Staying Safe on Mastodon and the Fediverse

Do I need to use my real name or real photo?


You don’t need to reveal any kind of personal information about yourself on the Fediverse. Use any name you want, and any picture (or no picture at all).

The only information you need to give when signing up on a Fediverse server is an email address, and you can use an email alias if you want to keep it secret. The only other data a Fedi server might see is your computer’s or phone’s IP address, but this is hidden if you’re using a VPN or Tor.

Revealing personal information on the internet is a bad idea in general, as it makes unwanted tracking and identity theft much more likely.

How do I report a post? How do I report a person?

On Mastodon, you can report a rule-breaking post by clicking … on the post and selecting Report.

Alternatively, you can go to a person’s profile and click the ︙ or … button and select Report.

Reporting forms include the option to also send an anonymous report to the server of the account that wrote the post. This option can be important, because only a user’s home server has the power to suspend or delete their account. Other servers can block accounts, but in the worst cases it may be better that a nasty account is deleted at source.

Reporting anti-social accounts is a good idea as it’s the main way server administrators find out about nasty behaviour. Once admins are made aware of a problem, they can take action using special blocking tools that are not available to ordinary users.

How do I contact the person who runs my server? How do I find out what the rules are on my server?

If you have any problems with the server which can’t be addressed through the reporting system, you can email the administrator (or “admin”) of your server directly.

On Mastodon, you can find the public email address of your server admin on the server’s About page. This page also lists all the server’s rules.

To see your server’s About page, go to your server’s website. If you’re logged in, click on the About this server link and if you’re not logged in click on the Learn more… link. The email address will be listed in the top half of the page, just above the list of rules. It is worth reading the rule list as it varies from server to server, and it is usually written in plain language that is easy to understand.

Blocking and muting on the Fediverse

It is totally fine to block or mute people on the Fediverse. It is not considered rude or unusual to do so.

On Mastodon, you can block or mute someone by clicking … below their post or by going to their profile and clicking the ︙ button and selecting Mute, Block or Block domain.

  • Mutes are the softest option. When you mute someone you will no longer see their posts and you won’t see posts that mention them. You can also optionally mute notifications from them. People who are muted will not know they are muted, and they will still be able to follow you, see your posts and interact with them.
  • Blocks are the harder option. When you block someone, it does everything a mute does but also prevents them following you and hides your posts from them while they are logged in.
  • Domain blocks are the most extreme option, and they will block not only that account but all accounts using the same server. You probably don’t need to do this. The only times this is advisable are if a server is full of nasty people and the server administrator is refusing to do anything about it, or if the server is actually owned by the person you want to block.

Really important: If you are posting public posts they will still be visible to the blocked person when they log out, because public posts are visible to everyone on the internet. To restrict the audience for a post, use a followers-only visibility (see below for details on how to do this).

You can view lists of all of your blocks and mutes by going to your profile page, clicking ︙ and selecting Muted Users, Blocked Users or Blocked Domains. Clicking the icon next to a name on a list removes restrictions.

Restricting who can see your posts

On Mastodon, there are four options for post visibility; a separate complete guide covers them in detail.

You can set the visibility of each post by clicking on the visibility symbol at the bottom. This will usually be a globe 🌐, an open padlock, a locked padlock 🔒 or an @ symbol along with text to describe which is which.

You can set which visibility is your default by logging in on the website and going to Preferences > Other > Posting Privacy, then choosing the default you want and clicking Save changes. This is only a default; you can still override it for individual posts by clicking the visibility icon.

You cannot currently change the visibility of a post after you’ve published it, so make sure you choose the correct visibility before posting.

If you @ someone in a DM, they will be able to see it

The equivalent of DMs on Mastodon is called “Mentioned” and has an @ symbol. This mode means that the only people who can see a post are those mentioned within it. To send a DM you just put it into Mentioned mode and mention the person you’re sending it to.

This is simple to use, but it also means you have to be really careful which accounts you mention in a “Mentioned” post. If you @ someone in a post, they will see that post (though they will not see any posts in the thread where they are not mentioned).

Restricting who can follow you

On Mastodon, you can use a follow request system to restrict who can follow you. When it’s switched on, no one can follow you unless you manually approve their request.

To restrict who can follow you, log in through the website and go to Edit profile > Require follow requests, tick the box and click Save changes.

Note that if you are screening followers, don’t screen people out just because they have blank profile pictures, as many blind users don’t have profile pictures and they are not spammers or bots. The best way to screen potential followers is just to look at their profile and see what they have posted.

How to hide your follows and followers

On Mastodon, you can keep your lists of follows and followers hidden on your profile if you want to. Log in through the website, go to Edit profile > Hide your social graph, tick the box and click Save changes.

You will still be able to see your follows and follower lists when you look at your profile while logged in, but other people will just see a message telling them the data isn’t available.

Hiding posts from search engines

If you use a public setting on a post, it will be visible to everyone, even people who aren’t Fediverse members. This means the post may be indexed by search engines.

The safest way to prevent a post ending up on a search engine’s index is to use a non-public visibility setting as described above. Followers-only and direct/mentioned settings cannot be seen by search engines, so they will not be indexed.

Mastodon has an additional option to request that search engines don’t index your public posts: go to Preferences > Other > Opt out of search engine indexing, tick the box and click Save changes. However, it’s up to a search engine if it wants to honour this request, and if you want a post to remain off search engines it’s safer to use a non-public setting.

Using Content Warnings (CWs)

Content Warnings (CWs) are optional Fediverse features which hide the content of a post behind a warning message. The post can be revealed by clicking on the warning.

Content warnings are for any kind of content where the person reading may not want to read it right that minute, but they may want to read later. It could be something serious like upsetting news, or less serious like film spoilers. There’s also a very strong Fediverse tradition that those who are able to should use CWs when talking about emotive topics such as politics or religion. It is also often used for potentially “not safe for work” content such as gore or nudity.

You can add a content warning while writing a post by clicking on “CW” or “warning” or ⚠️ or other similar icons at the bottom of the editing window. Remember to write a warning that gives people a clear idea of what to expect within the post itself, without them having to actually open it. Try to very briefly say why they might not want to open it right that minute.

On Mastodon, you can make all the CWs in a thread open or close at once by clicking the eye icon in the top right corner of the thread.

If you don’t want to see any CWs at all, you can make Mastodon open all CW posts by default by going to Preferences > Always expand posts marked with content warnings, tick the box and click Save changes.

No one is forced to use CWs, but it is considered polite and considerate to do so. Imagine going into a restaurant and shouting loudly at others about your political opinions: you could do it, but others may not appreciate it. In extreme cases you might be asked to leave.

CWs are also an accessibility feature, as they allow people who have traumas triggered by certain topics to read potentially triggering posts when they are mentally prepared to do so. It’s important to emphasise the point that CWs are not about avoiding topics, it’s exactly the opposite: CWs make triggering posts accessible to people who would otherwise have to avoid them, in the same way that text descriptions make images accessible to blind people. They widen your post’s audience.

Having said that, it is a bad idea to call people out for not using CWs! Some people will have legitimate reasons for not using CWs, for example someone who is currently going through a serious personal trauma, or perhaps is being persecuted or under threat of violence. It is not appropriate to demand CWs from someone who is going through something really horrific in their real world life. They may have much bigger things to worry about than social media, and we should help them deal with these bigger things however we can.

Even if someone should be using CWs, having public arguments about rules is not necessarily the best way to get someone to obey them, especially if they’re new to the Fediverse.

If there’s a post you think should be CWed and there’s no obvious reason why it isn’t, check the rules on your server and then ask your server admin for advice on what to do. They set the rules, and they are ultimately the ones that decide what is allowed on there.

In short, CWs are a balancing act, and require a lot of social skill (that’s why this section is so long!). The existence of CWs brings the Fediverse a tiny bit closer to the complexities of everyday life in the real world, where reading the room is essential to getting on with people. No one is going to get this right all the time, but simply being aware of CWs as an option and using them when you feel appropriate and able will make the Fediverse a much more accessible and pleasant place to be.

Filtering your timeline

On Mastodon, you can set your timeline to automatically hide posts featuring certain words or phrases. You can choose to hide them completely, or hide them behind a warning that you can open manually.

This isn’t just about offensive posts; you can filter for any reason at all. Some people use filters to hide Wordle posts, for example.

To add a filter, log in through the website and go to Preferences > Filters, click Add new filter, choose the settings you want and then click Save new filter.

You can make filters temporary or permanent, and edit or delete them at any time.

How to prevent your account being suggested to others

On Mastodon, there’s a feature that automatically suggests accounts to follow when people first join a server, and when they click on the For You tab in Explore or Search. It is based on how many people on that server follow the account and boost its posts, and server admins can optionally add suggestions manually.

If you don’t want your account suggested to others, log in through the website and go to Edit Profile > Suggest account to others, make sure the box is unticked and click Save changes. If you want your account suggested, tick the box and save instead.

Verification works very differently on the Fediverse

You might see some people on the Fedi using a Twitter-style “verified” symbol next to their names. This symbol means absolutely nothing on the Fediverse, because the Fedi does not use that kind of verification system. People with such a symbol could be absolutely anyone; they’ve just added a custom emoji to their profile.

Most people who use a “verified” symbol on the Fediverse just do so as a joke, or as a comment on celebrity culture. Some people even have an “unverified” symbol with an X instead of a tick. Whatever their reasons, it’s important you know that the Twitter verified symbol does not mean verified on the Fedi.

There is a verification system on the Fediverse, but it works completely differently, and relies on people having a well-known website which links back to their Fedi account. On Mastodon, a website verified as belonging to the account turns green on their profile.
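A sketch of how such a link-back check can work, added here as an illustration (it is not part of the original guide and is not Mastodon's own code). It assumes the `rel="me"` link convention that Mastodon uses for verification; the function names, the `social.example` profile and the sample pages are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


def normalise(url):
    """Lower-case scheme and host and drop a trailing slash so equivalent URLs compare equal."""
    parts = urlsplit(url.strip())
    return (parts.scheme.lower(), (parts.hostname or "").lower(), parts.path.rstrip("/"))


class RelMeCollector(HTMLParser):
    """Collects the href of every <a> or <link> whose rel attribute contains the token 'me'."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "link"):
            return
        attr = dict(attrs)
        rel_tokens = (attr.get("rel") or "").lower().split()
        if "me" in rel_tokens and attr.get("href"):
            self.hrefs.append(attr["href"])


def links_back(page_html, profile_url):
    """True only if the page carries a rel="me" link to exactly this profile, over HTTPS."""
    want = normalise(profile_url)
    if want[0] != "https":
        return False
    collector = RelMeCollector()
    collector.feed(page_html)
    return any(normalise(href) == want for href in collector.hrefs)


# Constructed sample pages (not real sites).
GENUINE = '<html><body><a rel="me noopener" href="https://social.example/@alice">Mastodon</a></body></html>'
# Links to the profile without rel="me", as a link dropped into a comment section would.
PLAIN_LINK = '<html><body><a href="https://social.example/@alice">fan link</a></body></html>'
# rel="me" is present but points at a look-alike account name.
LOOKALIKE = '<html><head><link rel="me" href="https://social.example/@a1ice"></head></html>'

if __name__ == "__main__":
    for name, page in (("genuine", GENUINE), ("plain link", PLAIN_LINK), ("look-alike", LOOKALIKE)):
        print(name, links_back(page, "https://social.example/@alice"))
```

Requiring the `rel="me"` marker and an exact profile match is what makes the check meaningful: an ordinary link to the profile on a site, or a marked link to a similarly named account, does not count as the site owner vouching for the account.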

Is Mastodon end-to-end encrypted?

No. Mastodon isn’t E2EE yet.

If you need to send sensitive information, use an E2EE messaging system instead.

In theory, the owner of your server could read your DMs in the server’s database, and you’ll often hear people say “The admin can read your DMs”. This is not quite the whole story. An admin would need a certain level of technical skill, as there is no way to view DMs in Mastodon’s admin interface. The server owner would have to look directly at the database itself to read a DM, and ignore Mastodon’s interface completely.

“Authorized Fetch”

This is a bit technical, but there’s a little-known feature on Mastodon called “Authorized Fetch”, aka “Secure Mode”. By default it is switched off as it uses more resources and can cause compatibility problems with servers running older software.

However, if it is switched on it makes user blocks more effective, as it makes it harder for blocked people on other servers to interact with public posts from people who blocked them. (It only really helps with public posts; private posts are already protected against trolls.)

It can only be activated by your server’s administrator. It might be worth asking them if they have Authorized Fetch switched on in order to better protect their users. There’s a technical description of Authorized Fetch here which they might find useful.

Authorized Fetch cannot be switched on from the graphical interface; it requires manually editing a certain file on the server. If a server is on a managed hosting service, the server admin can ask the managed hosting company to switch it on for them.

Creating an isolated server

Servers on the Fediverse don’t have to communicate with each other. They can be run as totally isolated silos if the owner wants, and some people do this to get an extra layer of user safety.

If you want to do this with Mastodon, there’s a web page with instructions and tips here and there’s a technical description of “Limited Federation Mode” in the official documentation.
