FOSTA/SESTA changes nothing

FOSTA – the Allow States and Victims to Fight Online Sex Trafficking Act of 2017 – and SESTA – the Stop Enabling Sex Traffickers Act of 2017 – are some likely unconstitutional, certainly unnecessary jackassery. While I agree with the EFF that this is terrible law, I don’t think it’s the end of the world.

FOSTA says:

(Sec. 2) This bill expresses the sense of Congress that section 230 of the Communications Act of 1934 was not intended to provide legal protection to websites that unlawfully promote and facilitate prostitution and websites that facilitate traffickers in advertising the sale of unlawful sex acts with sex trafficking victims. Section 230 limits the legal liability of interactive computer service providers or users for content they publish that was created by others.

By no plausible interpretation is Free Radical a website meant to “unlawfully promote and facilitate prostitution” or “facilitate traffickers in advertising the sale of unlawful sex acts with sex trafficking victims”. I’ve never seen such a post in the fediverse, let alone one that originates on Free Radical, and it’s certainly not meant for that purpose any more than is any other general public forum.

(Sec. 3) The bill amends the federal criminal code to add a new section that imposes penalties—a fine, a prison term of up to 10 years, or both—on a person who, using a facility or means of interstate or foreign commerce, owns, manages, or operates an interactive computer service (or attempts or conspires to do so) to promote or facilitate the prostitution of another person.

Same as above. I have never and would never own, manage, or operate a website to promote or facilitate the prostitution of another person. Regardless of whether prostitution should be illegal in the first place, it’s not something I’m going to directly participate in.

(Sec. 4) The bill amends the Communications Act of 1934 to declare that section 230 does not limit: (1) a federal civil claim for conduct that constitutes sex trafficking, (2) a federal criminal charge for conduct that constitutes sex trafficking, or (3) a state criminal charge for conduct that promotes or facilitates prostitution in violation of this bill.

Again, I’m not going to be promoting or facilitating prostitution. Note that this is different from carrying traffic that may incidentally facilitate illegal activities. For example, I guarantee that people use Gmail to do illegal things. That’s not what it’s designed or advertised for, though.

(Sec. 5) The bill amends the federal criminal code to define a phrase related to the prohibition on sex trafficking. Currently, it is a crime to knowingly benefit from participation in a venture that engages in sex trafficking. This bill defines “participation in a venture” to mean knowingly assisting, supporting, or facilitating a sex trafficking violation.

Key word: knowingly. I won’t be knowingly doing any of that stuff. I explicitly don’t read, monitor, analyze, or moderate all traffic flowing through the system. I don’t pretend to. I specifically don’t want to.

I side with the EFF that this is a bad idea and I oppose it. That said, I can’t imagine a plausible scenario where FOSTA/SESTA affects me – an American admin using American hosting resources – in any way. And if some dipshit prosecutor sees it otherwise, I’ll fight it. As an EFF member and friend to many a lawyer, I’m not going anywhere any time soon. These ridiculous bills won’t scare me away.

edit: Upon the excellent suggestion of a friend, I’ve added:

No solicitation of prostitution

to Free Radical’s Code of Conduct.

How we back up

I woke up to the terrible news that our good friends on another instance had lost their database during a software upgrade. Godspeed and good luck in bringing it back online. We’re pulling for you!

The Free Radical site backs itself up hourly to a private S3 bucket, and keeps a month’s worth of these snapshots. It’s configured to upload all media files to S3 and serve them from there. In the event of a complete server failure, I could – assuming all goes well – re-deploy the software on a new server and restore from backup without losing more than just users and posts created since the last hour’s backup.

Upgraded to v2.3.0

Free Radical is now on Mastodon v2.3.0.

Admin tip: if you’ve set UID and/or GID in your .env.production, be sure to update Dockerfile with ARG UID=... and ARG GID=.... If you don’t, you’re going to get lots of permission errors in the docker-compose run --rm web rails assets:precompile part of the upgrade process. Don’t be me.
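
A pre-upgrade check for the mismatch described in the tip above, as an added example that is not part of the original post or the Mastodon project. It compares numeric UID/GID values in .env.production with the ARG UID/ARG GID defaults in the Dockerfile; the function names and the sample values are made up for illustration.

```shell
#!/bin/sh
# Added example: compare UID/GID in .env.production with the Dockerfile's
# ARG defaults before running the upgrade. Function names are hypothetical.

# Print the numeric value of KEY=<n> from an env file (last one wins).
env_value() {  # env_value KEY FILE
    sed -n "s/^[[:space:]]*$1=\([0-9][0-9]*\).*/\1/p" "$2" | tail -n 1
}

# Print the numeric default of "ARG KEY=<n>" from a Dockerfile.
arg_default() {  # arg_default KEY FILE
    sed -n "s/^[[:space:]]*ARG[[:space:]][[:space:]]*$1=\([0-9][0-9]*\).*/\1/p" "$2" | tail -n 1
}

# Return 0 if every id set in the env file matches the Dockerfile, else 1.
# Ids that the env file does not set are skipped.
check_ids() {  # check_ids ENV_FILE DOCKERFILE
    bad=0
    for key in UID GID; do
        want=$(env_value "$key" "$1")
        [ -n "$want" ] || continue
        have=$(arg_default "$key" "$2")
        if [ "$want" != "$have" ]; then
            echo "MISMATCH $key: env file=$want Dockerfile=${have:-unset}"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample files (not from the page) showing the failure case.
demo() {
    dir=$(mktemp -d)
    printf 'UID=1001\nGID=1001\n' > "$dir/.env.production"
    printf 'FROM example-base\nARG UID=1000\nARG GID=1000\n' > "$dir/Dockerfile"
    if check_ids "$dir/.env.production" "$dir/Dockerfile"; then rc=0; else rc=1; fi
    rm -rf "$dir"
    return "$rc"
}

# With two arguments, check real files; otherwise run the constructed demo.
if [ "$#" -eq 2 ]; then check_ids "$1" "$2"; else demo || true; fi
```

Run it as `sh check_ids.sh .env.production Dockerfile` from the Mastodon checkout; a non-zero exit means the build would use different ids from the ones the environment file expects.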

That’s what I log about you

I deliberately log as little as possible about my users. My nginx logrotate config is configured to store one week’s worth of access and error logs:

/var/log/nginx/*.log {
    # keep seven rotated copies of each log
    rotate 7
    # (remaining directives not shown)
}

As of this moment, that looks like:

-rw-r-----  1 www-data adm     443615 Jan  5 08:29
-rw-r-----  1 www-data adm    5405613 Jan  5 06:25
-rw-r-----  1 www-data adm     395094 Jan  4 06:24
-rw-r-----  1 www-data adm     407455 Jan  3 06:24
-rw-r-----  1 www-data adm     375444 Jan  2 06:24
-rw-r-----  1 www-data adm     474143 Jan  1 06:24
-rw-r-----  1 www-data adm     344550 Dec 31 06:25
-rw-r-----  1 www-data adm     452215 Dec 30 06:25
-rw-r-----  1 www-data adm          0 Jan  5 06:25
-rw-r-----  1 www-data adm       1461 Jan  4 23:10
-rw-r-----  1 www-data adm        349 Jan  3 18:43
-rw-r-----  1 www-data adm        458 Jan  3 03:35
-rw-r-----  1 www-data adm        314 Jan  1 13:49
-rw-r-----  1 www-data adm        428 Dec 30 16:01
-rw-r-----  1 www-data adm        409 Dec 29 18:01
-rw-r-----  1 www-data adm        387 Dec 29 05:47

To be explicit: these are not usually processed in any way and are never used for analytics or tracking. I’ll occasionally (but rarely) use standard local Unix commands (grep, awk, etc.) to examine them directly on the server for troubleshooting, but that is their sole use and the only time they’re ever accessed.
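
One way to check a retention claim like this against the logrotate config itself, as an added example that is not the author's own tooling. `rotate N` keeps N rotated copies in addition to the live file, so the script counts N + 1 rotation periods, consistent with the listing above showing files in groups of eight. The function names, the sample stanza and the `weekly` fallback used when a stanza sets no frequency are assumptions.

```shell
#!/bin/sh
# Added example: worst-case age of log data kept by a logrotate stanza.
# Function names are hypothetical; only time-based rotation is modelled
# (size triggers and maxage are ignored).

# Print whole days covered by the stanza matching GLOB:
# (rotated copies + the live file) x rotation period.
# DEFAULT_FREQ is used when the stanza sets no frequency itself.
retention_days() {  # retention_days CONF GLOB [DEFAULT_FREQ]
    awk -v glob="$2" -v freq="${3:-weekly}" '
        BEGIN { days["hourly"] = 1/24; days["daily"] = 1; days["weekly"] = 7
                days["monthly"] = 31; days["yearly"] = 366 }
        /^[[:space:]]*#/ { next }
        !inside && index($0, glob) && index($0, "{") { inside = 1; next }
        inside && ($1 in days)   { freq = $1 }
        inside && $1 == "rotate" { rotate = $2 }
        inside && index($0, "}") {
            total = (rotate + 1) * days[freq]
            whole = int(total); if (whole < total) whole++
            print whole; found = 1; exit
        }
        END { if (!found) exit 2 }
    ' "$1"
}

# Return 0 if retention is within MAX_DAYS, 1 if it exceeds it,
# 2 if no complete stanza for GLOB was found.
within_policy() {  # within_policy CONF GLOB MAX_DAYS [DEFAULT_FREQ]
    kept=$(retention_days "$1" "$2" "${4:-weekly}") || return 2
    [ "$kept" -le "$3" ]
}

# Constructed sample stanza (not the complete config from this post).
demo_conf() {
    cat <<'EOF'
/var/log/nginx/*.log {
    daily
    rotate 7
    compress
}
EOF
}

# "-" makes awk read the sample from stdin; pass a real path instead.
demo_conf | retention_days - '/var/log/nginx/*.log'
```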

Mastodon itself records a timestamp of each user’s most recent activity and IP address. I never access this information except in the course of investigating reports.

I have not enabled logging in S3, so I have no specific record of what media assets a user might have accessed. Amazon provides some aggregate statistics (“this many objects were accessed”, “we’ve served this many gigabytes of images”, “you owe us six bucks”, and so on) but nothing more granular.