OSINT: The Mastodon Paedophile Problem

Mastodon has a major paedophile problem. Join computer scientist Edward Charles for a closer look at the paedophilic side of the fediverse.


There's been lots of tears lately because divisive billionaire VoldeMusk has completed his acquisition of Twitter and has begun making some bold changes.

Personally, I'm "meh" on the subject but I have created a new Twitter account to watch events unfold. One of the most controversial changes has been the introduction of verification for paying users through Twitter Blue, reducing otherwise "verified" users to the same status as average users. Musk's plan, according to his tweets - which seem to vary wildly day by day - was to verify users via a payment method and therefore reduce the risk of bots, spam, hateful or hurtful speech and other potentially damaging content.

This makes sense, at least in theory. I can't say I would be particularly comfortable posting anything divisive or controversial on a platform where my payment information was stored; though whether that is a force for "good" is another debate. For Musk, this also makes business sense - throw out the bots, keep real people and try to keep the tone of debate somewhat civil - after all, Twitter does have a reputation for being a virtual playground where people screech at each other over nonsense.

Ironically, this wasn't a good enough reason for the perpetually offended masses on Twitter. Within hours, #Mastodon was trending as an alternative platform to Twitter.

Mastodon is a bit more complex than Twitter. It requires that a user sets up an account on an "instance" which can be thought of as traditional social networking in that the user creates an account which allows them to login to a server somewhere on the internet; the clever part is that the account isn't limited to staying on that "instance" in the same way a Twitter user is limited to being on Twitter.

Mastodon users can be followed across instances. For example, if my instance is social.edwardcharl.es and I have a friend who is running an instance at social.afriend.com I can follow my friend on their instance, instead of them having to create an account at my instance. They can also follow me.

Similarly, if I decide that I don't want to maintain my instance anymore, I can migrate to social.afriend.com, retaining all of my posts, followers etc.

Another benefit, or perhaps not as we'll see later, of Mastodon is that anyone can create an instance. These usually cost about $5/m to run if they have low usage, but the infrastructure can scale (or if you're clever, may not cost the earth) and are exactly as one might imagine - a private social network.

Within minutes, anyone and perhaps everyone can become Overlord of their own social network - making it as open or closed as they like to the "Fediverse". Perfect for families or entire communities. Sounds perfect. Down with Facebook, Twitter and all the rest. What is it the communists say? Our social network.

There is just one problem with this utopia. Whilst decentralisation of social networking allows communities more control over the rules and infrastructure, it also allows the very worst of society to throw up an instance and perpetrate crimes and abuse. In this particular instance, I'm talking about paedophiles - or as they like to be known, MAPs.

MAP (Minor Attracted Person), if you are not aware, is a sneaky way of trying to minimise and integrate paedophilia with the LGB+ community by implying it is normal and somehow just a sexual preference. I don't claim to speak for the LGB+ community, being a straight person, but I very much doubt they want to be associated with any of that complete bollocks.

In any event, the recent rise in popularity for Mastodon meant I decided to have a snoop around and check out the instances available. I'd already looked into Mastodon in 2019 and signed up to the technology server but this seemed like a good opportunity to have another look at it.

I was having a good poke around and noticed that mastodon.technology had blocked a few paedophile instances from interacting with it. This is where content moderation does work well with Mastodon, as moderators can ban/block other instances completely; but that only works to an extent, as the instances are still listed on public fediverse indexes and so can still be found, joined and shared.

Blocking/banning only means the blocked instance can't interact with the instance that blocked it - much like blocking a particular user.

The very last URL is one of the blocked paedophile instances on mastodon.technology's list; but there were more. One does have to wonder whether listing the domains so publicly is a good idea too.

Having seen the block list, which I'm not sharing in full, I wondered whether it was possible to search an index of the fediverse, and it was, using Fediverse.to. According to Fediverse.to, there are 7,558 instances available covering a variety of subjects - tech, art, books, activism, music, sport and, unfortunately, when looking through the inevitable adult section, paedophilia too.

Take the below screengrab for example:

The very first returned result on the adult section was a paedophile instance which, by the description, also seems to have an activist element to it. Obviously, I did not investigate further; but we can see that they have tagged the instance as LGBT, which should outrage the many decent folk in those communities.

Perhaps even more of a problem is the 832 users and 227,000+ posts. This instance no doubt hosts very serious child porn content (although again, I can't verify that as there is no way in hell I am looking). To give the Dark Web some credit, this kind of content is forbidden on any site or index and there are many, many honey traps set up to dox paedophiles - information you can find with a quick search as it's a real sport for some people.

This begs the question, why are Mastodon indexes allowing these instances? It's not just one rogue instance either. Check out these:

We have a "freak university" which encourages children to join despite being clearly marked as an adult channel, and a paedophile support club. The former has nearly 500 users with 118k posts, so is clearly an active community. The latter is quite sadistic given it claims they are committed to "never harming a child" and are "fundamentally against adult-child sex". If that were the case, why would one even need to identify as "Minor Attracted People", as one would be able to form a relationship with an adult? The gaslighting begins in the description for the instance... perhaps they've taken a leaf out of NAMBLA's book?

These are issues which the Mastodon community must get to grips with fast; not only for its own credibility and continued growth but because western politicians are intent on passing legislation to limit online harm, and these kinds of failures will lead to more harsh legislation. Activists have already pushed for "Zach's Law", which criminalises sending flashing images - that's right, you can be sent to prison for sending flashy gifs.

As an epileptic myself, I was bemused by the legislation and I fail to see how it could be policed effectively; but in addition to that, I regularly see people posting videos and images of nights out. How would they know if such content would cause a seizure? Could Zach's Law be used to maliciously prosecute?

This is just one example of a dumb piece of legislation passed by politicians who likely didn't know better. Imagine how much worse it will be if they have the pressure of child abuse victims, their parents and families and the media screaming that the Fediverse allowed child sex, grooming and so on...

Very unfortunately, Stephen Fry has quit Twitter and jumped on the Mastodon bandwagon; his profile is here. I think this was perhaps a knee-jerk reaction to the changes being made at Twitter, made without fully thinking through the possible brand damage which might come as a result of issues like the one presented here.

There's time to rescue the situation though, if the Mastodon community steps up and makes it clear that indexes should not list these sorts of instances.
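As a sketch of what index-side delisting could look like (an added example, not code from Mastodon or Fediverse.to): the block entries below follow the shape Mastodon servers publish at `/api/v1/instance/domain_blocks` (`domain`, `digest`, `severity`, `comment`), where `digest` is the SHA-256 of the blocked domain and survives even when an admin obfuscates the displayed name. The trusted instances, the listing, the quorum rule and the parent-domain matching are assumptions made for illustration, and all data is constructed.

```python
import hashlib
from collections import Counter

def domain_digest(domain: str) -> str:
    """SHA-256 hex digest of the normalised domain, comparable to the 'digest' field."""
    return hashlib.sha256(domain.strip().lower().rstrip(".").encode("utf-8")).hexdigest()

def candidates(domain: str) -> list:
    """The domain plus each parent domain (design choice: a block covers subdomains)."""
    labels = domain.strip().lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]

def suspended_digests(published_blocks: dict, quorum: int) -> set:
    """Digests that at least `quorum` distinct trusted instances block with 'suspend'."""
    votes = Counter()
    for blocks in published_blocks.values():
        # One vote per source, even if it lists the same domain twice.
        votes.update({b["digest"] for b in blocks if b.get("severity") == "suspend"})
    return {digest for digest, n in votes.items() if n >= quorum}

def filter_index(listing: list, published_blocks: dict, quorum: int = 2):
    """Split an index listing into (kept, delisted) domains."""
    blocked = suspended_digests(published_blocks, quorum)
    kept, delisted = [], []
    for entry in listing:
        hit = any(domain_digest(c) in blocked for c in candidates(entry["domain"]))
        (delisted if hit else kept).append(entry["domain"])
    return kept, delisted

# Constructed sample data: hypothetical trusted instances and listed domains.
def make_block(domain, severity, obfuscate=False):
    shown = domain[:2] + "*" * (len(domain) - 2) if obfuscate else domain
    return {"domain": shown, "digest": domain_digest(domain),
            "severity": severity, "comment": ""}

PUBLISHED = {
    "social.one.example": [make_block("abuse.example", "suspend", obfuscate=True),
                           make_block("noisy.example", "silence")],
    "social.two.example": [make_block("abuse.example", "suspend"),
                           make_block("spam.example", "suspend")],
    "social.three.example": [make_block("noisy.example", "suspend")],
}
LISTING = [{"domain": d} for d in
           ("art.example", "Media.Abuse.example", "spam.example", "noisy.example")]

if __name__ == "__main__":
    print(filter_index(LISTING, PUBLISHED, quorum=2))
```

Requiring agreement between several independent moderators before delisting keeps one instance's grudge block from removing a legitimate server, while matching on the digest means the index never has to republish the blocked domains in clear text.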

Read this post and wondering what you can do?

  1. Get in touch with Mastodon and link them to this post.
  2. Contact the admins of Fediverse.
  3. Share this post with anyone joining Mastodon / parents who monitor their child's online activity.
  4. Share this post with any MPs who keep voting for needless online harms legislation.

If you're still on Twitter, give me a follow at @closebracket - you may find the lists I'm creating useful as I've been listing academics from various sectors including InfoSec and Law. I originally published this article here.