Privacy Policies on the Fediverse: A Case Study of Mastodon Instances

Authors: Emma Tosch (Northeastern University), Luis Garcia (Northeastern University), Cynthia Li (Independent Researcher), Chris Martens (Northeastern University)

Volume: 2024
Issue: 4
Pages: 700–733
DOI: https://doi.org/10.56553/popets-2024-0138

Abstract: Free and open source social platform software has dramatically lowered the barrier to entry for anyone to set up and administer their own social network. This new population of social network administrators thus assumes data management responsibilities for sociotechnical systems. Administrators have the power to customize this software, including data collection and data retention, potentially leading to radically different privacy policies. To better understand the characteristics — e.g., the variability, prohibitions, and permissions — of privacy policies on these new social networking platforms, we have conducted a case study of Mastodon. We performed a text analysis of 351 privacy policies and a survey of 104 Mastodon administrators. While most administrators used the default policy that ships with the Mastodon software, we observed that approximately ten percent of our sample tailored their privacy policies to their instances and that some administrators conflated codes of conduct with privacy policies. Our findings suggest the existing market-based individualistic frameworks for thinking about privacy policies do not adequately address this emerging community.

Copyright in PoPETs articles is held by their authors. This article is published under a Creative Commons Attribution 4.0 license.