Security isn’t about protecting everything from everything. It’s knowing what you’re protecting from what (and what you’re not protecting). That’s why we use threat models.
An analogy: you don’t protect food from the environment; you protect different types of food from different factors of the environment. You might design a heat lamp to protect the freshness of your dinner but a freezer for your ice cream. What you don’t do is design a heat lamp and assume it’ll protect your ice cream also.
@bhaugen On the fediverse, in its current incarnation at least (if we’re talking about ActivityPub), there is no expectation of privacy. Everything is public. I don’t know if there’s a formal threat model of ActivityPub in the spec (it’s been a while since I looked at it).
@cwebber @bhaugen When I said “everything is public”, I meant it in the same way that email is public (it’s a post card, not a letter in an envelope). I should have been more precise: it’s not end-to-end encrypted and thus does not have any privacy guarantees. I believe you’re working on that with Spritely? (Skimmed.)
It's a common meme though, and it's not just you. I agree that email is not good enough. The thing that annoys me is that there's a lot of imprecision and it sounds like AP is even *less* directed than email (one exception I will agree with is sharedInbox being a problem, but in a sense delivering to specific inbox endpoints is even more direct than email)
@aral still, both email and ap's "privacy guarantee" is the same: your messages will be private to the servers that receive them. that doesn't preclude the "rogue admin" threat model, but it doesn't make either "public" per se.
even if your measuring stick for privacy is e2ee, you're basically making the mistake of equivocating existing implementations with the spec itself. pgp exists for email, but hasn't been done yet for ap. it's like saying xmpp is public despite omemo
This is my personal Mastodon.