Login
You're viewing the mstdn.social public feed.
  • Jun 28, 2026, 4:24 AM

    Today, an unknown bot swarm started using my name, boosting my posts, and inserting itself into communities I helped create. I treated it like any other potential attack and started defending myself and our communities as best I could. This has taken up more of my day than most malicious bot attacks, because it had the air of legitimacy—despite taking the actions of a threat.

    When the owner, @evan ¹, came in with the same justifications as the porn-scrapers and LLM-owners I regularly fight against—repeatedly doubling-down in the face of backlash²—I felt more and more sure of my response.

    I now feel justified in calling for a #FediBlock of tags.pub (and probably his other projects), at least until a better opt-in consent model is built into the project.

    ¹ I'm including his name as he's a public figure associated with Activity Pub, and our whole conversation today is already a public record, but please don't dogpile; just defed or block as you see fit and call it a night (or day—I'm not your mom).

    ² Receipts: lgbtqia.space/@alice/116824281

    #FediAdmins

    💬 49🔄 474⭐ 415

Replies

  • 💬 0🔄 1⭐ 15
  • 💬 0🔄 0⭐ 2
  • Jun 28, 2026, 5:00 AM

    @alice @evan I had to deal with the same shit yesterday. I also would support a #FediBlock of tags.pub
    It should at least be opt in

    I have general doubts that it’s made for a good purpose.

    💬 2🔄 4⭐ 15
  • Jun 28, 2026, 5:32 AM

    @no_brainer @alice @evan

    This is exactly the problem. The goal may be to help smaller Fediverse instances federate more easily, but good intentions don't justify an opt-out consent model. When a service reaches into other communities by default, the burden falls on everyone else. Opt-in is the better design. One would expect a public figure stewarding Fediverse infrastructure to understand that. Yet here we are.

    cosocial.ca/@evan/116825943308

    💬 0🔄 12⭐ 23
  • Jun 28, 2026, 10:05 AM

    @no_brainer @alice @evan would some sort of "robots.txt" mechanism help here where accounts can signal if they consent to certain aspects and ethical instances respect those controls and any not ethical instance that rejects those controls could e.g be auto blocked by default by ones own instance for example.

    💬 2🔄 0⭐ 1
  • 💬 2🔄 2⭐ 14
  • Jun 28, 2026, 10:17 AM

    @no_brainer @alice @evan yeah agree. robots.txt basically works like this: "hey bots please do not index this website, thanks" and if anyone ignores that they can be called out publicly/blocked etc. but not having any mechanism like this whatsoever to begin with seems odd and is a missing part here. Enforcement would work through social pressure (like robots.txt)

    💬 0🔄 0⭐ 4
  • 💬 2🔄 5⭐ 13
  • Jul 2, 2026, 5:18 AM

    @fromjason @no_brainer @bitbraindev @alice @evan I looked at the thing to see what it's about, and at first I didn't get its purpose, or the problem, but then I connected the dots. If you generally post tags with objects, like # thing, then the bot would be called @ thing, which would be kinda strange to see boosting your posts, but nothing really bad. However, if your hashtags are names instead, that's very creepy, way worse and feels like impersonation attacks. So yeah, first, why isn't this opt in? sure, it limits discoverability and all that, but like, the price is too high for a tiny bit more discoverability, there are privacy risks and so on. But also, especially because we have actual relays and we can follow hashtags, at least on mastodon, what's the point of doing this, if not trying to build a global graph or database of the entire fedi? Yeah, this does sound like one of those crawlers/bots, even if the purpose is different...or is it?

    💬 0🔄 0⭐ 0
  • 💬 0🔄 0⭐ 2
  • 💬 1🔄 0⭐ 0
  • 💬 1🔄 0⭐ 0
  • Jun 28, 2026, 3:04 PM

    @bitbraindev @no_brainer @alice @evan

    The alternatives to relying on the honour system don't reduce to "do nothing". There aren't only two options. Advocating for a "trust us to be well behaved bro" model amidst the largest breakdown of that exact thing in web standards is, to put this politely, out of touch.

    Naming and shaming, defederating the scumbags, etc., are all valid ways of dealing with these problems. Other more aggressive approaches unfortunately lead to closed off communities, which are counter to what many people believe the internet should be.

