Users in a Discord server/local community on tools like Discord naturally expect that their actions within that community are private in so far as they trust everyone in the community (including the operator) to keep it so.
By using ATProto, Colibri fundamentally makes all of your communication within any community completely public to everyone on the internet.
That’s fine for something like Twitter, where the product sets the expectation of such a thing. You can imagine how big of an issue this is when you try to do it in a trusted community model. Add on that Discord is used by kids who likely don’t know this and you can see why this is dangerous.
I consider this not only just a liability but bordering negligence. It is fundamentally broken, at an architectural level
I agree that is borderline negligence, and by far the biggest issue with AT and Bsky. Here is what I believe to be the most recent discussion on that topic:
The current conversations are around how to do permissined data properly on atproto. I have a prototype, but Bluesky hasn't participated in the community effort and looks to be doing their own thing. They also took Bain Capital "funding" (private equity) which was the breaking point for me. They could have set up subs for nothing and made more than that, hard fumble imo.
Yeah having the messages be e2ee by default and then extending it out to one or more groups depending in which circles are currently included for messages could let atproto act like an encrypted group chat with crisscrossing group chats per message, which can ratchet up and along with the new enceyption keys each message/batch of 10 messages/hour/day until that client is dropped from a group or a group is dropped from a conversation, then the keys change and pfs prevents old clients from continuing to read future messages.
Sure you can see that users emit messages in the pds but you dint know if its for your former group or other activitt
Fair point! A different user has already pointed out that this isn't disclosed enough on the landing page, and I'll be adding a section to clarify that, both on there and in the app itself.
I think one of the replies here already linked the current proposal for private data spaces, which I'm hoping will become implemented later this year. At that point, people will have the option of either having their community be 100% public, or confined to a more Discord-style data storage, where people can still join, but not everyone can "just read" the messages
Just want to chime in with, this does feel very slick, but this was the #1 question I had. I could not determine it from your site, and had to try it out to see.
One major criticism of things like Discord is that they're private, so I don't think that it's inherently disqualifying, some people might even prefer it for that reason. But it's very, very important that you're very clear about this, up front.
First, the user knows this when joining a public community.
Second, the moderators can choose to remove someone who has joined the community in bad faith.
Third, it is entirely different than broadcasting every single action taken by every single user in every single community on the entire protocol to anyone with one URL.
the moderators can choose to remove someone who has joined the community in bad faith
unless you prevent new members from reading the chat history until given permission then they can already read everything before they are kicked out, and they can come back with a different account.
you also can not detect people acting in bad faith if all they do is read.
basically, you can't expect privacy if you don't limit members to people you know and trust. that goes for any group chat, encrypted or not.
i also doubt that discord chatlogs are encrypted on their servers.
> the moderators can choose to remove someone who has joined the community in bad faith
This is one of the challenges of building a Discord alternative on atproto. Allow access or not, how moderation works, and having shared ownership that can change.
What is your point? I feel I made the one you are making before you even responded the first time.
That Discord communications can be exfiltrated in this specific set of circumstances (again, something I already said) does little to change that Colibri is implemented in the least privacy preserving way possible, short of publishing directly to every news and intelligence agency on your behalf, and does little to make that very clear in the first place.
you said: Users in a Discord server/local community on tools like Discord naturally expect that their actions within that community are private in so far as they trust everyone in the community (including the operator) to keep it so.
my point is: you don't get that in a public discord. and i believe that most discord servers, those for games anyways are public. only small team discord servers are private. privacy on discord is an illusion. i also would not trust discord to keep any messages private even from a private server.
you seem to imply that just by looking like discord colibri promises the same privacy options as discord. why? colibri does not present itself as a discord alternative. and although the line "privacy when needed" was misleading, in the FAQ they clarified that there is no private data. (to be sure i checked the site as it was 2 weeks ago: https://web.archive.org/web/20260311020805/https://colibri.s... )
> First, the user knows this when joining a public community.
From Colibri: your community chats are public and visible to everyone by default.
So it's the same.
> Second, the moderators can choose to remove someone who has joined the community in bad faith.
Colibri has mod tools as well.
> Third, it is entirely different than broadcasting every single action taken by every single user in every single community on the entire protocol to anyone with one URL.
Sure, but then just don't use it?
It's really no that different from how IRC worked. Except persistent history is part of protocol and not some bots.
This is not public communities, not for small group of friends sharing edgy memes and discussing national security.
