This page, prompted by the #TwitterMigration of late 2022-23, is intended to be a rolling, continually updated collection of legal (and law-adjacent) links and resources for those deploying or administering their own Mastodon instances (servers) open to the public as they scale to tens of thousands of users or more. (As Bluesky goes from an initial platform to a federated AT Protocol, these principles may similarly apply.) There are undoubtedly many superior guides out there from a technical or operational perspective; my focus here is on three broad areas:

1. Legal:  Legal, compliance, regulatory, privacy (“data protection” in EU parlance), intellectual property (especially copyright, e.g. DMCA safe harbor), online liability (e.g. Section 230 in the US), judicial and legislative developments and threats
   
   
2. Trust and Safety (T&S):  Risk, abuse, harassment, spamming, scams, stalking, threats, phishing, doxxing, violent or hateful speech, dangerous dis- or misinformation, platform manipulation, data security breach, surveillance
   
   
3. Content Moderation:  Involving features of both of the above, as problematic content and misconduct in social media poses threats both to site or platform owner/operators (from a legal/liability perspective) and to the communities themselves (degrading or destroying trust, collegiality, community, signal-to-noise (S/N) ratio, overall value and usefulness) 
   
   

But first, a brief pep talk courtesy of EFF:

“I worry that people will not want to host instances at all, because they go, ‘this is too scary,’ says Corynne McSherry, legal director at the Electronic Frontier Foundation, a nonprofit focused on civil liberties in the digital world. “But it doesn’t have to be scary.”

OK, now on to the good stuff! 

Mastodon Legal Mini-FAQ:

1.  Why should I care?

• As owner, operator, or admin (#MastoAdmin) of any user-generated content (UGC) site, such as a Mastodon server, you face responsibilities, risks, and potential liabilities that aren’t necessarily obvious. 
  
  
• Pragmatically, the risk profile shifts dramatically if your volunteer hobbyist project explodes from a few friends to tens or hundreds of thousands of strangers using a platform open to members of the general public. (Compare to having a few people over to your house vs. running a shopping mall—even though you don’t own any of the stores, and may not even be charging them any money yourself.) 
  
  

2.  Why should I not care?

• If you’re just a normal user of someone else’s Mastodon instance (server), you probably shouldn’t. This is “inside baseball.” That said, if it interests you anyway, read on! These issues and debates are not going away any time soon. 
  
  
• If you operate entirely outside the United States, I can’t offer many suggestions as to what legal, compliance, or regulatory risks you might face in your country. This may all be irrelevant. That said, similar problems regarding trust and safety, and challenges of content moderation, are similar to some degree worldwide.

3.  Why should I listen to you?

• As a lawyer who’s headed or worked on in-house legal teams at social giants dating back to MySpace (2004-06) and eHarmony (2006-09), I’ve built and managed legal teams and compliance processes for #1, served as chief legal counsel to trust and safety teams in #2, and collaborated with community managers, T&S teams and senior executives on #3. 
  
  
• On a personal level, I’m a geek who’s been a prolific user of various flavors of social computing dating back to the mid-1980s, when I was co-sysop of my middle school friend Dave’s BBS in Menlo Park, CA. (I envied his 10MB — yes, megabytes, not GB or TB — hard drive the size of a microwave oven, noisy fan and all, that accompanied his Apple IIe and dial-up modem.) 
  
  
• That said, feel free to ignore or tell me why I’m wrong. With an online industry background at private-sector startups and growth companies, which built platforms ranging from zero to more than a billion page views per day, I’m new to the unique challenges and distinctions of federated content and open protocols at such vast scale.

4.  How can I help?

In the spirit of all things Fediverse, any form of collaboration is welcome. Don’t hesitate to suggest additions to any of these links or resources. I am planning to develop more original material and curate good examples to serve as reference for admins (e.g., TOS, privacy or copyright policies). 

Mandatory disclaimer

• I am an attorney in private practice, licensed in the State of California. That said, everything posted or linked from here should be considered information, not legal advice or opinion, unless we have formally entered into an attorney-client relationship. 
  
  
• Federalism in the US is its own challenging subject. Congress has chosen to regulate many areas at the federal level (patent, trademark, copyright, privacy, online liability, advertising, child protection) which may preempt or work in conjunction with the laws of multiple states. Depending on the subject or state, “your mileage may vary.” 
  
