Evening Standard
Mary-Ann Russon

Mastodon: Twitter rival used to host child sexual abuse content, study finds

Twitter / X rival social media platform Mastodon is now being used by some users to trade child sexual abuse materials (CSAM), seemingly unnoticed and unpoliced, a new study by Stanford University in the US has found.

This comes following the news on Sunday that Twitter would be rebranding as X and losing its familiar blue Larry the bird logo, which saw more users threaten to delete their accounts.

Researchers from Stanford University’s Internet Observatory analysed 325,000 Mastodon posts over two days and found 112 specific videos or images of CSAM content that directly matched content flagged by international databases like the Internet Watch Foundation (IWF), which routinely locate, identify and remove this type of criminal data from the internet.

They also discovered almost 2,000 posts that include the 20 hashtags most commonly used to indicate the exchange of CSAM content. The accounts were offering to provide criminal content in exchange for money, using gaming instant messenger Discord or Japanese content-creator subscription service Fanbox.

Mastodon is a decentralised, open-source social network founded by German software developer Eugen Rochko in 2016. It currently has 2.1 million active users, according to the latest data provided by Mr Rochko on Sunday.

While it looks similar to Twitter, Mastodon is not owned or hosted by any one company or organisation. Instead, it is made up of at least 25,000 different servers, which each host their own instance of the platform and have vastly different web addresses, pertaining to topics of interest. This concept is sometimes known as “the Fediverse”.

When controversial tech entrepreneur Elon Musk acquired Twitter in late November, droves of Twitter users announced that they would be leaving the platform for Mastodon.

However, many people who made Mastodon accounts did not delete their Twitter accounts, and others have since returned to the social network, despite overwhelming complaints online about the direction in which Mr Musk has taken the platform.

Mr Rochko told The Standard that his non-profit makes the free and open-source software that powers Mastodon, but that it is not affiliated with or in control of any of the servers in it, except the flagship mastodon.social, which it operates, and mastodon.online.

“Each server operator is responsible for its operation, its moderation policies, and the content posted on that server,” said Mr Rochko.

“Authorities and governments would interact with these servers as they would with any traditional independent website — there’s a domain name, there’s a hosting provider, and so on.”

He added that Stanford’s study focused on newly posted content and did not measure whether content was being removed after being reported.

Child abuse content easily searchable

Mastodon, which was founded in 2016, now has close to 2.1 million active users a month (Rolf van Root / Unsplash)

Stanford’s researchers found that users were not even sharing the CSAM content discreetly, but on one of Mastodon’s most popular servers, with the content remaining online for hours and days, in which time they gained dozens of followers.

And even when the accounts were detected and removed, the servers themselves were not notified to take the offending content offline.

In posts widely visible on Mastodon, users were invited to negotiate sales by sending private messages on external encrypted messaging services like Telegram.

Some of the sellers appeared to be underage individuals open to dealing with adults and the researchers noticed conversations through Mastodon posts that indicated grooming was likely occurring in private chats.

“Federated and decentralised social media may help foster a more democratic environment where people’s online social interactions are not subject to an individual company’s market pressures or the whims of individual billionaires, [but] for this environment to prosper, however, it will need to solve safety issues at scale, with more efficient tooling than simply reporting, manual moderation and defederation,” wrote David Thiel and Renée DiResta of Stanford Internet Observatory.

Who is responsible when things go wrong?

Elon Musk, who acquired Twitter in November, has been accused of not doing enough to moderate the social network, such as preventing misinformation and fraud (AFP via Getty Images)

The issue is that if no-one controls Mastodon and everyone is trusted to do their own thing and run their own server, it becomes harder to police illegal activities and assign enforceable responsibility to protect users and victims.

It brings into question how viable it is to have large services online which aren’t run by huge conglomerates, who can at least be fined or otherwise penalised by either international lawmakers, local authorities, or courts acting on behalf of victims in civil lawsuits.

According to Christopher Whitehouse, senior associate at international law firm RPC, Mastodon presents a difficult problem because, unlike cryptocurrencies, there are fewer “centralised” points where authorities can say that a distinct individual is responsible, such as the owner of the cryptocurrency exchange where people are making financial transactions.

“You would need to identify who operates the server [that the illegal content was found on] and bring a lawsuit against them,” Mr Whitehouse told The Standard.

He says that England and Wales have “one of the best legal systems in the world” if you want to attain information from a third party so that you can try to identify a specific individual that you could, in theory, sue, but you would still need to have jurisdiction over the server or proof that someone specific has been harmed in the UK, in order to be able to bring a civil case.

The responsibility to moderate and prevent illegal content from being shared therefore lies with the community running each individual Mastodon server — for instance, Mr Whitehouse says the largest server, mastodon.social, does have a policy prohibiting the sharing of CSAM material.

Stanford’s researchers recommend that the people hosting Mastodon servers invest in free open-source software that scans content on the platform for CSAM material and other illegal content, as well as automatic moderation tools that can detect suspected criminal content using artificial intelligence (AI).

“Decentralised platforms have relied heavily on giving tools to end-users to control their own experience, to some degree using democratisation to justify limited investment in scalable proactive trust and safety,” added Mr Thiel and Ms DiResta.

“Counterintuitively, to enable the scaling of the Fediverse as a whole, some centralised components will be required, particularly in the area of child safety.”

Mastodon’s Mr Rochko agrees with some of the suggestions made by the Stanford researchers.

“The study makes some good suggestions for extending Mastodon’s moderation tooling, something we are actively working on. Sadly, this problem is rampant across the entire web, and is far from straight-forward to solve — similar reports have been made about Twitter and Instagram,” he said.

“Most of the problematic content found in the research is contained on specific servers most commonly blocked by the rest of the network. Someone on a well-moderated server, such as the ones we actively promote through our onboarding would have no association with it.”
