Fortifying the Fediverse: Decentralised Trust and Safety 2024

As 2024 comes to a close, it’s a fitting moment to reflect on a year of collaboration and innovation in trust and safety within the decentralised social web. This year has been one of growth for IFTAS and the fediverse community, marked by new initiatives, partnerships, and tools that strengthen the resilience and inclusivity of federated platforms.

IFTAS Milestones

We began the year with the release of our DSA Guide for Decentralised Services, offering practical insights to help decentralised platforms navigate the EU Digital Services Act. This resource has become essential for community leaders adapting to the latest regulatory requirements. In March, we introduced a suite of Personal Digital Safety Tools from Tall Poppy, designed to help community leaders safeguard themselves against doxing, harassment, and other online threats. This initiative supports the well-being of those at the forefront of creating safe spaces.

In May, we proudly launched IFTAS Connect, a collaborative platform for moderators, administrators, and trust & safety teams. By fostering community-building and sharing resources, IFTAS Connect has become a key tool for improving moderation efforts across the Fediverse. We also introduced FediCheck, a transparency tool that helps users evaluate the policies and safety measures of various Fediverse servers. By making this information accessible, FediCheck empowers service administrators to make informed choices about the platforms they engage with.

In October, our community demonstrated exceptional resilience during a large-scale spam attack on the Fediverse. This collective effort showcased the strength of our network and our ability to address challenges collaboratively.

We welcomed three amazing contributors, Ted Han, Erin Kissane, and Andrés Monroy-Hernández, to our Advisory Board. Their expertise in open-source technology and digital governance strengthens our mission to build safer, more equitable online spaces.

We stress tested our Content Classification Service, starting with tools to detect and combat child sexual abuse material. This marks a significant step forward in equipping moderators with resources to enhance community safety.

We ended the year with the release of our annual Needs Assessment Report, gathering insights from 180+ services hosting over 4.3 million accounts across the open social web. The report highlights key challenges and opportunities, offering actionable recommendations to support moderators and administrators, and will guide our work in the coming year.

The Ecosystem Expands

2024 saw a range of non-profit organisational growth including the launch of the Social Web Foundation, dedicated to enhancing interoperability, safety, and governance across decentralised networks.

As decentralised platforms grapple with the challenges of misinformation and disinformation, Newsmast emerged as a key player in combating these threats. The platform’s proactive approach to content verification and user education has set new standards for maintaining the integrity of information shared on federated networks. Their collaborative efforts with community moderators have been instrumental in promoting accurate and reliable discourse.

Emelia Smith proposed and led the creation of the ActivityPub Trust and Safety Taskforce, whose first task will be an overview of current state of trust and safety on the Fediverse, followed by work on flags, blocks, and content labelling.

Juliet Shen announced the creation of the Open Source Tooling Consortium at TrustCon, which can both contribute to, and learn from, the open source community building federated social networks.

A New Social was launched to liberate people’s networks from their platforms, leveling the playing field across the open social web – with it’s first project to adopt and expand BridgyFed.

We look forward to collaborating with these and other organisations as the network grows, seeking to reduce duplicative effort and leveraging the energy and commitment all these amazing people are bringing to the table.

Platform Developers

Two FediForum events highlighted a ton of new work in federated platforms.

The Mastodon team is spearheading the Federated Auxiliary Service Provider specification, which is focussed on search and discovery for now but can open up a world of possibilities for trust and safety tooling. Mastodon 4.3 saw improvements in dealing with unwanted content, and Bonfire Networks undertook a range of activities to explore governance and moderation tooling as a foundation of their platform development.

Fediseer continues to be a growing resource for Lemmy and Mastodon administrators, and fedi-safety is a novel tool that can classify genAI CSAM on Lemmy and potentially other services. Pixelfed introduced comment controls and enhanced spam classifiers.

BlueSky introduced Ozone, an innovative moderation tool designed to support moderators in managing their communities. Ozone’s integration of advanced filtering systems makes it a standout contribution to the trust and safety ecosystem, powering several “composable moderation” projects on the Bluesky “ATmosphere” with the notable success of Blacksky, an AT Protocol implementation prioritising the community building efforts of marginalized groups; especially Bluesky’s community of Black users after which the project is named.

