22 Dec, 2025
A while ago, my brother-in-law asked around friends and family if anyone wanted to join the (private) cloud/file service he spun up.
Practical, right? Many outside the corporate web believe in smaller services within friend groups, families, and local organizations as the way forward. Instead of trusting big companies who could (or rather, will) enshittify and become too big and bloated (Google, Meta, Microsoft...), we should trust smaller maintainers within our circles.
The offer made me ponder what I would upload to the file service, and how much I would trust my brother-in-law with the files. Not just the integrity, but the uptime, the availability when issues arise, how swiftly severe bugs or security issues would be patched, and the uncomfortable question about confidentiality: Should I only upload files I don’t mind him seeing, or should I trust him that he wouldn’t look at them?[1]
That made me think: How much do we trust alternatives to big tech?
When we host our various things like emails, image backups, blogs, social media accounts etc. with these big companies, a certain professionalism is expected. You’re dealing with a corporate entity, so you probably have the following expectations:
- I’m a consumer, and I have consumer rights against this corporation. I don’t feel bad about potentially suing them, because I’m suing the company, not one individual.
- While messaging their support, they (or nowadays, their AI chatbot?) keep it professional and are available in a reasonable time.
- I can lodge complaints and expect a fix fairly fast, and downtime is usually resolved within an hour or a few.
- No one person or one department has access to absolutely everything, and especially not unchecked. Lots of eyes, control mechanisms, logs, and separation, limited rights and access on a need-to-know basis.
- People working there get paid for this, which affects how they treat the service or what they cannot risk doing.
- There are internal consequences for non-compliance, and there are internal workflows on how to deal with specific cases the same every time; even just deletion requests or requests for personal information.
- There are far too many employees, and far too many users; why should I, of all people, be interesting enough to have my privacy violated by an employee?
- I have a right to request my data, and a right to data portability. Due to financial interest in keeping the company going, they’re future-proofing.
All of these (whether they are actually realistic and enforceable or not) can give us a sense of security. A cold, sterile business relationship, like the one to our water provider.
If we want to switch away from these data-harvesting giants to smaller solutions, we are confronted with the fact that usually, it’s a small group of people, or even just one person. Some try to build up a smaller service professionally, but many just do it on the side, as a hobby. A Mastodon or PixelFed instance, another social media alternative, or media sharing.
That poses some challenges and questions for the average user:
- Do I still have consumer rights, even just rights like the GDPR, or not?
- Would I be comfortable pursuing this person legally if shit went sideways or they abuse or leak my data? Can I even, if this is just an internet stranger with a nickname and an email address?
- Can I expect a professional relationship about this service?
- If this is just done on the side as a hobby or experiment, will the person actually continue it after the first few weeks? What do I do if I lose this?
- Will they have the time and energy to continue to update it and care for it, and keep my data safe?
- If I need a quick fix or tech help, would they be able to respond in a timely manner? Depending on what it is, it might be urgent.
- Can I trust this person not to abuse their admin power and look into everything? Even if it’s SFW, maybe I wouldn’t want a stranger to click through my image files (... and use them for AI training or to make deepfake nudes I don’t know about?).
- Is data portability a thing at all with their service? Can I export the data in any meaningful and useful way?
- Does the maintainer do any sort of future-proofing?
These concerns make smaller services feel less reliable and trustworthy.
A big corporation can (and will) obviously mess up as well and the data breaches and downtimes are a lot more impactful, but: The roles are clear, legal identities are divulged publicly if needed (like their data protection officer!), and someone is responsible for an issue. With a small group of strangers or even just one person online that you don’t know, this is more opaque and there are not necessarily any consequences, quality control, workflows or customer service. There is often not even a real name offered that you can use for any sort of complaint or legal action.
I think I might have talked about this in another blog post or alluded to it, but there is a creator of a variety of indie web services that just refuses to delete my accounts since at least 2023. It started with just one I wanted gone, but nowadays I want all of them gone. After multiple fruitless attempts at asking for deletion via email and having no full account deletion in the settings page, I filed an official complaint at the Data Protection Authority responsible for my area.
Unfortunately, they were almost entirely useless, because as long as I do not have the full legal name of the person behind all those services, they say they cannot do anything. These fossils do not want to send out an email reprimanding them for being non-compliant despite processing the EU citizen’s data and even taking money for it, they insist on sending an actual letter to the person’s residence and don’t want to put effort into getting that address from the hoster. Their feedback ended with the great advice that next time, I shouldn’t sign up to websites that don’t have a privacy policy, proper account deletion process, or a responsible person named. Well, geez, wish I could time travel and tell 2021 me that, who had rose-tinted glasses about indie web alternatives.
Nowadays, I indeed don’t sign up, and I make sure to remind every project I see that necessitates user accounts to please fulfill at least the PP and the deletion process. I know I cannot make any of them share their full name if they don’t want to.
Being better than the big players doesn’t just involve not doing the excessive data harvesting they do, but also handling the little bit of data you get with care, and having processes in place that make dealing with user data easier and give a lot of control to the user, and ideally, let them know who they’re dealing with.
And that’s where it really differs from case to case, because at Bearblog, I am really happy with how things are and have turned out so far, despite it only being one person. It is professional, I get amazing customer support, I know the legal identity, and I can find out exactly how data is collected and processed. Plus: There is an account deletion I can initiate on my own without having to message someone and hope for the best.
For comparison, it took Cohost (that was run by a small group of people) about 4 months or so to delete my account that I had to request via email, and it took someone I know over a year. That means constantly checking back in whether the deletion has gone through and the profile is still up, and that is not only annoying, but it can also threaten the safety of people who get found by stalkers, family members and others. Some of these things are time-sensitive, and it’s irresponsible and non-compliant to not have a better system in place.
Strangers are simply a hit or miss. Could be a creep that reads all your DMs to other people on the instance, or not. What about a friend? If your friendship breaks apart, do you lose the service and the data accumulated on there? If it’s a family member and something really bad happens with your data and account, do you want to risk the family peace by holding them accountable? Honestly, no one wants to set up a formal contract for something like this as it feels silly, and many won’t. So what basis do you have?
If you are lucky, the indie project you want to use has open‑source code, transparent incident logs, and community reviews and PRs that serve as proxies for professionalism and quality control, but in my view, that is rather uncommon.
I don’t want to badmouth smaller alternatives, as I am still a big fan of them and rely on them. I just want to discuss these fears and risks, and some of my good and bad experiences. I want them to thrive and do better in these topics. Trust sadly isn’t purely rational, and familiarity, perceived competence, contracts, incentives, and consequences play important roles.
Published 22 Dec, 2025
[1] For the record, I trust him not to look at them, but it’s still a thought I had, since I never had to decide that before.