Back in 2024, I published a reading of the Online Harms Act from my perspective as an admin of a Mastodon instance. The Online Harms Act was a proposed Canadian bill meant to regulate social media to prevent "harmful content," particularly hate speech and child abuse materials. While the Online Harms Act ultimately did not come to pass (due the proroguing of Parliament later that year), the Carney Liberal government is bringing much of it back with a new Digital Safety Act. In this post, I am also giving the new Act a look from the perspective of a Mastodon admin.

(Head's up: this a long post!)

Background: What's Mastodon? What's the Fediverse?

Since I'm hoping this post might be useful for debate about this bill, let me offer a very short primer on Mastodon (skip it if you're familiar). Mastodon is a microblogging system, so it's a Twitter-like social media system. But it's different in that there are thousands of installations of Mastodon all around the world. Each installation is a small community of people who can do social media things: share posts, comment or like posts, read other people's posts. So it's decentralized (or, as I prefer, noncentralized): there are many Mastodons out there.

What's important to note is that, as I discuss in my latest book, these community servers tend to be run by volunteers on a non-profit basis. They nearly all avoid surveillance capitalism -- they don't sell user data, thus protecting people's privacy. And they are moderated by the communities who run them, not by third parties, algorithms, or AI.

Each of these communities can connect (or federate) with others, meaning a person on a Mastodon server in Canada can connect to a person on one in Brazil. The linking of all these little servers into one big network is called "the fediverse." And the fediverse can include more than microblogging -- there are photo-sharing services (e.g. Pixelfed), video-sharing services (e.g., PeerTube), and more.

Mastodon and the fediverse have a very strong Canadian history and presence. Two of the authors of the underlying protocol are Canadian, the developer of Pixelfed is Canadian, and I would estimate there are more than 700 fediverse servers in Canada currently. I also believe things are growing as Canadians seek digital sovereignty in the face of troubled relations with the USA.

Finally, the fediverse can also connect to other social media, such as Bluesky, BlackSky, and NorthSky.

I can say a lot more about the fediverse -- I think it's a very exciting development in social media -- but I will leave this to get to the reading.

What's Different about the Digital Safety Act?

The 2024 Online Harms Act (OHA) was criticized because part of it involved criminal penalties for hate speech. The concern was that it would give the Canadian government too much power over how Canadians communicate online. That bit is removed from the Digital Safety Act (DSA).

The DSA has a new element that wasn't present in the OHA: the regulation of generative AI chatbots (think ChatGPT). The justification for this regulation is tied to the Tumbler Ridge Shooting in BC earlier this year, where the shooter had consulted ChatGPT prior. That part won't be too relevant here since I'm interested in the social media aspect.

The other difference between the OHA and the new DSA is the proposal of age verification or estimation for users of social media, chatbot, and pornography sites. I think it's safe to say that this part -- age verification and a potential ban of kids under 16 from social media -- is the most controversial part of the DSA, and it certainly will figure into my reading here.

What's the Same?

There's a lot. Rather than list the ways in which the DSA repeats material from the OHA, I'm just going to dive into the my reading of the Act.

Usual caveat: I'm not a lawyer.

I am reading this as an admin of a Mastodon server called AoIR.social. AoIR.social is a Mastodon server that serves the membership of the Association of Internet Researchers, an international group of scholars who study the Internet. We set up AoIR.social in the wake of Elon Musk's purchase of Twitter -- our members decided to no longer contribute to Twitter in light of Musk's atrocious politics (see this news todayfor the latest reason why).

Reading the DSA

Would AoIR.social be affected? Would the Fediverse?

Just as I asked back in 2024: would AoIR.social be affected by the DSA? And would I, as a Mastodon admin residing in Canada, be affected? And would the broader fediverse be affected? The answer is: most likely.

Social media, per the act, is

a website or application that is accessible in Canada, the primary purpose of which is to facilitate interprovincial or international online communication among users of the website or application by enabling them to access and share content.‍

Social media allows people to “communicate content to the public.” So, AoIR.social and the rest of the fediverse would be affected, yes.

And as an "operator" -- a “person that… operates a regulated service” -- I would be affected, as well.

But! Here's a big question. The DSA repeatedly refers to the "number of users" of regulated services, yet there’s no specific number. It seems this number would be set by the “Governor in Council,” which is the Governor General (and I could be wrong -- I’m new to Canada). I’m gathering that the Governor will establish the Digital Safety Commission, who I think would make the decisions would be made by this Commission.

