@mray But now you know why I'm asking. There is lots of energy around encryption but it's a very tricky thing to be done right. My point was simply that we start with some simple UX improvements and not wait for the encryption (given we already have private messages)
Post
Replies:
0
@scottjenson And on encryption, I think you could probably launch with UX improvements only, and leave encryption as a "fast follow". E2EE might not be *critical* but it's a *super-nice-to-have* ~ especially on today's internet.
The fact that we call them "direct messages" isn't enough; people have a natural expectation of privacy when they send DMs, and the Fediverse doesn't really honor that right now.
The more systems we can make "secure by default" the better.
@scottjenson Hey Scott! I'm so glad you're tackling this issue. I have lots of trouble with DMs on Mastodon. I think you're addressing, these, but here goes:
The biggest one is how easily they're confused with regular messages. I routinely mess this up, and make private messages public, or vice versa.
The next is how hard it is to visualize threads - especially in the existing notification section. I often lose my place in complex discussions
@scottjenson I think making UX improvements to DMs is a great idea.
One of the biggest privacy problems with Mastodon DMs now is that people accidentally make them public.
Separating the private mention UI from the public posting UI will probably avoid a huge percentage of those user errors.
It'd be a big win for privacy.
@scottjenson encryption that still works if one of the parties changes fediverse servers seems like it maybe technically challenging
I also would note that a lot of my interactions on the Fediverse are not very “microblogging” focused. Ie this response isn’t a blog post.
I largely use DMs here for private but non sensitive content (like “hey your url is broken” or “you have a typo on that post”
@scottjenson Thanks for asking! I'm a big fan of Encrypting All The Things, but my impression here is that the dangers of PMs on Mastodon have more to do with the potentially confusing UX, so I think addressing the UX issues would help the most in the short term.
Ultimately, I want users to be able to assume "private" means encrypted, so I'm very glad that's part of the plan. Yes, people can use Signal, but there's still a need to privately transmit one's Signal username at a minimum. Also, private threads can stem from public threads, so it's natural to have some facility for privacy here. Finally, I'm a huge Signal fan, but its centralization means a single point of failure, and makes it a huge target for authoritarian state actors, and I worry about it going down or being compromised.
I would like to see more visual distinction between public and private posts, like different coloring, so fewer people confuse them.
@scottjenson I must request encryption, because even though I don't need it right now. ...
A - you never know when you might need it
B- if I did, I might feel really uncomfortable telling you the reason, so I'm gonna assume that I'm piping up for some of those folks.
@scottjenson My take is encryption is important, but not important enough that you shouldn't make UX improvements before having it
I particularly would like to see the list of mentions decoupled from the list of recipients, though I wonder if that might cause problems with replies from some software... but still
@jfred You're not the only person asking for this. It's a resonable suggestion (but I can't comment on the implementation complexity)
@scottjenson I know @soatok is working on E2E DMs for the fediverse.
But I already kinda use the existing DM feature but it is very clunky depending on the client you use. Having some sort of prominent tab that has it's own set of notification so I don't miss it in the flood of "normal" notifications would already go a long way.
@scottjenson I think any service with an implication of privacy should be encrypted, but that encryption needs to be done right. And the UI needs to convey the level of encryption clearly so people don't make incorrect assumptions about the security of their communications.
So I'm okay with the UX coming first, if it's designed with future encrypted messaging in mind.
I get DMs are not the focus of the app, so probably not a big priority, but they are still useful and important to many users.
@aaron Completely agree and why I'm asking. We can do both: improve the backend (adding encrypting) AND improve the UX. This is especially true as the frontend improvements are far easier to implement so people can benefit from this WHILE working on the backend.
Signal makes it easy to create a revocable "message me" link. I have one in my profile. If anyone wants to send me an encrypted message they can click on it and send one pretty easily.
I think reply controls and UX improvements should come first, maybe with, as others suggested, a note that the message is not encrypted (yet)
@gbargoud makes sense, thank you
As an aside, I'm surprised there isn't an instance at a link like staff.joinmastodon.org with an official account for each member of the core mastodon team.
