- 24 Dec, 2025 *
A discussion continuing on from Ava’s post on choosing alt web services and the risks inherent in using small web sites and self-hosting.
So I read Ava’s post recently about choosing indie/small web options over large corporations and I completely agree with all of the things she discusses that people should consider before doing so. I was reminded of it by reading Becky’s post commenting on it last night.
Personally, what I look out for when I am looking for a new online service are:
- a professional looking terms of service and privacy policy that indicates they understand the moral and legal responsibility of hosting other people’s data
- …
- 24 Dec, 2025 *
A discussion continuing on from Ava’s post on choosing alt web services and the risks inherent in using small web sites and self-hosting.
So I read Ava’s post recently about choosing indie/small web options over large corporations and I completely agree with all of the things she discusses that people should consider before doing so. I was reminded of it by reading Becky’s post commenting on it last night.
Personally, what I look out for when I am looking for a new online service are:
- a professional looking terms of service and privacy policy that indicates they understand the moral and legal responsibility of hosting other people’s data
- clear indication of where geographically the servers are hosted
- clear indication of what legal jurisdiction they are operating in
- if it is hosting a lot of user-generated content like a mastodon server or blog, a clear content moderation policy that isn’t "don’t be mean" - ideally with clear examples of what is and isn’t acceptable and demonstration that they understand fundamental issues of content moderation such as the "Nazi bar" problem
- admins, developers, and mods who have prior experience running online services or similar small businesses
- an indication of how the project is being financed and long term goals around financing - ideally a transparent budget, but that’s rare
- demonstration that the admin/developer has planned for if they are hit by a bus
- indication that the project is currently being developed and actively maintained
- up to date and clear documentation / support
- an account deletion button (does not require contacting support)
- a one-click export/backup function in a non-proprietary format (does not require contacting support)
- support / moderation has clear off-platform contact methods, preferably multiple including email ("just send me a DM" well what if the problem is that I have lost access to my account? if I make a throwaway account how are you going to confirm I am the person who owned the original account?)
Not every service needs to have all of these points. For something important that I rely on and will contain a lot of personal information like a social media or blogging site, or a calendar or email service, I am much more strict than if it’s a movie tracker website. But I’ve started making looking for an export button a priority whenever I’m trying out a new site and now that is a non-negotiable. It seems to be a good rule of thumb metric for if a service is reliable and trustworthy or not. There is no guarantee the export will always continue working, though, so I am always looking out for warning signs that the developer is losing interest, moderators are dwindling, bugs aren’t being repaired, financial information is suspiciously scarce, or paywalls are increasing so I can get out early.
An aside on the trustworthiness of FOSS projects (again)
"FOSS means you can check the code yourself" needs to stop being an excuse for the community to wash their hands of any responsibility whenever an issue gets too difficult to deal with. In the same way that we cannot all be testing every food we eat for toxins we cannot be auditing and vetting every piece of software or online service we use. It is simply unrealistic. We all rely on a network of trust to get through our day without dying, from international and government regulations to professional standards to trusting other drivers to behave predictably while driving and people using the public washroom wash their hands. Nobody is enough of an expert in everything to manually judge the trustworthiness of everything they use, even experienced software developers do not know every single language or library or potential security issue! I’m definitely not the first person to say it, but FOSS software cannot claim to be both a silly hobby project with no responsibility to the end user and also a trustworthy and reliable system that can be recommended widely to the general public for tasks important to day to day life.
Self-Hosting Means Trusting Yourself
But following on to Ava’s point that you have to have a certain level of trust that the people who run smaller services are actually ready to be responsible business owners, if you decide you do not trust them the main option offered is to host it yourself.
And there seems to be an underlying assumption that doing so is more trustworthy and reliable, because you have control over it. (For the purposes of this article I am temporarily ignoring the fact that there is a long chain of things you do not, in fact, control when you "self-host".) But that assumes that I am more trustworthy than a large corporation full of hundreds if not thousands of people, most of whom are experts in their fields being paid full time to work on it. And I know I am not.
I have seen a lot of people recommend to a tech newbie that they should buy a domain name and use it for an email address as if that is definitely safer and more reliable than using an email provider’s domain.
If hosting or domain names cost money, what happens when I can’t afford it any more? Or forget to renew it and someone else grabs it? About ten years ago I had three separate domain names and I cancelled all of them to save money, along with all my other subscriptions and servers, so I completely lost access to all the email accounts associated with them and any links pointing to them are dead. One of them now hosts a completely different website. So this isn’t a hypothetical nightmare scenario for me, it’s something that has already happened once and could completely happen again.
I could be locked out of my Google accounts for any random reason according to Google’s whims, but I also could have a power surge at home that overwhelms my surge protector. I could have a drive fail. I could have a house fire, or a robbery, or a water leak. I could make a simple mistake in the shell and delete all my files with a misplaced rm -rf. I could get hit by a phisher or a ransomware attack. My backups could fail or be corrupted or be deleted. I could become homeless (again) or have to move in with other people in a place where I don’t control the router or the quality of the internet. I could become more disabled and unable to have the energy or mental capacity to understand or work on these projects.
I do not trust my own memory, I do not trust my own software skills, and so I plan for the fact that I am unreliable. And anybody who thinks they aren’t unreliable is dangerously delusional. In life-critical fields you are taught that any system that relies on humans to not make a mistake is fundamentally unsafe. Because people will makes mistakes, and they will make bad decisions, and systems needs to account for that. Putting everything onto a single point of failure (me) is unsafe.
In the end I think this comes back to the fact that most programmers and tech workers in general are very privileged and so exist in a reality where terrible life-altering things happen to other people. The vast majority of people think "Well, that might be bad, but it won’t happen to me".
You could slip on some stairs, fall, and be disabled for life today. Unable to work, no income, fighting for disability benefits, friends stop talking to you, family get tired of supporting you. You could get COVID or any other viral illness that triggers ME/CFS and become unable to literally leave your bed to do basic life maintenance tasks let alone focus long enough to ssh into your server. You could develop arthritis that makes using a mouse and keyboard extremely painful. You could develop Parkinson’s or Alzheimer’s or dementia and find your body and mind no longer works the way you want it to. Aging happens to everyone.
That is all aside from all the other family and life events that can make maintaining a server and multiple pieces of software not a reasonable thing to spend hours on every week, or drop everything to fix. Your partner gets laid off so you have to work more hours. Your partner or family member becomes disabled so you have to take care of them and take on all the household responsibilities. You have a baby, I hear those are a lot of work. You get a divorce or there is a death in the family. Your kid is struggling in school and you need to focus on getting them help. You have to move to another country to avoid political persecution. Your family is at risk of being deported or attacked. Your country may be invaded or unstable.
An awful lot of things can happen that make updating docker containers and reading release notes and troubleshooting bugs not a priority. When you’ve convinced all your family and friends to use your self-hosted server for all their most important day to day tasks anything that causes you to not be able to maintain that fucks them all over too. And there’s no support team to call.
As someone who is disabled and has been precariously housed and living in poverty, I know any of these things can happen to me at any time because they have happened before. And it informs how I calculate risk when it comes to having a Google email account vs paying a subscription to an email service / domain name registrar vs hosting it myself. And I think more people who are promoting self-hosting as the cure for all internet ills need to consider those personal life risks more seriously.