CARIAD Policy

Consensus Aggregated Retractable IFTAS Allowlist Denylist

Version 1.2 May 1st, 2025

Summary #

CARIAD is intended to provide new service providers a basic, first step in reflecting the domain blocking activity demonstrated by high volume service providers, as a means to block the most widely blocked domains. IFTAS Needs Assessment respondents; community members; and advisors have asked for a shared knowledge of the most commonly blocked domains. The CARIAD list reflects the observable domain blocks affecting roughly 55% of all Mastodon accounts.

CARIAD cannot and will not provide safety for all possible use cases.

Many communities will require additional research and resources to provide more comprehensive domain federation management. Specifically, CARIAD does not protect LGBTQ, BIPOC, BAME or other marginalised communities. Additional research will be required to better serve your membership, we recommend reviewing the Denylist Resources section of the IFTAS Connect Library.

CARIAD is not intended to be a long term solution. It is highly recommended that new service providers first use CARIAD or a similar “minimum necessary” list to begin their domain curation activities, then explore additional resources.

Motivation #

Newcomers to Mastodon service provision are often unaware of the full extent of the large number of servers with which they will immediately federate content once installation is complete. A known number of these federating servers are operated by bad faith actors, leading to documented cases of newly-created servers being overwhelmed with hate speech, illegal content, network or service abuse, and spam.

Denylist assistance is an oft-requested feature and the lack of knowledge or at-install support for denylists leads to documented cases of new administrators being overwhelmed by hate speech, trolling, network or service abuse, and spam. This highlights the need for an effective, early denylist approach to curtail the most obvious vectors for abuse and inauthentic behaviour.

As noted in The Atlantic Council’s Task Force for a Trustworthy Future Web report “Scaling Trust on the Web”:

“Federated spaces have many of the same propensities for harmful misuse by malign actors as mainstream platforms like Facebook and Twitter, while possessing few, if any, of the hard-won detection and moderation capabilities necessary to stop them. Each instance of a federated service can choose for itself what its governance approach will be. Community standards, content moderation, user reporting, and protecting against large-scale or coordinated campaigns of harassment or disinformation—even within an individual instance—require a broad array of technical, institutional, financial, and logistical competencies that federated spaces are not currently designed to support.”

Securing Federated Platforms: Collective Risks and Responses notes that

“…shareable or centralized denylists—that is, lists of instances believed to be malicious or harmful that can be blocked en masse by instance administrators and moderators—are a useful first step for knowledge-sharing among community members, while alleviating burdens on moderators to curate and block instances individually. Initial implementations of shared instance denylists could readily extend to a critical gap identified in our analysis: an inability to exchange content moderation decisions and threat information across instance boundaries.”

The high-volume providers that CARIAD observes have demonstrated that they block domains for:

• Network and service abuse, spam, malware, malicious activity;
• Illegal (in their respective jurisdiction) content – this may include (but is not limited to) sale of illicit drugs or weapons, child sexual abuse material, terroristic content, advocation of national socialism;
• Inactive domains – domains that are no longer in service but may become available for sale or otherwise transferred and re-used maliciously.

CARIAD Policy Specification #

Intended Use #

CARIAD is intended to provide new service providers a basic, first step in defederating the domains already widely defederated by high volume service providers. IFTAS needs assessment respondents, community members and advisors have asked for a shared knowledge of the most commonly blocked domains. The CARIAD list reflects the observable domain blocks in place covering roughly 55% of all Mastodon accounts.

CARIAD cannot and will not provide safety for all possible use cases. Many communities will require additional research and resources to provide more comprehensive federation management. It is not intended to be a long term solution, and resources are listed below for service providers seeking to enhance their denylist to further curate the domains with which they federate. 

Source Inclusion Criteria #

CARIAD combines data from two sources:

1. The IFTAS Do Not Interact list, a manually reviewed list of domains labelled by harm. 
2. A curated aggregation of the blocks in place on high volume Mastodon service providers. To be eligible for observation, each service provider is reviewed for the following criteria:
   1. Have been in service for at least 6 months;
   2. Have at least 0.25% of total MAU as measured by FediIndex (at time of writing this is roughly 2,200 MAU);
   3. Themselves have a demonstrable set of domain blocks already in place;
   4. Not themselves appear on the CARIAD or DNI lists.

Bias #

The inclusion criteria is a mix of North American, Western European and Southeast Asian service providers. This biases the list in favour of white and global north speech and prejudices, and as such should be used only by new service providers who are comfortable reflecting the aggregated views of white or global north service providers.

Additionally, the sources represent the largest service providers, who have generally favoured preserving relationships over blocking speech and content, and therefore are less likely to take action against domains that others may consider worthy of blocking. Larger service providers are also less hesitant to block a small service with few accounts, which may lead to unintended aggregation of this bias. 

Domain Inclusion Criteria #

As new entries become eligible for inclusion, they are reviewed by IFTAS staff and advisors. If approved for inclusion, entries are listed with the majority recommendation. Domains listed on the IFTAS DNI list are included at the IFTAS severity level, regardless of observed sources.

