404 Media has obtained the list of sites and services that ICE contractor ShadowDragon pulls data from. ShadowDragon sources data from all over the web and lets government analysts easily search it and draw connections between people.
It doesn’t appear to have any fediverse instances, unless you want to count Threads. It does have ProtonMail & Signal; I wonder what that actually means.
Thanks for the list. Unfortunately, they list “Fediverse” which likely means they’re scraping ActivityPub. They’re also going after your Steam account, Twitch, YouTube, and porn.
In other words, this is so much worse than the headline makes it out to be.
They would have to hack the individual servers to get at the DMs, because they’re encrypted in transit. All the public stuff is trivial to scrape.
Nope, ActivityPub DMs are not encrypted between servers - if it’s on the feed, it’s public - or at least it was as of six months ago. I found this out when I attached a WordPress site to a Mastodon instance and suddenly found I could read anyone’s DMs to users on other servers. Totally unencrypted. I actually paused development and working with ActivityPub because of it.
This doesn’t mean that messages to users on the same server are necessarily exposed, but the potential is there if you don’t have a filter for local publishing only engaged on your Mastodon instance.
It is insofar as TLS/SSL/HTTPS encryption is used in transit. That’s what I mean by encrypted in transit.
I could read anyone’s DMs to users on other servers
If you’re an administrator for (WordPress) ActivityPub server A, you can see all the DMs coming to and leaving from your server, yes. And they’re not encrypted at rest, so you can read them any time. But how would you see DMs going between server B and server C, when your server isn’t involved in the transaction?
It apparently scrapes everything on the public feed. So when I subscribed to users on Mastodon server A from WordPress, DMs from Mastodon server A going to Mastodon server B became visible.
I had a separate account on Mastodon server A to confirm that I couldn’t see these DMs as a Mastodon user on server A, and that the WordPress scrape was grabbing messages normally not meant for public view.
This was using the ActivityPub plugin for WordPress about six months ago.
EDIT: I should be clear that I was as surprised as the other commentators that the DMs weren’t encrypted and that I could see them at all through a 3rd party software. I did NOT see DMs between local users - only cross-instance.
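An added example on the DM exchange above (not code from the thread or from any plugin it mentions): in ActivityPub a post's audience is set by its `to`/`cc` addressing while the body arrives as readable JSON, so a receiving server has to filter on addressing before showing anything on a public feed. The actor URLs, sample deliveries and function names are constructed, and the `/followers` URL shape is an assumption.

```python
# Added example: ActivityPub audience is decided by addressing, not encryption.
PUBLIC_ALIASES = {
    "https://www.w3.org/ns/activitystreams#Public", "as:Public", "Public",
}

def _as_list(value):
    """ActivityStreams allows `to`/`cc` to be a single string or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def visibility(obj, followers_url):
    """Map addressing to Mastodon-style labels."""
    to, cc = set(_as_list(obj.get("to"))), set(_as_list(obj.get("cc")))
    if to & PUBLIC_ALIASES:
        return "public"
    if cc & PUBLIC_ALIASES:
        return "unlisted"
    if followers_url in (to | cc):
        return "followers"
    return "direct"  # only named actors: what users see as a "DM"

def safe_for_public_feed(activities):
    """Return ids of objects explicitly addressed to Public; drop the rest."""
    keep = []
    for act in activities:
        obj = act.get("object")
        if not isinstance(obj, dict):
            continue  # bare IRI: addressing cannot be checked, fail closed
        followers = act.get("actor", "") + "/followers"  # assumed URL shape
        if visibility(obj, followers) == "public":
            keep.append(obj["id"])
    return keep

# Constructed inbox deliveries from a hypothetical server a.example.
ALICE = "https://a.example/users/alice"
PUB = "https://www.w3.org/ns/activitystreams#Public"

def _create(n, to, cc=()):
    note = {"id": f"https://a.example/notes/{n}", "type": "Note",
            "content": f"plaintext body {n}", "to": to, "cc": list(cc)}
    return {"type": "Create", "actor": ALICE, "object": note}

SAMPLE = [
    _create(1, [PUB], [ALICE + "/followers"]),
    _create(2, [ALICE + "/followers"], [PUB]),
    _create(3, [ALICE + "/followers"]),
    _create(4, "https://b.example/users/bob"),  # direct message, single string
]

if __name__ == "__main__":
    print(safe_for_public_feed(SAMPLE))
```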
Paywall bypass: http://archive.today/2025.03.12-170136/https://www.404media.co/the-200-sites-an-ice-surveillance-contractor-is-monitoring/
The list: https://archive.ph/o/Lldzh/https://docs.google.com/spreadsheets/d/1VyAaJaWCutyJyMiTXuDH4D_HHefoYxnbGL9l02kyCus/edit?usp=sharing&ref=404media.co
Surprisingly, Reddit is NOT on the list.
Here’s the full list of names:
4chan Archives
Discord Archives
21Buttons
500px
about.me
AllMyLinks
AllTrails
Amazon
Ameba
Amino
AnimePlanet
Apple Music
Artists&Clients
Asciinema
AudioJungle
AudiUSA
BabyCenter
Baidu
BeReal
Bigo Live
Bing
Biolink
BitChute
BlackPlanet
Blogger
Bluesky
Bodybuilding
BookCrossing
Breaches
BuyMeACoffee
Cash App
CastingCall Club
Chaturbate
Chess.com
Cigar Dojo
CityXGuide
CloutHub
Cocolog
Companies House
Cozy.tv
Cracked
Creema
Dailymotion
Danbooru
Dark Web
DeepL
DeviantArt
Disqus
DLive
Dot.cards
Douyin
Drum
DuckDuckGo
Duolingo
E621
eBay
Eporner
Etsy
Facebook
Fansly
FastPeopleSearch
Fediverse (likely ActivityPub - possibly DMs between servers)
FetLife
Fiverr
Flickr
FlightAware
Foursquare
FriendFinder
FurAffinity
Gab
Gaia Online
GameFAQs
Gelbooru
GeneralMotors
Geocaching
GeoEstimation
Gettr
Giphy
GitHub
Glassdoor
GoFundMe
Goo
Google
Goodreads
Gravatar
Guancha
GunBroker
Habbo
Hackaday
Hatena
Honda
Hubski
ILoveGrowingMarijuana
ImageShack
Imgur
IMVU
Indeed
Instagram
Instructables
JudyRecords
Jugem
JustForFans
Keybase
Kick
Kik
Last.fm
LibraryThing
Lichess
Likee
Line
LinkedIn
Linktree
LiveIn
LiveJournal
Lobsters
Mail.ru
Malgari
MapMyTracks
Marshmallow
MarTech
Massage Anywhere
Medium
MeetMe
Mercari Jp
MeWe
Minds
Minecraft
Mix
Mixlr
ModDB
Mughosts
MyFitnessPal
Myspace
MySubaru
Naijapals
Nextdoor
NissanUSA
Odysee
OFAC Sanctions List
OkCupid
OK.ru
OnlyFans
Pandia
Pandora
Passes
Pastebin
Patreon
PayPal
PCGamer
Peloton
PGP
Pinterest
Plurk
Poal
Popl
Pornhub
Poshmark
Product Hunt
ProtonMail
PSNProfiles
Reblogme
Reddit
RedGifs
Replit
ReverbNation
Roblox
Rule34.xxx
Rumble
Rutube
ScoutWiki
Seesaa
Seneporno
Signal
SkipTheGames
Skype
SlideShare
Snapchat
Sogou
SoundCloud
SourceForge
Spiceworks
Spotify
Sprashivai
Steam (fuck off you fucking fucks)
StellantisEU
StellantisUSA
Strava
Stripchat
Substack
TechNet
Telegram
Tellows
Tesseract OCR
Threads
TikTok
Tinder
TinEye
ToyotaUSA
Trakt
Triller
TripAdvisor
TrueCaller
TruthSocial
Tumblr
Twilio
Twitch
Twitter
Untappd
Venmo
VidLii
Vimeo
Vine
VirusTotal
VK
Volkswagen
VSCO
WatchMeMore
Weibo
WhatsApp
Wire
Wordfeud
Xbox
xHamster
XING
XVideos
Yahoo
Yandex
Yappy
YCombinator
Yelp
YouTube
Zhihu
Zillow
ZoneH
What are they gonna do? Download gibberish?! Lol, it’s all end-to-end encrypted with the decryption keys stored locally.
Maybe they got access to a backdoor.
.............If that is the case, I...am concerned. o_o
I mean Sweden asked for a backdoor recently. Maybe they’re jealous of the US lol
Aww man seriously DuckDuckGo is on the list? Ugh… Welp, does anyone know of any good alternatives? (I hear Ecosia’s not half-bad…)
Reddit is right there in your list.
Also:
Thanks. Brings back memories.
If they’re slurping all these other sites, I highly doubt they’re not slurping Reddit, too, even if it’s not on the list.