Gonna block qoto.org on this instance later this morning when I’m at my desk.
Their forked version of mastodon implements a feature that allows accounts on their instance to follow locked accounts—even if you reject a follow request from a qoto user, they can see all your public-level posts on their home timeline.
This is a breach of trust to users of other instances and provides a vector for stalking and harassment, as users may not know who is following them.
Public posts may be discoverable and accessible by visiting someone’s profile, but this qoto feature (and the mastodon pull request that does the same thing) posits that users are entitled to view someone’s public posts at the moment they’re posted. That’s wrong. Denying a follow request, but not blocking someone, means you do not consent to giving them instantaneous and convenient access to reply to or engage with your posts. Just because they’re public doesn’t mean they’re for you.
The people replying to this saying “but your public posts are easy to get already, just grab the RSS feed or remember to visit the profile!” underestimate the value of slightly inconveniencing users whose follow request you denied. Nothing is easier than something being in your home timeline, across all masto clients, to reply to or boost or like or bookmark.
@alex It is still public right? No one is "entitled" to see your posts, but if you are posting them publicly, there is little you can do to stop certain people from reading it. That is the nature of a free network (versus one where someone is in control of everything). There is also an RSS feed attached to each account by default which is trivial to follow in many different ways.
Also, in a free network, I acknowledge your freedom to block qoto.org to show your disagreement with their feature.
@masterofthetiger it is not about stopping them, it is about inconveniencing them. Introducing a tiny bit of friction to discourage it.
@alex But is it wrong for them to break that friction themselves?
I agree that it was probably a bad idea for QOTO to do that (while understanding that there were likely legitimate reasons for it), but is it really worth blocking the whole instance over it?
@masterofthetiger they specifically advertise the ability to follow locked accounts as a benefit of their platform.
@alex Hmm... I looked more into it and read a couple different conversations some people have had. It is a complicated issue. As it stands, I believe it can too easily be used for the wrong reasons.
I think that there are legitimate reasons for such a feature, but it seems to be bad the way qoto has implemented it. It needs a lot more consideration.
"...but this qoto feature (and the mastodon pull request that does the same thing) posits that users are entitled to view someone’s public posts at the moment they’re posted."
I'm confused. Aren't there already RSS feeds for every Mastodon user on every instance? For example, yours is https://email@example.com and mine is https://firstname.lastname@example.org. Wouldn't this enable anyone to "view someone's public posts at the moment they're published?"
Or ... is it possible to disable RSS feeds? And/Or ... is there a significant delay from when posts are published in Mastodon and then added to the RSS feed?
I'm just now seeing this issue with qoto and your comments are some of the first I've seen, so I apologize if some of the context I'm missing makes my question moot.
@coding I can’t speak to the ability to block the RSS feeds, but I do know using an RSS reader to my feeds is a level of complication and abstraction from interacting that’s good enough for me
@alex I see your point. Friction can help deter bad behavior. Yet, at the same time, it's important for people to know that their public posts are public to anyone whether one follows or not.
It's also important for users to know that their private posts are, at the least, accessible to instance maintainers.
I agree with blocking qoto. I would probably do the same if I maintained an instance. In doing so, I'd also remind my users that their RSS feeds are still public, people can still see their public stuff via a browser, etc... so they don't have a false sense of security and accidentally get into trouble posting something they think someone can't see.
@coding I think this is absolutely the right call, and the right way to view the situation. What I'm disheartened by is the people who seem to think "the best way to teach people about how they don't really have privacy is for me, personally, to violate their expectations of privacy!", which is the attitude of a few people in the replies to this thread (people who I have now blocked)
@alex those people all coincidentally hang out on perfectly silenceable instances themselves, amazing how that works.
If you don't want someone to reply to your toot, just block them. Or better yet, mute them and let them reply for the benefit of other people if you don't want to read them.
I'm getting notes of DRM from this.
@alex To say the obvious: it clearly makes a difference for the people wanting to be creepy. They always could just use RSS or public posts, but they still insist on the new "feature".
@alex What is the purpose of locked accounts with public-level posts? Anyone can see the posts with a regular web browser, there is no need to have their "forked version".
@bortzmeyer sometimes you post public, sometimes you post followers-only. If I deny your follow request, it’s because I don’t want my posts on your home timeline. This fork takes that choice away from me.
@alex I'm still puzzled. If you post public, it means you accept anyone (follower or not) to see your toots (and I think that Mastodon reminds you of that when you post).
@bortzmeyer I want to do the best I can to guarantee my users have the same experience if they deny a follow request across the fediverse. That might not be possible, but I can at least block obvious offenders.
@alex Good job putting a fork in their forked version. Can y'all do it for cooler.mom also?
@feld as I have said elsewhere in the thread, introducing just a little friction is enough of a deterrent for many, and the simple fact is that I want to be able to get as close as I can to guaranteeing to my users that if they decline a follow request from a user, that user will not get to have my user's posts in that user's home timeline
@feld not a fan of any form of education that requires a violation of trust
@feld I am giving users the expectation that follow relationships on mastodon will work the way they are described in mastodon's own documentation
@qrsbrwn @feld this is a service that regular people use and it is perfectly reasonable to make small gestures towards expectations of normal behavior, I don't need PGP keyed interactions or whatever I just want to shame known bad actors from disrupting a loose social contract of shitposters and gardening dads
@Kinetix my question is—what does it mean to decline a follower request? if the answer is "if you even occasionally post publicly, literally nothing" then, well, ok. but many people, including me, post publicly sometimes and followers-only (or on my instance, local-only) other times. I think there's a reasonable expectation among users that denying a follow request means that the person you denied will not get your posts in their home timeline, regardless of the other methods they can get to you
@Kinetix I did not ask what it means to accept a follow request, but rather what it means to /deny/ one, and it seems like your answer is "nothing"
@Kinetix okay. I do not believe your position on this is shared by the average user of mastodon dot com, the website for posting garbage
@Kinetix I will not be convinced by the argument that I should leave my users exposed to little violations because I'm leaving them exposed to bigger ones anyway. I do what I can. done with this thread, have a lovely week
dads.cool is a Mastodon instance for dads, running the Hometown fork of Mastodon.