>
>
> A controversial developer circumvented one of Mastodon's primary tools for blocking bad actors, all so that his servers could connect to Threads.
>
>
>
> We’ve criticized the security and privacy mechanisms of Mastodon in the past, but this new development should be eye-opening. Alex Gleason, the former Truth Social developer behind Soapbox and Rebased, has come up with a sneaky workaround to how Authorized Fetch functions: if your domain is blocked for a fetch, just [sign it with a different domain name instead](https://gitlab.com/soapbox-pub/rebased/-/snippets/3634512).
>
>
>
> Gleason was originally investigating Threads federation to determine whether or not a failure to fetch posts indicated a software compatibility issue, or if Threads had blocked his server. After checking some logs and experimenting, he came to a conclusion.
>
>
>
> “Fellas,” Gleason writes, “I think threads.net might be blocking some servers already.”
>
>
>
> What Alex found was that Threads attempts to verify domain names before allowing access to a resource, a very similar approach to what Authorized Fetch does in Mastodon.
>
>
> >
> >
> > You can see Threads fetching your own server by looking at the `facebookexternalua` user agent. Try this command on your server:
> >
> >
> >
> > `grep facebookexternalua /var/log/nginx/access.log`
> >
> >
> >
> > If you see logs there, that means Threads is attempting to verify your signatures and allow you to access their data.
> >
> >
>
>
>
>
> We answer the questions readers asked in response to our guide to anonymizing your phone
>
>
>
>
> About the [LevelUp series](https://themarkup.org/series/levelup): At The Markup, we’re committed to doing everything we can to protect our readers from digital harm, write about the processes we develop, and share our work. We’re constantly working on improving digital security, respecting reader privacy, creating ethical and responsible user experiences, and making sure our site and tools are accessible.
>
>
This is a follow-up article. [Here's the first piece, if you'd like to read that one as well](https://themarkup.org/levelup/2023/10/25/without-a-trace-how-to-take-your-phone-off-the-grid)
>
>
> These TVs can capture and identify 7,200 images per hour, or approximately two every second. The data is then used for content recommendations and ad targeting, which is a huge business; advertisers spent an estimated $18.6 billion on smart TV ads in 2022, according to market research firm eMarketer.
>
>
>
>
> ChatGPT is full of sensitive private information and spits out verbatim text from CNN, Goodreads, WordPress blogs, fandom wikis, Terms of Service agreements, Stack Overflow source code, Wikipedia pages, news blogs, random internet comments, and much more.
>
>
>
>
> Using this tactic, the researchers showed that there are large amounts of privately identifiable information (PII) in OpenAI’s large language models. They also showed that, on a public version of ChatGPT, the chatbot spit out large passages of text scraped verbatim from other places on the internet.
>
>
>
>
> “In total, 16.9 percent of generations we tested contained memorized PII,” they wrote, which included “identifying phone and fax numbers, email and physical addresses … social media handles, URLs, and names and birthdays.”
>
>
Edit: [The full paper that's referenced in the article can be found here](https://arxiv.org/pdf/2311.17035.pdf)
Blur tools for Signal: if you take or edit photos of crowds or strangers with Signal, you can use our face blur tool to quickly hide people's biometric face data.
You can then export the photo from Signal if you want to post it publicly.