Early in December 2019, Twitter CEO Jack Dorsey announced that the social platform is funding development of “an open and decentralized standard for social media.”
Within the hour, Mastodon responded with a virtual eye-roll—it had been three years since it was specifically launched as a decentralized Twitter alternative.
Mastodon is one of the latest data sources added to the Echosec Systems Platform. With a growing user base, mainly in Japan and the US, the platform is a growing and useful data source for detecting threats.
Keep reading to find out more about what Mastodon is, how it works, and what makes it a valuable threat intelligence source.
What Is Mastodon and How Does It Work?
Mastodon is a free, open-source microblogging software with a Twitter-like interface. Users post public or private 500-character messages often called “toots.” However, Mastodon has some key differences from Twitter.
Mastodon is a decentralized, federated network. This means that instead of operating as one website and storing its data in one place, it distributes data across thousands of websites and servers around the world. Mastodon subnetworks or servers, known as “instances,” each host distinct content types and communities. The Echosec Platform gathers and indexes data across Mastodon servers.
Some popular instances include Mastodon.social, a “general-purpose” server run by Mastodon’s founder, Eugen Rochko. Mastodon’s largest instance, Pawoo.net, has over 545,000 users and is used primarily for sharing art.
Example of a public toot on mastodon.social
Each instance has its own terms of service, codes of conduct, and moderation policies, but operates seamlessly together as a federated network. Rochko compares this to a federated network most of us are already familiar with: email. Email users can easily connect even if one person uses Gmail and the other uses Outlook.
Even though users can interact across instances, instances can also block content from other servers with policies or content they disagree with, without losing access to the entire Mastodon network.
Federated Networks: A Double-Edged Sword
One of the benefits of federated networks is that they combat censorship, for example, from governments. It’s harder to dismantle content distributed across many servers around the world than it is to dismantle a centralized platform where data is more concentrated. Federated networks aren’t centrally governed by content rules and US law in the same way most mainstream social networks are.
As such, Mastodon hosts many communities that would be kicked off of networks like Facebook and Twitter. For example, the Mastodon instance Switter.at was built for sex workers. Its server is hosted in Australia, where sex work is legal.
The federated model also means that Mastodon can’t be “shut down” in the same way that other platforms can be. Hypothetically, if Facebook shut down tomorrow, users would lose their pages, followers, friends, and content, and would have to re-establish themselves elsewhere. Even though Mastodon servers might grow, shrink, or become isolated if many other servers block them, they cannot theoretically be taken offline.
Many users also migrate to Mastodon to avoid advertising and other Twitter features, such as character limits and clunky updates. Mastodon also has a “content warning” feature to prevent users from inadvertently viewing sensitive material.
One of the original benefits of Mastodon, in opposition to Twitter, was its servers’ zero-tolerance policies for harassment and hate speech. This was complicated in July 2019 when Gab migrated to a Mastodon server. Gab is known for its far-right user base and struggled to find hosting providers after its user activity was linked to the 2018 Pittsburgh Synagogue shooting.
Public Gab post, as hosted on Mastodon
This points to the double-edged sword that is a federated network: it provides an open platform for a variety of communities to thrive—but this can also enable hate speech and radicalization in spite of Mastodon’s core values. And because it’s decentralized, it’s not possible for Mastodon to make a platform-wide change like removing a server. Mastodon instances can only block Gab content in an effort to isolate themselves from the controversial site.
Mastodon As a Threat Intelligence Source
Online social networks are valuable sources of open source threat data for security teams. Publicly available social content is useful for finding:
- On-the-ground security risks (e.g. extreme weather events, travel disruptions, bomb threats/active shooter situations)
- Evidence of hacking/data breaches
- Threats or harassment targeted at individuals and organizations
- Hate speech and toxicity
Mainstream networks like Twitter are useful for finding this data. However, less regulated and decentralized networks like Mastodon, where content guidelines tend to vary, are arguably more valuable. This is especially true for Gab.
Considering that there are thousands of Mastodon instances, finding threat data relevant to your organization would be an incredibly cumbersome process without specialized search tools. The Echosec Systems Platform helps organizations efficiently gather and filter relevant threat data from Mastodon and a variety of other online networks.
Mastodon and The Echosec Systems Platform
The Echosec Systems Platform aggregates and filters Mastodon data. Users can search for text, image, and video-based Mastodon content by keyword and username.
Even though Gab is technically hosted on Mastodon, Echosec Systems tools consider it a unique data source because of its prevalence as a platform for hate speech and user radicalization. Echosec Systems gathers Gab and Mastodon data through its own API, which uses AI classifiers to identify content indicating hate speech/toxicity and breached data.
Gab and Mastodon selected as data sources in Echosec (social discovery tool) and Beacon (dark web search tool
“The main reason I don’t like Twitter in 2018 is their position on free speech and their position on hate on their platform,” Rochko stated in a 2018 interview with Slate. “We don’t tolerate that stuff. We have a strict code of conduct, and that’s why people like being on Mastodon.social and that’s why people like Mastodon.”
There’s a certain irony in this statement: not only did Mastodon end up attracting some of the content it set out to prohibit—but Twitter, of all platforms, is following its model (almost 3 years later) with project Bluesky.
There are a couple things we can take away from this: decentralized social media is likely to continue growing, attracting a variety of communities not present on other mainstream social networks. And whether these communities are “good” or “bad,” they are crucial sources of threat intelligence for organizations.