Spritely is working on the next generation of decentralised tech, building on co-founders’ Jessica Tallon and Christine Lemmer-Webber’s experience co-authoring ActivityPub.

Research and Writings

Yoel Roth and Samantha Lai published “Securing Federated Platforms: Collective Risks and Responses“, which has become an essential resource for administrators and moderators. The report explores the shared vulnerabilities of decentralised networks and provides actionable recommendations for mitigating risks collaboratively. Its release has sparked important conversations about collective accountability and the role of communities in safeguarding the social web.

Darius Kazemi and Erin Kissane published “Governance on Fediverse Microblogging Servers” – answering the question “What are the most effective governance and administration models in place on medium-to-large sized Fediverse servers?”

Looking Ahead to 2025

As we celebrate the progress made this year, we are energised by the opportunities that lie ahead. Reviewing the 2024 Needs Assessment we see our work expanding moderation tooling and providing new and enhanced resources to further strengthen and scale trust and safety in federated social networks. Wherever possible, we will endeavour to align with projects and participants that are similarly working to create #BetterSocialMedia

We are committed to advancing trust and safety in the federated web. Together, with the continued support of our community and partners, we will build on the foundations laid in 2024 to create safer, more inclusive online spaces.

To support our global community, we are translating our shared labels and definitions into multiple languages. We welcome any and all input in this collaborative effort, submit a few translations today!

Recognising the emotional toll of moderation, we will adopt and adapt resources to support moderators dealing with traumatic content. We aim to offer comprehensive guidance on various regulatory frameworks, including the UK Online Safety Act, to assist administrators and moderators in building toward compliance.

Our comprehensive Moderator Handbook is in the final stages of editing and will soon be available as a valuable resource for both new and experienced moderators. We plan to introduce hash and match services to identify and manage non-consensual intimate imagery and terrorist and violent extremist content, using platforms like StopNCII and GIFCT.

You can track our in-progress and planned activities on our Activity Tracker page.

We thank everyone involved and engaged in strengthening and scaling trust and safety in this exciting landscape, and look forward to achieving even greater milestones together in the coming year.

Support the Social Web

Almost everyone and everything mentioned above is supported by donations. If you believe in an open web that is safe and inclusive (not to mention ad-free and not in the habit of selling your data to the highest bidder) consider signing up for a subscription, or making a donation to any of these institutions and individuals who are working to ensure an open, democratic web for everyone in the world to enjoy. This is just a list of links for people and projects listed above, but there are hundreds more worthy of your support.

#TogetherStronger

• Blacksky
• Bonfire Networks
• Darius Kazemi
• db0
• Emelia Smith (@ThisIsMissEm)
• Erin Kissane
• Fediseer
• Independent Federated Trust and Safety (IFTAS)
• Lemmy
• Mastodon
• Newsmast Foundation
• Pixelfed
• Social Web Foundation
• Spritely Institute

The 2024 IFTAS Needs Assessment Report is Here!

We are pleased to to announce the release of the 2024 Fediverse Trust & Safety Needs Assessment Report. This annual report is a cornerstone of our mission to support the decentralised social web with evidence-based research and actionable recommendations for moderators, community managers, and administrators.

This year’s report reflects the insights of 183 services spanning platforms like Mastodon, Lemmy, and Peertube, collectively hosting over 4.3 million accounts. This year we also heard from volunteer independent moderators on Bluesky. By analysing the experiences and feedback of these moderators and admins across the Fediverse, the report highlights the challenges and opportunities within this rapidly evolving ecosystem.

We will follow up with an analysis of what we’ve seen change since last year’s report, as well as key resources we think can help solve some of the needs identified.

Key Findings

• Resource gaps – only 16% of communities have 24-hour moderator coverage, and nearly half of moderator teams lack formal guidance. That said, we see roughly one moderator for every 1,200 active accounts.
• Top ranked priorities – moderators need tools for CSAM detection, spam prevention, and legal guidance for compliance with regulations like GDPR.
• Burnout is a persistent issue – one in five moderators report experiencing trauma or burnout this year, underlining the need for wellness and resilience resources.
• Financial struggles – most communities operate on donations, and overall our survey participants are not generating enough money to cover costs. Very few moderators are receiving any compensation for their labour.