    💬 0🔄 0⭐ 0
  • Jun 28, 2026, 5:05 AM

    @alice @evan@cosocial.ca Appreciate the words of caution - blocked their ass so hopefully, we won’t have any issues with them. Hope you have sorted it out as well. 🫤

    💬 0🔄 0⭐ 4
  • 💬 0🔄 1⭐ 11
  • Jun 28, 2026, 5:25 AM

    @alice @evan How hard would it be to make this "service" opt in only? It would still be able to perform the stated intended function and prevent this unnecessary collateral damage.

    The owner's unwillingness to do this makes it seem like some kind of content or info scraping scam.

    If people are uncomfortable with it then don't do it. You're only pissing people off by continuing to go down your current path. Why do that?

    💬 2🔄 2⭐ 12
  • Jun 28, 2026, 5:33 AM

    @Darkasvim @alice @evan He's probably too lazy to get a large enough user base the right way (opt in) for what ever he's doing this for.

    All platform bridge bots etc require that you follow them to participate in their function, it's a long established practice.

    💬 0🔄 0⭐ 4
  • Jun 28, 2026, 11:21 AM

    @Darkasvim In his comments, their owner shows absolutely no sense for empathic behaviour ... (even not for legal requirements for consent in the EU which has opt-in even for tracking).
    And he names 3 bot instances (how much more will he have?). Blocked them.

    @alice @evan@cosocial.ca

    💬 0🔄 0⭐ 0
  • Jun 28, 2026, 5:31 AM

    @alice I must admit, I understand the technical side of it. Especially considering that there are people here going "hurr durr, doing your own instance is the only true way to use Mastodon" and the like, discoverability of Hashtags is directly tied to the size of your instance.
    Is their approach heavy-handed? Undeniably.
    Does it solve an issue? I'd say so.
    Is there a better approach? Honestly, time must tell, the fediverse still is pretty much in its infancy and a lot of contract still forms.

    💬 4🔄 1⭐ 8
  • Jun 28, 2026, 5:37 AM

    @alice I mean we're on a 'social network' after all, there is a point to be made that everything we post publicly comes with an 'implicit default opt-in' to redistribution, which especially includes retooting. I'd see a line crossed if they were to copy-steal posts of others, but from what I saw in this discussion, this is not what they're doing. As long as federation holds, modification or deletion should be propagated to all participating instances, leaving 'you in control of your content'.

    💬 1🔄 0⭐ 4
  • 💬 1🔄 3⭐ 9
  • Jun 28, 2026, 5:57 AM

    @alice I understand your position to this, but who decides whether this is 'the correct way' to interpet what social media means as concept for mastodon? I mean everything happening is a continuous negotiation between all participants, there is not (neither should there be) a single authority deciding what is right and what isn't. In this instance, however, I believe their approach genuinely steers the fediverse in a more inclusive direction than it currently is, which feels a win in my book.

    💬 2🔄 0⭐ 1
  • Jun 28, 2026, 6:00 AM

    @alice and to go more specifically to your example: what I believe they are doing is not flirting with you; they are only taking your statement that you are available for flirting and making it visible for potential candidates which otherwise might not have had a chance to know about this prospect.

    💬 1🔄 0⭐ 3
  • Jun 28, 2026, 6:40 AM

    @DJGummikuh if someone is looking for me, they'll eventually find me here. I don't need a dating service to opt me in without my permission.

    What is so fucking hard about asking for permission?

    It's the "no", right?

    It's because it's easier to avoid "no" if you don't ask my permission.

    This is the same mentality that makes us wear roofie-detection bracelets at bars.

    *Unambiguous* consent needs to happen *first*.

    💬 1🔄 7⭐ 15
  • Jun 28, 2026, 6:49 AM

    @alice Ok that is an interesting aspect. Obviously, roofie-detecting bracelets are proof for a failing system and victim-blaming, no argument here. But did you not give consent that your post is visible (and likable+boostable) for anybody looking for that hashtag by explicitly USING that hashtag on a public post? What is this bot doing beyond what you deliberately allowed by posting with these settings in the first place? (this question again is not rethorical, I really try to understand this)

    💬 1🔄 0⭐ 3
  • 💬 0🔄 2⭐ 8
  • Jun 28, 2026, 6:32 AM

    @DJGummikuh did you see the thread? It was *overwhelmingly* negative, and what's-his-name seemed intent on digging a hole to Fediblock land as fast as possible.