  
• Things get extra messy on the Internet, where the “location” of activities like publishing or making copies of something (and therefore jurisdiction of states or countries over those actions) can be ambiguous. Never mind the entire field of conflicts-of-law when electrons collide mid-Interwebz. 
  
  

Mastodon Legal, Compliance, Privacy, Trust and Safety Resources for Admins:

[N.B.: Just getting started here, under construction; consider this version 0.1]

All legal materials refer to United States law unless otherwise noted.

Legal, Compliance, Privacy / Data Protection, IP:

1. My own overview of the range of considerations running a UGC site here at Techlexica (badly needs updating, yet covers most essentials):
   If you build it, they will abuse it 
   
   
2. The first-I’ve-seen guide to potential legal liabilities for US people running a Mastodon instance, posted in November 2022 by Denise Paolucci, drawing on long experience from LiveJournal and Dreamwidth 
   
   
3. Original thread by Denise (@rahaeli on Twitter), on which she based the above (unrolled for easier reading) 
   
   
4. User Generated Content and the Fediverse: A Legal Primer, by EFF counsel Corynne McSherry 
   
   
5. Mastodon Is Hurtling Toward a Tipping Point (Wired, Amanda Hoover) 
   
   
6. The Copyright Challenge With Mastodon (Plagiarism Today, Jonathan Bailey) 
   
   
7. Sample Terms of Service and Copyright Policy (aka DMCA notice-and-takedown procedure) for a US-based UGC site, kindly offered by Denise on a CC-BY-SA basis (see #2 above)
   
   
8. UK:  Notes on operating fediverse services from an English law point of view, by Neil Brown 
   
   
9. EU / EEA: Mastodon data protection guidance including Mastodon Privacy Guide and template privacy notice geared towards EU-based admins, by Carey Lening (@privacat@dataprotection.social) 
   
   
10. Brand protection on Mastodon: what trademark professionals need to know (World Trademark Review; Paywalled)
    
    

Trust & Safety, Content Moderation, Community Management:

1. The thick skin guide to online community management, by Michael Szell
   
   
2. How to Make the Fediverse Your Own, a guide from Social.coop to “intentionally setting up democratic governance, democratic economics, and democratic community”
   
   
3. My own guide If You Build It, They Will Abuse It (#1 above)
   
   
4. The Santa Clara Principles on Transparency and Accountability in Content Moderation
5.  

Lots more to come. Stay tuned and thanks for reading! Don’t hesitate to contact me (@antone@sfba.social) with questions or suggestions.

(Last revised May 15, 2023 by Antone Johnson)

Connect with social media lawyer Antone Johnson on Mastodon or Bluesky Social.

What was it like to live in Palo Alto before 1990?

Read Antone Johnson‘s answer to What was it like to live in Palo Alto pre-1990? on Quora

Why not just stick one employee there, as an “office” and make the local government happy? The answer being that having an office in a country changes the tax position completely and the important phrase to understand here for non-accounting types is “permanent establishment.”

Tim rightly points out that taxation of Internet businesses that flow across porous international borders is a thorny subject. The largest, most successful social Internet companies are understandable targets for tax authorities. Nevertheless, in the case of countries like Turkey under authoritarian leader Recep Tayyip Erdoğan, I think the discussion of taxes is mostly political theater. The main issue for social platforms like Twitter in Turkey in my opinion is free speech, or rather the desire to manage and squash it.

As a seasoned Internet lawyer who’s served as GC and in other in-house counsel roles advising Trust & Safety teams at social Internet companies including MySpace and eHarmony, I can tell you why I wouldn’t want an office in Erdoğan‘s Turkey (or certain other countries): Twitter is the middleman for a vast amount of free speech, much of which certain governments will dislike. What do you do when the authorities come knocking with a demand to take down content critical of the Erdoğan regime, turn over electronic records or grant real-time access to data that may well lead to them imprisoning, torturing and/or executing a whistleblower or dissident? You have two choices: Be complicit or refuse. If you refuse, as the person(s) on the ground in Turkey, you face a very real risk of being arrested for some crime or other and thrown in, uh, Turkish prison. (And you thought the NSA was bad?!)

