This post is part of a series on Mastodon and the fediverse. We also have a post on understanding the fediverse, privacy and security on Mastodon, and why the fediverse will be great—if we don't screw it up. You can follow EFF on Mastodon here.
The recent chaos at Twitter is a reminder that when you rely on a social media platform, you’re putting your voice, your privacy, and your safety in the hands of the people who run that system. Many people are looking to Mastodon as a backup or replacement for Twitter, and this guide will walk you through making that switch. Note this guide is current as of December 2022, and the software and services discussed are going through rapid changes.
What even is the fediverse? Well, we’ve written a more detailed and technical introduction, but put simply it is a large network of independently operated social media websites speaking to each other in a shared language. That means your fediverse social media account is more like email, where you pick the service you like and can still communicate with people who chose a different service.
EFF is excited and optimistic about the potential of this new way of doing things, but to be clear, the fediverse is still improving and may not be a suitable replacement for your old social media accounts just yet. That said, if you’re worried about relying on the stability of sites like Twitter, now is a good time to “backup” your social media presence in the fediverse.
1. Making an Account
When joining the fediverse, you are frontloaded with several important decisions. Keep in mind it’s easy enough to keep your account information when changing social media providers in the fediverse, so while important, these choices are not permanent.
First, the social media site which connects you to the fediverse (called an “instance”) can run one of many applications which often mimic how other social media sites work. This guide focuses on the most popular of these called Mastodon, which is a microblogging application that works a lot like Twitter. If you strongly prefer another social media experience over Twitter, however, you may want to explore some of those alternative applications.
Next, using a site like joinmastodon.org, you’ll need to choose which specific Mastodon instance you join– and there are a lot of them. In making a selection you should consider three things:
- Operators: Who owns the instance and how is it managed? You are trusting them not only with your privacy and security, but to be responsible content moderators. When reviewing an instance’s About page, make sure the rules they set are agreeable to you. You may also want to consider the jurisdiction in which the instance is operating, to help you anticipate what legal and extralegal pressures the moderators might face.
- Community: Instances run the gamut from smaller or private options that center shared values and niche interests to large, general interest platforms open to everyone. When selecting one, keep in mind that your local peers on an instance affect what content you see in direct and indirect ways. The result can be a close-knit community similar to a Facebook group, or a broad platform for exposure like Twitter.
- Affiliation: Your instance will be a part of your username, like with email. For example, EFF’s account name is “@firstname.lastname@example.org” with “mastodon.social” being the instance. This affiliation may reveal information about yourself, especially if you join a special interest instance. If your instance is considered polarizing or poorly managed, other instances may also “defederate” or block it—meaning your messages won’t be shared with them. That’s likely not a concern with most popular instances, however.
Newcomers, especially those trying Mastodon after using Twitter, will likely want to try a large general-interest server. To reiterate, Mastodon makes it relatively easy to change this later without losing your followers and settings. So even if your preferred instance isn’t available to new users, you can get started elsewhere and move later. Some of you may even eventually want to start your own instance, which you can learn about here.
2. Privacy and Security settings
Once you’ve registered your account, there are a few important settings to consider. While there is a lot to say about Mastodon’s privacy and security merits, this guide will only cover adjusting built-in account settings.
Remember, there is no one-size-fits-all approach, and you may want to review our general advice on creating a security plan.
- Require follow requests: Turning on this setting means another person can only follow your account after being approved. However, this does not affect whether someone can see your public posts (see next section).
- Suggest account to others: if you are worried about drawing too many followers, you can uncheck this option so that Mastodon instances do not algorithmically suggest your account to other users.
- Hide your social graph: Selecting this will hide who you are following and who is following you.
Preference - Other
- Opt-out of search engine indexing: Checking this will make it more difficult for a stranger to find your profile, but it may still be possible if your account is listed elsewhere–e.g., on another social media site or on another fediverse account.
- Posting privacy:
- Public: Your posts are publicly visible on your profile and are shared with non-followers
- Unlisted: Your posts are publicly visible on your profile, but are not shared to non-followers. That means posts won’t be automatically shared to the fediverse, but anyone can visit your page to see your posts.
- Followers-only: One needs to follow your account to view your posts.
Automated post deletion
Unlike Twitter, Mastodon has a built-in tool that gives users the ability to easily and automatically delete old posts on the site.
This can be an effective way to limit the amount of information you leave publicly accessible, which is a good idea for people worried about online harassment or stalkers. However, public figures or organizations may opt to leave posts up as a form of public accountability.
