- cross-posted to:
- foss@beehaw.org
- cross-posted to:
- foss@beehaw.org
Federated services have always had privacy issues but I expected Lemmy would have the fewest, but it’s visibly worse for privacy than even Reddit.
- Deleted comments remain on the server but hidden to non-admins, the username remains visible
- Deleted account usernames remain visible too
- Anything remains visible on federated servers!
- When you delete your account, media does not get deleted on any server
You must log in or register to comment.
That’s a non issue. You just cannot expect to be able to delete anything you post on the internet. Even the great reddit with the awesome deletion feature cannot help you. You might be able to delete your comment there, but there is https://www.unddit.com/ https://archive.is/ https://web.archive.org/ and many others, where your comment will still be available.
Eh. Often times I want to delete it particularly on reddit or some other place. Just so that it doesn’t hang on my profile
Well, reddit doesn’t actually allow you to delete things anymore, so tough luck.
Do you think about Reddit “undeleting” posts? The reason for this is that your posts in privated subs make them disappear from your profile. So when they go public again, they are there.
When did that happen?
Personally when I want to share what I’m saying with the world I write a letter, burn it, and snort the ashes. This is the only truly private way to do this.
If I wanted privacy, I wouldn’t be browsing online.
That’s a poor answer to be honest. Total privacy is an illusion, but having the tools to delete some of the traces if wanted should be there. I would argue that the EU law about the right to be forgotten might want a word with someone.
I escaped Reddit, but i hold anyone else to a standard too.
Lemmy, do better or it wont end well. https://gdpr.eu/right-to-be-forgotten/
After reading some more comments, I think I came up with a good analogy to explain this issue, and I wanted to share.
Think of websites like a bar that also has an open mic.
Now, when I go to a bar, I don’t want to have to give the bouncers and staff my full name as well as my address. I also wouldn’t want them to know that I just came, for example, from a store where I was looking for a vacuum, and then have them warn a vacuum seller about it. A vacuum seller who is then going to sit next to me, while I’m trying to have a drink, and show me a pamphlet regarding the “amazing vacuum” he has for sale.
Ideally, I can also look for a bar that will allow me to come in costumed and not show my face. Or I could ask the bar to delete footage of me at some point, and to not store my ID if I do have to show it to a bouncer at the entrance.
All of that is relatively feasible and within the realm of reason; and all of that are things that privacy advocates might advocate for.
However, what is not feasible, or within the real of reason, or what privacy advocates tend to advocate for, is the ability for me to willingly go up on stage, say something on the mic which I immediately regret, and then ask everyone present to forget it ever happened and delete any footage they might have of it. No reasonable person would ask for something like that, because it is not a reasonable request.
That is how regular websites work. With federated websites, that becomes enhanced; it’s like if the bar you’re in has a camera pointed at the microphone, and transmits both video and audio directly into several other bars. So when you go up to that mic, you better make sure you’re okay with what you are saying being made public and available to anyone.
Allow me to pick your example apart a bit.
However, what is not feasible, or within the realm of reason, or what privacy advocates tend to advocate for, is the ability for me to willingly go up on stage, say something on the mic which I immediately regret, and then ask everyone present to forget it ever happened and delete any footage they might have of it. No reasonable person would ask for something like that, because it is not a reasonable request.
That’s not what is demanded. No one demands that the audience (users) forget what I said (the comment), much less: immediately. No one is asking for mind-erasing power or the ability to remove screenshots from other people’s client devices.
With federated websites, that becomes enhanced; it’s like if the bar you’re in has a camera pointed at the microphone, and transmits both video and audio directly into several other bars.
Now, that is where the actual demands come into play: As you pointed out, it is reasonable to demand that the bar deletes any recording of what I said on stage. But the way the footage is shared with the other bars can be regulated via a protocol. In your analogy, it’s like the other bars copy tapes from the original bar and show them at their place. Now, implementing a procedure of “delete that tape, please” is not impossible. In fact, it already works on Mastodon. If a bar doesn’t comply, it simply wont get any tapes from the other bars (it gets defederated).
AFAIK, there is already such a feature planned on github. Which is great. But that is exactly the reason why these things need to be brought up and “privacy realism” is counterproductive.
That’s not what is demanded. No one demands that the audience (users) forget what I said (the comment), much less: immediately. No one is asking for mind-erasing power or the ability to remove screenshots from other people’s client devices.
Well, that why it is an analogy; the forgetting is equivalent to erasing from someone else’s storage. You have no real control over it. Other people can say they do, but you don’t know that. And that is what is being demanded - right now I can already “delete” my comments and Beehaw will indicate to other instances that it was deleted, but it can’t control whether they do it, and it has no way to know if they really deleted something or just hid it from public view.
