"The ActivityPub specification does not provide any guidance for Direct Messages; in Mastodon, DMs are more akin to “posts with an audience of two”, and are readable by instance admins. Because of this, DMs on Mastodon are unlikely to be a primary channel for child exploitation-related activity. Instead, users in these communities most commonly request contact on Session, an encrypted messenger forked from Signal that uses onion routing by default and requires no phone number or e-mail address (instead, using a hash as an identifier). Session allows either large group chats or one to one encrypted communication, and is so heavily associated with CSAM that posts not containing a Session ID still will use the “#session” hashtag as a discovery mechanism (see Figure 2 on page 7).

Lack of end-to-end encrypted DMs (or indeed, any easy to use direct messaging) pushing users to other platforms has mixed results with regard to child safety: using Session is extremely slow and requires some technical understanding, limiting its reach. On the other hand, if Mastodon theoretically had end-to-end encrypted DMs or chat groups, it would at least have access to the e-mail and IP addresses of the users involved, and users in such a group could report to instance admins."

Nostr has encrypted DMs, with no email requirement, making it a more anonymous option than mastodon for abusers. IP could be collected by relays, but abusers could select trusted relays to send messages over.