In addition, the Commission would have to consider "the technical and financial capacity of the operator." AoIR.social, like much of the rest of the fediverse, is a nonprofit run by volunteers. (More on this below.)

So, given that many fediverse instances are small (last I checked, the average size is ~500 accounts) and have limited budgets, perhaps the Commission would exclude them from the DSA.

Regardless, just as I concluded back in 2024, the DSA does seem to include AoIR.social and the rest of the fediverse. I'm continuing on with my reading with this in mind.

Blocking and Flagging

If the DSA affects AoIR.social and the fediverse, what would that entail? One big part is that the Act would require services to allow their users “to block other users and flag harmful content.” This is a repetition of the older OHA.

On its face, this is straightforward. However, as I pointed out the last time, this gets very difficult in the fediverse. Let’s go point by point to see why:

36 (1) The operator of a regulated social media service must implement tools and processes to

(a) enable a user of the service to easily flag to the operator content that is accessible on the service as being a particular type of harmful content;

Done and done. Mastodon (and many other fediverse systems) have this built in. AoIR.social also has a code of conduct prohibiting pretty much all the stuff the Act discusses. If one of our members flag such a thing and it's happening on AoIR.social, it's taken down right away. (It's also probably never going to happen since AoIR is a professional organization, but I digress.)

(b) notify a user of the service who flagged content as being a particular type of harmful content of the operator’s receipt of the flag as well as of any measures taken by the operator with respect to the content or of the fact that no measures were taken; and

This is trickier. Mastodon does not really include a means to alert users about the state of their reports. As an “operator” I could reach out directly to whomever reported, but I don’t often do that, and being required to would add a lot of work to my already laborious moderation process.

(c) notify a user of the service who communicated content that was flagged as being a particular type of harmful content of the fact that the content was flagged as well as of any measures taken by the operator with respect to the content or of the fact that no measures were taken.

As I discussed last time, I think this is a bad idea. Here’s what I wrote back in '24:

notifying people that they have had their content removed can invite more harassment. The approach on Mastodon is to block and not really let the blocked person know. I believe this is for safety purposes –- if we block someone’s content and tell them, they might harass us.

And as I wrote before, since the fediverse is a collection of 10s of thousands of servers, if this Act requires me to report to someone on another server that their “content” has been flagged, it could lead to a lot of bad outcomes:

If, for example, some trolls are harassing people on AoIR.social, I might communicate with them to tell them to stop, but most likely I’m just going to block them (and hence remove their posts) and not explain myself. Explaining myself would probably lead to more harassment, both for the original victim and likely for me or other AoIR.social moderators.

As I said back in 2024, and as I'm repeating here: much is going to hinge on how the Canadian government treats federated social media -- is it a single network or many individual sites?

Labeling Synthetic Content

The Act requires regulated social media to label “synthetic content.” This sort of thing wasn't in the OHA.

“Synthetic content” is defined as

an audio representation or visual representation of a person, object, place, entity or event that is made by electronic or mechanical means, including by means of artificial intelligence software, if the depiction is likely to be mistaken for an authentic audio or visual recording of a person, object, place, entity or event.‍

Assuming that definition holds up, the Act is basically asking regulated social media to label AI-generated content. I am totally fine with this, even on the fediverse, since I would appreciate knowing that things are AI-generated so I can more easily block people who post that sort of stuff. I also suspect many others on the fediverse are fine with this, since many fediverse communities are vocally against AI slop.

Anti-child abuse, Anti-revenge porn, Anti-harmful content

As I said in the last version of this, this is of course a no-brainer. It's a no-brainer across all of what I call the "covenantal fediverse" -- most of the fediverse has codes of conduct that prohibit these things.

Age Restrictions

This is the big new thing, the most controversial bit. Will it affect the fediverse? Likely, and the result could be devastating.

The Act proposes that regulated site “must implement any measures that are provided for by regulations that prevent persons under the age of 16 from” having access to that site. This includes social media, chatbots, and porn sites.

While I'm talking about social media here, because AoIR.social is comprised of members of the Association of Internet Researchers and thus includes scholars who study pornography, those members might post about their work including examples. But we don’t seem to be a pornography site as the Act defines it.

