Is Mastodon safe? Understanding the security of decentralized social networks
6 min read
Even though it’s considered one of the most popular decentralized social networks, is Mastodon safe? Many believe such social media platforms have solved the issues of privacy, censorship, and data ownership that are still plaguing their centralized counterparts. However, these apps have their fair share of problems. They are often less intuitive, and moderation and security are sometimes handled by inexperienced volunteers. Let’s explore what this means for Mastodon and its safety features and challenges.
What is Mastodon?
Mastodon is an open-source social media network people can use to set up self-hosted servers that act as their own social networks. It’s decentralized and uses microblogging features similar to what you get on X (formerly called Twitter).
However, unlike X, whose features are handled by one centralized authority, the microblogging aspects of Mastodon are offered by independent nodes. They are called instances or servers, and each has its own terms of service, privacy policy, code of conduct, content moderation rules, and privacy options.
Even though Mastodon doesn’t set the community rules and privacy policies for the entire platform, its parent nonprofit organization still maintains a directory of servers agreeing to a baseline set of policies dubbed the Mastodon Server Covenant. The guidelines require “active moderation against racism, sexism, homophobia, and transphobia.”
Based on the fact Mastodon resembles X, many have dubbed Mastodon the Twitter alternative. That’s why it gained a large number of users in 2022 when Elon Musk bought Twitter and made significant changes to how it works.
Mastodon first appeared in October 2016 when Eugen Rochko, a Russian-German software developer, released the beta version of the platform. He managed to fund the development through crowdfunding but also made use of a grant from the European Commission and an open-source development grant obtained from Samsung.
Rochko was largely led to develop Mastodon when he heard rumors that Peter Thiel wanted to purchase Twitter. He believed that a large social network like Twitter, which is almost a public service, shouldn’t be controlled by a US corporation.
According to Statista, Mastodon has been gaining traction, with 10.04 million registered users as of March 2023. In the wake of Musk’s acquisition of Twitter, Mastodon gained 230,000 new users in only the first week of November 2022.
How does Mastodon work?
As stated, Mastodon operates on independent instances, each of which can be considered a unique social network with its own rules and security and privacy standards. Every one of these nodes is also its own website, meaning you have to register on the one you want to use. The original Mastodon server is Mastodon.social.
Every instance is managed and operated by a team of admins and moderators, all of whom are volunteers. More often than not, the instance only has one person who does all the work. These operators have complete freedom to decide how they run their server and how and if the instance they run will interact with other instances.
This decentralization is possible because all the data and services are distributed among nodes and users instead of sitting on one centralized server or a set of interconnected ones. This makes Mastodon more protected from a typical hacker compared to other networks, though that’s not necessarily the case with every server on the platform, precisely due to their independence.
In terms of its operation, Mastodon is considered a federated social network because users of one instance can still interact with every other instance as long as they are not blocked for reasons like hate speech. This allows users to select the node they prefer based on the policies it respects.
The whole network is powered by a decentralized social networking protocol called ActivityPub, which is also implemented in services like Friendica, Kbin, Lemmy, Nextcloud, and Pixelfed.
Decentralized social networks
To understand fully how this social network operates and to answer the question “Is Mastodon safe to use?”, it is helpful to first understand the differences between centralized and decentralized social networks. Here’s a quick overview:
| Centralized social networks | Decentralized social networks |
|---|---|
| Control is given to a central authority | Power is distributed across many nodes |
| A central authority makes all the decisions | Decisions are made through consensus |
| User friendly | Often harder to use |
| A single point of failure is possible | No single point to breach by hackers |
| Bigger target for hackers | Not often targeted by hackers |
| Entirely relies on internal services | Often depends on third-party services |
| The central authority owns content | Content is in the hands of the users |
| Easily censored by central authority | Hard to censor because it requires consensus |
| Centralized moderation | More complicated to moderate under a unified set of standards |
| A central authority decides the amount of privacy | Users can have more privacy, but that depends on several factors |
| Reliance on advertising | Less reliance on ads |
Is Mastodon safe?
Mastodon seems to be secure, but this only applies to the platform as a whole, not every server. As Mastodon is a fully decentralized structure, it’s not an easy target for a standard data breach, but such events can still happen on instances without proper safety precautions. An individual user can still be affected by a scam on a less secure server.
Let’s evaluate the privacy policy of Mastodon.social, how Mastodon compares to centralized social media platforms, how servers differ and the way that affects your security, the security and data privacy features of the platform, and advertising and data collection policies of Mastodon.
Mastodon Social privacy policy
The Mastodon privacy policy is made for Mastodon.social, but it also applies to other servers that have agreed to respect it because they have agreed to follow the Mastodon Server Covenant explained earlier.
According to this privacy policy, Mastodon.social collects basic user account info, and all public content is clearly visible to everyone. The site protects data with standard user security measures, including SSL encryption.
When it comes to direct and followers-only posts, they are visible only to the included users. However, it’s important to understand that this policy also depends on the server the users are coming from.
For example, if the server doesn’t have the same privacy policy as Mastodon.social, its operators may be able to see your messages because Mastodon does not offer end-to-end encryption for private messages. So it’s crucial not to share sensitive data, especially on instances whose admins you can’t fully trust.
Comparison to other social media networks
Mastodon collects and stores less data than most other social media networks do, especially centralized ones like X and Facebook. Due to that, the site is less of a target for serious breaches, social engineering, identity theft, scams, and bots.
Evaluating Mastodon server choices
As you’ve already realized from how this network works, you need to be careful with the servers you join because you can easily end up choosing a Mastodon instance that’s insufficiently secure.
Even larger instances can be more prone to cyberattacks precisely because of their size, albeit to a lesser extent than centralized social media platforms that are more commonly targeted.
Still, Mastodon community security is high in most reputable instances as long as they have a proper set of rules and privacy features.
Authentication and data privacy features on Mastodon
Passwords are hashed with a one-way algorithm, and you can use the Mastodon two-factor authentication feature to secure your Mastodon account further. The system even allows the use of popular authenticator apps like Google Authenticator.
Moreover, Mastodon privacy controls are sound, with the exception of the little caveat we’ve mentioned, where server administrators may be able to access your messages and the content you post and send.
Advertising and Data Collection: Mastodon vs. Twitter
You don’t have to worry about your Mastodon privacy as much as you do on Twitter or X.
Naturally, this is only true if you use Mastodon.social and other reputable instances. Social media data collection on these instances is much lower than on X, and you have a lot more control over who sees your posts and interacts with you.
Moreover, Mastodon doesn’t rely on ads, so you’re less often bombarded with promotional content. At the same time, Mastodon doesn’t collect as much information as X does.
So, is the Mastodon app safe? Yes, it is secure, but Mastodon users need to exercise their due diligence when choosing which instances they will rely on, as each is its own website with a different set of rules.
Moreover, using Mastodon’s 2FA feature and outside services like a malware protection tool and a VPN is a good choice if you want more security. And as always, stay vigilant and smart with where, how, and with whom you share your sensitive information.