This is one of the challenging aspects about defining permissioned spaces on atproto. In essence, you have a completely separate database per user (sits next to their repo) with which you can do permissioned public->private spectrum. Nesting more privacy inside another permissioned space requires breaking the typical permission walking chain, eg. in Google Docs, if you have access to a folder, you have access to the subfolders.
Please consider adding screenshots of the UI that provide an idea of what the experience will be like without having to log in using Bluesky or other credentials.
It's impossible to consider ATproto apps usable until the horrific oauth situation is fixed. It's still not possible to adjust oauth permissions to something restrictive dynamically so every app needs a new account which kind of defeats many of the interop promises, if apps even allow it (colibri requires invite code)
This looks neat, but should I be concerned about the permissions this is requesting for my account? Bluesky: Manage your profile, posts, likes and follows
> This implementation is almost entirely vibe-coded for the purpose of being able to quickly get started with development of the main application. It will be re-written in the near future to take advantage of Tap and be reworked to include all user data storage as well as any OAuth capabilities, which currently reside within the website's backend. If you are interested in helping with this, start a discussion on this repo!
ActivityPub (Mastodon etc) has already very granular permissions wrt. who to federate with, which posts to make public, edit or withdraw posts after initial creation, etc. catering to EU privacy and moral/personality rights demands.
For closed group chat, there are many alternatives.
Discord is after all a video chat app designed to be used during a gaming session first and foremost.
> Running a private group chat? As soon as the AT protocol supports private data, we'll work on implementing it and giving you the option to create private communities.
Not exactly "private when needed" then, is it? It's disingenuous to even mention this in the marketing copy.
Is there anything like this but more of a reddit style layout?
I'm on a Facebook group and we're actively trying to get off of all Meta platforms, and wanted to see whether I could start up my own platform using an open source platform - but I think something like Reddit would be more suitable as opposed to a massive chat UI.
We need more aggressive laws to prevent privacy destroying platforms.
Every person who creates a website or platform that advertises any kind of private communication but does not fully encrypt user data must go to jail.
This cancer needs to be stopped.
Discord's main problem for me is that it's built around people having one and only one user, which is a huge privacy and pseudonymity mess. The only alternative that works somewhat is using the PTB version of Discord for your "alts".
If this project has genuinely decent multi-user support instead of the miserable experience of Discord, I'd emphasize and promote that first over being a Discord-like, since this genuinely improves on some of the privacy issues of Discord, despite AT Proto being public.
Better to distinguish the product from Discord rather than promoting how similar it is. Because of the public architecture, it's more similar to a forum board than Discord anyway, so you could also just as well give people another interface by showing the community as a conventional website. People may or may not like it, but it's basically what it practically is.
One of the big issues with Discord is that it takes public knowledge like wikis and makes it private instead - and beholden to the whims of mercurial mods and admins. Information being public doesn't have to be a bad thing that way.
Instead of Discord, you can give the people Discourse. :)
tl;dr: AT Proto being "open" can look like a bad thing in nominally private spaces like Discord, so promoting as something more open like an open forum board rather than a closed Discord server might be more interesting and persuasive. But I'm also a forum board evangelist.
Thanks for building this, UX is nice and should encourage people to switch from Discord. Bsky only is a bit disappointing as it is still heavily centralized. I would love to see a system like this that can also set up channels over Nostr and the Fediverse. Fragmentation is starting to become an issue with decentralized and federated social.
103 comments
By using ATProto, Colibri fundamentally makes all of your communication within any community completely public to everyone on the internet.
That’s fine for something like Twitter, where the product sets the expectation of such a thing. You can imagine how big of an issue this is when you try to do it in a trusted community model. Add on that Discord is used by kids who likely don’t know this and you can see why this is dangerous.
I consider this not only just a liability but bordering negligence. It is fundamentally broken, at an architectural level
https://github.com/bluesky-social/atproto/discussions/3363
Sure you can see that users emit messages in the pds but you dint know if its for your former group or other activitt
I think one of the replies here already linked the current proposal for private data spaces, which I'm hoping will become implemented later this year. At that point, people will have the option of either having their community be 100% public, or confined to a more Discord-style data storage, where people can still join, but not everyone can "just read" the messages
One major criticism of things like Discord is that they're private, so I don't think that it's inherently disqualifying, some people might even prefer it for that reason. But it's very, very important that you're very clear about this, up front.
https://www.malwarebytes.com/blog/news/2024/04/billions-of-s...
Second, the moderators can choose to remove someone who has joined the community in bad faith.