I had to check your profile to see that you were someone asking for feedback who could do something about it rather than someone who was asking out of curiosity
@scottjenson imo that’s totally fine. Just need to make it known straight up that the messages are not encrypted, which is more or less just an alert that hard blocks interaction until acknowledgement…
@scottjenson I am kind of surprised that no one has mentioned that "oh the admins of the servers shouldnt see my DMs!" Creates a moderation nightmare and a harassment loophole that really shouldnt be considered worth the hassle. I am on team "just use signal" because if you need to have a really private conversation with someone who didnt give you their private contact information, no you dont.
@Montaagge There is a lot of traffic on this thread and that point has been made by the way. It's a reasonable request. I just appreciate that it's not a simple ask and I'm hoping we can tackle some UX improvements WHILE the background work is going on.
@scottjenson one huge problem with private mentions is that they actually aren't equivalent to DMs... because if you try to talk about another person and link to their profile, you effectively "mention" them and they can see the message. I don't know of any other DM that works this way and the UX is extremely confusing to users and just wrong IMO.
I think private mentions should be scrapped entirely and reworked as a different AP object type than Note so that they are treated differently.
@scottjenson Adding a vote for encryption first. For the simple reason that “personal message" is associated with a modicum of privacy. And the current Mastodon implementation does not provide much privacy at all for personal messages. As welcome as UX changes are, they would not change the underlying architectural issue, and might even increase the _appearance_ of those messages providing any actual meaningful privacy.
Let me know if you find that explanation needs more details. 😉
@jochenwolters That's a very clear explanation thank you. I don't think many apprecaite just how hard it is to add encryption properly and it's like going to take a while. As we already have PMs in the product and improving them would be very helpful, it seems like we shouldn't wait.
Part of why I'm asking is that here are MANY ways to use PMs, many of which do not require encryption at all. Of course it would be very nice to have. But I just want to call out, even with encryption, you likely want to be very careful using Mastodon for organizing as your profile and public posts would likely leak a tremendous amount of personal info.
Again, this doesn't mean we shouldn't do it, just that microblogging makes it hard to proprely protect your identity.
@scottjenson Not critical, as I wouldn’t expect it because of the current implementation.
If a future iteration of PMs would change that, it might as well be a good idea to communicate it explicitly in the UI, e.g. at the beginning of a new conversation. Basically the opposite of what WhatsApp does (see screenshot).
Also, if encryption means it’ll harder for third party apps, services,… to adopt PMs, then I feel like it’s definitely not worth the effort.
@scottjenson Don't really need encryption just for the DM edge-case. I only need to know where/for who exactly my message will pop up automatically, though.
Suggesting "encryption" exists in mastodon, how can one make sure it is interoperable with ActivityPub AND nobody gets it wrong and falsely assumes encryption is omnipresent, when it is absolutely not.
@mray Encryption is being explored by a FEP
@scottjenson Interesting, seeing how other protocols got burned by adding encryption as an afterthought (XMPP, MAIL) I think we are still very very far away from having something comprehensive, reliable and usable. Unless that's a reality I'd shy away from promoting it unnecessarily loud. 🤷♂️
Encryption rocks though. I hope that FEP has lots of traction.
@mray But now you know why I'm asking. There is lots of energy around encryption but it's a very tricky thing to be done right. My point was simply that we start with some simple UX improvements and not wait for the encryption (given we already have private messages)
@scottjenson also dealing with encrypted chat inside the browser is extra spicy. I'd love to see people seriously tackling that, but I remain reserved. 😬
@scottjenson I'm pessimistic up to the point where you have to have to assume it will fail completely. Just as XMPP and MAIL failed.
The only encryption implementation with success were the approaches where the UX can be controlled centrally.
For MAIL there is #autocrypt now, it is astonishing of good it is – but email is still not encypted today.
XMPP/Jabber has OMEMO, but stillt struggles with client adoption and it isn't omnipresent.
Where it worked: #DeltaChat and #Signal both using a central library that can make sure encryption reliably lands at peoples fingertips.