The database and its associated lists will be reviewed quarterly by IFTAS to ensure the criteria are working as intended, and not causing harm to any community. 

Domain Exclusion Criteria #

As and when domains fail to meet inclusion they will be delisted, and FediCheck will remove the listing from any subscribed server. 

Appeals #

In order to appeal a listing, a request must be sent from an address at the listed domain (eg: abuse@example.com) to our contact address below, with evidence that the issue has been resolved. We may verify the address by sending back a confirmation message asking for a response. 

Delisting requests must be sent to the delisting email address, written in English language, in text form: delist-cariad (a) iftas (.) org 

Requests are typically investigated and processed within three business days. 

All delistings are free of charge.

Listing Longevity #

As an observational list, all listings are observed and reported. Each individual listing will remain on the list for as long as a listing is visible on any of the sources and meets the requisite threshold. 

Access #

Access to the CARIAD list will be free and available via the domain observatory service. No payment is required for use of the list, nor for listing or delisting requests.

Public Feedback #

Members of the public may make enquiries about the list, or raise issues, using the email contact@iftas.org

Further Reading #

Denylist Resources #

CARIAD is intended to be a new service provider’s first step in obtaining recommendations for limiting or defederating third-party services. It is highly recommended that service providers research additional resources to understand the threats, mitigations, and approaches to managing domain federation. The following links may be of help in this regard.

• GitHub – eigenmagic/fediblockhole: A tool for automatically syncing Mastodon admin domain blocks 
• GitHub – ineffyble/mastodon-block-tools: An attempt to list as many different projects/tools/scripts related to Mastodon & fediverse block management as possible 
• Importing ready-made server blocklists on your own Mastodon server
• Mastodon Blocklists

Server Administration and Moderation Communities #

Online communities are a good way to learn from experienced service providers and community managers.

• https://stg-iftasmembers-761.ue1.rapydapps.cloud/forums/ – IFTAS Connect discussion forums
• https://matrix.to/#/#space:matrix.iftas.org – IFTAS moderator community chat
• https://matrix.to/#/#mastodon_admin:matrix.org – Community admin chat
• https://matrix.to/#/#mastodon_moderation:matrix.org – Community moderation chat
• https://matrix.to/#/#local-moderators-hub:matrix.org – Locality-based service providers
• https://discord.gg/jxEMxvF7 – The official Mastodon chat space

Academic Research #

These papers may be helpful in understanding the benefits and dangers of shared lists.

• Mansoux, A., & Roscam Abbing, R. (2020). Seven Theses on the Fediverse and the Becoming of FLOSS (pp. 124–140). Institute for Network Cultures and Transmediale. http://urn.kb.se/resolve?urn=urn:nbn:se:mau:diva-55221
• Zulli, D., Liu, M., & Gehl, R. (2020). Rethinking the “social” in “social media”: Insights into topology, abstraction, and scale on the Mastodon social network. New Media & Society, 22(7), 1188–1205. https://doi.org/10.1177/1461444820912533
• Gehl, R. W., & Zulli, D. (2022). The Digital Covenant: Non-Centralized Platform Governance on the Mastodon Social Network. Information, Communication & Society. https://hcommons.org/deposits/item/hc:49433/
• Rozenshtein, A. Z. (2022). Moderating the Fediverse: Content Moderation on Distributed Social Media. SSRN Electronic Journal. https://www.journaloffreespeechlaw.org/rozenshtein2.pdf 
• Van Raemdonck, N. & Pierson, J. (2022) A conceptual framework for the mutual shaping of platform features, affordances and norms on social media Tijdschrift voor Communicatiewetenschap vol. 50 nr.4 pp.358-383  https://cris.vub.be/ws/portalfiles/portal/92575001/TRANSLATION_Conceptual_framework_for_interaction_of_platform_features_FINAL.pdf 
• Marwick, A. E. (2021). Morally Motivated Networked Harassment as Normative Reinforcement. Social Media + Society, 7(2), 205630512110213. https://doi.org/10.1177/20563051211021378 

FAQ #

1. What sources does the aggregation process draw from?
   IFTAS manually curates a list of service providers that are deemed appropriate and representational. The source for CARIAD is IFTAS, not the observed sources.
   
2. How are observed sources weighted?
   No weighting is applied, other than the source inclusion criteria, which precludes all but the largest providers from participating.
   
3. What happens when a CARIAD source blocks an instance because it appears on the CARIAD list?
   A potential outcome of this activity is a number of domains may slowly progress to 100% observed agreement. This is an anticipated possible outcome that we will monitor and act on as needed. Of note, the observed sources at time of writing do not themselves collectively block any single domain, and fewer than ten percent of all observed domain blocks are shared by more than half the sources.
   
4. Does IFTAS perform manual review?
   Each domain is reviewed for inclusion by IFTAS before being made available to FediCheck.
   
5. What are the reasons or labels?
   IFTAS uses a shared vocabulary for the DNI list, and may, in the future, undertake to label additional domains and/or incorporate labels from trusted flaggers.
   
6. Why “CARIAD”?
   Cariad is the Welsh word for love. We believe helping create and preserve safety is an act of love.