This is not a joke. It’s all very well to pontificate about universal values and human rights in a comfy conference room at an EFF symposium, but if your butt is in that chair in that office when government agents saunter in with machine guns, things get real in a hurry. An employee of Facebook or Google or Twitter in Turkey enjoys no special status: A corporate office is on foreign soil, not an embassy; they aren’t government officials, so diplomatic immunity doesn’t apply. As a business enterprise they aren’t even sheltered by the voluntary restraint most countries (though certainly not all) customarily show with NGOs and journalists.

Pragmatically, a company that does business in a foreign country does so on its terms, full stop. The unique, world-changing thing about the global Internet is that you can do business with millions of people in a country like Erdoğan‘s Turkey without actually being in Turkey. That circumvents the grip authoritarian and totalitarian governments have on bricks-and-mortar businesses to coerce them into doing just about anything. Without a physical presence there, the worst thing a hostile government can do is try to block access to data networks (e.g., the Great Firewall of China).

I have no inside knowledge of the goings-on at Twitter, so the foregoing is just a theory on my part. I can say that if I were back at eHarmony — or GC at any other Internet company with millions of users — and my CEO wanted to have a chat about opening an office in Turkey under Erdoğan (or any illiberal, authoritarian state without solid free speech protections), this would be how I framed the discussion: Are you willing to have the company serve as a tool of a repressive regime, in deference to local law or fiat, regardless of how forcefully we might disagree with it in substance? If not, better to stay outside its borders and continue fighting the long war with electrons.

First, this wasn’t a leak about some garden-variety (pun intended) pot-growing or cocaine-smuggling operation getting busted, or even a bribery scandal involving high-ranking public officials. It didn’t involve “whistle-blowing” on any wrongful government behavior. This leak reportedly related to the successful infiltration of freakin’ al Qaeda in Yemen that effectively prevented a terrorist attack using an advanced type of bomb that is allegedly undetectable by airline security.  A Saudi double agent with cojones of steel managed to get himself chosen as the lucky volunteer to be be the suicide bomber — then made off with the bomb, delivered it to the good guys for analysis, and vanished. That’s the kind of incredible espionage story with a happy ending that I’d expect to see in a Hollywood thriller, not real life.

This top-secret information was leaked to AP reporters by an unknown source. If the timing had been different, the agent(s) involved would have faced certain execution (if lucky) or torture; the bombing plot may well have succeeded, killing at least a couple hundred innocent civilians; and if so, the United States would have been thrown into a state of fear and panic as after 9/11. This is presumably why Attorney General Eric Holder said it was one of the most serious leaks he’d seen in his long career.

That’s probably enough for 90% of the general public to nod their heads and agree that the DOJ should leave no stone unturned in investigating this particularly egregious leak. There are leaks and there are LEAKS. Despite the conclusions many have leapt to, this was no fishing expedition on a whim. DOJ only resorted to subpoenaing AP journalists’ phone records after FBI agents had interviewed hundreds of people at the White House, the Pentagon, the NSA and the CIA. That’s some serious stone-turning.

For the most committed lifetime ACLU members and Chelsea Manning fans, though, there’s another, more strategic reason to tolerate this kind of investigation for the greater good. Looking at potential second-order consequences of this very series of events, the free association and privacy rights protected by the First and Fourth Amendments face more serious threats. Suppose the leak happened earlier, the operation was compromised, and the terrorist attack was carried out. Consider when and why the USA PATRIOT Act was passed:  As a direct response to a terrorist attack on American soil — by an overwhelming majority in both houses of Congress on a bipartisan basis (98-1 in the Senate).

Historically, the most troubling expansions and abuses of government power in the United States — from warrantless wiretapping to internment of Japanese-Americans — have taken place after, and been justified by, actual or perceived threats to national security. It does no good for those who dwell in ivory towers to wish for a general public and elected representatives who place a higher value on civil liberties as a matter of principle than on national security and counter-terrorism interests. That simply isn’t the world we live in.  As a matter of realpolitik, the way to advance the cause is to recognize when compromise is necessary to achieve progress.