Third, it is entirely different than broadcasting every single action taken by every single user in every single community on the entire protocol to anyone with one URL.
unless you prevent new members from reading the chat history until given permission then they can already read everything before they are kicked out, and they can come back with a different account.
you also can not detect people acting in bad faith if all they do is read.
basically, you can't expect privacy if you don't limit members to people you know and trust. that goes for any group chat, encrypted or not.
i also doubt that discord chatlogs are encrypted on their servers.
> the moderators can choose to remove someone who has joined the community in bad faith
This is one of the challenges of building a Discord alternative on atproto. Allow access or not, how moderation works, and having shared ownership that can change.
That Discord communications can be exfiltrated in this specific set of circumstances (again, something I already said) does little to change that Colibri is implemented in the least privacy preserving way possible, short of publishing directly to every news and intelligence agency on your behalf, and does little to make that very clear in the first place.
my point is: you don't get that in a public discord. and i believe that most discord servers, those for games anyways are public. only small team discord servers are private. privacy on discord is an illusion. i also would not trust discord to keep any messages private even from a private server.
you seem to imply that just by looking like discord colibri promises the same privacy options as discord. why? colibri does not present itself as a discord alternative. and although the line "privacy when needed" was misleading, in the FAQ they clarified that there is no private data. (to be sure i checked the site as it was 2 weeks ago: https://web.archive.org/web/20260311020805/https://colibri.s... )
> First, the user knows this when joining a public community.
From Colibri: your community chats are public and visible to everyone by default.
So it's the same.
> Second, the moderators can choose to remove someone who has joined the community in bad faith.
Colibri has mod tools as well.
> Third, it is entirely different than broadcasting every single action taken by every single user in every single community on the entire protocol to anyone with one URL.
Sure, but then just don't use it?
It's really no that different from how IRC worked. Except persistent history is part of protocol and not some bots.
This is not public communities, not for small group of friends sharing edgy memes and discussing national security.
> This implementation is almost entirely vibe-coded for the purpose of being able to quickly get started with development of the main application. It will be re-written in the near future to take advantage of Tap and be reworked to include all user data storage as well as any OAuth capabilities, which currently reside within the website's backend. If you are interested in helping with this, start a discussion on this repo!
https://github.com/colibri-social/appview/blob/main/README.m...
ActivityPub (Mastodon etc) has already very granular permissions wrt. who to federate with, which posts to make public, edit or withdraw posts after initial creation, etc. catering to EU privacy and moral/personality rights demands.
For closed group chat, there are many alternatives.
Discord is after all a video chat app designed to be used during a gaming session first and foremost.
> BUILT ON OPEN STANDARDS. PRIVATE WHEN NEEDED.
> Running a private group chat? As soon as the AT protocol supports private data, we'll work on implementing it and giving you the option to create private communities.
Not exactly "private when needed" then, is it? It's disingenuous to even mention this in the marketing copy.
I'm on a Facebook group and we're actively trying to get off of all Meta platforms, and wanted to see whether I could start up my own platform using an open source platform - but I think something like Reddit would be more suitable as opposed to a massive chat UI.
“Open social” is so much bs compressed in a couple of buzzwords.
If this project has genuinely decent multi-user support instead of the miserable experience of Discord, I'd emphasize and promote that first over being a Discord-like, since this genuinely improves on some of the privacy issues of Discord, despite AT Proto being public.
Better to distinguish the product from Discord rather than promoting how similar it is. Because of the public architecture, it's more similar to a forum board than Discord anyway, so you could also just as well give people another interface by showing the community as a conventional website. People may or may not like it, but it's basically what it practically is.
One of the big issues with Discord is that it takes public knowledge like wikis and makes it private instead - and beholden to the whims of mercurial mods and admins. Information being public doesn't have to be a bad thing that way.
Instead of Discord, you can give the people Discourse. :)
tl;dr: AT Proto being "open" can look like a bad thing in nominally private spaces like Discord, so promoting as something more open like an open forum board rather than a closed Discord server might be more interesting and persuasive. But I'm also a forum board evangelist.
Use AS2.
Use AS2.
Making decentralized social media?
Use AS2.
This is not chat, it’s social media with a chat UI.
You should use AS2.
AT is a joke invented by nontechnical people. They had 1 good idea (updatedAt and use of At) everything else was not good for decentralization.
AS2 is perfect for feeds of content especially when you want to nest other content e.g. a user posted a reply to a comment on a game.
AT is centralized social media with cancer, stop using it.