The fall of pol.social is not just a failure. It's a GDPR incident, the result of negligence and of tolerating disinformation. Risk analysis for Fediverse users. Privacy advocates, are you sleeping?
Services managed by the Foundation Technologies for People have vanished, as if in a digital palimpsest. The current situation with pol.social very likely qualifies as a personal data protection breach incident. Prolonged service unavailability combined with a lack of communication constitutes serious negligence of the administrator's duties.

Communication Catastrophe and Vanishing Without a Trace
I wrote on September 6th about the massive multi-day outage, lasting over 5 days, of all services of the Foundation Technologies for People servers. The outage ended with the restoration of some services, but resulted in a complete communication catastrophe - no explanation provided.
Currently, it’s Saturday, September 20th, and for approximately 3 days now, the pol.social server - one of the larger and more reputable servers in Poland’s decentralized social network fediverse running on Mastodon - has disappeared from the internet without explanation. The Foundation’s website has also vanished. NGOs, private individuals, and organizations like WatchDog Poland have lost access without any explanation not only to their social media profiles, but also to the Nextcloud cloud system where some kept files, Pixelfed where they stored photos, and PeerTube where they kept videos. There is no information about what is happening.
Outage as GDPR Violation
In my opinion, this already bears the hallmarks of a GDPR violation, as I wrote on my BSKY profile:
Since the administrator is not informing users about what is happening, in my opinion this bears the hallmarks of a serious violation and needs to be addressed by UODO (Polish data protection authority). We certainly have a loss of data availability here. Data security is based on three pillars: confidentiality, integrity, and availability. A three-day (or longer) outage during which users do not have access to their data (posts, private messages, contacts) is a violation of the availability principle. If the outage results from lack of appropriate safeguards (e.g., lack of backups, disaster recovery plan), this is direct administrator negligence.
Deeper Problem: Tolerating Russian Disinformation
Most interestingly, the fediverse community remains silent on this matter, efficiently criticizing big tech for violating privacy principles while simultaneously being unable to create a real and safe alternative. This concerns the potential of decentralized networks for spreading spam, disinformation, and as we can see, losing control over one’s data.
The pol.social server, until its deactivation, was for several weeks a conduit for Russian disinformation, even though the administrator (Piotr Sikora) was repeatedly informed about the existence of profiles pumping Russian propaganda on a massive scale. He did nothing about it. Users contacted him through official channels as well as through Mastodon’s moderation mechanisms. The administrator took no action.
Disturbing Question: Is This Law Enforcement Intervention?
The question is whether the shutdown of the pol.social servers is a consequence of this negligence and of a law enforcement intervention.
If this is true, then the administrator, through his negligence, exposed fediverse users to exceptional danger. Because he neglected his duties, the data will now be analyzed by law enforcement, which means that people completely unrelated to such activities, who were seeking, for example, a safe haven for their activism, may be exposed. Yes, of course the Mastodon network is fully public, but documents stored in Nextcloud are not, just like private messages sent “privately”.
The Safe Haven Trap and Community Silence
I think there’s no point in counting on reflection from the fediverse community, because recent events prove that the alleged safe harbor turned out to be a trap.
I wrote repeatedly about the need for professionalization. I wrote about how easily compromising material on administrators can be collected because of the presence of dangerous spam and porn. This was not well received by alleged specialists and wannabe administrators picked at random (though I’m talking about other situations here, because we have plenty of disappearing servers and strange projects in the fediverse). I think the current silence over pol.social’s grave indicates that this community probably cannot learn from its mistakes. And law enforcement has an excellent opportunity to collect compromising material among people with often exceptional technical competencies, but incorrect views or morality.
Dear Readers, when it comes to the internet’s infosphere, it’s clear that we are transitioning from the sniffing stage to the biting stage.
My Earlier Publications About Fediverse Problems
Signal #2536 Problems with pol.social servers - bitter lesson for Fediverse
The Activism Trap: Critical Analysis of Interpellation on Social Media Federalization