Should Fediverse Web apps show remote content to unauthenticated users?

mcneely@indieweb.social

@evan yes but. I haven't ever considered this very closely but I suspect that there's probably some sort of easy abuse vector here that could get me to change my mind... 🤔

tony@toot.hoyle.me.uk

@evan Yes, but don't do it in the UK otherwise it throws you right into compliance issues with the OSA.

With login only you can at least plausibly say all your users are over 18.

stevefoerster@social.vivaldi.net

@evan @fabio It's it's publicly viewable on the local server, won't bots eventually get it anyway? They'll either respect a nobots request of they won't.

tom@tomkahe.com

@evan oh this is a good one

I put "No", I think I prefer a redirect to the source. Though I think I could be pretty easily convinced that as long as the post marked "public" it should be fine

sigmasternchen@comfy.social

@evan@cosocial.ca Assuming it's public content: Yes.
The privacy expectation of a "public" should be that it's public. And showing remote content to unauthenticated users is actually really useful: A huge chunk of the accounts I follow I found by scrolling through profiles on other instances, and looking at reposts.

tom@tomkahe.com

@evan Hm, thinking more on this, if an AP post is quoting a remote post I think I would expect to see the remote content on the original page so maybe I'm shifting back up to yes on my own

defractal@infosec.exchange

@evan … but it should be a user-configurable option to withhold even one's "public" posts from unauthenticated users.

This mitigates access by blocked harassers, requiring them the delay of creating new accounts, presumably backed by new email accounts, to even see content from users who've blocked them. That added delay and inconvenience should accelerate most trolls getting bored of, for example, screenshotting and subtooting those who they'd previously harassed directly.

terryhancock@realsocial.life

@evan

YB...

Probably yes for "public" content.

An instance might also limit heavier content to logged-in users to avoid performance issues (e.g. protect against getting DDOSed by a bot, etc).

octarine_wiggle@mastodon.au

@evan no but...

It should show a digest. Publishing and archiving are distinct from social media but the open web is not.

Discord is not an open web platform. Archiving is exfiltration. But an archive of a digest is just good practice.

The Fediverse is walking and chewing gum at the same time - social media on the open web. But that doesn't mean anonymous users get the privileges of social participation. They get some amount of aggregation and summarisation but as it comes with no expectation of reciprocity it comes with no guarantee of parity.

manchicken@defcon.social

@evan I could see this being something someone wants. I don’t think it’s worth the development cost, and I certainly don’t think it should be a default setting.

golemwire@fosstodon.org

@evan I voted No, because if you're a curious onlooker checking out the Fediverse, and you start browsing all from within one website, you may mistakenly believe the website you're on *is* the Fediverse (or Mastodon since that's often the branding).

Debatable still. 🤷

trillionb@mstdn.social

@evan I voted "Yes, but" before I read your explanation post.

I was thinking of features such as server A showing a "From around the Fediverse" list of posts, perhaps "curated" with high numbers of likes or retoots (to avoid objectional content accidentally being shown).

I'm not a fan of server A becoming a de facto proxy to the rest of Fedi. A web crawl could destroy a small server by using it like a CDN. Not sure what is a good approach (my lack of knowledge, not that there isn't one).

countablenewt@mastodon.social

@evan Yes but only because I can't think of a reason NOT to