Looking at most implementations’ activities, they have the followers collection URI in the ‘to’ or ‘cc’ fields.
Would it be a privacy issue if every single recipient the activity was sent to was listed in the ‘to’ or ‘cc’ fields?
Short answer: yes
Longer answer: there is more to consider than just privacy. By including the followers collection, you are also signaling to the recipient who those other people are. This provides semantics for both display and a way to address future replies correctly. The other recipients might ignore directly addressed replies and the thread owner won’t know that your reply should be forwarded to the followers on your behalf. The followers collection could also change at any time.
If it’s not resolvable, then it doesn’t particularly matter – delivery happens once and software takes it from there.
As metadata, it pretty much exactly follows email semantics – in theory, you could see other to/cc recipients on the activity, and bto/bcc will be stripped for any recipients in those.
As far as the ActivityPub spec goes, dereferencing is supposed to be done at delivery time, so including a followers collection in C2S should be converted to every single recipient for S2S – but in practice, existing software will happily send out follower collections in to/cc over S2S even if they are not dereferenceable or resolvable. The presence of a follower collection in S2S is generally treated similarly to the as:Public “magic collection” – in other words, the receiving server will do what it wants to do with the activity.
You basically ignored everything I said about replies. That’s why it’s there. It’s not some accident or bug like you say.
I was answering MediaFormat’s question, but:
On a software level, you generally cannot address other people’s followers. Such an activity will be discarded as invalid due to lack of authority. Spec-wise it should be fine to address someone else’s followers in an activity delivered to that person, but only to that person (see: Forwarding From Inbox). In practice it is left up to the implementation, and if that implementation is Mastodon for example, then your activity will not be forwarded unless it is LD-signed. However, it is equally possible to filter out such activities as “spam”:
The server MAY filter its delivery targets according to implementation-specific rules (for example, spam filtering).
Generally, though, for your own activities and your own followers collection, what I said in my previous post applies – it may or may not be dereferenced before delivery.
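To make the delivery semantics discussed in this thread concrete (followers collection dereferenced at delivery time, bto/bcc stripped from the outgoing copy, as:Public carrying no inbox, another actor’s followers collection not expanded for lack of authority, and the optional spam filter the spec allows), here is an added Python example. It is not code from this thread or from any ActivityPub implementation; the actor records, followers collections and hosts (alice.example, bob.example, ...) are constructed sample data standing in for the HTTP fetches a real server would perform.

```python
import copy
from typing import Callable, Dict, List, Optional

AS_PUBLIC = "https://www.w3.org/ns/activitystreams#Public"
ADDRESSING_FIELDS = ("to", "cc", "bto", "bcc")
BLIND_FIELDS = ("bto", "bcc")  # must not survive on the delivered copy

# Constructed sample actor records (hypothetical hosts); a real server fetches these.
ACTORS: Dict[str, Dict[str, str]] = {
    "https://alice.example/actor": {"inbox": "https://alice.example/inbox",
                                    "followers": "https://alice.example/followers"},
    "https://bob.example/actor":   {"inbox": "https://bob.example/inbox",
                                    "followers": "https://bob.example/followers"},
    "https://carol.example/actor": {"inbox": "https://carol.example/inbox",
                                    "followers": "https://carol.example/followers"},
    "https://dave.example/actor":  {"inbox": "https://dave.example/inbox",
                                    "followers": "https://dave.example/followers"},
}

# Constructed contents of the followers collections (collection IRI -> follower actor IRIs).
FOLLOWERS: Dict[str, List[str]] = {
    "https://alice.example/followers": ["https://bob.example/actor", "https://carol.example/actor"],
    "https://bob.example/followers": ["https://dave.example/actor"],
}


def _as_list(value) -> List[str]:
    """Addressing fields may hold a single IRI or a list of IRIs."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _owner_of_collection(collection: str) -> Optional[str]:
    """Which actor (if any) owns this followers collection, per our local records."""
    for actor_iri, record in ACTORS.items():
        if record["followers"] == collection:
            return actor_iri
    return None


def resolve_delivery(activity: dict,
                     spam_filter: Optional[Callable[[str], bool]] = None) -> dict:
    """Turn a C2S-style activity into S2S delivery targets.

    Returns {"outgoing": copy with bto/bcc stripped,
             "inboxes":  inbox IRIs to POST to, in addressing order,
             "skipped":  addressees we refused to expand}.
    """
    actor = activity["actor"]
    inboxes: List[str] = []
    skipped: List[str] = []
    for field in ADDRESSING_FIELDS:
        for target in _as_list(activity.get(field)):
            if target == AS_PUBLIC:
                continue  # "magic collection": nothing to deliver to
            if target in ACTORS:
                inboxes.append(ACTORS[target]["inbox"])
                continue
            owner = _owner_of_collection(target)
            if owner == actor:
                # The sender's own followers collection: dereference at delivery time.
                for follower in FOLLOWERS.get(target, []):
                    inboxes.append(ACTORS[follower]["inbox"])
            else:
                # Someone else's followers (or an unknown IRI): no authority to expand it,
                # so it stays as opaque metadata on the activity and gets no delivery.
                skipped.append(target)
    # Deduplicate while preserving order, then apply the implementation-specific filter.
    unique = list(dict.fromkeys(inboxes))
    if spam_filter is not None:
        unique = [i for i in unique if not spam_filter(i)]
    # The followers collection IRI remains in to/cc (as existing software sends it),
    # but the blind fields are removed before the activity leaves the server.
    outgoing = copy.deepcopy(activity)
    for field in BLIND_FIELDS:
        outgoing.pop(field, None)
    return {"outgoing": outgoing, "inboxes": unique, "skipped": skipped}


if __name__ == "__main__":
    note = {"actor": "https://alice.example/actor",
            "to": ["https://alice.example/followers"],
            "cc": AS_PUBLIC,
            "bcc": ["https://dave.example/actor"]}
    result = resolve_delivery(note)
    print(result["inboxes"])            # bob, carol (from followers) and dave (bcc)
    print("bcc" in result["outgoing"])  # False: stripped before delivery
```

Note that `skipped` is the place where a server would decide between the two behaviours described above: discard the activity outright, or deliver it only to the directly addressed actor and leave forwarding to that actor’s server.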