

Report: Privacy Preserving Interoperability and the Fediverse


The Social Web Foundation went to the UN’s 20th Internet Governance Forum in Norway.

We hosted the workshop “Privacy Preserving Interoperability and the Fediverse,” which brought together developers, policy experts, and community organizers from Meta, the Data Transfer Initiative and the Social Web Foundation to explore the growing importance, and complexity, of privacy in decentralized social platforms. As adoption of the Fediverse expands globally, this session focused on how interoperability can be achieved without compromising the privacy and autonomy of its users.

At the heart of the discussion was ActivityPub, the W3C standard that underpins most Fediverse platforms, enabling users to communicate across services such as Mastodon, PeerTube, and Lemmy. While this interoperability is foundational to the Fediverse’s decentralized vision, it also introduces new challenges: how to maintain user control and confidentiality when posts, profiles, and interactions can be federated across hundreds or even thousands of independently governed servers. Other protocols mentioned that ideally aim for Fediverse interoperability include Bluesky’s ATproto and DSNP.

Speakers acknowledged the fundamental tension between decentralization and privacy. In traditional centralized platforms, privacy controls are embedded within a single governance structure. In the Fediverse, each server can adopt its own privacy and moderation policies, which now include whether to interoperate, or “federate,” with other platforms.

Several panelists emphasized the need for privacy by design at both the protocol and application level. This includes clearer visibility into where data travels, options to restrict federated visibility of posts, and default behaviors that favor user protection. End-to-end encryption was discussed as a promising but underdeveloped feature in the current Fediverse stack, with particular relevance for direct messages and private groups.

The session also highlighted emerging approaches to user agency and consent. Some platforms are experimenting with metadata labels that define intended audience or restrict visibility beyond a specific domain. Others are developing tools to make moderation decisions more transparent and portable—enabling users and communities to coalesce around shared trust models without imposing top-down controls.

Another major theme was moderation and governance in an interoperable system. Server administrators often rely on blocklists and reputation signals to manage exposure to spam, harassment, or misinformation. However, there remains a lack of shared standards or interoperable tooling for coordinating these decisions across networks. Speakers urged further exploration of decentralized trust models and cooperative moderation strategies that are transparent, auditable, and adaptable to local community norms.

The session also touched on the evolving regulatory landscape, particularly the General Data Protection Regulation (GDPR), Digital Services Act (DSA), and Digital Markets Act (DMA). Participants noted that while GDPR offers a strong foundation for individual data rights, its application in decentralized systems remains complex, especially when determining the role of data controllers across federated services. In particular, participants noted that the objectives of ensuring data openness and portability are often in direct conflict with the objectives of providing end-to-end data privacy and security. As a result, there are many open questions about how to deploy federated services within existing data protection frameworks.

Several recent laws in Europe present both opportunities and challenges for federation and interoperability. The DSA’s emphasis on transparency, content moderation, and systemic risk assessments was seen as both a challenge and an opportunity for the Fediverse to differentiate itself through community-led governance. Additionally, several participants lauded the DMA’s interoperability mandates as a way to encourage gatekeepers to provide more open interfaces, but participants also noted risks to privacy, particularly if security, safety, and consent are not central to implementation. The Fediverse, by contrast, offers a living example of how interoperability can coexist with decentralization and rights-respecting design.

In summary, while the Fediverse promises a radical departure from walled-garden platforms, participants agreed that privacy and consent need to be an important part of Fediverse infrastructure, both at the technical layer and the governance layer. Without that, it may be difficult to reconcile traditional data subject privacy rights with federation. The conversation underscored that privacy and interoperability are not mutually exclusive—but realizing both requires thoughtful design, collaborative experimentation, and sustained investment in tooling.

Action Points for Future Work


  1. Develop Federated Privacy/Bot Labels
    Create standard metadata fields within ActivityPub to indicate content visibility, consent preferences, and sharing restrictions across servers.
  2. Advance Encryption for Direct Communication
    Prioritize implementation of end-to-end encryption for private messaging and groups in major Fediverse platforms.
  3. Design User-Centric Privacy Controls
    Build intuitive interfaces that allow users to control how their data federates and who can interact with their content.
  4. Create Moderation Portability Tools
    Develop interoperable mechanisms for server admins and users to share blocklists, trust scores, and moderation decisions transparently.
  5. Establish Cross-Community Governance Frameworks
    Convene working groups across Fediverse communities to co-design norms and policies that align privacy, interoperability, and accountability.
  6. Fund Research and Infrastructure Development
    Support grants and fellowships for open-source developers working on privacy-preserving protocols and infrastructure in the decentralized web.
  7. Ensure Clear and Consistent Regulatory Standards
    Monitor and respond to regulatory developments such as the EU’s Digital Markets Act, which mandates interoperability for gatekeeper platforms. Use this regulatory momentum to advocate for clarity around how privacy and interoperability frameworks work together to improve decentralization without undermining user consent.

This session laid the groundwork for a vital and ongoing conversation about how to embed human rights—especially privacy and autonomy—into the technical architecture of a federated future. As the Fediverse evolves, it has the opportunity to model new paradigms of platform governance—ones that empower users and safeguard communities without relying on centralized control. The work begins now.

The full session can be viewed online:

youtu.be/9zEn1nUI4Zw


SWF at the IGF 2025


This month, the Social Web Foundation is joining the UN’s 20th annual conference on the internet, the Internet Governance Forum. Held in Oslo, Norway, IGF 2025 brings together policymakers, technologists, activists, and academics to address the most pressing questions about digital governance. From AI regulation to connectivity in underserved regions, the agenda reflects how internet governance is now inseparable from broader social, economic, and political concerns.

Mallory Knodel, Executive Director of the Social Web Foundation and founder of this newsletter, will be moderating a workshop on “Privacy-Preserving Interoperability and the Fediverse”, a session that speaks directly to the Social Web Foundation’s mission: a growing, healthy, sustainable and multi-polar Fediverse.

The session will examine a practical tension: interoperability allows people to move fluidly across platforms—whether it’s Mastodon, PeerTube, or other services in the Fediverse. Yet this fluidity exposes new privacy risks. For example, a user’s profile photo or contact list might unintentionally follow them from one service to another without explicit consent. To ensure the social web continues to grow in a responsible way, we need thoughtful policy, smart technical design, and cross-sector collaboration.

To tackle this, Mallory will be posing three concrete questions to a diverse panel featuring voices from academia, civil society, and the private sector:

  1. User agency: How can we design cross-platform data flows so that individuals—not servers—decide what travels with them?
  2. Legal alignment: What does real compliance with the GDPR look like for a decentralised network, and how might the Digital Markets Act nudge the large incumbents toward meaningful interoperability?
  3. Technical safeguards: Which standards or privacy-enhancing tools could make federation safer by default?

By grounding the discussion in technical and legal constraints, this workshop aims to develop practical, actionable recommendations that platforms, developers, and policymakers can adopt. We’ll refine these into a summary document outlining key takeaways and next steps, which we’ll share in a future edition of this newsletter.

This conversation also comes at a critical time. The momentum behind decentralized platforms is growing, but regulatory clarity and technical safeguards lag behind. Without coordination, we risk repeating the mistakes of Web2: centralisation of power, opaque data practices, and exclusionary design.

Attending the IGF is free! Whether you’re joining us in Oslo or tuning in online, we encourage you to participate. Your questions, insights, and lived experiences help shape the conversation. We’ll be taking audience questions during the session, and they’ll feed directly into the discussion.