With the growing number of users on alternative social media platforms, such as Threads, Mastodon and Bluesky, the notion of ‘federated’ platforms and how legal frameworks apply to them are becoming a pressing issue. This CEPS Explainer dives into two characteristics of federated platforms in light of the EU’s Digital Services Act (DSA) – decentralisation and federation.
While all user accounts on traditional social media are hosted on a central server by one organisation, accounts on federated platforms (that make up the ‘fediverse’) resemble email accounts, in the sense that one can choose whether to create a Gmail, Hotmail or Yahoo account but they can still send emails to any other account because the underlying protocols are interoperable. In the fediverse, users can decide between different ‘instances’ – servers or communities – hosted by all kinds of organisations. The rules and administration of content moderation are ‘federated’ and managed by the instance hosts. Overall, there isn’t one singular decentralised social network. There are many different communities across instances on different services (e.g. Mastodon, Threads) that are in turn connected to one another. This means that content can be (and is) shared across platforms and services.
The DSA applies to fediverse services and characterises each instance as a platform. But there are two pressure points in applying the DSA to the fediverse: i) the decentralisation of server hosts results in a number of small organisations hosting instances, which means that exempting small and micro enterprises could lead to compliance gaps; and ii) the federation of services makes it more difficult on how to count the active users of services, since content is able to spread beyond one service and across platforms, thus potentially over- or underestimating the systemic risk of fediverse platforms.
This Explainer advocates that federated platforms need to engage closely with the DSA and work together on a strategy to ensure compliance. On top of this, the methodology for classifying VLOPs needs to be revisited so that the systemic risk of federated platforms can be accurately evaluated and then the responsibility for mitigating said risk is properly assigned.
