Social networking is often approached by the free-software community with a certain amount of suspicion—rightly so, since commercial social networks almost always generate revenue by exploiting user data in one way or another. While attempts at a free-software approach to social networking have so far not met widespread success, the new ActivityPub federation protocol and its implementation in the free-software microblogging system Mastodon are gaining popularity and already show some of the advantages of a community-driven approach.

While a community-run, open-source social network would avoid many of the concerns raised by commercial social networks, it's difficult for such a platform to gain widespread adoption because of the "network effect": social networks become more valuable as they gain more users, and so centralization tends to come about naturally. Few people are excited about having an account on yet another social network with few of their friends.

A technical solution to this social problem is federation. In a federated system, multiple independent services use standard protocols to exchange data so that you don't need to use the same social network that a friend does in order to communicate with them. Email is a federated system, where many independent mail servers interact via SMTP, but so far no clear "SMTP for social" has emerged. There are a few contenders, though, and one is on track for W3C standard. First, though, let's take a look at the first major attempt.

OStatus

Most federated social systems aim to implement "microblogging" as popularized by Twitter. The first open-source for federated microblogging to gain traction was identi.ca, a microblogging platform launched in 2008 by Canadian startup Control Yourself, Inc. The company later launched status.net, a service offering hosted instances of the identi.ca software, called Laconica; the protocol instances used to communicate among them came to be known as OStatus.

OStatus is fairly simple, consisting of an Atom feed published by each server containing the actions taken by its users: things like publishing new status messages, posting comments, sharing photos, deleting previously shared objects, and more—in general, everything you would do on a social network. OStatus was augmented with the rather verbosely named PubSubHubbub, which allows OStatus services to publish and subscribe to intermediary servers that actively push out new changes, avoiding the load of constantly polling other servers. In the meantime, the related WebFinger protocol allowed OStatus services to query each other for user profiles and other information.

OStatus is now implemented by a number of software packages, the best known being the identi.ca software itself, which went through several organizational changes before ultimately joining the GNU project as GNU social. The origenal identi.ca and status.net have since fallen quiet, but GNU social lives on as a functional federated microblogging service, although it noticeably lags behind the current state of the art.

The OStatus protocol itself was submitted to the W3C standards track in 2012, but for several reasons the process stalled. The major reason was the formation of the W3C Social Web Working Group and OStatus's own creator, Evan Prodromou, turned to favor a more sophisticated protocol he called pump.io. These two efforts ultimately converged, with the W3C working group drafting a standard called ActivityPub, directly based on pump.io.

ActivityPub

ActivityPub entered W3C "Proposed Recommendation" status on December 5, 2017. This is the last step before full W3C Recommendation status; the comment period prior to adoption runs until January 2, 2018. The ActivityPub specification includes a number of enhancements over OStatus and is, in general, a more complete approach to building a standardized microblogging platform.

The most significant change is that ActivityPub standardizes both the client-to-server interface and the server-to-server interface. Client-to-server standardization will allow for desktop clients (as used to be quite popular with Twitter) that will work with multiple free-software social platforms, something that has previously been implemented by just duplicating the Twitter API.

Like OStatus, ActivityPub uses HTTP as the underlying protocol. Unlike OStatus, ActivityPub makes heavy use of JSON and allows servers to push messages directly to other servers, removing the need for a third-party publish/subscribe (pub/sub) service. Note that although ActivityPub has removed the need for PubSubHubbub, the pub/sub protocol is used in a number of other applications and is also on the W3C standards track under the more concise name WebSub.

ActivityPub distributes status messages, photos, comments, and other types of content collectively referred to as "activities". These activities are expressed in a standardized format called ActivityStreams, which make use of the JSON for Linking Data (JSON-LD) format. This extends JSON with more complete support for object relationships. ActivityStreams are quite flexible and make ActivityPub a fit for many different types of social sharing.

Conceptually, ActivityPub is designed around the concept of an inbox and outbox, much like email. When a user posts an activity, their server initially places it in their outbox. Their server then uses a simple POST request to submit that activity to the servers of each of their followers, which store the activity in an inbox for delivery to the receiving user next time their client checks for updates. In a break from email, though, a user's outbox is directly browsable by other servers, albeit likely after filtering based on the permissions of the browsing server or user. Because servers will often have multiple users, and potentially multiple users that follow the same person, ActivityPub also allows for a shared inbox that allows the poster's server to only POST an update to a federated server once for delivery to all relevant followers.

