Re: privacy in ActivityPub/Mastodon CR: ActivityPub

Thanks Nick,

We will add this to the agenda for the call on Thursday.

On 15Sep2017, at 3:40 PM, Nick Doty <<>> wrote:

Apologies for bringing this up later than we should, but ActivityPub has had a lot of development recently, including prominent implementation in the Mastodon federated social media system. While earlier review might have been even more useful, I still think it'd be a valuable thing for us to discuss.

There is some privacy/security documentation in the spec already:
A non-normative security considerations sections notes rate-limiting, spam and denial of service attacks, with some potential mitigations.
The spec also includes answers to Mike West's security privacy self-review questionnaire. I think these might not be as germane for this particular spec as it's less a browser-site protocol and more an application layer client-server, server-server system. We could probably use these as the start of describing privacy implications, privacy issues and mitigations. Review might also show what kinds of questions are most relevant when working on a protocol of this type.
The Overview is a very readable description of how the system works. I think ActivityPub is likely to have particular privacy issues related to scope/audience (which actors can read messages that you post, etc.) and in federation (how do servers distribute messages). Abuse reporting might also be an important privacy issue to consider here, both in general as a social media system and particularly how it's handled in the federated environment.

This might be a good topic discussion for our upcoming call on 28 September. In the meantime, if there are other interested folks, it would be great to review the spec, issue-spot and discuss. Messages to this list are of course welcome, or I'm on Mastodon at


Begin forwarded message:

From: Notifier <<>>
Subject: CR: ActivityPub
Date: May 9, 2017 at 5:46:16 AM PT
Reply-To: Notifier <<>>
Archived-At: <>


feedback due by: 2017-06-06


The ActivityPub protocol is a decentralized social networking protocol based upon the [ActivityStreams] 2.0 data format. It provides a client to server API for creating, updating and deleting content, as well as a federated server to server API for delivering notifications and content.

Status of the Document

This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at

This document is a proposed submission to the W3C Social working group.

This document was published by the Social Web Working Group as a Candidate Recommendation. This document is intended to become a W3C Recommendation. Comments regarding this document are welcome. Please send them to<> (subscribe, archives). W3C publishes a Candidate Recommendation to indicate that the document is believed to be stable and to encourage implementation by the developer community. This Candidate Recommendation is expected to advance to Proposed Recommendation no earlier than 06 June 2017.

Please see the Working Group&#x27;s implementation report.

Publication as a Candidate Recommendation does not imply endorsement by the W3C Membership. This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in progress.

This document was produced by a group operating under the 5 February 2004 W3C Patent Policy. W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.

This document is governed by the 1 March 2017 W3C Process Document.

Received on Tuesday, 26 September 2017 23:01:00 UTC