IFTAS Initiatives

Informed by last year’s findings, IFTAS has developed several solutions and programs, including a Fediverse CSAM scanner, a comprehensive Moderator Handbook (coming soon), and the creation of FediCheck for automated denylist management. Moving forward, we aim to expand resources for moderator wellness, launch our CSAM scanner for broader use (please register your interest), improve tooling for non-consensual image detection, and introduce new community guidelines templates.

We encourage everyone in the Fediverse community to read the full report for a deeper understanding of the challenges facing decentralised moderation and the innovative solutions underway.

Read the Full Report Here

Get Involved

IFTAS thrives on collaboration. Join our community of practice at IFTAS Connect, use our resources, or support our mission with a charitable donation to help make the Fediverse a safer, more inclusive space for all.

Let’s work together to empower moderators and create a stronger, safer social web!

#TogetherStronger

On October 8, 2024, an IFTAS Connect member observed one of the first spam posts from a network attack conducted by what appeared to be a reuse of the same “nuke” script we saw earlier this year in February, a simple but effective tool to create new accounts in bulk, and use those new accounts to deliver unsolicited messages in an infinite loop.

Various reports highlighted the activities of two parties engaged in an online argument, both sides of which appear to be young scripters based in Japan, with the intent of causing trouble for the other party.

In short, a Discord bot was created that can automate the creation of a new account on an open registration service and then repeatedly spam a new post with ten direct mentions, causing notifications to pop up for hundreds of thousands of Fediverse users, which -thanks to network bridges and unmanaged group functionality – included Bluesky accounts and Friendica groups that automatically boost the posts to potentially thousands more individuals.

The bulk of the October spam originated from predominantly Misskey servers, although other services including Mastodon were also compromised. Misskey is an ActivityPub-enabled microblogging service popular in Japan.

Within an hour of observing the first spam messages, the IFTAS Connect community had created a shared spreadsheet of affected servers. In the previous spam wave, much effort was spent on blocking the increasing number of servers delivering spam, and finding ways to identify and delete spam messages. However, due to the large number of independently operated Fediverse servers, getting this information out in a manner that was helpful to self-hosted and managed-hosted servers, without simply handing the mitigation to the spammers themselves to adapt their attack, proved to be difficult.

We saw fewer than a hundred servers involved in the spam wave. With potentially 30,000 servers, relays, groups and bridges to alert, the community decided to instead try to alert the small number of impacted service providers.

An alert was drafted in English, translated into Japanese and Chinese to help the server operators understand the issue being described, and research began to find contact information for the servers being tracked.

Within the hour, server operators began responding to the alerts and closing down registration, deleting the relevant accounts, and wiping the spam content. After 24 hours almost all servers had responded, leaving only ten still open and spamming the network. At this point, the Social Web ISAC issued an alert to limit content from those ten servers, and began filing abuse reports with the remainder’s web hosts and content delivery networks.

The community tracked outbound emails and messages, and updated the spreadsheet as servers responded and mitigated the issue. If no response was observed after 12 hours, emails were then sent using the relevant web host abuse report functions, which send an email directly to the service operator from their web host or domain registrar.

This mitigated several more servers, bringing the list of servers that were entirely unmonitored “ghost ships” to six. At this point, IFTAS decided to add the remaining servers to the IFTAS Do Not Interact list, which in turn updated users of FediCheck to automatically block those servers.

Overall, the community mitigated almost all of the spam within 48 hours, proving that despite the core issue of decentralised networks not having a network-wide view of the Fediverse, opportunities exist to work together and combat the same issues inherent to all social media platforms.

In response to the February attack, Mastodon added a feature to close new registrations on a service that appears to be unmanaged, which likely helped mitigate this second attack to some degree. Nonetheless, in an ecosystem that allows open federation and open registration by default, we will need better spam blocking tools, and better account creation review options to better guard against this kind of attack in the future. We are aware of several projects underway to provide various defenses against spam, as well as the Fediverse Auxiliary Service Provider Specifications project that should enable third-parties to offer plug-in style help for service providers.

Still, we couldn’t be prouder of the IFTAS Connect community and all the folks who gave their personal time and energy for the good of all. And if you’d like to get alerts from IFTAS consider following https://mastodon.iftas.org/@sw_isac or subscribing to our email alert service.

#TogetherStronger

https://about.iftas.org/2024/10/21/coordinated-community-response-mitigates-fediverse-spam-attack/