Whatever you decide, remember that, as with any social media site, other users can download or screenshot your posts. Post deletion cannot unring that bell. An additional concern for the fediverse is that post deletion must be honored by every instance your post reaches, so some instances could significantly delay or not honor deletion requests (though this is not common).
Account settings - Enable 2FA
This group of settings lets you change your password, set up two factor authentication, and revoke access to your account from specific browsers and apps. If you notice any strange account activity, this is the section you can use to lock down access to your account.
- Select Two-factor Auth
- Click setup and confirm your password
- Using an authenticator app, scan the presented QR code or manually enter the text secret
- Enter your two-factor code
- Click enable
- You’ll now receive 10 recovery codes in case you are not able to access the 2FA device you just set up.
As with all 2FA recovery codes, take extra care to save these in a secure place such as a password manager, an encrypted file, or even written out by hand and locked away. If you ever lose these codes, or suspect that someone else might have access to them, you can return to this section to generate new ones to replace these.
Finally, if you have a secure way to store information, it is a good idea to regularly create a backup of your account. Mastodon makes it very easy to save your online life, so even if the instance you’re on today is bought by a bored billionaire, you can easily upload most of your account info to a new instance. If you’re planning ahead you can also port your followers to your new home by having your old account point to the new one.
It’s worth emphasizing again that your instance is controlled by its administrators—which means that its continued existence relies on them. Like a website, that means you’re trusting their continued work and well-being. However, if your instance is suddenly seized, censored, or bursts into flames, having a backup means you won’t have to completely start over.
3. Migrating and Verifying your Identity
Making sure your followers know you’re really you isn’t just to stroke your ego. It’s a crucial feature in combating misinformation and impersonation. However, if you’re looking for an equivalent of Twitter’s original blue-check verification system, you won’t find it on Mastodon– nor on Twitter, for that matter. You do have a few other options, though.
Share your new account
The easiest step is to simply link to your new Mastodon account on your other social media account(s). Adding the account to your name, bio, or a pinned message can help your followers find you on Mastodon through a number of methods.
This is a good idea even if you plan for Mastodon to be your back-up account. You want users to know where you’ll be before it is necessary, and sharing early improves your ability to retain your following.
This is also a reason you may not want to delete your old account. Leaving this message up, especially from a verified account, will help your followers find you when they make the switch.
Mastodon also has a built-in verification system, but it’s a bit different than on centralized platforms. The original blue-check and similar mechanisms rely on users sharing sensitive documents to the social media company to verify that their online identity matches their legal identity–sometimes with that real name being required on the site. Ultimately, it is a system where users need to trust the diligence of that company’s bureaucratic process.
Instead, Mastodon instances only verify that your account has the ability to edit an external website. To do this, you first add the URL of a website you control to your profile under Profile > Appearance. The label for the URL does not matter.
Then you copy the line of HTML from your profile. This is simply a hyperlink to your account with a special message (`rel=”me”`) which most sites will remove from user-created text. Instead, you will need to edit the site’s HTML directly. For example, you can likely add or request this link be added to an employer’s website, who is then vouching for the account truly being yours. The result looks something like this:
On one hand, this system can eliminate an invasive, opaque, and often arbitrary bureaucracy from the verification process. On the other, you are now trusting two entities: the external website and the Mastodon instance hosting the user. This also asks users, like with email, to be careful for look-alike URLs being listed.
So when setting up verification, a good strategy is to include the website(s) you have the most secure control over, and which has the most recognizable name. A personal blog is less assuring than an employers’ or schools’ site, while including all three can be very assuring–especially on reputable instances.
Mastodon: Into the Fediverse
Now you’re ready to jump into the fediverse itself. There are a few options for viewing posts: your “Home” feed will show you posts from everyone you follow; “Local” will show the listed posts from others on your instance; and “Federated” will show you all of the posts your instance is aware of–like a shared follow list you have with everyone on your instance. Keep this in mind as you follow accounts and “boost” posts by sharing them with your followers (similar to a retweet). There is no algorithm deciding what you see on Mastodon, but rather a shared process of curation, and these actions increase the audience of a given post or user.
The fediverse, and Mastodon specifically, are rapidly developing and it is important to check regularly for changes to features and settings. Your particular security plan may also change in the future, so having regular reminders to check settings will help you adjust settings as needed.
We have the chance to build something better than what the incumbent social media platforms. While this is an ongoing process, this overview of settings should put you in a good starting point to be a part of that change.