    In this case, if his "approach genuinely steers the fediverse in a more inclusive direction" the way it was just demonstrated, then I'll be blocking all those domains and going to exclusively "followers-only" posting.

    I already have follow requests on because I get harassed by bots and scammers constantly. I don't want to have to lock down my posts to avoid opt-out "services" that I don't want in the first place.

    💬 1🔄 2⭐ 6
  • Jun 28, 2026, 6:38 AM

    @alice yes I think the way he presented it was 'less than optimal' to put it mildly,though the general tone of the discussion (at least the part I saw) was heated and emotional, and usually nuance is the first victim in this climate.I truly understand your position; I also see the value in what they are trying to do. What becomes of the fediverse will be the result of the collective choice of its users, I just wanted to raise that it's not as black and white as partly depicted in the discussion.

    💬 1🔄 0⭐ 1
  • Jun 28, 2026, 7:25 AM

    @DJGummikuh consent isn't a grey area—we know what good consent looks like, and this was *not* it.

    I appreciate that you've been following me for a while now, but not understanding why consent is the important part of this is a huge red flag for me.

    💬 0🔄 2⭐ 6
  • Jun 28, 2026, 5:38 AM

    @DJGummikuh seems like there should be an efficient way to semi-anonymously broadcast that a server has specific hashtags, and if a user on a single-user instance follows that hashtag, then their instance would know which servers it has to poll to get posts with that tag.

    💬 1🔄 0⭐ 4
  • Jun 28, 2026, 5:41 AM

    @alice I don't think there is and that hinders discoverability of as of yet unknown persons massively. This is a direct function of the concept of federation, balanced against the load requirements of servers. We're firmly in the design philosophy territory of ActivityPub here, and social-graph forming via hashtags is a complicated issue, again predominantly disadvantaging small/one-user instances

    💬 2🔄 0⭐ 3
  • Jun 28, 2026, 5:45 AM

    @alice always keep in mind that ActivityPub has no master servers, so an inclusive "Push" to all servers is as impossible as an inclusive pull, as there is no central registry maintaining a list of all federating servers. Cheating around that 'short-coming' with an approach like theirs releases pressure on this pain point for people running one-user instances, which in turn simplifies the life of people trying to push for more instance-diversity as opposed to everyone going to the big instances

    💬 2🔄 0⭐ 3
  • Jun 28, 2026, 5:48 AM

    @alice again, I understand your underlying position of 'no usage of my posts without my explicit approval', but I'd wager a bot exclusively restricted to retooting (i.e. not using the gained reach for propagating their own messages) should fall short of any thorough definition of 'usage', at least in the context of a social media.

    💬 2🔄 0⭐ 4
  • DBlawyersgunsnmoney
    Jun 28, 2026, 6:05 AM

    @DJGummikuh Interesting that I already had that douchebag blocked. Given that you’re advocating for the douchebag , presumably because you want to do the same, kindly fuck off. You’re blocked as well. @alice

    💬 0🔄 0⭐ 1
  • Jun 28, 2026, 6:18 AM

    @DJGummikuh my nudes were being boosted by @alicepics@tags.pub 😐

    There was also a @bunnyalice@tags.pub, and several other hashtags that were turned into named bots for the sole purpose of boosting my posts.

    This was the most "Invasion of the Body-Snatchers" implementation of a "service" I've seen. Though I admit it would have been worse if it had used my profile photo for the bots.