@mray I so appreciate your concerns. It's actually why (personally, I'll add) I'm concerned why encryption may take a while (the Mastodon team is very thorough and would not release a rushed version of this) This is why my original post really had nothing to do with "should we add encryption" but was rather "while we're waiting can we at least make some improvements?"
@scottjenson I don't see much wiggle-room for improvement if it is not clear how it works under the hood.
Ideally encryption feels almost imperceptible, and needs a mere indication on the side, but I guess the UX work won't be to GET THERE – but is to make the emerging pain points more bearable. 😂
I think the UX you would want to improve is connected more with the FEP itself than any UI concerns. Depending on what they come up with you'll be free to do what you want – or deal with strange constraints. (Key handling seems to be the arch enemy of UX in encryption if you ask me :P)
@mray Well first of all we have a shipping product (warts and all) and improving it is important to do even outside of encryption (I mean I hear your point but I'm saying we'll improve the UX independently as, honestly, it's got lots of issues that need fixing.)
But I agree with you empathically that proper key management is a horribly difficult thing to get right and almost always makes the UX very challenging to "be seemless"
@scottjenson My take (which seems to fly in the face of the zeitgeist) is that Mastodon is not meant foremost as a private messaging app. It is at its core, an *open, social* microposting platform. There are apps that are radically better suited for private and safe comms, and I am a huge proponent of letting things be true to themselves. When you try to shoehorn stuff into a system not intended to do that stuff, it ends poorly.
So, sure, DMs out of the timeline, but no Signal-like hardening.
@octothorpe Thank you! To be clear, I'm not against adding encryption to Mastodon but it would be rather different than what you get with Signal. Here is a simple example. Many people are quite public with their real name here on mastodon, that makes sense. But if you REALLY wanted to use an encrypted message you ikely wouldn't want to use your public name. So in many ways, encrypted messages by you very little (well,in some situations)
That's kind of my point, I don't think people really see the FULL JOURNEY necessary for encryption.
However, many have said "I just don't want to have to trust my admin. I just need it for privacy" and you know, that's a perfectly good reason and to be fair, has NOTHING to do with competing with Signal.
That's all I'm trying to do here, understand how and why it would be used.
@scottjenson I dig it. And yeah, the complications you implied are probably exactly the same I did (my post char limit is small)… which is why I shorthanded to ‘signal-like’.
But yeah, I get why folks may want it. I think it’s probably best to not encourage that behaviour in the app (because of how easily it could be accidentally borked, ex: public posting passwords). The notion being if you KNOW it’s not encrypted, you’re less likely to send sensitive material.
@scottjenson I think, given today's climate, encryption should be a priority over UX changes. My thought is not whether microblogging DMs should be encrypted or not, but simply if *any* kind of messaging exists that is not public, on any service, it should be encrypted. It's the sad world we live in now where services can't be trusted. Non-public messaging that isn't encrypted shouldn't exist. Should microblogging services be Signal? Not at all. But DMs already exist, so now it has to be dealt with. Simply telling users "it's not for private discussions" isn't enough.
in 2026, gabe is absolutely right. a few years ago, i would've been the first one debating this position... but it's 2026.
@gabek @scottjenson
@by_caballero @gabek We've publicly announced we're working on encryption. It's a TON of backend work. It can proceed in parallel with UX work. It's not one vs the other. Especially as the UX work is FAR less than the encryption work
@scottjenson some of these are in the Mastodon roadmap!
https://blog.joinmastodon.org/2026/02/our-technical-direction/
@mapache Yes, I know! 😉 I'm not saying no I'm exploring when (as encryption will take longer than UX improvements
As long as there's a "hey, this isn't encrypted!" Kind of Disclaimer, I'm fine. If we wanted encryption, there's other apps or services. But, I don't want people to mistakingly share sensitive info on this platform.
That said, encryption in the future would be amazing, but I prefer other improvements not be blocked by that for the moment.
@scottjenson broadly, encryption for DMs on a social network isn't something I'd expect.
Would any of the proposed changes to DMs trigger age-verification requirements in the UK, Australia, etc?
@mia Honestly I hadn't even thought of that, thank you for bringing it up!
