- cross-posted to:
- [email protected]
- cross-posted to:
- [email protected]
In response to Bray’s toot, Evan Prodromou — one of the creators of ActivityPub, who is currently writing an O’Reilly book about the protocol — noted that this “is also the argument for using the ActivityPub API.” He described the API as “an open, extensible API that can handle any kind of activity type — not just short text.”
This gets to the nub of the issue. The fact that I can’t use my Mastodon identity to, for example, sign up to Pixelfed is not actually an ActivityPub issue — it’s because the two applications, Mastodon and Pixelfed, each require you to create an account on their respective products. What Prodromou is suggesting is that, technically, you can use the ActivityPub API for account access.
Yes - that isn’t what’s being suggested. And that’s entirely irrelevant.
The correct way to measure the threat a proposal poses isn’t by what’s specifically being proposed, but by what the proposal, if enacted, carries with it - what it necessitates, implies or even just allows.
As I mentioned before, and this seems to me to be the biggest potential threat vector, unless people host their identities on their own hardware, that information is going to be on someone else’s hardware. And that’s not going to be a charity - it’s going to be a business, that’s going to profit off of it somehow. If this proposal goes through and is relatively widely adopted, there will one day be an industry leader in the identity-hosting business, and that company will have leverage over the fediverse as a whole. And at that point it would be easy enough for them to, for instance, strike a deal with the biggest instances so that the instances, in the name of security or convenience or whatever might suffice, only accept registrations through that particular service.
I’m not saying that that will happen - only that it could. And that’s enough, in my estimation, to make it a bad idea, because if the history of the internet has shown us anything, it’s that if there’s a way for someone to control something and profit off of it, someone will control it and profit off of it, and the original proposal that made that possible doesn’t mean a damned thing.
You are describing the current situation in the fediverse, not a problem caused by the idea proposed.
Allowing for federated identity would also imply allowing migration of identity, which wholly prevents what you just described.
The current system is guaranteed to have larger instances where people won’t want to leave because doing so abandons your identity.
If I could move around the fediverse freely I would do so, but that is not a feature that is supported so I stick to the largest instance which happens to be the one I chose. I am not unique in this. Obviously, or this instance wouldn’t be so large.
Offering federated identity is only a better situation than today.
No, it’s not the same.
You’re only describing what would happen at the instance level, and skipping over the fact that the whole thing hinges on your identity on each and every instance actually being one and only one identity that would reside in one particular place. It would actually exist on, and be federated from, one particular server somewhere.
What that means, and the part you’re leaving out, is that whoever controlled that server would control your access to the fediverse as a whole - not just on one particular instance, which is the reality with instance-specific identities, but on all instances of all services.
The only way to avoid putting control over your access to the fediverse as a whole in the hands of one company would be to maintain your server on your own hardware, and as the article itself notes, most people can’t or won’t do that. So most people will end up with their identity on all instances of all services under the control of one specific company. Which is very much NOT the case now.
Now, if someone wants to somehow use their control over my fediverse access for some self-serving purpose - either maliciously or simply as a goad with which to extract profit from me - they’re necessarily limited to one identity on one instance of one service because that’s as high as it goes. They might, for instance, hijack or disable or demand a subscription fee for access to my .world identity, which resides on .world’s server. All that would mean to me though is that that one particular identity on that one particular instance would be compromised. I could still access the fediverse, and even access .world, just by coming in through my kbin identity or my lemm.ee identity or my .ml identity or whatever, since all of those are out of their control.
With this scheme, if someone wants to use their control over my fediverse access for some self-serving purpose, they have one specific place to do it - at the one specific server on which my identity is hosted and from which my identity is federated. With one move, they could hijack or disable or restrict extort payment for my access to ALL instances of ALL services, all at once.
Again, that is very much NOT the case today.