Mastodon Privacy Guide V.1.0
A guide on data protection obligations, challenges & pitfalls for Mastodon Users & Instance owners / Admins.
- Who Are You and Why Should I Trust You?
- Scope
- But I Thought the GDPR Doesn't Apply to Me?
- 'Doing Stuff With Data'
- Okay. The Data Protection Laws May Apply. Now What?
- Some Parting Thoughts
- About Me (expanded)
Who Are You and Why Should I Trust You?
My name is Carey @privacat@dataprotection.social and I am an External Data Protection Consultant, researcher, and Mastodon instance admin (I run dataprotection.social).
I also work for Castlebridge, a small consulting outfit out of Dublin, Ireland. You can read more about my background here.
Scope
This is both a guide & a general backgrounder/crash course on data protection law.
It's primarily targeted at Mastodon instance owners and admins, but many of the elements will likely also apply to other #Fediverse services (Misskey, Pleroma, Pixelfed, etc.).
I am primarily considering this from the EU point of view, so the citations will heavily skew towards the EU and UK General Data Protection Regulation [GDPR](https://gdpr-info.eu) [^1]. That said, if there's interest, I'll attempt to supplement this document with territory-specific rules. If you have knowledge or insight on additional laws to consider, please file an issue, or ping me directly at admin @ dataprotection.social.
But I Thought the GDPR Doesn't Apply to Me?
Despite the various rumors and wishful thinking out there, for many instance operators, the GDPR probably does apply.
TL;DR: the GDPR (like many data protection laws around the world) has wide reach and applicability, and applies to a whole host of activities and types of information sharing that don't always seem obvious.
Essentially, the GDPR applies to you if:
- You are making decisions to do stuff with (or process) data; and
- The data you're doing stuff with directly identifies a person or, combined with other information, can identify a person (the law calls people 'data subjects'). This kind of data is referred to as 'personal data' in the EU, and 'personally identifiable information' in the US; and
- The people whose data you're doing stuff with are based in the EU, or your processing is occurring in the EU.
'Doing Stuff With Data'
In plain English: If you are collecting, using, storing, sharing, transferring, selling, or generally making use of personal data on a computer (or physically), you're probably 'doing stuff' with data in some way. So, legally speaking, you're processing data.
Common Fedi examples of processing include:
- Your instance collects and stores user information such as email address, userid, IP address, biographical information, photos of data subjects, followers/following information, etc. of your instance's users and others interacting with users of your instance.
- Your instance collects and stores posts, likes, boosts, bookmarks to posts, etc.
- Based on how Mastodon works, your servers automatically perform various operations on the data, such as checking for spam, logging access attempts, and logging posting information (restricting and storing data).
- A user deletes their account/posts, or sets up the auto-delete function (erasing or destroying data)
- By virtue of being #federated, your instance shares, transmits, and disseminates personal data about users and their posts, likes, and boosts with other users across systems (unless you defederate from everyone).
- By allowing users to boost, comment on, or link to profiles or posts, your instance is adapting and altering that personal information.
- If you've got any sort of analytics going (Google Analytics, or even Matomo), you're likely collecting, storing, transmitting, and using device IDs, advertising IDs, IP information and other details about visitors to your site.
- By storing any of this on a server somewhere that's not your own, you're also transmitting personal data.
- When users send you an email (for example, if they sign up for an account or they make a data subject request), you're collecting, storing, transmitting, and using their email address, potentially their name, their userid, and whatever other information they provide to you.
Okay. The Data Protection Laws May Apply. Now What?
Things to Consider as a #fediverse Admin:
1. General obligations of controllers
As a controller you've got many obligations, beyond just the standard boilerplate Mastodon Privacy notice (which you should not use, as it's exceedingly generic). Controllers must, at a minimum, ensure that adequate 'technical and organisational' measures are in place to meet obligations under the GDPR. In simple terms, that means things like:
- securing personal data in transit and at rest;
- ensuring that access controls and authorisation are strong (strong passwords, limits on access by others to personal data of your users, using multi-factor / two-factor authentication);
- having appropriate auditing and logging of data on your systems;
- limiting (to the extent possible) what data is retained and stored on your system (including in logs) and for how long. This is especially true for things like IP addresses, userids and deleted content/accounts in backups, which are considered personal data. Essentially, if you don't need to keep it, treat it like hazardous waste and destroy it; [^2]

  Examples here might include setting shorter log retention limits and changing your nginx configuration to block the collection of data. For example, this set of recommendations by @chpietsch@digitalcourage.social comments out the two headers that pass the client's real IP address through to Mastodon:

  ```nginx
  #proxy_set_header X-Real-IP $remote_addr;
  #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  ```
- clearly defining what types of personal data you collect about your users and why you collect it (and spelling this out in the Privacy Notice);
- identifying the legal grounds for collecting this data. This is referred to as the lawful basis;
- identifying yourself as the controller, including providing contact information, as well as the reasons (purposes), categories of data collected, and third party processors you share data with. Examples here include your cloud hosting provider, CDN, and email provider;
- setting up processes to handle people demanding things of you, namely access to their data, correcting data if it's inaccurate, deletion, and objections to processing;
- setting up processes to handle and respond to data breaches;
- setting up appropriate policies and procedures for complying with the law;
- ensuring that contracts are in place when transferring data to third parties (for example, if you host on AWS, GCP, Azure, Infomaniak, or even a bespoke Mastodon hosting provider like masto.host);
- ensuring confidentiality, availability, integrity, and even resiliency of data are considered in your processes.
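The nginx recommendation above, carried a step further as an added example (this is not the guide's own configuration, nor Mastodon's reference template): besides withholding the real client address from the application, the access log itself is truncated before it reaches disk. It assumes Mastodon's reference layout with an upstream named `backend`, a placeholder `server_name` and certificate paths, and that the fragment sits in the `http` context (for example a file under `conf.d`).

```nginx
# Added example, not from the guide. Assumes the usual Mastodon layout:
# an "upstream backend" pointing at the Puma process, and TLS already set up.

# Data minimisation at the log: keep only the /24 (IPv4) or the first two
# hextets (IPv6) of the client address. The full address is never written.
map $remote_addr $remote_addr_anon {
    ~(?P<ip>\d+\.\d+\.\d+)\.    $ip.0;
    ~(?P<ip>[^:]+:[^:]+):       $ip::;
    default                     0.0.0.0;
}

# Log format without the user agent or full address; enough to spot abuse,
# little enough that a leaked log is not a list of who visited when.
log_format anon '$remote_addr_anon - [$time_local] "$request" $status '
                '$body_bytes_sent "$http_referer"';

server {
    listen 443 ssl;
    server_name example.social;                            # placeholder
    ssl_certificate     /etc/ssl/placeholder/fullchain.pem; # placeholder
    ssl_certificate_key /etc/ssl/placeholder/privkey.pem;   # placeholder

    # Retention of the rotated files themselves is logrotate's job
    # (e.g. "rotate 7" and "maxage 7" in /etc/logrotate.d/nginx).
    access_log /var/log/nginx/mastodon-access.log anon;

    location @proxy {
        proxy_pass http://backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Proxy "";

        # Mastodon's template sets these two; commented out, as recommended
        # above, the application only ever sees the proxy's own address and
        # therefore has no client IP to record against sessions or sign-ins.
        #proxy_set_header X-Real-IP $remote_addr;
        #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Once the real address is withheld, everything in Mastodon that keys on IP (rate limiting, admin IP rules, the sign-in address shown to moderators) sees only the proxy, so this trades those controls for minimisation. The truncated access log keeps enough network-level signal to investigate abuse without retaining a per-person record.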
2. Data residency/sovereignty issues
Depending on where you're based (or where your #fedi server is hosted) you may have data residency/localisation or sovereignty requirements. Essentially, you may be limited by your own country's laws, which may include strict obligations to store information in that country (if targeting users of that country), or to permit government access.
As a separate concern, while the EU does not have strict requirements to host data in the EU/EEA, the GDPR adds a whole load of complexity if you process data about EU data subjects outside of the EU or another adequate country. See: But I Thought the GDPR Doesn't Apply to Me. [^3]
3. Using your instance for legally dubious purposes
If your instance is large, engages in activities that are legally suspect in your jurisdiction (loli, child sexual abuse material (CSAM), drugs, warez, terrorism, etc.), you may need to think about how you will respond to a government request for data about users of your service. This is pretty unlikely for small instances, but it absolutely is a concern that shouldn't be wholly ov