- cross-posted to:
- foss@beehaw.org
- fediverse@lemmy.world
Federated services have always had privacy issues, and I expected Lemmy would have the fewest, but it’s visibly worse for privacy than even Reddit.
- Deleted comments remain on the server but hidden to non-admins, the username remains visible
- Deleted account usernames remain visible too
- Anything remains visible on federated servers!
- When you delete your account, media does not get deleted on any server
Personally when I want to share what I’m saying with the world I write a letter, burn it, and snort the ashes. This is the only truly private way to do this.
That’s a non-issue. You just cannot expect to be able to delete anything you post on the internet. Even the great reddit with the awesome deletion feature cannot help you. You might be able to delete your comment there, but there is https://www.unddit.com/ https://archive.is/ https://web.archive.org/ and many others, where your comment will still be available.
Eh. Oftentimes I want to delete it, particularly on reddit or some other place, just so that it doesn’t hang on my profile.
Well, reddit doesn’t actually allow you to delete things anymore, so tough luck.
When did that happen?
Do you think about Reddit “undeleting” posts? The reason for this is that your posts in privated subs make them disappear from your profile. So when they go public again, they are there.
If I wanted privacy, I wouldn’t be browsing online.
That’s a poor answer to be honest. Total privacy is an illusion, but having the tools to delete some of the traces if wanted should be there. I would argue that the EU law about the right to be forgotten might want a word with someone.
I escaped Reddit, but I hold anyone else to a standard too.
Lemmy, do better or it won’t end well. https://gdpr.eu/right-to-be-forgotten/
I find all the “privacy isn’t possible on the clearnet, lol” comments quite troubling. Yes, the internet doesn’t forget and we should always behave on the internet as if our moms could read it.
But that kind of “privacy realism” fosters an attitude that doesn’t care about privacy at all, no matter how it could be improved (even if it’s never perfect). Just because anyone on the street can follow me home and therefore can find my home address, I’m not carrying a sign with my address when going to a protest.
According to this comment, privacy is worse than with mastodon. And while data always can be scraped, it still isn’t too much to ask to properly federate deletions.
Yes, the internet is a public place and reddit is bad and you might not like raddle, but come on, people. Have you all given up on improving things already? And do only tech-savvy people with the knowledge and resources to run their own servers have a right to privacy on the internet?
I think you are conflating some things.
The analogy you used doesn’t quite work, because you are not telling everyone at the protest where you live. A more accurate analogy might be you going to a protest, loudly saying something which you later regret, and then ask everyone to just forget about it and delete any footage you might be on. Some might comply, but many won’t, and you won’t have any idea who didn’t.
Furthermore, “people with the knowledge and resources to run their own servers” would be no more safe than you are, because other servers (instances) will still record whatever they post out there. If I make my own federated server and send out a comment, other instances that federate with mine will receive a copy of it. At that point I can ask them to delete it; however, even if they do comply, there is no guarantee that another user hasn’t made a local backup of the comment or just screenshotted it.
At the end of the day, tech isn’t magic. Everything has limitations, and you can’t do everything at once. You can’t have a system that allows you to make public comments that go out to several servers where it is shown to thousands or millions of people, and at the same time expect to be able to delete all of it when you feel like it. Tech can’t do everything, and at some point we need to take agency and accept responsibility for what we put out there.
Finally, I’ll add on what another user said:
Opposite to Instagram or Facebook, on Lemmy or Mastodon you can create an anonymous account. Yes it will be logged (normal public internet), but you won’t be traceable. The UI doesn’t have any tracking scripts, and many instances don’t require an email even to sign up. Use the Tor browser to spoof your IP.
This demonstrates a fundamental misunderstanding of digital privacy. You can never be guaranteed that data is deleted, just like you can never be guaranteed that someone has “forgotten” something. It doesn’t matter what any entity claims they are doing under the hood, you have to assume they can’t be trusted. That’s not an expectation you can have, and not something privacy advocates are asking for.
I’m posting this comment publicly, and there’s nothing stopping any random user (or non-user) from scraping this lemmy instance and archiving the data themselves. I know that when I post it. Same for reddit, raddle, any mastodon instance, etc. I can copy the text and usernames of everyone involved in that raddle thread and do whatever I want with it, there’s nothing anyone can do to stop me.
To think otherwise reminds me of that first day on the internet kid meme. “I deleted my comments off of their servers, hah, they’ll never get them now!”
What I can demand is: if I send a message directly to another party, I want to be able to verify that that party and ONLY that party can read the message (end-to-end encryption). I can also demand that they not require me to dox myself to them, that they not run weird js-based fingerprinting/port scanning processes on my system/network, and that I am allowed to connect to their services through a VPN should I so choose.
Knowing that any information you share publicly can be stolen, I think the way Lemmy’s instances have the original comment after you deleted it could help counteract people manipulating what you said after you deleted it, such as making a quote and editing “your” original post after it was deleted. But this could give a lot of power to the admins as well, as they could be the ones manipulating.
You’re talking about real privacy, the critiques above are all about exposure reduction (incorrectly framed as privacy). Good retention policies are still important for situations like trying to delete something that you regret posting.
An example I could think of from the other site is the very common occurrence of posting some relationship questions and then deleting them later so that the person they’re about can’t stumble onto them. In that case you want finding the thing you deleted to be nontrivial enough that it can’t accidentally be found. Someone with both the skills and knowledge about what they’re looking for may still find it, because it was once public, but that’s a different threat.
I would encourage you to stay as far away from Raddle as possible. It has an incredibly toxic site-wide culture, and some serious security problems.
Do they really advocate you use tor to post memes?
I understand the impulse but the way some people get so hung up on trying to make a way to permanently and universally delete posts made on public facing social media and framing it as a “privacy” issue feels kinda like saying something you regret on mic at a town hall and being mad that you can’t permanently delete the memory of it from the minds of everyone present, and claiming that they violated your privacy by remembering it
I think this is a great point. I would say it’s much less of a privacy issue and more of a technical issue.
I think deletions should propagate across all instances and there should be a level of trust between federated servers that they will make those deletions as requested. If only because we’d have a mismatch and orphan comments lingering in perpetuity and we could end up with wildly inconsistent data across the fediverse.
it’s an interesting idea, but it doesn’t vibe with the reality of the laws in the EU which has “right to be forgotten” rules
The “right to be forgotten” rules are, with all due respect to the EU regulators, pretty shortsighted.
I think the initial “right to be forgotten” lawsuit that Google faced from that Spanish guy, where he claimed bankruptcy years prior. People (potential lenders?) kept finding that information online through Google searches. He sued to have Google remove those sites from the index. He won and the Spanish judge told Google they had to remove those results from searches.
But it didn’t change that the information was still on each site. Those sites, the ones that actually held the information didn’t get sued, just Google.
It also opened the door for oppressive governments covering up human rights abuses or hiding other information they don’t want widely available.
Google appealed and won: https://www.bbc.com/news/technology-49808208
I also want to point out that this Spanish guy’s situation is very different from “posting publicly on social media”. He was getting written about by others and the courts eventually said “no, this can stand. This information should remain available”. So I imagine, public statements made by an individual certainly wouldn’t qualify to be forgotten.
At the end of the day, to me, this is a technical decision not a privacy one.
GDPR applies to companies operating in the EU, not every single entity on the internet. Posts on random forums are not subject to these laws, so I don’t think Lemmy would count.
Now if a Lemmy operator began using user personal data for profit, then GDPR would apply. At the moment, I don’t think that’s happening anywhere in the fediverse.
GDPR applies to companies operating in the EU, not every single entity on the internet
It applies to every single public entity on the internet that holds data of EU citizens. No matter which country they’re located in.
AFAIK, this world-wide nature of the GDPR is pretty unique and quite contentious. The GDPR includes exceptions for private purposes, but hosting a Lemmy instance with public signups is most certainly not intended to be of private nature, so the GDPR does apply.
I can’t comment on whether that means the right to be forgotten needs to be exercised by federated instances, I just want to set the record straight here.
The EU may claim GDPR applies to all data of EU citizens no matter where in the world it is stored, but if the entity storing that data does zero business in the EU, there isn’t much that can be done to enforce that law. It’s the same as US law firms thinking their DMCA claims apply in other countries, etc.
Federated Lemmy instances operating in non-EU nations with no business/holdings/etc in the EU, are under zero obligation to recognise GDPR requirements unless otherwise required somehow to do so by their own national law (say a treaty agreement or the like).
The EU can no more demand or enforce global adherence to their data laws than the US can.
They can just block access to the site, no?
That’s a strawman. No one demands mind-altering powers. Records to be deleted: that’s another story.
Being able to delete tweets doesn’t stop people from screengrabbing them. It’s still good that the option exists.
As a lifelong anarchist, I personally find raddle to be a fucking embarrassment. The elitist bullshit is right up there with other political anarchist sites like anarchist news; they’re all a fucking shit show and it shows why anarchists will never accomplish anything.
Isn’t the fediverse an anarchist project?
It seems to be the most flat peer structure of any social media.
Pretty much yeah, either the fediverse or Usenet. Somebody pointed that out to them in the comments of the linked post but they dismissed the point as nonsense.
Very performative anarchists over there lol
I’d like to see a more completely decentralized implementation, but federation does seem like it’s practical in that it’s easier to implement and use while still having a lot of the benefits of decentralization.
Ideally I picture something like a Lemmy application that runs its own internal, personal instance, but I’m not sure how the protocol would deal with that many isolated instances.
Keeping an eye on things like holochain and locutus to see if one of them will end up being a viable protocol to build a fully decentralized forum app on.
In the meantime I mostly like Lemmy because it’s written in Rust. Postmill looks cool, feature-wise, but I can’t see myself contributing to it when it’s written in PHP. I already have to use too much PHP in my day job. When I come home I just want to use an enjoyable language.
Opposite to Instagram or Facebook, on Lemmy or Mastodon you can create an anonymous account. Yes it will be logged (normal public internet), but you won’t be traceable. The UI doesn’t have any tracking scripts, and many instances don’t require an email even to sign up. Use the Tor browser to spoof your IP.
There are certainly ways to manage your privacy in how you use this service, and it’s different in a lot of ways from other services out there. Users should be educated on the risks against different types of threat models:
- In what ways can my comments be linked to my real world identity, through correlation to my username, registered email address/phone number/Matrix ID/other identifier, by other users of this service?
- In what ways can my comments and activity be linked to my real world identity by site administrators or other privileged users of the service (through access to things like server logs, trackers, etc.)?
- How can I control what activity I consider to be public or private on this service, and who can view that activity I prefer to be considered private?
Even with end to end encryption (which Lemmy does not have for DMs), the most secure protocol is only as secure as the other end you don’t control. People can and will screenshot, save, log, or simply remember what you’ve sent them before.
Lemmy and ActivityPub are new services and protocols to a lot of people. The shortcuts they have internalized on what is or isn’t true about privacy of other services (Facebook, Instagram, TikTok, Snapchat, Reddit, plain old email, cell phones, WhatsApp, iMessage/Facetime, etc.) need to be re-learned for these specific services.
New users should understand that the Lemmy/ActivityPub protocols on deletion or privacy of DMs don’t necessarily work like other services they’re used to. And we should encourage robust discussion around these things until they become common knowledge.
So just to clarify this point:
Anything remains visible on federated servers!
If I delete a comment on beehaw.org, it doesn’t get deleted when accessed from another Lemmy instance that federates with Beehaw?
When you delete it your instance tells others that it was deleted, but it cannot force them to follow through.
Which is indeed a problem as it makes it impossible for any admin to host in the EU or for EU citizens, in theory. GDPR §7 makes it very clear that complete deletion of all personal data (and yes, a Lemmy comment is personal data) must be facilitated by the original data collection point.
It can’t make it impossible. If Facebook sold data to Amazon, so now Amazon has a copy, and then Facebook’s user asks for their data to be deleted, Facebook can’t just march into Amazon’s servers and delete the data themselves. The best they can do is send a formal notice to Amazon requesting it be deleted, which sounds like what Lemmy does. At this point it’s up to the federated server if they comply with the law…
Actually that is exactly what the GDPR stipulates. In your example Facebook needs a data processing agreement that ensures that all rights of the data owners are secured and the GDPR is followed. Facebook is liable here, not Amazon - the user must explicitly NOT ask Amazon to delete as the user may not even know where the data went to/should not be bothered to write requests to a huge amount of different data processing locations.
But, @hikaru755@feddit.de added another interesting point: the instance may or may not be seen as a single data processing entity that does not voluntarily hand over data to other instances. That could indeed be a reasonable cause, as e.g. data scrubbers are not within the sphere of influence of e.g. a service publicly displaying data. But as the whole network is built on interconnected nodes, I wouldn’t count on that reasoning flying in front of a court. It may. Or it may not.
In this case though, would it not be that then if Facebook did have a processing agreement with Amazon with which they communicate information, and this agreement stipulates that (in order to comply with GDPR) data they sell to amazon must be deleted upon request, and Amazon does NOT do so, this would make amazon liable for breach of contract instead of facebook being liable for breach of GDPR?
If so, all fediverse instances would need is a copy-paste agreement when two instances federate that data from one must be deleted on the other upon request.
Partially right - Amazon would be liable, but not towards the data owner but Facebook. The data owner sues Facebook, Facebook then sues Amazon.
A copy&paste agreement is the first (and from my point of view most important) step. Personally I would also integrate an automatic mechanism that deletes data (e.g. the delete request gets automatically federated) and defederates instances that do not follow them globally. Sadly this is still not enough: data handling in the US and other jurisdictions with similarly bad privacy laws is also a problem, see the recent Facebook case and Schrems II. But tbh I have no idea how to solve that.
Lemmy can, by definition, not obtain full GDPR compliance. We should make sure that best effort is ensured, especially with the right of deletion and the right to “know” (where data is stored), but also consider lobbying towards a reformed law for the federated use cases.
The originating instance definitely cannot be held responsible for failing to force a separate instance in another country to delete its cached copy of user data imo. I think what is more likely is that EU courts could force European Lemmy instances to only federate with GDPR-compliant instances.
From what I understand instance 1 has to delete data if requested, but instance 2 has no obligation to unless requested. Just like data remains archived in sites like internet archive or other private archives. Just like it works on reddit or any other site currently.
I don’t think it’s quite that bad/simple. Viewing your main instance as the Controller and other instances as Processors in GDPR terms won’t work, because instances don’t have the necessary control over each other for that, as you say.
However, you could circumvent that issue by making the case that each instance actually acts as an independent Controller. By participating on a federated service, you are explicitly agreeing to the data you provide (your profile, posts, comments, etc.) being made public and shared with other compatible services. That should be enough as the basis for other instances to reasonably assume you want your data to be processed by them, which (I think, not a lawyer) is sufficient justification for processing the data independently, as long as it’s in line with how you generally expect the fediverse to work.
This would mean that each federated instance is its own, independent entity that processes your data, and to make use of your rights under GDPR, you need to do that with each of them individually. They effectively become their own “original data collection point”, in your words, even if that data collection was not explicitly triggered by you.
The only thing missing for that to be legal (again, in my layman’s view) is transparency about who’s processing your data and how, which is necessary under GDPR. Every instance that receives your data via federation would need to let you know about that, and make available to you information on how exactly your data is processed and how you can make use of your rights under GDPR with them. That, in turn, would probably be easiest if the protocol spoken between fediverse servers were extended with automated and standardized ways to propagate GDPR requests from your home instance to any other instance that is processing your data, so that you don’t have to actually deal with every single server yourself to get your rights enacted. Defederation in the meantime might be a problem, but there’s ways around that, too.
The first point is indeed the only one I see atm that might be working. If one can reasonably argue that the node/instance is not voluntarily giving away the data and has no way to prevent that without massively hampering operation of the platform, it might be acceptable in front of a court.
Again: with lots of might/could/ifs.
Because simply the fact that the nodes themselves are built for connecting to each other and very much do so (and you can effectively block other nodes from federating your content to an extent) speaks against that reasoning. But it worked for e.g. data scrubbers, etc.
However, you could circumvent that issue by making the case that each instance actually acts as an independent Controller. By participating on a federated service, you are explicitly agreeing to the data you provide (your profile, posts, comments, etc.) being made public and shared with other compatible services. That should be enough as the basis for other instances to reasonably assume you want your data to be processed by them, which (I think, not a lawyer) is sufficient justification for processing the data independently, as long as it’s in line with how you generally expect the fediverse to work.
That sadly explicitly does not work. Any consent given must be under definitive circumstances; a ‘carte blanche’ consent is not possible under the GDPR. You must absolutely know where, by whom and what for your data is processed or transferred. And the initial data processor still has the obligation for a data processing agreement.
It could defederate any non-compliant instances.
It could, but actually policing it would be difficult. I don’t think there is any “yeah I’ll do that” response and even if there is an instance could say it will delete it and still do nothing.
You could defederate with instances running versions that don’t delete federated posts. Removing compatibility with older protocol implementations is not unheard of.
while this is certainly feasible, it is just a compliance checkmark of “doing your best”. It wouldn’t actually prevent someone attempting to persist that data. For example, I just need to maintain an insert-only copy of my deletion-compliant lemmy instance DB, and none of the deletions would be reflected on that.
I could then host that copy publicly on some unrelated lemmy instance, and without systematically de-federating from all other instances, you wouldn’t know which one was retaining the data.
How do you know if they are non-compliant without manual verification?
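The exchange above turns on two mechanics: the home instance announcing a deletion to its peers without being able to force them, and an admin wanting some automated way to tell which peers actually honoured it. The following toy model, added here and not Lemmy’s code, shows both with constructed data: a home instance emits an ActivityStreams `Delete` wrapping a `Tombstone`, one peer replaces its copy with the tombstone and answers `410 Gone` on fetch (the ActivityPub spec’s recommended response for deleted objects), another peer silently keeps its copy, and `probe_deletion()` asks each peer for the object afterwards. The `Instance` class, `make_delete()`, `federate_delete()` and `probe_deletion()` are assumptions for illustration, as is the `/delete` activity id.

```python
"""Toy model of federated deletion: a home instance emits an ActivityPub
Delete activity, peers either tombstone their copy or silently keep it, and a
probe asks each peer for the object afterwards.  Added example with a
constructed scenario; the Instance class and helpers are assumptions, not
Lemmy's implementation."""
from datetime import datetime, timezone


class Instance:
    """One federated server holding copies of objects received via federation."""

    def __init__(self, domain, honours_deletes=True):
        self.domain = domain
        self.honours_deletes = honours_deletes  # False models a non-compliant peer
        self.objects = {}  # object id -> stored ActivityStreams JSON

    def store(self, obj):
        self.objects[obj["id"]] = dict(obj)

    def inbox(self, activity):
        """Process an inbound activity; only Delete matters for this example."""
        if activity.get("type") != "Delete":
            return
        target = activity["object"]
        target_id = target["id"] if isinstance(target, dict) else target
        if target_id not in self.objects or not self.honours_deletes:
            return  # unknown object, or a peer that ignores Delete activities
        self.objects[target_id] = {
            "id": target_id,
            "type": "Tombstone",
            "formerType": self.objects[target_id]["type"],
            "deleted": activity["published"],
        }

    def fetch(self, object_id):
        """Stand-in for an HTTP GET of the object: returns (status, body)."""
        obj = self.objects.get(object_id)
        if obj is None:
            return 404, None
        if obj["type"] == "Tombstone":
            return 410, obj  # ActivityPub recommends 410 Gone plus a Tombstone
        return 200, obj


def make_delete(actor, object_id, published=None):
    """Build a minimal ActivityStreams Delete wrapping a Tombstone."""
    published = published or datetime.now(timezone.utc).isoformat()
    return {
        "@context": "https://www.w3.org/ns/activitystreams",
        "id": f"{object_id}/delete",  # assumed id scheme for the activity
        "type": "Delete",
        "actor": actor,
        "to": ["https://www.w3.org/ns/activitystreams#Public"],
        "object": {"id": object_id, "type": "Tombstone"},
        "published": published,
    }


def federate_delete(home, peers, actor, object_id):
    """Apply the deletion at home and deliver it to every known peer."""
    activity = make_delete(actor, object_id)
    home.inbox(activity)
    for peer in peers:
        peer.inbox(activity)  # delivery only; compliance is up to the peer
    return activity


def probe_deletion(peers, object_id):
    """Ask each peer for the object; return the domains still serving it."""
    still_serving = set()
    for peer in peers:
        status, _ = peer.fetch(object_id)
        if status == 200:
            still_serving.add(peer.domain)
    return still_serving


def demo():
    home = Instance("home.example")
    good = Instance("peer-a.example")
    bad = Instance("peer-b.example", honours_deletes=False)
    actor = "https://home.example/u/alice"
    comment = {"id": "https://home.example/comment/1", "type": "Note",
               "attributedTo": actor, "content": "constructed sample comment"}
    for inst in (home, good, bad):
        inst.store(comment)  # federation already delivered the Create earlier
    federate_delete(home, [good, bad], actor, comment["id"])
    return {
        "home_status": home.fetch(comment["id"])[0],
        "non_compliant": probe_deletion([good, bad], comment["id"]),
    }


if __name__ == "__main__":
    print(demo())
```

Run against a real fediverse, such a probe would issue an authenticated GET for the object id a day or so after the `Delete` went out and flag peers that still answer `200`. It only checks what a peer serves publicly, which is exactly the limit the thread identifies: a peer that returns `410` while keeping an offline copy looks compliant, so the probe supports a defederation policy but does not prove data is gone.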
I assume anything I post online will remain there forever anyway. That’s why I regularly make a new account, so at least everything isn’t behind one username.
Eww. Well, there is a reason why I try and be extremely careful about what I post nowadays. Don’t want to regret dumb shit I said in the future.
Not sure what the point of “Mastodon’s” opinion is? Firstly, Mastodon is pretty big and decentralised, and it has no-one who really speaks on behalf of all its users. Lemmy is not a privacy central network like a direct messenger service. It never claimed to be privacy centric as far as I know. The point is to share posts in communities, and the more that see them, the better.
But it is federated which means posts do get shared to other servers everywhere, and deleting those is not as easy as for a centralised server. Whatever I post on any sharing type service, I consider to be public.
I don’t even understand why the OP calls this “Mastodon’s” opinion. The link doesn’t go to Mastodon. I think the parent post is being a bit of a troll honestly :( The criticisms at the link don’t make sense, the person posting the link doesn’t seem to think the criticisms are good, and they attribute the criticism to Mastodon while posting “Raddle”. It’s like they’re only doing this to get everybody riled up
I think OP may have mistaken Raddle for a Mastodon instance of some kind, idk
Here is the title of the Raddle post that was linked: “Warning: Lemmy doesn’t care about your privacy, everything is tracked and stored forever, even if you delete it”.
But wouldn’t Mastodon instances be able to automatically backup posts, comments, edits, and deletions? Hell, users would be able to do it too yeah?
The whole idea of this being a privacy issue kind of goes against the whole internet archival movement and is really a moot point.
I can see this maybe being a problem with privacy regulations though.
Mastodon is where the link to the raddle article appeared. The post on Mastodon basically said they wouldn’t use Lemmy because of what the article stated.
Deleted comments remain on the server but hidden to non-admins, the username remains visible
This is a negative behavior by Lemmy, in my opinion. Deleted comments should be purged after some time. Tildes does the same thing - I think with 30 days?
Deleted account usernames remain visible too
These should be replaced with some random string of characters or something like DeleteUser<numberhere> or something.
Anything remains visible on federated servers!
This is just a concession of federation.
When you delete your account, media does not get deleted on any server
This is an issue, too, in my opinion.
Honestly, this is definitely something that can be added - and in fact it might even be beneficial to server costs. Alongside optional deletion of cached data from other instances maybe a year or two after the data arrived.
People need to remember that Lemmy is alpha software; we haven’t even reached the big 1.0 release.
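The reply above asks for three concrete local behaviours: purge the text of deleted comments after some retention window (Tildes’ roughly 30 days is the figure mentioned), replace deleted account names with a placeholder that cannot be mapped back, and drop the account’s media on deletion. This added example sketches those three operations over a constructed SQLite schema; the `person`, `comment` and `media` tables, their columns, the 30-day `RETENTION_DAYS` default and the `DeletedUser` prefix are all assumptions and not Lemmy’s actual database layout or code.

```python
"""Local retention hygiene for a Lemmy-like database: purge the text of
comments soft-deleted more than N days ago, anonymise deleted accounts, and
remove their media.  Added example with a constructed schema; table and column
names are assumptions, not Lemmy's real layout."""
import secrets
import sqlite3
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 30  # assumed window after which a soft-deleted comment's text is dropped

SCHEMA = """
CREATE TABLE person (
    id INTEGER PRIMARY KEY,
    name TEXT NOT NULL,
    deleted INTEGER NOT NULL DEFAULT 0);
CREATE TABLE comment (
    id INTEGER PRIMARY KEY,
    creator_id INTEGER NOT NULL REFERENCES person(id),
    content TEXT NOT NULL,
    deleted INTEGER NOT NULL DEFAULT 0,
    deleted_at TEXT,
    purged INTEGER NOT NULL DEFAULT 0);
CREATE TABLE media (
    id INTEGER PRIMARY KEY,
    owner_id INTEGER NOT NULL REFERENCES person(id),
    path TEXT NOT NULL);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def seed(conn, now):
    """Constructed sample data: one old deletion, one recent, one live comment."""
    conn.executemany("INSERT INTO person(id, name) VALUES (?, ?)",
                     [(1, "alice"), (2, "bob")])
    old = (now - timedelta(days=45)).isoformat()
    recent = (now - timedelta(days=2)).isoformat()
    conn.executemany(
        "INSERT INTO comment(id, creator_id, content, deleted, deleted_at) VALUES (?,?,?,?,?)",
        [(1, 1, "old regretted comment", 1, old),
         (2, 1, "recently deleted comment", 1, recent),
         (3, 2, "still visible comment", 0, None)])
    conn.executemany("INSERT INTO media(id, owner_id, path) VALUES (?,?,?)",
                     [(1, 1, "/pictrs/alice-1.png"), (2, 2, "/pictrs/bob-1.png")])
    conn.commit()


def purge_deleted_comments(conn, now, retention_days=RETENTION_DAYS):
    """Drop the text of comments soft-deleted before the cutoff; return how many."""
    cutoff = (now - timedelta(days=retention_days)).isoformat()
    cur = conn.execute(
        "UPDATE comment SET content = '', purged = 1 "
        "WHERE deleted = 1 AND purged = 0 AND deleted_at <= ?", (cutoff,))
    conn.commit()
    return cur.rowcount


def delete_account(conn, person_id, now):
    """Anonymise the username, soft-delete the comments, drop the media rows."""
    # A random token rather than the numeric id, so the placeholder cannot be
    # mapped back to the old name or to the account's position in the id sequence.
    conn.execute("UPDATE person SET name = ?, deleted = 1 WHERE id = ?",
                 (f"DeletedUser{secrets.token_hex(4)}", person_id))
    conn.execute(
        "UPDATE comment SET deleted = 1, deleted_at = COALESCE(deleted_at, ?) "
        "WHERE creator_id = ?", (now.isoformat(), person_id))
    cur = conn.execute("DELETE FROM media WHERE owner_id = ?", (person_id,))
    conn.commit()
    return cur.rowcount  # media rows removed; the files themselves would be unlinked too


def author_name(conn, comment_id):
    """What a reader sees as the author of a comment."""
    row = conn.execute(
        "SELECT p.name FROM comment c JOIN person p ON p.id = c.creator_id WHERE c.id = ?",
        (comment_id,)).fetchone()
    return row[0] if row else None


def demo():
    now = datetime.now(timezone.utc)
    conn = open_db()
    seed(conn, now)
    purged = purge_deleted_comments(conn, now)
    media_removed = delete_account(conn, 2, now)
    return {
        "purged": purged,
        "old_text": conn.execute("SELECT content FROM comment WHERE id = 1").fetchone()[0],
        "recent_text": conn.execute("SELECT content FROM comment WHERE id = 2").fetchone()[0],
        "bob_shown_as": author_name(conn, 3),
        "media_removed": media_removed,
        "media_left": conn.execute("SELECT COUNT(*) FROM media").fetchone()[0],
    }


if __name__ == "__main__":
    print(demo())
```

The purge is a separate scheduled job rather than part of the delete request, which keeps the short window in which a user can undelete while still guaranteeing the text is gone from the live database afterwards. Note that none of this touches backups or copies already federated to other instances; it only governs what this instance itself keeps serving.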
can’t anyone who runs a lemmy instance script all that in the db? alternately, can’t anyone who claims to do so just not do it in the db? it’s not like you would ever know.
A sketchy instance operator isn’t really a solid defense against implementation of better privacy features in the source code.
If you think anything on the Internet can ever be forgotten… you’re going to have a bad time. Passwords, one of the most protected data types, are compiled from breaches into huge databases so that hackers can use them to try to log into websites. There are literally dozens if not hundreds of those password databases on the public Internet to be downloaded, not to mention private or dark web collections. If passwords are not safe, what makes you think publicly available social media would be any different?
Even if somehow the whole federation agreed to purge all post every year, things like the Internet archive and Google cache of pages would retain the data.