    💬 1🔄 0⭐ 5
  • Jun 28, 2026, 6:21 AM

    @alice I fully expect there to be no discriminatory logic behind the operation of this approach. From my understanding this bot just takes the hashtag, generates it as an account and causes the posts to propagate. I'd be ABSOLUTELY with you that the bot attempting to actually impersonate you (e.g. by using your pic), therefore suggesting a direct relation between you and it, would clearly cross a line of immorality, but it doesn't, which feels a very deliberate choice to steer free of this topic

    💬 2🔄 0⭐ 2
  • Jun 28, 2026, 6:25 AM

    @alice also, with your nudes being public, they already would be available without any controls, authorization or access control beyond deletion by you, even outside the fediverse altogether, so from a strictly judical standpoint, the bot does not tread on issues such as privacy or individual consent for access. I believe the actual discussion to be had in this specific case is the exact definition of what 'publicly available' is supposed to mean and entail

    💬 2🔄 0⭐ 1
  • 💬 1🔄 0⭐ 9
  • Jun 28, 2026, 7:21 AM

    @alice no whether or not something is deserved or anybody's fault is not part of my argument. I see now that we have genuinely different understanding of what publicly posting content on mastodon allows other actors to do, and I do not have the authority to decide which position is 'right'. Voicing and explaining my opinion on that matter was the main goal, with the hope that it is of some value to you and others reading this.

    💬 0🔄 0⭐ 3
  • Jun 28, 2026, 10:33 AM

    @DJGummikuh

    I mean this is technically arguable yes, but "from a strictly judicial standpoint" is simply not the right standpoint. Consent and the law aren't a one-to-one mapping.

    💬 1🔄 0⭐ 0
  • Jun 28, 2026, 10:51 AM

    @unchartedworlds that is correct but the problem is, the law (and to a degree the ToS of Mastodon) is essentially an agreed-upon understanding of what is and isn't tolerable. Everything beyond that very quickly descends into individual opinion, which is absolutely legal to have but becomes difficult to navigate when different opinions differ. Such as whether posting something public while allowing everybody to boost still allows you to then complain that somebody/something does exactly that.

    💬 2🔄 0⭐ 0
  • Jun 28, 2026, 10:53 AM

    @unchartedworlds I think this also touches on the question what "rights" you retain to the Hashtags you use. Hashtags are predominantly a technical utility that allow you to categorize and tag your posts for specific topics. Using the name of that hashtag to name a bot does in my personal opinion not touch any legal limits, as they are neither copyrighted nor have an exclusive usage. It also (again, my opinion) does not tie the user to any kind of identity, as their usage is not limited.

    💬 1🔄 0⭐ 0
  • Jun 28, 2026, 10:56 AM

    @unchartedworlds I think at its core this whole thing blew way out of proportion with a lot of the discussion being caused by completely different frames of reference. This also is an issue exclusive to the Fediverse - no centralized SoMe actually has this problem family, as even bluesky has master servers that theoretically allow synchronization of content - and therefore touches issus and motivations nobody ever really faced since the advent of search engines.

    💬 1🔄 0⭐ 0
  • Jun 28, 2026, 12:21 PM

    @DJGummikuh

    "This also is an issue exclusive to the Fediverse - no centralized SoMe actually has this problem family"

    If the issue is "material shared in a particular context is transmitted onward into a different context without asking", then I disagree it's exclusive to Fedi - I've seen that area conceptualised and navigated on Twitter as well. Examples:

    • People asking "Okay to retweet?" - not because they legally _had_ to ask, but out of sensitivity to whether the OP _wanted_ their post shared further. Often used for posts where a personal anecdote was shared and other people find it especially illuminating.

    • Quote-tweets being used to focus attention on a tweet - widely considered an affordance which can be used for good or evil :-)

    Or are you thinking of a _different_ issue?

    💬 1🔄 0⭐ 0
  • Jun 28, 2026, 12:35 PM

    @unchartedworlds no, that's the point, I'm talking about a COMPLETELY different issue. Due to the federated, non-centralized nature of ActivityPub, if I'm on a single-user instance, and I post a message e.g. under the generic hashtag "linux", even if you follow the linux hashtag, you WILL not see my post unless your server and my server are federated. With this bot server, it would be (presumably, still trying to find out) enough that your server knows the bot server to find my original post.

