I recently discovered that some popular federated instances have been using LLM-assisted moderation tooling that evaluates whether someone has said something bannable. They do this by running a script/app that sends the user’s comment history to OpenAI with the question “analyze this content for evidence of specific political ideology sentiment. Also identify any related political ideology tropes”. (The italic bits are where I’ve redacted the ideology they’re seeking).

OpenAI’s LLM (they’re using GPT-5.3-mini) then responds with something like:

[image]

and so on, hundreds of comments.

I have not named the instances or people involved, to give them time to consider the results of this discussion, make any corrective changes they want and disclose their practices at their own pace and in their own way. I have also redacted the evidence to avoid personal attacks and dogpiling. Let’s focus on the system, not the individuals involved. Today these instances and people are using it, and maybe we’re ok with that because it’s being used by groups we agree with, but what if people we strongly disagree with used it on their instances tomorrow?

The use and existence of this tooling raises a lot of other questions too.

What are the risks? Fedi moderators are often unsupervised, untrained volunteers and these are powerful tools.

What safeguards do we need?

Would asking an LLM “please evaluate this person’s political opinions” give different results than “find evidence we can use to ban them” (as used in the cases I’ve seen)?

What are our transparency expectations?

Is this acceptable and normal?

Should this tooling be disclosed? (it was not – should it have been?)

If you were given a choice, would you have opted out of it?

Can we opt out?

Are there GDPR implications? Privacy implications? Should these tools be described in a privacy policy?

Are private messages being scanned and sent to OpenAI?

How long should these assessments be retained and can we request to see them, or ask for them to be deleted?

Once the user’s comments are sent to OpenAI, are they used to train their models?

What will the effect be on our discourse and culture if people know they are being politically profiled?

Where are the lines between normal moderation assistance tools, political profiling and opaque 3rd-party data processing?

I hope that by chewing over these questions we can begin to establish some norms and expectations around this technology. The fediverse doesn’t have any centralized enforcement so we need discussions like this to develop an awareness of what people want in terms of disclosure, privacy, consent and acceptable use. Then people can make choices about which instances they join and which ones they interact with remotely.

And of course there are the other issues with LLMs relating to environmental sustainability, erosion of workers’ rights, increasing the cost of living and on and on. I can’t see PieFed adding any functionality like this anytime soon. But it’s happening out there anyway so now we need to talk about it.

What do you make of this?

  • General_Effort@lemmy.world
    9 hours ago

    GDPR-wise, this is the absolute nightmare scenario.

    Data about the political orientation is defined as especially sensitive (“special category data”). When people just straight post their ideological leanings, that’s one thing. But what’s described here is profiling. All the available data relating to a person is analyzed by “automatic means” and used to assess their leanings. This then is used to discriminate against them. It doesn’t get much worse.

    This might be legal in very specific circumstances. E.g., non-profit religious or political organizations are allowed to police their members and associates to some degree. That would involve quite some extra paperwork. But it doesn’t apply here anyway.

    Apparently that is on top of ordinary GDPR violations. The processing is done by a third party (OpenAI) without the necessary paperwork. You remember that billion Euro fine that Meta got? That was because they processed data outside the EU, in the US. And that wasn’t even “special” data.

    You know what those cookie banners in the EU look like? That’s for normal data. All the disclosure, all those settings are legally required. Some people on the Fediverse go apeshit over far smaller things.

    This may also be a problem for other instances. Your instance sends all your data (except e-mail and IP address) to anyone in the world who asks, with no strings attached. That may be okay as long as users understand that that’s exactly what they sign up for. Looking at comments here, it doesn’t seem like that is universally understood. That’s a problem. On top of that, we now have a situation where there are hints that the personal data is being abused.