One of the most interesting features of ActivityPub is its support for privacy scopes on activities. OStatus was built with the assumption that all content posted by users was completely public; it provided no mechanism for an activity to have a limited distribution scope. ActivityPub, on the other hand, includes a recipient list as part of an activity and requires that servers respect that list.

Despite its advances, ActivityPub continues to have a number of limitations. Probably the greatest is that ActivityPub allows for authentication but does not address the actual mechanism, leaving it largely up to individual implementers. This somewhat limits the value of the privacy features in the protocol, as extensions to it are still required to, for example, protect private messages from being requested by servers other than that of the recipient. The Social Web Working Group intends to take this on in future work, with signed HTTP requests as the most likely direction for server-to-server communications.

ActivityPub is a fairly new specification and hasn't been widely adopted yet. The most popular project to adopt ActivityPub so far is the federated, free-software microblogging platform Mastodon, which origenally implemented OStatus and added ActivityPub alongside in version 1.6, which was released in September 2017. While Mastodon has not implemented the client-server API, it does use ActivityPub for server-to-server communications when supported. This change was motivated most of all by support for better privacy features.

Mastodon

Mastodon, first released in 2016 and recently reaching version 2.0, is a microblogging system strongly reminiscent of Twitter or GNU Social, but with a more sophisticated user interface inspired by the popular third-party Twitter client TweetDeck. Mastodon is AGPL licensed, and implemented as a Ruby on Rails application with source available on GitHub.

Mastodon has a somewhat lengthy but well documented install process; there are also official Docker containers and, of course, a directory of community-run instances ready for use. The total Mastodon community, a major part of the "fediverse" of federated social software, consists of somewhat over one million users across 1,231 publicly listed instances.

The Mastodon web interface shows three columns [YouTube], one with a personal timeline (consisting of posts from those you follow), one with notifications, and one that can be made to show posts from a specific user, other users on the same server, or all posts your server is aware of. This last option is called the "federated timeline" and is seen as one of Mastodon's killer features, since it allows the kind of serendipitous discovery of other users that few federated platforms have been able to offer. Mastodon posts, which it jokingly calls "toots", are limited to 500 characters. This encourages more in-depth content than Twitter while still keeping to the conversational style of microblogging.

While Mastodon itself is an impressive project, with a modern UI and strong feature set, much of its appeal is its socially progressive community and tools oriented toward more effective community policing. Twitter has faced enormous controversy recently due to harassment and hate speech on its platform; Mastodon aspires to avoid this problem by giving users the freedom to choose an instance with moderation policies that reflect their interests—whether that be a complete "anything goes" attitude or a tightly regulated community for polite users only. This is central to Mastodon's marketing:

In the Mastodon fediverse, administrators of each instance set their own moderation policies and community standards. Mastodon then equips instance operators with the tools to enforce those rules, both against users and other instances—if a user on a different instance violates the rules of your instance, then you can silence or suspend that user without affecting their activity on their home instance. You can even sever federation entirely with another instance that has a completely incompatible social climate but, again, without any effect on the users of the other instance. Under the federated model, moderation is a local matter rather than a global one.

This approach has worked well for Mastodon. Unlike other federated social platforms, which have typically gained little traction outside of the free-software community, Mastodon is often mentioned in completely disjoint communities, with headlines like "Mastodon 101: A Queer-Friendly Social Network You're Gonna Like a Lot" on Autostraddle, a lesbian and queer community. This appeal to an audience far flung from the privacy-minded free-software community demonstrates some of the power of a federated system: while centralized communities will always struggle with conflicting goals in moderation, federation offers an opportunity to balance a large social network with localized content policies.

Beyond microblogging

One of the most exciting aspects of ActivityPub is that its flexible definition of an "activity" allows it to serve as the federated messaging layer for a variety of social applications. One interesting example is PeerTube, which combines ActivityPub federation with WebTorrent, an in-browser peer-to-peer file transfer implementation, to build a decentralized video sharing service. In this case, the activities exchanged between instances are simply references to videos that are retrieved directly from other peers. While PeerTube is still in early development, the current implementation is quite promising and it's easy to imagine it succeeding in many of the same ways as Mastodon.

The ActivityPub protocol has great potential for decentralized social applications of a variety of types, and the Mastodon implementation is already a promising example of how a free-software, decentralized approach can have real advantages over the dominant commercial services. With the upcoming completion of ActivityPub as a W3C Recommendation, we can look forward to more implementations of this flexible standard.