TLDR
He was raided for unrelated reasons to his mastodon server, the police have a seize it all policy.
There is talk about changing policy to exclude things like servers and similar devices that are not related to the initial reason for the search. There doesn’t seem to currently be laws or rules about what police can or can’t do with data.
That’s the whole article basically
Good TLDR
I would also add:
Data gathered from the raid can be used to investigate and prosecute crimes unrelated to the original seizure.
Mastodon does not currently encrypt direct messages.
The whole point of Mastodon is to speak publicly, so I’m not sure I see the problem.
Other than the server owner’s property being unnecessarily confiscated, of course. Such thievery is quite clearly a tactic for depriving defendants of the financial and other resources they need to prove their innocence in court.
The problem is DMs. Having what appears to be a “private” communication mechanism that isn’t private at all might mislead users into divulging information that could put them at risk.
When you type up a DM on Mastodon, there’s a little popup notice that appears next to the text box that says:
Posts on Mastodon are not end-to-end encrypted. Do not share any sensitive information over Mastodon.
IMO the platform handles informing users about this responsibly.
How is a law enforcement agent staring at some workstations and computers to know what equipment was involved in the alleged crime they are raiding the facility for? If the FBI was raiding a home for child abuse and pornography, there’s no way they have the access or expertise at the time of a raid to know the server in the corner is only for Mastodon, the box over there is just a Linux firewall, and that box over there is a porn server. There’s no practical way to trust a defendant on site as to what is relevant to an investigation or not. I agree that unnecessary confiscation is a problem, but in general I don’t think the ill intent is there. I’m not a law enforcement officer, nor am I lobbying in any way for them, I’m just putting myself in their shoes in this situation.
How is a law enforcement agent staring at some workstations and computers to know what equipment was involved in the alleged crime they are raiding the facility for?
That would be a valid argument if they timely returned whatever they don’t need, but they don’t, so it isn’t.
If the FBI was raiding a home for child abuse and pornography, there’s no way they have the access or expertise at the time of a raid to know the server in the corner is only for Mastodon, the box over there is just a Linux firewall, and that box over there is a porn server.
Maybe not, but if they’re not completely incompetent, they’ll have images of all of those devices within a day or two. They don’t have any legitimate need to keep the seized equipment after that.
The cruelty is the point.
We’re talking about law enforcement agencies, not an IT department. Of course it’s technically possible to image a machine quickly. However, there are all kinds of steps and rules for chain of custody, transporting evidence, cataloging it, storing, examining it, etc. and a finite number of personnel to perform the work. Revisiting the child pornography example I used, fingerprints and DNA evidence on equipment could be quite relevant to a case. There may even be a need to examine hard drive platters (old school spinning disk, not SSD obviously) to determine if there was data deleted in the past. It’s rather simplistic to say it’s a matter of just imaging and returning as quickly as possible. I agree the equipment being gone often presents a hardship for a defendant, but arguing that it’s intentionally set up this way to inflict cruelty ignores the reality of investigations.
Poor data management practices on the part of this admin.
It seems like yes, but also:
To make matters worse, it appears that the admin targeted in the raid was in the middle of maintenance work which left would-be-encrypted material on the server available in unencrypted form at the time of seizure.
The drive wasn’t encrypted, a not-encrypted database dump was on the laptop when the raid happened. It might have had to do with gearing up for the Mastodon update that caused us a lot of grief across Fedi a couple of weeks back. Or it could have been database server debugging; the timing was incredibly bad.
According to Kolektiva, the seized database, now in the FBI’s possession, includes personal information such as email addresses, hashed passwords, and IP addresses from three days prior to the date the backup was made. It also includes posts, direct messages, and interactions involving a user on the server.
This is all stuff you should assume isn’t private anyway. I’m not so sure about “wakeup call”.
And people say what instance you choose doesn’t matter. Wild that the choice often seems to be between giving your info to mega corps or trusting a random person who’s servers could be raided at any moment for entirely unrelated reasons.
Given what we’ve learned about illegal and secret government surveillance from whistleblowers like Edward Snowden, I wouldn’t trust a megacorp any more than “a random person”.
The government already has the keys to all the megacorps’ kingdoms. The only possible way to protect your data is to make sure it uses client-side encryption, and that those encryption keys never under any circumstances travel over the internet.
You should assume that any information you give to ANY site is readily available to all major world governments.
Keep your private messages on end-to-end encrypted platforms like Signal or Matrix. Consider everything else public.
or trusting a random person who’s servers could be raided at any moment for entirely unrelated reasons.
IMO the end goal of a decentralized network should be to have a large number of small servers. Any raid/takedown should only affect a small subset of users.
Right but the instance I’m on could get taken over by an asshole, and get defederated by, or defederates from, my favourite subs. Then I’ve got to abandon that account and start a whole new one, same as I did leaving Reddit. I’m really not sold on this model until I can transfer my account somehow.
I believe Mastodon has a “transfer accounts” feature. I don’t know if Lemmy and Kbin do though.