Mastodon's Privacy: Who actually holds your data in Mastodon

Mastodon is a decentralized social media application that has recently been gaining traction after Elon Musk acquired Twitter. Communities have been migrating from Twitter to Mastodon, leading to more than a doubling in Mastodon’s MAUs since the deal was announced. Mastodon has more than 2.5 million MAUs as of Nov 23, 2022.

One big driver for user migration stems from Twitter users' concerns about data privacy. This is not surprising, given Twitter's history of mistakes when it comes to guarding user data. So we were curious about how Mastodon's data collection, usage, and sharing stand against its privacy terms and against privacy laws worldwide.

Data elements used by Mastodon

Per the Privacy Policy of Mastodon's mastodon.social server, the app collects username, display name, biography, profile picture, and header image as public information, along with email address and password for authentication. The server also stores additional information such as the IP address of the device using the app and all communication (including DMs) that happens on the app.

Note that every server (or node) in the Mastodon network has its own privacy policy. Read your server’s privacy policy and make sure you agree with it before creating an account.

We tried to analyze whether the application code (which is open source) actually adheres to the privacy policy declared by the mastodon.social server. To do that, we ran the Privado privacy scanner on Mastodon’s Android application code.

The analysis can be found here.

How does Mastodon handle user data?

To better understand how data flows in Mastodon, we first need to understand how Mastodon works. Mastodon works on a federated architecture. This means that each server is run by an individual or organization, there is no central server, and all servers in the network communicate with each other to serve their users.

Mastodon Servers

This is important because, in a federated architecture, anyone can set up a server and start onboarding users, so the owner of the server must be a trusted individual or entity. However, analyzing only the data flow between the application and the server is insufficient to get a complete picture of how users' data is handled. We also need to map data flows within the application.

Such a code analysis was done using the Privado scanner, which helped us trace the data flows of all data elements used in the application. An example of the email address data flow is given below:

A line-by-line analysis of email address data flow

So, once we have complete visibility of data flows within and among multiple applications in Mastodon, it ultimately all comes down to the question:

What do Mastodon’s server admins know?

To understand how data flows in the Mastodon network, let us assume the following scenario:

You created an account at @primary.server as @you@primary.server and published a few posts. Apart from that, you sent a few private messages to your friends, who created their accounts at @friendly.server as @friend@friendly.server.

All the data generated in this scenario, and the servers that have access to it, are depicted below:

Data access in Mastodon

Note that “Public Server" is any other Mastodon server in the Fediverse. Besides that, servers also store logs that might contain the IP address and the user's approximate location.
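To make the diagram concrete, here is a small model of the scenario above. It is an added example written for this post, not Mastodon's code: it approximates ActivityPub delivery at the server level (the origin server keeps every post; a copy is pushed to the server of every recipient, and public posts are additionally pulled in by any other server in the Fediverse). The users, servers and follow relationships are constructed to match the scenario; "public.server" stands in for the "Public Server" box in the figure.

```python
"""Model of which Mastodon servers end up holding a copy of a post or DM.

Simplified federation model (an added example, not Mastodon's code):
  - the author's own server always stores the post;
  - every mentioned user's server receives a copy;
  - "private" (followers-only), "unlisted" and "public" posts are delivered
    to the server of every follower;
  - "public" posts are additionally fetched or relayed by any other server
    in the Fediverse (the post's "Public Server").
"""
from dataclasses import dataclass, field

VISIBILITIES = ("public", "unlisted", "private", "direct")


@dataclass(frozen=True)
class User:
    name: str
    server: str

    def __str__(self) -> str:
        return f"@{self.name}@{self.server}"


@dataclass
class Network:
    # follower -> set of accounts that follower follows
    follows: dict[User, set[User]] = field(default_factory=dict)
    # other servers in the Fediverse that pull public posts
    public_servers: set[str] = field(default_factory=set)

    def followers_of(self, author: User) -> set[User]:
        return {u for u, followed in self.follows.items() if author in followed}

    def servers_holding(self, author: User, visibility: str,
                        mentions: tuple[User, ...] = ()) -> set[str]:
        """Return the set of servers that receive and store the post."""
        if visibility not in VISIBILITIES:
            raise ValueError(f"unknown visibility {visibility!r}")
        holders = {author.server}                      # origin server
        holders |= {u.server for u in mentions}        # servers of mentioned users
        if visibility == "direct":                     # a DM stops here
            return holders
        holders |= {u.server for u in self.followers_of(author)}
        if visibility == "public":
            holders |= self.public_servers
        return holders


def scenario() -> tuple[Network, User, User]:
    """Constructed network matching the post's scenario."""
    you = User("you", "primary.server")
    friend = User("friend", "friendly.server")
    net = Network(follows={friend: {you}}, public_servers={"public.server"})
    return net, you, friend


if __name__ == "__main__":
    net, you, friend = scenario()
    for vis in VISIBILITIES:
        mentions = (friend,) if vis == "direct" else ()
        held = sorted(net.servers_holding(you, vis, mentions))
        print(f"{vis:<9} post by {you}: stored on {', '.join(held)}")
```

Running it shows the point of the figure: a DM to @friend@friendly.server is stored on both primary.server and friendly.server in the clear, and switching the same content to a public post adds every other server that pulls public timelines. There is no visibility setting under which your own server does not hold the data, which is why the choice of home server matters most.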

How to secure your privacy in Mastodon

Once we understand how data flows in the Mastodon network, combined with the fact that Mastodon does not support end-to-end encryption (E2EE) for communication, we recommend the following practices:

  • Create an account on a server that you trust. This server has access to all your information on Mastodon.
  • Do not share any personal information with users who are registered on servers you do not trust.
  • Enable "Require follow requests" in your settings to filter out unwanted follows.
  • Mark posts unlisted or private when needed.
  • Never share any personal or sensitive information publicly on Mastodon.

Overall, we believe that the Mastodon application uses minimal data, does not share information with any third party, and transparently declares the data usage and risks of using the application. Therefore, we believe that the Mastodon application is safe to use, and as long as you have registered your account on a trusted server, there are minimal privacy breach risks.
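Two of the recommendations above ("Require follow requests" and a non-public default post visibility) are account settings that can be applied and checked over Mastodon's REST API instead of through the web UI. The script below is an added example, not part of the original post or of Mastodon's code. It uses the documented `PATCH /api/v1/accounts/update_credentials` endpoint with its `locked` and `source[privacy]` form fields; the environment variables `MASTODON_BASE_URL` and `MASTODON_TOKEN` are assumed to hold your server's URL and a user access token with the `write:accounts` scope.

```python
"""Apply and verify the account-level privacy settings recommended above.

Added example for this post (not Mastodon's own code). Assumes:
  MASTODON_BASE_URL  e.g. https://primary.server   (your home server)
  MASTODON_TOKEN     a user access token with the write:accounts scope
"""
import json
import os
import urllib.parse
import urllib.request

ALLOWED_PRIVACY = ("public", "unlisted", "private", "direct")


def build_update(locked: bool = True, default_privacy: str = "unlisted") -> dict[str, str]:
    """Form fields for PATCH /api/v1/accounts/update_credentials.

    locked=True turns on "Require follow requests"; source[privacy] sets the
    default visibility for new posts (it does not change existing posts).
    """
    if default_privacy not in ALLOWED_PRIVACY:
        raise ValueError(f"unknown visibility {default_privacy!r}")
    return {
        "locked": "true" if locked else "false",
        "source[privacy]": default_privacy,
    }


def build_request(base_url: str, token: str, fields: dict[str, str]) -> urllib.request.Request:
    """Build the authenticated PATCH request without sending it."""
    body = urllib.parse.urlencode(fields).encode()
    return urllib.request.Request(
        url=base_url.rstrip("/") + "/api/v1/accounts/update_credentials",
        data=body,
        method="PATCH",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


def weak_settings(account: dict) -> list[str]:
    """Inspect the CredentialAccount JSON the endpoint returns and list
    anything still weaker than the recommendations above."""
    problems = []
    if not account.get("locked"):
        problems.append("follow requests are not required")
    if account.get("source", {}).get("privacy", "public") == "public":
        problems.append("default post visibility is public")
    return problems


def main() -> None:
    base = os.environ["MASTODON_BASE_URL"]
    token = os.environ["MASTODON_TOKEN"]
    req = build_request(base, token, build_update())
    with urllib.request.urlopen(req, timeout=30) as resp:
        account = json.load(resp)
    problems = weak_settings(account)
    if problems:
        for p in problems:
            print("still weak:", p)
    else:
        print("account hardened:", account.get("acct"))


if __name__ == "__main__":
    main()
```

Note that these settings only limit who can follow you and the default for future posts; they do nothing about what your home server itself stores, which is the first recommendation in the list.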

What next?

We are currently auditing the structure of Mastodon’s code and analyzing the privacy practices of the application, including, but not limited to, the following factors:

  • Personal data leakages via logs in the application and server
  • Default data storage and encryption practices of Mastodon, along with variations among various servers
  • Compliance with standard security practices

Need to try this yourself? Shoot us a message over at our community. Download our OSS tool here.