
Federation is the Worst of all Worlds (2018) - mlejva
https://fieldnotes.resistant.tech/federation-is-the-worst-of-all-worlds/
======
mquander
_The threat model and economics of federated systems devolve to concentrating
trust in the hands of a few, while missing out on the scale advantages of
purely centralized solutions.

Federation results in the data of users being subject to the whims of the
owner of the federated instance.

Administrators can see correspondence and derive social graphs trivially. They
are also in a position to selectively censor inter-instance communication._

I am totally happy with picking someone I actually trust to have those powers
over me. The thing I don't like is when a random manager I don't know from
Adam has those powers over me.

~~~
vanderZwan
Yeah, delegation is inevitable in social networks because it just cannot scale
otherwise. Having some power over that delegation is better than almost none.

~~~
beaconstudios
Is that inevitable though? A graph of independent but connected nodes could
theoretically scale indefinitely in the case where I hold my data and you hold
yours. If I want to add someone to my network, I can either get their direct
address or navigate through friends-of-friends (graph traversal). The only
necessary delegation would be a mailbox provider, but the contents of any
messages could be encrypted.

Not that any of this is easy to engineer, but in my mind it seems viable.

~~~
rakoo
It actually does exist already, in the form of Secure Scuttlebutt
([https://en.wikipedia.org/wiki/Secure_Scuttlebutt](https://en.wikipedia.org/wiki/Secure_Scuttlebutt)).
Friends connect directly to each other. When you want to get news about
someone, you download from them directly, along with news from friends of
friends. If both peers aren't connected at the same time it is possible to use
pubs, which are kind of hubs accepting all content and distributing to
whomever wants it. Pubs have no special functions apart from being a store-
and-forward, so you're not associated to a pub in particular (you can be on
multiple, or none at all) and no pub is more "important" than others. Nothing
is lost when a pub closes.

Cryptography makes sure that only the intended reader can read (unless it's a
public message), and that messages can't be forged.

The nice thing is that it's all just a message passing infrastructure, and
applications can and have been built on top of it, like a git repository
system or a music sharing application. So, yeah, it is feasible.
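
As an added illustration (not code from the original discussion or from the Secure Scuttlebutt project), the property rakoo describes, that pubs are untrusted store-and-forward nodes and that messages can't be forged, comes down to each author publishing a signed, hash-chained append-only log that any reader verifies for themselves. The Go sketch below uses a simplified message layout assumed for this example rather than SSB's real wire format, and only the standard library's ed25519 and sha256; the names Message, Feed and Verify are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Message is one entry of an author's append-only feed. The layout is an
// assumption for this example, not Secure Scuttlebutt's real wire format:
// author key, position, hash of the previous entry, payload, and the author's
// signature over all of it. A pub only stores and forwards these bytes.
type Message struct {
	Author   string `json:"author"`   // hex ed25519 public key
	Sequence int    `json:"sequence"` // 1-based position in the feed
	Previous string `json:"previous"` // hex sha256 of previous entry, "" for first
	Content  string `json:"content"`
	Sig      string `json:"sig"` // hex ed25519 signature over the other fields
}

// signedBytes: the entry with Sig blanked; encoding/json emits struct fields
// in declaration order, so this is a stable byte string to sign.
func (m Message) signedBytes() []byte {
	m.Sig = ""
	b, _ := json.Marshal(m)
	return b
}

// Hash links the next entry to this one and covers the signature too.
func (m Message) Hash() string {
	b, _ := json.Marshal(m)
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Feed is the author's side: private key plus the local log.
type Feed struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
	Log  []Message
}

func NewFeed() (*Feed, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Feed{pub: pub, priv: priv}, nil
}

// Append signs a new entry chained to the current head of the feed.
func (f *Feed) Append(content string) Message {
	m := Message{Author: hex.EncodeToString(f.pub), Sequence: len(f.Log) + 1, Content: content}
	if n := len(f.Log); n > 0 {
		m.Previous = f.Log[n-1].Hash()
	}
	m.Sig = hex.EncodeToString(ed25519.Sign(f.priv, m.signedBytes()))
	f.Log = append(f.Log, m)
	return m
}

// Verify is what a peer runs on a log pulled from a pub before trusting it:
// one author throughout, contiguous sequence numbers, an unbroken hash chain
// and a valid signature on every entry. A pub that edits, drops, reorders or
// invents entries fails one of these checks.
func Verify(log []Message) error {
	prev := ""
	for i, m := range log {
		pub, err := hex.DecodeString(m.Author)
		if err != nil || len(pub) != ed25519.PublicKeySize || m.Author != log[0].Author {
			return fmt.Errorf("entry %d: bad or changed author key", i)
		}
		if m.Sequence != i+1 {
			return fmt.Errorf("entry %d: sequence %d, want %d (dropped or reordered)", i, m.Sequence, i+1)
		}
		if m.Previous != prev {
			return fmt.Errorf("entry %d: broken hash chain", i)
		}
		sig, err := hex.DecodeString(m.Sig)
		if err != nil || !ed25519.Verify(ed25519.PublicKey(pub), m.signedBytes(), sig) {
			return fmt.Errorf("entry %d: bad signature (forged or tampered)", i)
		}
		prev = m.Hash()
	}
	return nil
}

func main() {
	alice, _ := NewFeed()
	alice.Append("hello from alice")
	alice.Append("second post")
	fmt.Println("authentic:", Verify(alice.Log))
	// A dishonest pub rewrites a stored entry before forwarding it.
	copied := append([]Message(nil), alice.Log...)
	copied[0].Content = "please send money"
	fmt.Println("tampered: ", Verify(copied))
}
```

The point of the design is that nothing about a pub is trusted: the reader checks the author's signature and the chain, so a pub can at most withhold data (which shows up as a gap or a stale head), never alter it. Confidentiality of private messages is a separate layer (encryption to the recipient's key) that this sketch does not cover.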

~~~
kixiQu
The amount of data you have to store for even the network's current larval
state does not to me suggest that the current version is really practical to
scale.

~~~
rakoo
I don't know, people have been on it since the beginning and have only a few
Gigs in their db, which is mostly non-text (pics, videos, audio, ...). You'd
need to store them in any case. It's true that initial sync is way too slow
but they're working on it.

------
rglullis
Matrix and XMPP, for example, provide methods for end-to-end encryption. The
operator of the node has no way to see the content of the messages. Deriving
the connection graph is not an issue exclusive to federated systems.

But most important, no one is ever bound to any federation system. This by
itself should be a strong deterrent of bad behavior by bad actors. If I don't
trust one server I can always switch. In an extreme case of lack of trust I
can set up a server just for myself and the federation devolves into a peer-
to-peer system.

Either I am missing the point of the article or the author hasn't thought this
through.

~~~
johnchristopher
Matrix has e2e but it's a pain in the ass to use (every time you log on a
different browser or from a different client you have to import keys and
validate clients).

So most hubs I have seen don't require users to use e2e and at least images are
stored in the clear on the matrix server.

~~~
MayeulC
That's true, but cross-signing is right around the corner for Matrix [1],
which will enable e2e by default in direct chats [2].

Encryption is useless for most public rooms, and actually counter-productive
most of the time. If the room is public, anybody can join it, idle there and
save the logs on their computer, or publish them. Activating encryption is
just annoying: from the top of my head, you can't read what was posted before
you joined (unless someone sends you their keys), search is client-side only,
it's hard to link to attachments or reuse mxc: (matrix content such as images)
from one channel to another.

[1]: [https://github.com/vector-im/riot-web/issues/2714](https://github.com/vector-im/riot-web/issues/2714) and the two links below

[1]: [https://github.com/vector-im/riot-web/issues/10605](https://github.com/vector-im/riot-web/issues/10605) and associated labels

[1]: [https://github.com/vector-im/riot-web/issues?q=is%3Aissue+is%3Aopen+cross+sign+label%3Across-signing-sprint](https://github.com/vector-im/riot-web/issues?q=is%3Aissue+is%3Aopen+cross+sign+label%3Across-signing-sprint)

[2]: [https://matrix.org/blog/2018/11/02/user-experience-preview-end-to-end-encryption-by-default/](https://matrix.org/blog/2018/11/02/user-experience-preview-end-to-end-encryption-by-default/)

[2]: [https://github.com/vector-im/riot-web/issues/6779](https://github.com/vector-im/riot-web/issues/6779)

~~~
johnchristopher
That's really nice! I hope the work on the Riot UI will continue.

------
fhennig
I see that the author has a point, there are more people I have to trust with
federated protocols.

But what's the state of instant messaging now? I have to trust Whatsapp,
Telegram, Signal. That's still three entities that require my trust, and it's
very difficult to verify any of their claims.

If I could at least have my federated Whatsapp instance that I use for family
and friends, then I would at least know that none of the metadata created in
these groups will be available to facebook, and I can find someone I trust in
my group of friends, more than I trust Zuckerberg.

I'm not too sure about the scale argument from a technical point of view. But
centralized platforms have scale problems too, such as moderation. Facebook
and Twitter are basically unable to moderate their platform. With more
instances there would be more people operating those instances and more people
moderating as well. I think this is one of the reasons for Twitter's recent
activity to develop a decentralized social media protocol.

~~~
ComodoHacker
>If I could at least have my federated Whatsapp instance that I use for family
and friends.

You can use p2p solutions for family and friends (Retroshare, Tox etc.) But in
reality people prefer the benefits of having BigCorp behind the service, paying
for availability and fixing bugs.

~~~
ailideex
With Tox I cannot share an account between multiple devices - or that is I
cannot switch seamlessly between PC and phone. That is dumb and I don't want
that.

~~~
ComodoHacker
It's a cost you pay for true decentralization. Otherwise your devices would
have to authorize each other, which is even dumber.

>I don't want that.

That's the point, you prefer benefits of centralization.

~~~
ailideex
> Otherwise your devices would have to authorize each other, which is even
> dumber.

Not sure why that is so dumb, presumably if one device gets compromised other
linked ones are also compromised but if one device gets compromised now it is
still compromised.

~~~
ComodoHacker
Because if one device gets compromised, you want to regain control of your
identity and deny access from compromised device. Also you want to prevent the
hacker from doing the same. We have not yet invented a way to do it without
central authority, which is also acceptable in terms of usability.

~~~
ailideex
So say I use this on my phone, and someone steals my phone, my "identity" is
compromised anyway. I have to create a new Identity anyway. User experience of
sending everything to someone N times over is not acceptable either. If I want
to talk to someone I don't want to have to send a message to each of their
devices.

------
AndrewKemendo
Federation is absolutely necessary to scale a system that needs
discoverability and access control for heterogeneous data types from unrelated
producers. There is no way to scale it in a centralized manner without having
insanely large and complex data governance.

I wish the author had prefaced with the context and scope. It seems like this
is really referencing something like a decentralized twitter.

So sure, in the context of the author maybe that's true but it's clearly
generalizable about federation.

------
alienspaces
Couldn't actually read the article as the font colour is too close to the
background colour. Sorry, the title was interesting!

~~~
narnianal
Try firefox, it has a reader mode that always translates all html pages to the
same structure. I bet it's also configurable.

~~~
clarry
Yes it's configurable, but no, unfortunately it does not always work.

~~~
geolgau
This is mainly because of poorly designed sites - including sites with TONS of
js ads that obfuscate the text.

------
motohagiography
Working on federation now. Depends on what you mean by privacy.

If you have federation for a group in society like doctors, you can push
policy down to the applications themselves, who can express and enforce it
locally, while trusting identity from the IdP (identity provider). If you want
more centralization, you can have the applications consume their policy from a
UMA2 (or formerly xacml) policy service, but to me that level of central
governance is dumb, imo. Provide tools for the edges instead.

The users themselves don't have anonymity and their movements are all logged,
but this is what facilitates the data subjects (patients) privacy in that
scenario. So it's a question of, "privacy, for whom?"

On the normal internet, arguably, it's content providers who have all the
privacy where viewers/users do not. The criticism in the article is federation
doesn't invert this model, but that's not what it's for.

The radio/tv model where users can anonymously receive a broadcast signal is
the conceptual model for most privacy thinking. This isn't how the internet
works, and the only way this is possible is by adding noise to the channel the
way Tor does it with onion routing, or some future way of obfuscating the
origin of a request using ephemeral paths and end points.

Barring new cryptological link/network/transport layer protocols, we're
basically stuck with the current privacy model of the internet until quantum
computing becomes commercial.

------
cjslep
Federation works with the current physical network hardware topology. Pure
peer-to-peer solutions typically rely on some subset of up/down speed
symmetry, physical proximity (to skip backbone routers and switches), or equal
distribution of computing/battery power. None of these are equitably friendly
with the hardware reality of today.

~~~
NoGravitas
Yeah. I _want_ to like Secure Scuttlebutt, which I think is the best current
example of peer-to-peer social networking. But power usage and mobile data
usage are an impediment to using it on mobile, and they don't currently have a
viable multi-device story (as in, I want the same identity on my phone and my
laptop).

Federation is a _good_ compromise.

------
sneak
I worry about this too; admins of popular ActivityPub instances have far too
much power to silently censor things from tens of thousands of people.

I think federated systems might be the least bad of the available models,
though. Technically, we just need to make it easy to switch hosting, like
email with your own domain. Swapping out your email host is straightforward.

~~~
cjslep
> admins of popular ActivityPub instances have far too much power to silently
> censor things from tens of thousands of people.

This is a tired line of argument. Centralized systems are no better.
ActivityPub is not FreeNet, and if you want censorship resistance then you're
using the wrong network on ActivityPub.

ActivityPub is about being able to build communities that still interact with
other communities. And if one community doesn't want porn, hate, gore, and
ideology X to be federated with it, and that instance becomes popular, perhaps
its popularity is _because_ of the censorship, not _in spite_ of it. So who
are we as outsiders to dictate its members and its admins are ethically
_wrong_ for systematically censoring _only from their community_ ideology X
when building _their specific_ community? We have as much of a moral right as
to demand that church communities discuss the proper usage of BDSM rope knot
placements for safety and maximum pleasure. That is: none.

~~~
sneak
The difference between local and remote in most AP software is minimal. Admins
defederating is more a parental powertrip about which domains their users can
or can’t read than anything.

If this sort of thing were really valuable and popular, we’d see browser
extensions that do it. For the most part, those only block spam and trackers,
and don’t break HTTP along ideological grounds.

I think it’s the “free hosting” part that is popular, not so much the “admin
powertrip” part.

They also aren’t only censoring from their community. They are censoring their
own users’ posts from the entire set of users on the instances they have
blacklisted. The censorship cuts both ways.

If anyone with any sizable audience were using AP, they would not tolerate a
hosting admin deciding who is allowed to follow them.
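
An added example (not code from any ActivityPub implementation) of what "the censorship cuts both ways" means mechanically: an instance block is applied both to the inbox, where activities from actors on the blocked domain are rejected, and to outbound delivery, where the local user's own posts are not sent to followers there. The Blocklist and Activity types and their method names are assumptions made for this illustration; the one detail it takes care with is matching a blocked domain and its subdomains without also matching lookalike domains.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Blocklist is the set of instance domains an admin has defederated from.
// Domains are stored lowercased and without a trailing dot.
type Blocklist struct {
	domains map[string]bool
}

func NewBlocklist(domains ...string) *Blocklist {
	b := &Blocklist{domains: make(map[string]bool)}
	for _, d := range domains {
		b.domains[strings.ToLower(strings.TrimSuffix(d, "."))] = true
	}
	return b
}

// instanceHost extracts the canonical hostname from an actor or object id.
// ActivityPub ids are absolute https URLs; anything else cannot be attributed
// to an instance and is reported as such.
func instanceHost(id string) (string, bool) {
	u, err := url.Parse(id)
	if err != nil || u.Scheme != "https" || u.Hostname() == "" {
		return "", false
	}
	// Hostname() already strips the port and IPv6 brackets.
	return strings.ToLower(strings.TrimSuffix(u.Hostname(), ".")), true
}

// Blocked reports whether id belongs to a blocked instance. It matches the
// domain itself and any subdomain (blocking bad.example also blocks
// media.bad.example) but not lookalikes such as notbad.example, which a naive
// strings.HasSuffix check would wrongly match.
func (b *Blocklist) Blocked(id string) bool {
	h, ok := instanceHost(id)
	if !ok {
		return true // an id we cannot attribute is dropped, not let through
	}
	for h != "" {
		if b.domains[h] {
			return true
		}
		i := strings.IndexByte(h, '.')
		if i < 0 {
			return false
		}
		h = h[i+1:]
	}
	return false
}

// Activity is a minimal stand-in for an ActivityPub activity: the actor that
// produced it and the recipients it is addressed to.
type Activity struct {
	Actor string
	To    []string
}

// AcceptInbound is the inbox side of an instance block: anything from an
// actor on a blocked instance is rejected before it reaches local users.
func (b *Blocklist) AcceptInbound(a Activity) bool {
	return !b.Blocked(a.Actor)
}

// PruneOutbound is the other side of the same block: a local user's post is
// not delivered to recipients on blocked instances either.
func (b *Blocklist) PruneOutbound(a Activity) Activity {
	kept := make([]string, 0, len(a.To))
	for _, r := range a.To {
		if !b.Blocked(r) {
			kept = append(kept, r)
		}
	}
	a.To = kept
	return a
}

func main() {
	bl := NewBlocklist("bad.example")
	post := Activity{
		Actor: "https://home.example/users/alice",
		To: []string{
			"https://bad.example/users/bob",
			"https://media.bad.example/users/eve",
			"https://notbad.example/users/carol",
		},
	}
	fmt.Println("inbound from bad.example accepted:", bl.AcceptInbound(Activity{Actor: "https://bad.example/users/bob"}))
	fmt.Println("outbound recipients kept:", bl.PruneOutbound(post).To)
}
```

Run as written, the inbound check prints false and only carol's address survives pruning: bob is on the blocked domain, eve on one of its subdomains, and neither side of the block consults the local user.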

~~~
kixiQu
Why do you think browser extensions are the non-technical user's preferred
option? I'm getting a headache just thinking about how to get a consistent
mobile/desktop experience.

> If anyone with any sizable audience were using AP, they would not tolerate a
> hosting admin deciding who is allowed to follow them.

Well, at that point they can make a single-user instance (toss some euros at
masto.host if not technical) and then they can get exactly the moderation
experience they want.

~~~
sneak
What about readers who don't want some stranger deciding what they can or
can't read?

Saying "well, you can just pay to run your own" is a silly response. Millions
of people won't, and tinpot dictators will decide what does or does not show
up in their feeds, simply by domain-association.

~~~
cjslep
I don't think you've addressed my 2 core points:

1. ActivityPub is not a censorship-resistant network. Criticizing it for not
being censorship-resistant is obvious, so what is the motivation for the
criticism? Evangelizing FreeNet, pushing for a different federating protocol,
or just shitting on AP users? I've mentioned FreeNet (which is almost 20 years
old!) as an actual censorship-proof network, but you haven't seemed
interested, which is why I'm continuing to question your intentions.

2. How do you treat users who _want_ instance blocks and censorship for their
community? Are they just _wrong_ and haven't seen "the light"? Should we begin
demanding churches host seminars on the two forms of Satanism, show 2girls1cup
in high schools, and go to historical black colleges and shout the N word over
and over? Because that's the meatspace equivalent of "no instance blocking" on
ActivityPub, and local communities in society have found it healthy to limit
content and speech to appropriate places. The indigenous and black ActivityPub
instances aren't there to have "race debates" questioning their existence;
they want to just talk with other cool people. Blocking helps protect them
from groups of assholes who want to exercise their "free speech" by shouting
slurs.

The rest of your posts haven't been convincing, either, because it's unclear
what you're arguing for, besides just generically criticizing the protocol.

> The difference between local and remote in most AP software is minimal.
> Admins defederating is more a parental powertrip about which domains their
> users can or can’t read than anything.

> I think it’s the “free hosting” part that is popular, not so much the “admin
> powertrip” part.

Strongly disagree. Using highly charged words like "powertrip" make me think
you've had a particular experience color your world view. Most folks I know
don't want gablins and freespeechextremist filling up their boosts &
timelines, and I can count on 1 finger in 2+ years of Mastodon of a user who
later felt like they "missed out" because the instance they originally signed
up for blocked another interesting instance -- which was rectified by them
simply _signing up on another instance_ and using Mastodon's move feature.
That's not a high barrier and doesn't require alarmism.

> If this sort of thing were really valuable and popular, we’d see browser
> extensions that do it. For the most part, those only block spam and
> trackers, and don’t break HTTP along ideological grounds.

That ship has _long_ sailed. It's not worth fighting. HTTP(S) is broken today
on many different competing ideological grounds, the most obvious of which is
The Great Firewall, and the most mundane of which are company ACLs/Firewalls
(which usually give an ideological reason why they are banned - like "no games
at work").

> They also aren’t only censoring from their community. They are censoring
> their own users’ posts from the entire set of users on the instances they
> have blacklisted. The censorship cuts both ways.

Yes, that's the point of doing an instance block. I don't see how this relates
to the thesis of your argument (and I've honestly forgotten what you're
arguing for).

> What about readers who don't want some stranger deciding what they can or
> can't read?

This is a ridiculous question, and betrays the amount of thought put into your
argument.

Everything you read, except you reading your own original unpublished
writings, is somehow manipulated by someone else. Full stop. "Why was it
written", "who affected how it got published", "who put it into a book /
online", "who affected how I acquired the book / visit the website", "who
influenced me to not read a different book", "who edited this book or
article".

The answer to this question is equally ridiculous: run your own instance, or
get off ActivityPub and go back to the deceptively-open centralized silos
where everyone is, go to the ideologically-pure FreeNet where almost no one
is, or do <something else>? And don't forget to subscribe to every newspaper
and buy every book -- don't let one's own lack of time cause accidental self-
censorship.

------
Udo
I disagree with many of the premises laid out here.

_> Federation results in the data of users being subject to the whims of the
owner of the federated instance_

In the largely unfederated world we have right now, that boils down to one
single owner per platform. The promise of a federated system is that you can
always set up shop on another system of the _same platform_ , without losing
access to your relationships. And that other system could in theory even be
run by yourself.

_> Administrators can see correspondence and derive social graphs trivially.
They are also in a position to selectively censor inter-instance
communication._

Again, right now we're putting that trust into a single entity for the _whole
network_ instead. An entity whose interests we know for sure are not aligned
with their users, but with their customers. Giving participants in a network
the choice which administrator they want to work with is not strictly worse
than that.

_> All the privacy issues, none of the scale advantages._

Social networks are not a place for privacy. Not in a federated world, and
certainly not in the unfederated model we have right now. Once more the case
can be made that the current system is worse, because not only is your
communication and metadata _not_ private, but the unfederated systems we have
often demand, or at least can correlate from context, your real-world
identity. A federated system can _at least_ do away with that issue to some
degree.

If you require privacy, and there should absolutely be a place for that in a
civilized society, you need to use an end-to-end encryption scheme for point-
to-point data exchange. There are fundamentally opposed design goals that
apply for such systems.

_> Considering that one of the main goals of decentralized systems is privacy
preservation, and thus, control distribution, we must develop better models
than “the most popular federated instances gain full control over the users
interactions”._

Control distribution is absolutely achievable within a federated context,
while privacy preservation will always depend on (in this case: unwarranted)
trust. Just because you can't reasonably achieve one, it doesn't follow that
the other is a fool's errand. I would also argue that the quoted sentence at
the end here is a bit of a straw man, because taking away that power from the
individual instance is - or at least should be - the _actual_ design goal of a
federated system.

Don't get me wrong, a network design should do what it reasonably can to
prevent and mitigate abuse, but I believe advertising inflated privacy
expectations to end users is fundamentally dishonest. What they get is _not_
privacy. What they get is some degree of control and independence. Which
incidentally is one of the reasons why no federated system has really taken
off yet in the mainstream: those are not big enough selling points on their
own, and they're certainly not enough to motivate people into taking the huge
social hit from moving onto an empty new platform. So far, only fringe groups
have taken up these decentralized offers - groups who frankly almost nobody
wants to have associations with.

_> Reliability & Discoverability being the main two._

I agree very much with the problem being discoverability. None of the open
networks really tackle that aspect, but it's not a problem coming from the
fact that these are _federated_.

~~~
kixiQu
What I'm about to say you may already know, but for the benefit of other
readers:

> groups who frankly almost nobody wants to have associations with

I'd caution you about this claim; Gab, Spinster, Glindr, some of the less
savory Japanese instances probably fit what you're saying. If you want to be
less charitable about most people's broadmindedness, toss in the furries. But
from what I've seen, a large chunk of Mastodon users tend to just be LGBTQ.
For this group, the control/independence is a lot about knowing what you can
expect your moderators to take seriously (both in terms of allowed content and
protection against harassment). I'd question the term "fringe" for this group.
There's also been a movement away from Twitter onto Mastodon of Indian users
upset by Twitter's acquiescence with Indian government demands. In that case,
it's not so much about privacy as making legal demands a game of whack-a-mole.

Otherwise I totally agree with what you're saying.

~~~
Udo
I think this probably doesn't need to be said but LGBTQ people on Mastodon are
_not_ an example of what I meant. To make it extra clear, I also didn't mean
to imply that just any group with a strong presence on such networks is
automatically "fringe" or worse...

It's just by my (admittedly subjective) impression large-scale, community-wide
adoption of decentralized networks has been mostly by radicals or militants,
because they have increasingly been banned from mainstream social nets. They
had an easier time taking the hit from jumping to a new network, because they
had been ostracized.

~~~
kixiQu
Valid, valid. I think it's interesting to think about how groups that are in
between the "mainstream" and the "fringe" -- not banned necessarily, but those
with more variant needs from their networks -- can serve as an "indicator
community" ([https://www.britannica.com/science/indicator-species](https://www.britannica.com/science/indicator-species)) of social
ecosystems' function.

------
imtringued
I don't see the problem. Fully decentralized platforms like Bitcoin are too
inconvenient to use. Not everyone wants to download the full blockchain and
you still have to find someone to exchange your dollars to BTC. So what
happens is that most people sign up on an exchange which is effectively a
federated system which merely communicates with other exchanges over the
common Bitcoin protocol.

------
buboard
agree. federation doesn't seem to have been the initial plan of the internet.
some sort of POSSE with content-agnostic subscribing mechanism would be far
better. (and yes that subscription mechanism could be in a blockchain acting
as a discoverability mechanism and a backup).

~~~
athenot
NNTP (newsgroups) and SMTP (email) both are federated systems. Long before
domain names were convenience identifiers for just websites, you would be part
of an organizational domain, be it your company, your university or your local
ISP (before the advent of large national consumer providers). Those were much
more than just a pipe to the larger internet, they would run applications
which you would use, and which federated to other organizations.

~~~
buboard
i guess there is a difference between "dumb" federation the way nntp/smtp does
it and e.g. matrix where account data and subscriptions are kept in the
servers.

~~~
TheCycoONE
I don't follow. In what sense does SMTP have 'dumb' servers? Account data is
definitely on the mail server.

------
zallarak
Federation is actually quite centralized and explicitly so. DNS resolution is
“federated”.

Proof of work is the opposite end of the spectrum; maximally decentralized yet
slow.

The worst of all worlds is proof of stake / stake-based consensus. It’s
expensive yet super fragile.

------
bartread
This piece would be a lot more interesting, and useful, if it were illustrated
with some concrete examples.

