
> "Impossible to leave" is not a matter of closed or open, but it's a matter of social networks in general. You could make Facebook free software and its problems wouldn't disappear.

Not true. If you have interoperability between different networks, you can leave. This is how ActivityPub (e.g. Mastodon, PeerTube, PixelFed) works.

> Not to mention that, again, 99% of people will get vendor-locked because in the end nobody wants to run their own instance of a federated social network.

You just switch to any other instance, because Mastodon doesn't prevent you from doing that.

> The main problem with privacy and computer control is a collective one that must be solved through laws. Thinking that individual action and free software will solve it is completely utopic.

We need both. You cannot force Facebook to allow interoperability when there is no other social network.




> If you have interoperability between different networks, you can leave

If all your friends are in a Mastodon instance and you think that instance is scanning your messages, you'll find it hard to leave because leaving the instance for another that doesn't share messages with that one means stopping communication with your friends.

> You just switch to any other instance, because Mastodon doesn't prevent you from doing that.

Controlled by another third party. Not to mention that, with enough users, there will be feature divergence so "switching" won't be that easy.

Want a real world example? See email. Open protocol with multiple client-server implementations. However, most people use one of the major providers (Google, Microsoft...), there are incompatibilities between clients and even if you "can switch", it's not that easy nor gets done often. Yes, you can switch to ProtonMail or something more secure if you want, but that won't solve the problems of the 99% of people that will use general providers and won't even know they can't switch.

> We need both. You cannot force Facebook to allow interoperability when there is no other social network.

Right now you could force Facebook to be interoperable and be open source and still 99% of the people would be on the original Facebook instance. Again, it's not a technical issue.


> Controlled by another third party.

Everything is controlled by a third party except self-hosting. Mastodon allows that too. Closed networks don't.

> Yes, you can switch to ProtonMail or something more secure if you want

So you answered your own question.

> but that won't solve the problems of the 99% of people that will use general providers and won't even know they can't switch.

My point is that they are able to switch due to the openness of the platform.

> Right now you could force Facebook to be interoperable and be open source and still 99% of the people would be on the original Facebook instance. Again, it's not a technical issue.

Yes. It's not just a technical problem. But there is a technical side in it. Millions will immediately switch given a possibility. What happens next, who knows.


> My point is that they are able to switch due to the openness of the platform.

And my point is that most won't, and the ones that do will still go to another platform that's controlled by another third party and they'll still need to trust that the platform is not doing things they don't like.

> Millions will immediately switch given a possibility.

Switch to where? To another company that could do weird things out of the eyes of the users? Do you think all of those millions are going to run their self-hosted Facebook?

My point is that privacy and security is not something that will be solved by federation or open source. For open source and federation to be useful in that regard, you need most people to actively research and check that the tools that they use are private and secure. If they don't, they're just trusting someone the same way they trust Facebook now. And most people (that includes most people here on HN) don't have both the time and knowledge to do those checks.

In other words, this is a collective issue. Trying to solve collective issues by individual choices is not the best path.


> My point is that privacy and security is not something that will be solved by federation or open source.

I disagree. Here's why:

> For open source and federation to be useful in that regard, you need most people to actively research and check that the tools that they use are private and secure.

This is the key point. You do not need most people. You need some people. And you can always find some people who verify everything and self-host for you. This is how Signal and Matrix appeared and became (relatively) famous.


> This is how Signal and Matrix appeared and became (relatively) famous.

And what happens when another app comes and says that "it's secure" and people start using it instead of Signal or Matrix? What happens if Signal starts requiring some payments (running servers is not free) and people move to other apps? Maybe those other apps are open source and federated, but the federation protocol is found later to have a backdoor, or some instances run data mining on the messages, or something like that. Who will be faster, the users flocking to those apps or the few number of verifiers getting to work and detecting those issues?

If you want most apps to be like Signal or Matrix, the solution is easy: push for legislation and certifications that ensure that, no matter the app, a certain level of security and privacy is enforced. It's not perfect, but it's far better than just relying on trusting that some people invest a lot of time on that research.


> And what happens when another app comes and says that "it's secure" and people start using it instead of Signal or Matrix?

First, early adopters come and verify it. They bring their friends. If it's really secure and they find no serious bugs, more people join. Then, a bridge is created between the services.

> What happens if Signal starts requiring some payments (running servers is not free) and people move to other apps?

This is a problem with a non-federated protocol actively fighting against third-party apps and servers. It will definitely happen with Signal in this way, which is why I'm not using it and not recommending it.

> Maybe those other apps are open source and federated, but the federation protocol is found later to have a backdoor, or some instances run data mining on the messages, or something like that.

Such a backdoor will be quick and easy to fix, and to verify that it's fixed. Unlike with Apple's Pegasus. No system is ever 100% secure.

> Who will be faster, the users flocking to those apps or the few number of verifiers getting to work and detecting those issues?

Users are typically very slow to move. See WhatsApp & Facebook. But what's your point?

> If you want most apps to be like Signal or Matrix, the solution is easy: push for legislation and certifications that ensure that, no matter the app, a certain level of security and privacy is enforced.

This is definitely an important thing to do, but it's not enough. There is such legislation already in Europe: GDPR. Unfortunately it cannot dramatically change the industry quickly, because of the monopolies and network effects.


> First, early adopters come and verify it. They bring their friends. If it's really secure and they find no serious bugs, more people join. Then, a bridge is created between the services.

That's quite the optimistic path. What if the app starts being used by teenagers, for example? Or by people with less technical abilities?

> This is a problem with a non-federated protocol actively fighting against third-party apps and servers.

Federated services still need to pay for their servers.

> Such a backdoor will be quick and easy to fix

Again, pretty optimistic on that.

> and to verify that it's fixed. Unlike with Apple's Pegasus. No system is ever 100% secure.

Pegasus was external malware. What makes you think a Pegasus for federated servers or open source phones can't exist?

> Users are typically very slow to move. See WhatsApp & Facebook. But what's your point?

Security research takes time, probably more time than users need to move from apps.

> There is such legislation already in Europe: GDPR.

And GDPR has accomplished way more in way less time than technical solutions. I wonder why.

> Unfortunately it cannot dramatically change the industry quickly, because of the monopolies and network effects.

Don't those monopolies and network effects affect the technical solutions you propose too?

My point is that of course you need good technical solutions, but just those by themselves are useless, because most people don't have the time and knowledge to reliably distinguish which ones are good and which ones are bad (and "good" and "bad" are relative too), and other differential features (price, capabilities, ease of use) that are easier to notice will weigh more on their decisions.

This is not a problem unique to tech and privacy. Food security, climate, building safety... almost everything you buy has had the similar issue of how to have "things done right" where deciding whether it's done right or not is hard for most people. Almost everything has been solved (or almost solved) with regulation, and just "better products" haven't been enough.


What does switching to ProtonMail help me when all my contacts are on Gmail?


It at least prevents Google from becoming 100% monopoly. It also allows you to interact with other ProtonMail users who value privacy.



