Open Source, Decentralised, and Federated Social Media Alternatives

tl;dr: Join me in exploring some alternatives to Facebook, Twitter, Instagram, YouTube, Discord, Slack, Zoom, Skype, etc. Only through trying them out and starting to develop a critical mass will we be able to free ourselves from these giant platforms that don’t have our best interests at heart.

When it comes to social media these days, we users are very definitely the product. We are bombarded with ads (or need to resort to ad blockers), censored for posting things that the platforms deem risky or not profitable (such as sexually explicit material or expressions about less mainstream parts of our identity), and at the same time are powerless to reliably get the platforms to remove content that is actively harmful.

To mainstream social media, we’re just marketing opportunities generating ad revenue. We stay, mostly, because these platforms have the critical mass of people with whom we’d like to connect. But what if we decided to go elsewhere?

OK, so I know that less mainstream or more niche platforms don’t have that critical mass, and as a result are less appealing. But I’d like people to consider them nonetheless, because that’s the only way we’ll actually get any sort of critical mass and have a hope of cultivating a social network on platforms where we have more freedom and agency.

I’ll explain what I mean by “decentralised” and “federated”, and go into some examples of each.

What is a Federated Platform?

A federated platform is one in which there is no single centralised authority or hub on which the system, platform, or network depends. The most prominent example of this is email. While most people these days have a Gmail address, we also have the option of instead using a Yahoo! or Hotmail address, or any other free or paid email service, or we could choose to host our email ourselves. (Incidentally, I personally pay for a Fastmail account because I’m the customer and not the product, and having worked for them in the past, I trust their security and values.) Regardless which email hosting provider you use, you aren’t siloed or restricted to communicating with others who use that email provider. A Gmail user can email a Yahoo! user, for example.

The key takeaway here is that while there are hubs through which communication and networking must occur, there are many of them, and you have a choice of which one you use, or whether you set up your own.

Federated Platforms and ActivityPub

Many federated platforms support ActivityPub. Without getting into too much technical detail, in the same way the SMTP protocol allows different email services (Fastmail, Gmail, Yahoo!, Hotmail) to talk to each other, ActivityPub allows some different social media platforms to talk to each other.

So, for example, if I was part of a Twitter-like social media site for people who love ponies, and a friend of mine was part of a Twitter-like social media site for people who hate pineapple on pizza, ActivityPub would still let me, on my pony-loving site, follow and interact with my friend on their pineapple-on-pizza-hating site, without each of us needing an account on each others’ community sites (which is a relief, because I’m definitely pro-pineapple-pizza!).

Not only that, but if I had a third friend (I know; I’m so popular!) who was on a Facebook-like site for people who want to try water-skiing, and both my Twitter-like site and their Facebook-like site support ActivityPub, I could even mutually follow and interact with them, even though the sites we’re using run different software and have different focuses. I’d see their Facebook-like posts as Tweet-like things in my timeline, and they’d see my Tweet-like things as Facebook-like posts on their timeline, and we’d be able to comment on each others’ updates from our respective websites. Pretty cool, huh?

Diagram of the ponies/pineapple/ski federation example described above

Collectively, apps and sites that communicate with each other via ActivityPub are said to be part of the “Fediverse” (a portmanteau of “federated universe”). Each site (be it a pony site or a pineapple pizza site) is often referred to as a “server” or, more commonly, an “instance” (as in, “an instance or server on which this particular software is installed”), such that in this context, these terms can all be used interchangeably.
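As an added illustration that is not part of the original post, here is the Follow/Accept exchange behind the pony/pizza story, modelled in Python with two in-memory servers. The hostnames pony.example and pizza.example, the users alice and bob, and the activity id scheme are constructed; HTTP itself, request signing and the exact wire format are left out.

```python
from urllib.parse import urlparse

AS_CONTEXT = "https://www.w3.org/ns/activitystreams"

class Instance:
    """One Fediverse server: its local actors, inboxes and follow state."""

    def __init__(self, host):
        self.host = host
        self.actors = {}     # username -> actor document
        self.inboxes = {}    # actor id -> activities received
        self.followers = {}  # actor id -> remote actors following it
        self.following = {}  # actor id -> remote actors it follows
        self._seq = 0

    def add_user(self, name):
        actor_id = f"https://{self.host}/users/{name}"
        self.actors[name] = {"@context": AS_CONTEXT, "type": "Person",
                             "id": actor_id, "preferredUsername": name,
                             "inbox": actor_id + "/inbox"}
        self.inboxes[actor_id] = []
        self.followers[actor_id] = set()
        self.following[actor_id] = set()
        return actor_id

    def webfinger(self, resource):
        """Answer /.well-known/webfinger?resource=acct:name@host (a JRD)."""
        name, host = resource[len("acct:"):].split("@")
        if host != self.host or name not in self.actors:
            return None
        return {"subject": resource,
                "links": [{"rel": "self", "type": "application/activity+json",
                           "href": self.actors[name]["id"]}]}

    def new_id(self, kind):
        self._seq += 1
        return f"https://{self.host}/{kind}/{self._seq}"

def host_of(actor_id):
    return urlparse(actor_id).netloc

def resolve(network, handle):
    """'@name@host' -> actor id, via WebFinger on the remote host."""
    name, host = handle.lstrip("@").split("@")
    jrd = network[host].webfinger(f"acct:{name}@{host}")
    if jrd is None:
        raise LookupError(handle)
    return next(link["href"] for link in jrd["links"] if link["rel"] == "self")

def deliver(network, activity):
    """POST an activity to the inbox of the actor named in 'to'.  Real servers
    also verify an HTTP Signature here (omitted) so nobody can forge activities."""
    target = activity["to"]
    server = network[host_of(target)]
    server.inboxes[target].append(activity)
    if activity["type"] == "Follow":
        # A remote actor wants to follow a local one: record it, send Accept.
        server.followers[target].add(activity["actor"])
        deliver(network, {"@context": AS_CONTEXT, "id": server.new_id("acts"),
                          "type": "Accept", "actor": target,
                          "object": activity, "to": activity["actor"]})
    elif activity["type"] == "Accept":
        # Our earlier Follow was accepted by the remote server.
        server.following[target].add(activity["actor"])

def follow(network, follower_id, handle):
    target = resolve(network, handle)
    server = network[host_of(follower_id)]
    deliver(network, {"@context": AS_CONTEXT, "id": server.new_id("acts"),
                      "type": "Follow", "actor": follower_id,
                      "object": target, "to": target})
    return target

def post_note(network, author_id, content):
    """Publish a Note: one Create activity per follower inbox, whatever
    server or software that follower uses."""
    server = network[host_of(author_id)]
    note = {"id": server.new_id("notes"), "type": "Note",
            "attributedTo": author_id, "content": content}
    for follower in sorted(server.followers[author_id]):
        deliver(network, {"@context": AS_CONTEXT, "id": server.new_id("acts"),
                          "type": "Create", "actor": author_id,
                          "object": note, "to": follower})
    return note

def demo():
    """Alice on the pony server follows Bob on the pizza server."""
    network = {h: Instance(h) for h in ("pony.example", "pizza.example")}
    alice = network["pony.example"].add_user("alice")
    bob = network["pizza.example"].add_user("bob")
    follow(network, alice, "@bob@pizza.example")
    post_note(network, bob, "Pineapple does not belong on pizza.")
    return network, alice, bob
```

After `demo()`, Alice's inbox on pony.example holds Bob's Accept and then his Create, even though the two servers never shared an account database.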

Examples of Federated Platforms

Alright, without any further backstory, let’s dive into some examples. Many of the federated examples I’m listing below support ActivityPub (i.e. are part of the Fediverse), which means that if you join a site that runs any of those apps, you’ll be able to talk to people on any of the others (including me)!

Mastodon (Twitter alternative)

Screenshot of Mastodon’s mobile web interface

Mastodon is a great alternative to Twitter. It has all the paradigms you know and love, with a few different names. Tweets are called Toots, and Retweets are called Boosts. Toots on Mastodon are usually limited to 500 characters, compared to Twitter’s 280 characters, and you can also include Content Warnings on your Toots, which will hide the Toot’s contents until the reader clicks on it (after they’ve read whatever content warning you provided), and will blur out any attached media by default too. There are even various services, such as Moa.party, which will let you post your Twitter Tweets to Mastodon, and vice-versa, if you wish.

If you head over to Mastodon’s home page and scroll down a bit, you can find a bunch of instances you can join to become part of the Fediverse, and communicate with anyone else who’s also connected. I personally am a member of Aus.social, a Mastodon server targeted at Australian folks. My friend, Aurynn, has also recently launched Cloud Island, which is targeted at New Zealanders, but is also open to Australians.

Cloud Island is a paid-for service (minimum $8USD/month, via Patreon), which helps to support the servers running the site, and the effort required to keep it going. It also has a well-defined and enforced code of conduct, meaning it’s well-moderated, and the site is entirely hosted in New Zealand, which means it’s pretty fast to access from Australia, and isn’t hosted with a big cloud provider like Amazon’s AWS (which I think is a Good Thing). You can find more information on the Cloud Island homepage, or the About section of its Patreon page.

There are iPhone and Android apps that support Mastodon too. On Android I use Tusky. I don’t have any recommendations for iPhone apps, but could probably hunt some down if asked.

A 2-minute Mastodon introduction video

Pixelfed (Instagram alternative)

Screenshot of Pixelfed’s mobile web interface

Pixelfed is also part of the Fediverse, and has a focus on photos and pictures, in the same way that Instagram does. I’ve not played around with it a whole lot, but it looks like they’re doing some really cool stuff. Head over to their list of instances if you’d like to join up and give it a shot.

Friendica (Facebook alternative)

Screenshot of Friendica’s mobile web interface

If you really want something that looks like Facebook, from what I’ve seen, Friendica is your best bet. You can check out their list of instances, or maybe try to come join me over on Nerdica. Friendica shows information in Facebook-style posts and comments (even if the conversation happened on another platform like Mastodon — yes, Friendica is part of the Fediverse too!), as well as supporting things like Events; one of the main things I keep Facebook around for.

PeerTube (YouTube alternative)

Screenshot of Peertube’s mobile web interface

If videos are your thing, give PeerTube a shot. You can filter their list of instances on various criteria, post videos, and watch other videos (from your instance or others). PeerTube has the added option that, while watching a video, you can share bits of the video (using a BitTorrent-style protocol) with anyone else also watching the same video, to reduce the load on the server hosting it! Furthermore, if you find someone who posts videos that you enjoy on PeerTube, and you’d like to subscribe to them, you can do this from any platform that supports ActivityPub, and see updates on your platform of choice whenever a new video is uploaded!

WriteFreely (Blogging/writing platform)

Screenshot of WriteFreely’s mobile web interface

WriteFreely is a really clean-looking blogging and writing platform that’s also part of the Fediverse. This means you can subscribe to WriteFreely authors from whatever Fediverse platform you’re a member of. If you want to give WriteFreely a shot, you could try out Write.As, from the folks who develop WriteFreely, or join another instance of your choice.

Riot.im and Matrix (Slack/Signal/IM alternative)

Screenshot of Riot’s mobile app

Riot and Matrix work together to provide a chat service, both for one-on-one chats, and for group chat rooms. Matrix is the name of the server-side (the service you connect to in order to interact with others), and Riot.im is the name of the client side (the app you run on your computer or phone to connect to the network). There are other alternatives to Riot if you’d like to connect to Matrix with something different. FluffyChat is one of them. It’s pretty cute and friendly, but I don’t think it’s quite as featureful as Riot is just yet.

Screenshot of FluffyChat’s mobile app

If you want to give Riot/Matrix a shot, I highly recommend creating an account on matrix.org using their instance of the Riot web app.

Matrix are also doing some really cool stuff in an endeavour to support being decentralised, as well as federated. Check out their peer-to-peer Matrix blog post for more info.

Matrix is also great as an alternative to Signal, with the advantage that all the software is completely open source (while for Signal, you’re using the Signal servers, whose source code you can’t verify), and doesn’t require sharing your phone number with contacts. It does full end-to-end encryption, and has recently released a really simple verification tool with Riot 1.6, meaning that if you’ve verified the Matrix identity of a friend in-person, you can be certain that you’re talking to them, no matter what device they’re talking to you from. It’s a really smooth experience!

Riot also supports one-on-one video and voice calling, and, if integrated with Jitsi (mentioned below), can also do group video chats.

What is a Decentralised Platform?

A decentralised platform is one in which every participant is equal. There are no hubs that we need to interact through, and no contributor is more important than any other. The best example of this that I can think of is attending a social gathering in person. You might know some people there, and not know others. You find yourself in a group talking to some folks, one of whom is an astronomer. Later on in the event, you find yourself in a different group of people, chatting, and somebody mentions astronomy. At this point, you can mention that you were chatting to an astronomer earlier on, and potentially invite them over or connect them to this person later on.

In this example, no one person holds all the knowledge from all the conversations in the event space, or is arbitrating and dictating who can speak with whom. Every individual at the event is a free agent who can communicate with any other person, and can share information from other interactions they’ve had. This is what I mean by decentralised.

Examples of Decentralised Platforms

Decentralised platforms are still relatively new, and many of them aren’t particularly polished, but here are a few examples:

Secure ScuttleButt

Screenshot of Manyverse’s mobile app

Secure ScuttleButt is probably one of the more predominant platforms right now. It uses what is known as the “gossip” protocol, in the same way that I described in my example of different conversations at a social event above. I hear information from my friends, and then I can “gossip” that information to my other friends as an intermediary, without each of my friends knowing each other directly. This has the advantage that there is no single point of failure, and anybody can pass on a message from one person to another, as long as they’re connected to both of those people. The disadvantage, though, is that anything posted to the ScuttleButt network is immutable (i.e. you can’t edit or delete what you post), and, with the exception of private messages, all your posts are publicly visible. (Private messages can be passed on from one friend to another, but can only be decrypted by the intended recipient.)

The other upshot of this model of not having any central servers is that you can make updates (e.g. a social media post) to your ScuttleButt journal from anywhere, even if you don’t have an internet connection at the time, and then as soon as you’re in range of a friend who also uses ScuttleButt, your devices can communicate directly (without needing to go via the internet), to share the information you’ve published, and then your friend can pass it on to others via the internet, or directly. This all happens automatically and seamlessly.

Further to the above, if you receive updates from your friends, your device will download all of those, and you can read them offline at your leisure. This does mean that your cache of ScuttleButt content can grow quite large (gigabytes, in some cases), and you may need to set it up to delete old content once in a while, with the additional disadvantage that you then won’t be able to pass this content on to others, or access it yourself unless you retrieve it again from a friend.
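An added toy model (not ScuttleButt’s own code) of the gossip replication the last three paragraphs describe: three peers with append-only, hash-chained feeds, where a post Alice writes offline reaches Carol through Bob although Alice and Carol never connect. The peer names and the two-hop “friends of friends” replication rule are assumptions; signatures on messages and the encryption of private messages are omitted.

```python
import hashlib
import json

def msg_hash(msg):
    """Content hash of one message; the next message in a feed links to it."""
    return hashlib.sha256(json.dumps(msg, sort_keys=True).encode()).hexdigest()

class Peer:
    """One ScuttleButt-style device: its own feed plus replicated copies."""

    def __init__(self, name):
        self.id = "@" + name
        self.feeds = {self.id: []}  # author id -> that author's messages, in order

    def publish(self, content):
        """Append to our own feed.  Each entry names the hash of the one before
        it, so an entry that has already been gossiped cannot later be edited or
        deleted without breaking the chain that every other peer holds."""
        feed = self.feeds[self.id]
        msg = {"author": self.id, "seq": len(feed) + 1,
               "previous": msg_hash(feed[-1]) if feed else None,
               "content": content}
        feed.append(msg)
        return msg

    def follow(self, peer_id):
        # Follows are ordinary messages in our feed, so they gossip like anything else.
        return self.publish({"type": "contact", "contact": peer_id})

    def wanted_feeds(self, hops=2):
        """Feeds we replicate: our own, people we follow, and people they follow."""
        wanted, frontier = {self.id}, {self.id}
        for _ in range(hops):
            found = set()
            for author in frontier:
                for m in self.feeds.get(author, []):
                    c = m["content"]
                    if isinstance(c, dict) and c.get("type") == "contact":
                        found.add(c["contact"])
            frontier = found - wanted
            wanted |= found
        return wanted

    @staticmethod
    def chain_ok(msgs):
        """True if sequence numbers and previous-hashes form an unbroken chain."""
        prev = None
        for n, m in enumerate(msgs, 1):
            if m["seq"] != n or m["previous"] != prev:
                return False
            prev = msg_hash(m)
        return True

    def sync(self, other):
        """One gossip exchange (say, two phones on the same wifi).  Each side
        pulls only the messages it lacks from each feed it wants, and keeps
        looping because a friend's feed can reveal new friends-of-friends."""
        changed = True
        while changed:
            changed = False
            for me, you in ((self, other), (other, self)):
                for author in me.wanted_feeds():
                    have = me.feeds.get(author, [])
                    new = you.feeds.get(author, [])[len(have):]
                    if new and Peer.chain_ok(have + new):
                        me.feeds[author] = have + new
                        changed = True

def demo():
    """Alice and Carol never talk directly; Bob carries Alice's post to Carol."""
    alice, bob, carol = Peer("alice"), Peer("bob"), Peer("carol")
    alice.follow("@bob")
    bob.follow("@alice")
    bob.follow("@carol")
    carol.follow("@bob")
    alice.publish("written on the train, no internet")  # offline is fine
    alice.sync(bob)    # later, within wifi range of Bob
    bob.sync(carol)    # Bob gossips it on
    return alice, bob, carol

if __name__ == "__main__":
    _, _, carol = demo()
    for m in carol.feeds["@alice"]:
        print(m["seq"], m["content"])
```

A tampered copy of an already-gossiped message fails `chain_ok` at the next link, which is the immutability the post describes; a tampered final message would only be caught by the per-message signatures this model leaves out.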

To get started with ScuttleButt on your computer, I recommend downloading Patchwork and following the ScuttleButt Getting Started guide. To get started on your mobile device, give Manyverse a shot. It’s worth noting that due to how ScuttleButt works, you can’t have the same identity on both your phone and your computer, but you can easily cross-link unofficially by mentioning your phone’s identity in your computer’s profile bio, and vice-versa.

Aether (forum-style platform)

I haven’t really played with Aether much yet, but it’s a platform that allows you to create and subscribe to forums on various topics. Like ScuttleButt, because it’s decentralised, you basically download all the information to which you’re given access, and then you share that with others you interact with. In order to keep the amount of information you download relatively small, the platform only allows sharing text data (though this data can contain links to other media such as images elsewhere on the internet).

IPFS (Distributed world wide web)

IPFS, the InterPlanetary File System, is a peer-to-peer file storage system. Their homepage likely explains how it works better than I, but in short, you and others store files you’d like to publish via IPFS, and then everybody who downloads those files becomes capable of sharing them with others.

Briar (messaging app)

Briar is an Android-only messaging app that works via peer-to-peer access direct between phones, or over the internet via the Tor network. It’s not particularly polished, and doesn’t have a bunch of features yet, but is designed to be secure and private, and for basic messaging, it seems to work relatively well.

Jitsi (Video conferencing platform)

Jitsi is one of the up-and-coming video platforms available these days as an alternative to Zoom, Skype, Microsoft Teams, etc. It’s completely free to create a video chat on their website Meet.Jit.si, and you don’t even need an account for it! They’re also working hard on getting end-to-end encryption up-and-running, and already have a proof-of-concept working! Meanwhile, if you’re concerned that their server can decrypt your video messages, you can run your own instance of the server that you control! Jitsi can run completely in-browser, but also has desktop and mobile apps for all major platforms.

Big Blue Button (Video conferencing platform)

As if having a single video conferencing alternative wasn’t enough, Big Blue Button is another one! I’ve not played with this a whole lot, but it’s also completely free, and seems to offer some more seminar-like tools that Jitsi lacks, as well as a collaborative note-taking space shared by everyone within a given meeting. Like with Jitsi, Big Blue Button can be installed on your own servers, so that you can control who has access to your data.

Summary

There are so many more cool apps that I didn’t mention here. All of the ones I have mentioned are completely open source, so the code for them is completely available for anyone to read, or install on their own systems so they’re not reliant on servers controlled by anyone else.

Of the services listed above, here are those that support ActivityPub and are part of the Fediverse, along with any accounts I have on them. I’m inactive on most of them except aus.social, so whichever platform you choose, that’s the best account to follow:

If you’d like to make contact with me on any of the other services I’ve mentioned, here’s where you can find me:

  • Matrix: @mattcen:matrix.org
  • ScuttleButt: @qAAoOWTZ9ynC/huIf9TplQujL4ccNUMGvUvQLxUa9xY=.ed25519

I know that switching away from our current familiar social media platforms that have all our friends on them is a big ask. I also know that some people think that the benefit of being able to easily connect with their social circle outweighs the detriments of giving your data to a big company, or of expending energy switching to a more free and liberated alternative and then trying to convince your friends to do the same so you don’t feel so alone there. I’m here to tell you that getting started on some of these platforms really isn’t that hard, and you don’t need to give up Facebook or Twitter right away. It’s easy to create a Mastodon account on Mastodon.online or Aus.social, and then use that to follow friends on those or other Fediverse platforms, either from a computer or smartphone. It’s equally easy to install Riot.im on your smartphone (or their newer client, RiotX, if you’re on Android) or access its web interface on desktop, to create an account on Matrix.org and use it to chat with friends and meet new people.

All I’m asking is that you give it a chance and see how it works for you, and who knows, maybe we’ll be able to start such a trend that we create our own brand new community of pineapple-pizza-hating or pony-loving humans!

So, please join me. Let’s give some of these other freedom- and privacy-respecting social media tools a chance, and see if we can build a new friend network away from the Facebooks and Twitters of the world!

The pain of passwords

This post may get a bit rambly and is kind of self-indulgent, but some might find it an interesting story. There’s a tl;dr at the bottom.

I use a password manager to manage passwords to the majority of services and websites I have accounts with. Most of these sites have unique and complex passwords that I have no hope of remembering. I like it this way.

Password managers can’t help with everything. You still need to remember the password/phrase to unlock the password manager, and the phone and/or computer you access it from. If you host the password manager’s data file on a cloud storage service, like I do, you need to remember your password to log into that too. Further, given that in my case my cloud storage service of choice, ownCloud, is self-hosted, I need to remember all the passwords pertaining to the server that runs that service. This includes local Linux passwords and SSH key passphrases.

Now, sure, I have a copy of the passwords on removable storage somewhere safe so I’m not dependent on all this infrastructure. But guess what? That copy is PGP-encrypted. With a passphrase. That I have to remember.

So let’s recap. The passwords I currently have to remember include:

  1. Local workstation computer password
  2. Smartphone PIN/password/pattern
  3. Password manager passphrase
  4. Cloud storage password
  5. GPG key passphrase
  6. SSH key passphrase
  7. Server login password

Now I’m going to put aside the questionable design decisions I’ve made here; I grant that I could just use a single encrypted password file on a USB key (with backups elsewhere), that I can plug into any computer I trust, and access my passwords. And that’s great for a fallback which I could easily implement, but it’s not exactly something I want to do on a day-to-day basis. Let’s say I simplified this system, though, so I wasn’t worrying about the cloud-hosting of the file. I’d still need to remember 2-3 passwords:

  1. Local workstation computer password
  2. Smartphone PIN/password/pattern
  3. Password manager passphrase

Yes, that’s better, and more manageable. Say, though, that I have multiple computers. Do I use the same passwords for all of them, or should I be a good security-conscious person and use different ones everywhere?

I will tell you right now that in the longer list of passwords above, several of those services shared a password. I hate remembering passwords, as everyone else does, so naturally, I try to remember as few as possible and put as many as possible in my password manager. It got to the point that the aforementioned shared password was one that I’ve used for a long time. By long, I mean at least 10 years. Now before you start yelling at me for being careless and insecure, in my opinion, it was a pretty good password. It was reasonably long, contained non-dictionary words and different character classes, and for the most part, the services that used it were not directly exposed to the internet, so you’d likely need possession of one of my devices to try to crack it. I had no reason to expect that it was compromised.

Monday last week, I typed that password into a group chat. You know how it is; it could happen to anybody. You see your computer screen is blank, and, given how unlikely it is that you’re within the 5-second grace period, you assume your computer is locked, so you sit down, and blindly type in your password while your screen wakes up. You hit Enter, switch to the window you want to be in, and get on with your day. Then your colleague leans over quietly and says “perhaps you want to delete that message you just posted,” and, confused, you take a look at the channel, and feel the ground fall out from under your chair.

Not just because you remember that the password you’ve been typing from muscle-memory for a decade without really thinking about can actually be interpreted as a rather juvenile set of words that your present self would never use, but also because now you’ve got a problem: you have to relearn a new password or passwords, for the machine you type the password into about 50 times daily.

Bother.

Because of the nature of passwords, ones like this one have existed since before the jury came back on what a good memorable password looked like. My general passwords that I’d drop into a password manager look something like this:

$pyf|?u?'yB7pCNW~$y:yv;Kc*^<c,%U

The length I use has increased over time, as I’ve found less occasion to have to type these manually. There’s no way I want to remember a password like this, let alone have to type it, fingers moving all over the keyboard, hitting Shift every second character. I don’t even want to contemplate having to regularly type something like this into my smartphone.

So after some deliberation, I took a leaf out of Randall Munroe’s XKCD comic:

Pictured: A comic contrasting the struggle of memorising low-entropy passwords like “Tr0ub4dor&3” with high-entropy passwords like “correct horse battery staple” (CC-By-NC Randall Munroe, XKCD 936)

This, combined with a handy shell script, written by a past colleague, which assembles a password from several words from Linux’s /usr/share/dict/words file, gave me a password that I just had to start remembering. I quickly set the password on my laptop, while storing it in my password vault accessible from my phone (which I could access with other, different passwords that I already knew and didn’t need to change right now) for the inevitable moments I forgot it.
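An added Python equivalent of the word-list approach just described (not the colleague’s script), with the entropy arithmetic behind the XKCD comparison so you can see how many words a given dictionary needs. It reads /usr/share/dict/words when present; the fallback word list is constructed so the example also runs where that file is absent.

```python
import math
import secrets
from pathlib import Path

SYSTEM_WORDS = "/usr/share/dict/words"

# Constructed fallback so the example runs on systems without a dict file.
FALLBACK = ["correct", "horse", "battery", "staple", "pony", "pizza", "toot",
            "boost", "gossip", "island", "cloud", "matrix", "briar", "aether",
            "signal", "server", "client", "remember", "keyboard", "muscle",
            "memory", "bother", "federate", "instance", "private", "freedom"]

def load_words(path=SYSTEM_WORDS, min_len=4, max_len=8):
    """Candidate words: plain lowercase letters only (drops apostrophes and
    proper nouns), within a length range that stays comfortable to type."""
    try:
        raw = Path(path).read_text(encoding="utf-8", errors="ignore").split()
    except OSError:
        raw = FALLBACK
    return sorted({w for w in raw
                   if w.isalpha() and w.islower() and min_len <= len(w) <= max_len})

def generate(words, n_words=4, sep=" "):
    """Pick n words uniformly with the OS CSPRNG (secrets, never random.choice)."""
    return sep.join(secrets.choice(words) for _ in range(n_words))

def passphrase_bits(pool_size, n_words):
    """Entropy of n words drawn with replacement from a pool of pool_size."""
    return n_words * math.log2(pool_size)

def charset_bits(length, alphabet_size):
    """Entropy of a uniformly random string over an alphabet, e.g. the
    32-character, 95-printable-ASCII password shown above."""
    return length * math.log2(alphabet_size)

def words_needed(pool_size, target_bits):
    """Smallest word count that reaches target_bits from this pool."""
    return math.ceil(target_bits / math.log2(pool_size))

if __name__ == "__main__":
    pool = load_words()
    phrase = generate(pool)
    print(phrase)
    print(f"{len(pool)} words in pool: {passphrase_bits(len(pool), 4):.1f} bits "
          f"for 4 words; 32 random printable chars: {charset_bits(32, 95):.1f} bits")
```

The four-word phrase is far weaker on paper than the 32-character string, but it is strong enough against an offline guess at the login screen of a device you physically hold, which is the threat the post describes; `words_needed` tells you how many words to add if you want a higher target.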

I probably had to look it up about a dozen times, and about two dozen other times I had to sit at my computer for several seconds while I (a) typed my old password before remembering it had changed, and (b) remembered which words comprised the new one, getting it wrong the first couple of times. So all in all, it’s taken almost a week, but I think I’ve got it embedded in my memory now. I still want to have a backup of it somewhere safe in case I have a lapse of memory, but I’m pretty pleased.

There are still a couple of services that shared my old password that I haven’t changed yet (a reason I was reluctant to publish this post yet, but decided wasn’t a big deal), which I’ll do shortly, after I’m a bit more confident in my memory. My main remaining question is whether I get ambitious and try to use different passwords for each of these services. I suspect that if I leave some time between changing each one, I’ll be able to sufficiently remember them all, but it’s a bit scary to think that I could forget one of them and then be completely locked out. I will consider this further.

In summary: Passwords are hard. Brains are fallible. Computers are the worst.

Tl;dr: I typed my very old workstation password into a work chat room and had to go through the pain of choosing a method to generate and remember a new one, then change that password in all the places I used it.

Online privacy: a tale of irony and contradiction

This is the post that prompted me to start this blog a month ago.

I understand online privacy better than most. Unfortunately, privacy (and security; the two often go hand-in-hand) is often at odds with convenience. I have previously sacrificed convenience for privacy and security in many instances, because the latter two are important to me. Fair warning, this post doesn’t answer how to compromise between the above; it merely highlights my frustrations while trying to do so. Here are some of the more significant attempted compromises I’ve made, and the associated struggles:

Running free and open source software on my Android phone

I’ve had Cyanogenmod installed on my phone since shortly after I purchased it. For the past year or two, I’ve had it installed without any of the Google apps, such as the Play store, YouTube, Maps, Hangouts, Google+, and Gmail. Not having the Play store meant not being able to install any of the apps it offered. Instead, I made do with F-Droid, an app catalogue that exclusively contains free and open source apps.

This encumbered my ability to interact with other people, sites, and hardware. I couldn’t use common chat applications, some social media sites were clunky because I was limited to their mobile web page which is often a second-class citizen to their mobile app, and I couldn’t stream to my Chromecast. Eventually, about a month ago, I caved and installed the Google apps, because the disadvantage of missing out finally outweighed the advantage of knowing with reasonable certainty that my location data, contacts, and other private phone information was safe from third parties.

Facebook

I deleted my Facebook account in 2013 after it insisted on hounding me for personal information regarding my education institutions and place of employment. Initially, it was freeing. I had more time up my sleeve, and knew that even if Facebook didn’t delete the data for my old account, they weren’t getting any new data from me (though possibly from others; see Shadow profiles).

Again, though, a couple of months ago, I’d gotten sick of the disadvantages. I’d occasionally get forgotten by people organizing events, because I wasn’t on Facebook to be invited. Many friends were difficult to get hold of because Facebook was one of their main communication media, and when I met somebody new in person and wanted to keep in touch, the first question I got was “What’s your Facebook”? My social life could be enriched, and so, with significant trepidation, I yet again forfeited my personal information to Facebook and started adding friends.

Gmail plus-addressing

I try to sign up to different sites with different email addresses (using Gmail’s plus addressing). This way, if I receive spam to a plus-address, I know which site disclosed that address (this, I admit, has never actually happened).

On January 21, a colleague and I were discussing various web services, and I mentioned that I used Gravatar, which serves up a picture for use as your avatar based on your email addresses, to any website that supports it. My colleague remarked that they were surprised that I, somebody reasonably privacy-conscious, used Gravatar. I considered this briefly. Gravatar works by asking you to supply all your email addresses, and upload one or more pictures, each of which can be associated with one or more email addresses. Then, when you sign up with one of those email addresses to a site that supports Gravatar, the site can send a request to Gravatar which includes your email address, and retrieve a picture that it can then use as your avatar or profile picture.

Gravatar is a free-as-in-beer service. They don’t charge members any money to use the service. Given this, they obviously need to make their money elsewhere, so it’s reasonable to assume they monetise their members, making members the product. Each request that a Gravatar-supporting-site sends to Gravatar likely contains a referrer stating which site made the request. This means that Gravatar could collect a huge database of all the email addresses associated with a member, and all the Gravatar-supporting sites they visit, then sell this information to the highest bidder. Because some of the sites I use plus-addressing on support Gravatar, Gravatar needs to know all those addresses, making using Gravatar reckless, to say the least, because Gravatar can be used to unify my identities across all sites that support it. I signed up for Gravatar years ago, before I was quite so paranoid, so it hadn’t been subject to my now-more-stringent privacy analysis. Ironically, here I am blogging about Gravatar on a blog hosted by WordPress, who own Gravatar.
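An added illustration, not Gravatar’s code, of how avatar lookups re-link plus-addresses that were meant to stay separate. Gravatar’s published lookup key is an MD5 hash of the trimmed, lowercased address rather than the address itself, which changes nothing about the linkage; the addresses, sites and request log below are constructed.

```python
import hashlib

def gravatar_hash(email):
    """Gravatar's documented lookup key: MD5 of the trimmed, lowercased address."""
    return hashlib.md5(email.strip().lower().encode()).hexdigest()

def avatar_url(email):
    """What a Gravatar-supporting site embeds or fetches for a user."""
    return f"https://www.gravatar.com/avatar/{gravatar_hash(email)}"

def canonical(email):
    """Where Gmail actually delivers a plus-address (alice+shop@ -> alice@)."""
    local, _, domain = email.partition("@")
    return local.split("+", 1)[0].lower() + "@" + domain.lower()

# Constructed: the addresses one person registered on a single Gravatar account,
# and the avatar requests Gravatar later receives from three unrelated sites.
REGISTERED = ["alice+forum@example.com", "alice+shop@example.com",
              "alice+news@example.com", "alice@example.com"]
REQUEST_LOG = [
    (gravatar_hash("alice+forum@example.com"), "https://forum.example/"),
    (gravatar_hash("alice+shop@example.com"), "https://shop.example/"),
    (gravatar_hash("bob@example.org"), "https://shop.example/"),
    (gravatar_hash("alice+news@example.com"), "https://news.example/"),
]

def link_identities(registered, request_log):
    """Gravatar's-eye view.  Each site only ever saw one plus-address, and the
    hashes differ per address, but every registered hash resolves to the same
    account, so the sites a person uses join into one profile.  Hashes of
    addresses nobody registered stay unlinked."""
    known = {gravatar_hash(e): e for e in registered}
    profile, unknown = {}, set()
    for h, referer in request_log:
        if h in known:
            profile.setdefault(known[h], set()).add(referer)
        else:
            unknown.add(h)
    return profile, unknown

def sites_linked_to_person(registered, request_log):
    """All sites attributable to the one person behind these addresses."""
    profile, _ = link_identities(registered, request_log)
    return sorted({site for sites in profile.values() for site in sites})

if __name__ == "__main__":
    for address, sites in link_identities(REGISTERED, REQUEST_LOG)[0].items():
        print(address, "->", sorted(sites))
    print("linked sites:", sites_linked_to_person(REGISTERED, REQUEST_LOG))
```

The isolation plus-addressing buys between sites survives only while the per-site addresses are not all registered with one avatar account; a site that serves avatars from its own server, instead of having each visitor’s browser fetch them, also keeps the Referer out of the picture.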

Solutions?

So how does one integrate with society while remaining reasonably private and secure? I’ve no idea, but I’m still looking, despite feeling a bit resigned to the reality that sometimes it’s all too hard.