    💬 2🔄 0⭐ 0
  • Jun 28, 2026, 12:36 PM

    @unchartedworlds so this bot activity serves a purpose that not necessarily has any gain for the bot per se, it just simplifies populating otherwise non-federated instances to each other. This bot is NOT an aggregator bot "follow my bot instead the artist to get a digest of content"

    💬 1🔄 0⭐ 0
  • Jun 28, 2026, 12:37 PM

    @unchartedworlds I'm uncertain (as I can't seem to find a definitive answer to that yet) if you even have to follow any account on the bot instance at all or if it is sufficient for your instance to have a single user to follow ANY account on the bot instance to allow you to find hashtag content on any OTHER instance the bot instance has crawled

    💬 0🔄 0⭐ 0
  • 💬 0🔄 0⭐ 0
  • Jun 28, 2026, 3:01 PM

    @DJGummikuh
    @unchartedworlds

    There are more nuances than this, though.

    First, 'public' does not equal 'okay to publicise' – the ease of access and amount of automatic visibility matters. For instance, I once spent a significant chunk of effort to get my deadname off my Wikipedia page, as it felt really uncomfortable to have it appear on the top 5 search engine results for anyone looking for my current work contact information.

    Second, a regular boost is the result of someone actually thinking that the toot is worth boosting and that it is appropriate to do so. What we have here is a bot-like entity that does the boosting automatically, without any meaningful supervision.

    'If it's technically possible, someone will do it' is certainly a pretty accurate description of the net. It's not a useful guideline for ethics, though.

    💬 0🔄 0⭐ 0
  • 💬 0🔄 0⭐ 11
  • Jun 28, 2026, 6:12 AM

    @DJGummikuh it's a bad solution that will be abused by bad actors to harm vulnerable people, and it takes control of my content (in this case, personal hashtags and photos of my naked body) out of my control.

    💬 1🔄 0⭐ 3
  • Jun 28, 2026, 6:17 AM

    @alice does it, though? Genuine question here - when you post something as 'public' here, which forms of control do you expect to have beyond the ability to modify and delete your post after publishing? I agree, discoverability is a two-sided sword that helps surveillance as much as it helps social graph building, but what form of control does it remove from the author if it is restricted to boosting?

    💬 2🔄 0⭐ 0
  • 💬 0🔄 0⭐ 5
  • 💬 0🔄 0⭐ 0
  • Jun 28, 2026, 6:09 AM

    @DJGummikuh we already have opt-in solutions for that. I'm registered with like a dozen of my most-used hashtags on multiple discoverability services.

    But I chose those.

    I chose to be listed as someone who talks about data privacy, LGBTQ topics, etc.

    No one assumed I'd be okay with being listed there.

    💬 1🔄 1⭐ 5
  • Jun 28, 2026, 6:14 AM

    @alice fair. And again, I do not have any capacity to judge authoritatively which is the right approach. I just felt inclined to point out that this is a workable, possible solution to a tangible problem with the underlying architecture of ActivityPub and not some pervert trying to make a buck, which is a consideration I felt lacking in a lot of the replies to your original thread.

    💬 2🔄 0⭐ 2
  • Jun 28, 2026, 6:30 AM

    @DJGummikuh @alice I somewhat hesitantly raise my voice also, that I’m not entirely against discovery aids, but at the same time if those are found to cause people harm, the community of fediverse can choose to come together block them on the server level.

    But I do also call for some level of organic experimentation to be encouraged, as designs by committee are vulnerable to other kinds of abuse: capture by large actors working against the small.

    💬 2🔄 0⭐ 4
  • Jun 28, 2026, 6:33 AM

    @gimulnautti @alice couldn't agree more! I am absolutely not against blocking people for doing something percieved to be immoral, even if it is just the perception of individuals. This is a vslid strategy to express dissent. I just find it important to raise that there are more nuanced sides to this story than the replies of quite some participants in this discussion suggest

    💬 0🔄 0⭐ 4
  • 💬 1🔄 0⭐ 7
  • Jun 28, 2026, 10:58 AM

    @alice @DJGummikuh It is not a question of understanding the issue. Merely notifying that while consent matters, absolute consent necessitates absolute prearrangement of details, potentially leaving no room for good surprises.

    Where is the space for argument, or ’courtship’? And how open is that space? These are difficult questions, and people’s tolerance in those spaces and how they’re defined seem to differ somewhat.

    💬 0🔄 0⭐ 0