lock-in platforms, is that if you don’t like their answer, you can easily find and move to a new instance. However, since most servers in this new decentralized social web are hosted by enthusiasts, users should approach these networks mindful of privacy and security concerns. This means not using these services for sensitive communications, being aware of the risks of social network mapping, and taking some additional precautions when necessary like using a VPN or Tor, and a temporary email address.

What can developers do?

While it would not have protected all of the data seized by the FBI in this case, end-to-end encryption of direct messages is something that has been regrettably absent from Mastodon for years, and would at least have protected the most private content likely to have been on the Kolektiva server. There have been some proposals to enable this functionality, and developers should prioritize finding a solution.

The Kolektiva raid should be an important alarm bell for everyone hosting decentralized content. Police raids and seizures can be difficult to predict, even when you’ve taken a lot of precautions. EFF’s Who Has Your Back recommendations and, more generally, our Legal Primer for User Generated Content and the Fediverse should be required reading. And making sure you have your users’ backs should be a founding principle for every server in the fediverse.
 
Top