Personally, I’d like to avoid more senseless slaughter of civilians by terrorist organizations and more invasive laws passed in response to such atrocities—whether they involve obtaining library checkout records, monitoring data packets transmitted over the Internet, or what have you. If that means sacrificing the privacy of AP phone records for these two months, so be it. It’s worth remembering AP journalists themselves are not being investigated, threatened or charged with any crime; their calls merely serve as evidence to pursue or confirm the source of the leak regarding Al Qaeda. Nobody forced them to knowingly receive classified information from someone who was plainly committing a serious crime by divulging it — and there isn’t even a fig leaf of whistleblower-type moral high ground to invoke in defending the breach here. In a media business driven by scoops, it was simply a scoop too juicy to resist.

Connect with social media lawyer and concerned citizen Antone Johnson on Mastodon or Bluesky Social.

In a sense, risk and opportunity are two sides of the same coin to early stage startups. The huge risk that eclipses all others is that the product or service being offered simply won’t succeed — there is no product-market fit, at least at numbers that would make for a financially viable business — in which case (assuming competent execution) the perceived opportunity, viewed broadly, wasn’t really there to begin with.

Perhaps it shouldn’t be surprising that financial and startup IP legal risk items on which experts focus seem like afterthoughts to many founders. After all, if value isn’t created in the first place, isn’t it premature to worry about its impairment? Even at large corporations, legal departments are jokingly dubbed the “Department of Sales Prevention” because of their tendency to insist on the elimination of all risk from deals.

A word about the title of this post: I’m not using “wrong” in any moral sense, but rather to refer to running afoul of the law in a way that makes for bad business. The very notion of intellectual property is a construct of legislation and court decisions made by fallible humans, riddled with exceptions, inconsistencies and ambiguities. We do the best we can under the circumstances, but in the age of social media, taking an expansive view, virtually every person who has touched a computer has infringed copyright at some point, probably hundreds or thousands of times. 

The law simply hasn’t kept pace with the largest upheaval in the distribution and consumption of content in human history, which has taken place in barely two decades since the consumer Internet was born in 1994. To a large extent, members of the general public have little idea what copyright is, how it works, or how it applies online, if at all. By contrast, how many items of merchandise have you shoplifted or cars have you stolen unintentionally? To equate infringement with theft, as copyright maximalists such as RIAA and MPAA do, is to insult our collective intelligence. But I digress.

In recent years, many of the most creative and disruptive startup businesses have involved the use of intellectual property in innovative, non-traditional ways that defy easy categorization and stretch the boundaries of concepts such as the fair use doctrine in copyright. When presented with a product or service in development, we often have to admit that there is no clear precedent and look for the best analogous situation to assess the startup’s IP legal risk. Is Instapaper like collecting press clippings? (If so, do you have to buy a copy of each paper first?) Is pinning a photo or article on Pinterest more akin to showing someone an article in a magazine you’ve bought or actually making and handing them a copy? Does using a friend’s photo in a Facebook ad more closely resemble a personal recommendation by that friend to buy the product or plastering the friend’s photo on the product packaging in stores?

At the height of the “cyberspace exceptionalism” era in the mid-1990s, the giants of the Internet industry were so worried about these legal risks that they invested heavily in lobbying Congress and helped shape the legal landscape of the social Internet. Unlike startups, companies like AOL, AT&T, etc. had the clout to take on the content industry and strike a balance in copyright law that ensured their survival. As I’ve written before at Gust, the social media explosion of the 2000s owes its very existence to their efforts. Nevertheless, the DMCA is showing its age with the advent of new communication tools (Twitter), content rendering platforms (Flipboard), curation formats (Pinterest) and even media consumption devices (iPad). What strikes the engineer or entrepreneur as brilliant and disruptive may come across to threatened incumbents as dangerous and illegal.

One poster child for this type of innovation — an extreme example of startup IP legal risk — is the original MP3.com’s introduction of a service called “My.MP3.com” way back in 2000. Its “Beam-It” tool enabled users to take music CDs they had already bought and upload them to an online “storage locker” of sorts (what we would now call “cloud storage“) from which they could then access the music anywhere on any compatible device. To implement the service, MP3.com bought a huge number of CDs — virtually every music CD available at the time — and made digital copies on its servers. A user could authenticate his or her physical CD and get access to the same tracks on the system without having to upload the actual song files. The benefits of this kind of system are clear: In the pre-iPod era, making one’s entire CD collection available anytime, anywhere was a vast improvement over carrying faux-leather CD caddies around with scores of discs. (Remember those?) In the digital domain, the system also eliminated the tremendous redundancy involved if hundreds of thousands of music fans were to independently upload identical digital copies of the same tracks from the same albums to their personal “digital lockers,” with corresponding savings in bandwidth, storage, and time (“data deduplication”).