Since AoIR.social is for dues-paying members of AoIR, I am quite certain we have no minors on the site, since (to my knowledge) all AoIR members are at least undergraduates (and most are grad students or faculty). We have a built-in age verification system since we restrict accounts to AoIR members.

That would probably mean that the exemption would kick in:

The Commission may, on application by an operator, exempt, subject to any conditions it considers appropriate, the operator from the application of subsections 27(1) and 28(1) in respect of a regulated social media service if the Commission is satisfied that the operator provides adequate safeguards in the regulated social media service for the protection of children.

Of course, proving to the Commission that we should enjoy such an exemption might be a burden.

And what about other fediverse instances? This Act is asking volunteers and nonprofits to run age-verification or estimation systems or apply for exemptions. I cannot imagine that using age-verification services would be inexpensive -- in fact, the cost could be cripping for many fediverse instances. In addition, the use of age verification services would lead (as so many have noted) to privacy violations.

Again, this all seems to be at the discretion of the Governor in Council, who “may make regulations specifying regulated social media services or classes of regulated social media services.” Their criteria includes consideration of the financial and technical means of the services.

Digital Safety Plans and Tools

The Act states:

Subject to the regulations, the operator of a regulated service must keep all records, including information and data, that are necessary to determine whether the operator is complying with its duties under this Act.

If AoIR.social is a “regulated service,” then this may be a burden. We’re a volunteer-run, nonprofit organization. We’re not alone -- as I wrote about in my book, much of the fediverse is noncommercial and volunteer-run.

Some of what the Act calls for can be easily answered: Mastodon (the organization that writes the code) could provide a basic fact sheet on safety tools that could be supplied to the Commission.

But much as I wrote about last time, keeping records on the number of times things are flagged, the time I (or other moderators) took to respond, a “description of the content,” and the steps in the process we took -- that’s a lot of work. I am not quite sure how to keep such records, and if I have to write up a detailed government report for every flagged item, I would go a bit nuts. Even with our great moderators, we’re all volunteers with limited time.

Speaking of records, if we “make inaccessible to all persons in Canada content that incites violence or terrorism,” we have to keep a record of it for a full year. Usually when we block or suspend things, they get deleted right away. (And fortunately, terrorist content is not something we come across). I don’t really want to keep records of horrifying stuff -- and if I do so, am I personally liable if it’s on my computer? Where would I store such data?

The Act does not require operators to “proactively search content on a regulated service that it operates in order to identify harmful content,” which is good.

But it does require using “technological means to prevent content that sexually victimizes a child or revictimizes a survivor from being uploaded to the service.” Which, for our specific purposes, is very, very bad -- we would have to add a third-party scanner, which would likely cost too much and violate the privacy of our members.

The Commission

So much of this hinges on the Commission. From the perspective of an admin of a small, volunteer-run, noncentralized, nonprofit social media site: the Commission's decisions are going to be the key to all this.

I said it in my read of the 2024 OHA, and I'll repeat it here: much of the impact of the DSA, should it pass in this form, will rely on how this Commission conceptualizes the fediverse. If they treat the fediverse itself as a single network, the DSA could be very hard for individual fediverse admins to implement.

If the DSA treats each instance as its own entity, then implementation for fediverse admins might be more straightforward -- so long as the Commission doesn't choose a "one size fits all" approach that treats a small nonprofit the same as a wealthy transnational corporation.

The Commission, if it comes into existence, should recognize that the fediverse is largely a non-profit, volunteer-run collection of community sites, and they ought to make sure any of their rules do not place an undue burden on fediverse admins.

If however the DSA results in onerous burdens on volunteers, this valuable, civic-minded part of the Internet could be in trouble, and we could end up in a worse situation than the one we have: a true alternative to predominately US-based corporate social media could be lost.

Conclusion

There are many questions to consider, and I'd be happy to follow up with anyone about the particular concerns of the fediverse in relation to the DSA.

On a broader note, I am quite supportive of regulating big tech. But I want to stress that many of the evils of big tech -- the manipulation, the polarization, corporate surveillance, the monetization of our sociality, and the privacy problems -- can be mitigated with community-run social media. The fediverse is a good example of what Canadians (and other folks) can do to leave corporate social media behind. I do not want to see that project harmed by overly broad regulations.