404 Media has obtained the list of sites and services that ICE contractor ShadowDragon pulls data from. ShadowDragon sources data from all over the web and lets government analysts easily search it and draw connections between people.
It apparently scrapes everything on the public feed. So when I subscribed to users on Mastodon server A from Wordpress, DMs from Mastodon server A going to Mastodon server B became visible.
I had a separate account on Mastodon server A to confirm that I couldn’t see these DMs as Mastodon user on server A, and that the Wordpress scrape was grabbing messages normally not meant for public view.
This was using the ActivityPub plugin for Wordpress about six months ago.
EDIT: I should be clear that I was as surprised as the other commentators that the DMs weren’t encrypted and that I could see them at all through a 3rd party software. I did NOT see DMs between local users - only cross-instance.
It apparently scrapes everything on the public feed. So when I subscribed to users on Mastodon server A from Wordpress, DMs from Mastodon server A going to Mastodon server B became visible.
I had a separate account on Mastodon server A to confirm that I couldn’t see these DMs as Mastodon user on server A, and that the Wordpress scrape was grabbing messages normally not meant for public view.
This was using the ActivityPub plugin for Wordpress about six months ago.
EDIT: I should be clear that I was as surprised as the other commentators that the DMs weren’t encrypted and that I could see them at all through a 3rd party software. I did NOT see DMs between local users - only cross-instance.