My.MP3.com was a bold, innovative cloud music service a decade before cloud storage became commonplace. Yet as the saying goes, no good deed goes unpunished, so it was essentially sued out of existence by the recording industry. Without getting bogged down in details, a service catering to consumers who owned legally purchased CDs furnished by a company that had also bought legal copies of the same CDs, making users’ music consumption more convenient and enjoyable while minimizing the burden placed on the related digital infrastructure, was crushed under the weight of century-old copyright law in the form of a $53 million settlement with one record label alone, plus many others.

If this product sounds vaguely familiar, it’s because Apple introduced virtually the same music service, branded iTunes Match, in November 2011 (count ’em, eleven years later) as part of its iCloud suite of cloud storage and computing services. Presumably it helps to be one of the world’s most valuable companies controlling the most valuable music distribution platform on the planet when negotiating deals with labels and publishers. In any event, the lesson for new startups is to look both ways before crossing the busy IP highway.

Copyright is not the only type of IP right implicated — and others such as rights of privacy and publicity become increasingly relevant in the age of social media — but it provides many of the most accessible examples. Let’s use Pinterest as a case study. For those who may not have tried the service, Pinterest is an online “pinboard” of sorts, enabling users to create “boards” on various areas of interest (see mine, Term Sheet, as an example). There is nothing new per se about a user-generated content site on which users select and post items of interest from around the Internet; “social bookmarking” and recommendation tools have been around for years, and of course sites such as Facebook and MySpace allow users to post images and links by the millions.

What sets Pinterest apart its its heavy emphasis on visual elements. In many cases the item being “pinned” (or “repinned” by others) is primarily an image itself rather than the underlying site or story to which the image is linked. This visual design accounts for much of the enthusiasm that drives Pinterest’s massive growth, but to some — notably professional photographers — it’s an example of rampant copyright infringement for which the site should be liable. Enough of a fuss was raised that Pinterest made a point of going back to review, revise and clarify its Terms of Use Agreement in an attempt to alleviate these concerns.

What gives? To gauge the degree of startup IP legal risk incurred by the company, we have to start by reviewing the basics of copyright law as it applies to photo licensing. Without turning this into a long, boring law school exam question, here are the key questions followed by answers:

• Does posting a photo on Pinterest involve making a “copy?”
• If yes, is the photo I’m planning to post copyrighted?
• If yes, do I own the copyright or have permission (a license) from the copyright holder?
• If not, can I still do it anyway?
• If so, what, if anything, can the copyright owner do about it?
• Finally, from the site operator’s perspective, is Pinterest liable for any infringing photos that I (or its millions of other users) might post on the service?

To the entrepreneur building a startup, the last two points are the ones that really matter. Granted no business owner wants to see his or her customers sued, but the liability issues that can kill a startup of this nature or render it unfundable are ones of secondary liability: In legal parlance, is Pinterest liable for contributory or vicarious infringement because of what its users are doing?

At this point, for anyone left wondering whether or when to consult a good lawyer, the answer should be self-evident. If the difference between creating an enterprise worth ten figures (let’s call it “Instagram“) and getting sued into bankruptcy (let’s call that one “Napster“) rests on critical points of startup IP legal risk such as questionable fair use and secondary liability, there’s no such thing as getting too much, or too early, advice from the right professionals. In getting up to speed, there’s also no substitute for reading the work of commentators whose grasp of the subject matter is detailed enough to make a thorough, reasoned analysis (notably Techdirt’s Mike Masnick — himself a lawyer — in this example).

In closing, it’s worth noting that even the most seasoned attorneys and law professors will disagree on some of these subjects. As with other potentially complex, risky undertakings like surgery, it never hurts to get a second opinion — although chances are, with lawyers as with doctors, you’ll always manage to fine one who is risk-averse enough to tell you not to do it.

Connect with social media lawyer Antone Johnson on Mastodon or Bluesky Social.