Differentiating between a client and a provider becomes extra tricky when you remember everyone can start up their own instance and still be essentially just a client - and, I think this is also worth mentioning, people can create their own backends that also federate using ActivityPub, but which are not open-source, and you’ll have no idea what goes on in their servers. In the bar analogy, this would be people watching a stream of the mic at home; or another place, other than a bar with the same set-up, streaming and recording what goes on in that bar.
Also, if no one is demanding that things be deleted from client devices, then logically nothing should stop someone from sharing it with other people/clients. And if you believe otherwise, then as example: what if someone posts a comment, I reply, and then they edit it to put me in a bad light? Is it an invasion of privacy for me to show what it said previously?
This is not a privacy issue; you cannot demand privacy for something you shared willingly and publicly.
Respectfully, I find it more counterproductive, and even harmful, to encourage and spread the idea that people should have any expectation of privacy regarding things they have shared publicly.
With all due respect: I think your analogy made a strawman of what was originally demanded.
Originally, several less-than-ideal “privacy” (or whatever you call it) issues were pointed out.
No one demanded perfect privacy like with E2EE messengers, but rather: sensible protocol implementation of deletions.
No one is demanding that people shouldn’t be able to scrape stuff from the internet.
Still: There is a possibility of doing everything in your power to delete stuff that’s supposed to be deleted when you’re a developer.
And they actually do implement this stuff. That is why it is important to point these things out! The squeaky wheel gets the grease, as they say. Or is this issue counterproductive too, because it gives people the illusion that you can delete things on the internet?
If you think that “privacy” is the wrong term: granted. But sensible deletion protocols are not too much to ask for.
If you think that “privacy” is the wrong term: granted. But sensible deletion protocols are not too much to ask for.
Well, that is in a nutshell what I am arguing. I’m not inherently against the ability to delete things, as it can be quite useful as a quick means to say “I take this back”, or “this information I shared is wrong, so I’m removing it” (although in that case I would opt to use an edit). Even “I’m embarrassed about this, so I don’t want more people to look at it” is a good enough reason that I would respect, and for which I would delete the thing if it was in my possession. Essentially, I just don’t think it should be treated as a privacy issue, because that might give a lot of people the wrong idea.
Ok, so I guess it’s a semantics issue then.
Thank you for a more productive conversation than any of the ones I’ve had on twitter. Take care.
Wholesome award 🐻
As a life long anarchist, I personally find raddle to be a fucking embarrassment. The elitist bullshit is right up there with other political anarchist sites like anarchist news; they’re all a fucking shit show and shows why anarchists will never accomplish anything.
Isn’t the fediverse an anarchist project?
It seems to be the most flat peer structure of any social media.
Pretty much yeah, either the fediverse or Usenet. Somebody pointed that out to them in the comments of the linked post but they dismissed the point as nonsense.
Very performative anarchists over there lol
I’d like to see a more completely decentralized implementation, but federation does seem like it’s practical in that it’s easier to implement and use while still having a lot of the benefits of decentralization.
Ideally I picture something like a lemmy application that runs it’s own internal, persona instance, but I’m not sure how the protocol would deal with that many isolated instances.
Keeping an eye on things like holochain and locutus to see if one of them will end up being a viable protocol to build a fully decentralized forum app on.
In the mean time I mostly like lemmy because it’s written in rust. Postmill looks cool, feature-wise, but I can’t see myself contributing to it when I it’s written in PHP. I already have to use too much PHP in my day job. When I come home I just want to use an enjoyable language.
Not sure what the point of “Mastodon’s” opinion is? Firstly, Mastodon is pretty big and decentralised, and it has no-one who really speaks on behalf of all its users. Lemmy is not a privacy central network like a direct messenger service. It never claimed to be privacy centric as far as I know. The point is to share posts in communities, and the more that see them, the better.
But it is federated which means posts do get shared to other servers everywhere, and deleting those is not as easy as for a centralised server. Whatever I post on any sharing type service, I consider to be public.
I don’t even understand why the OP calls this “Mastodon’s” opinion. The link doesn’t go to Mastodon. I think the parent post is being a bit of a troll honestly :( The criticisms at the link don’t make sense, the person posting the link doesn’t seem to think the criticisms are good, and they attribute the criticism to Mastodon while posting “Raddle”. It’s like they’re only doing this to get everybody riled up
Mastodon is where the link to the raddle article appeared. The post on Mastodon basically said they wouldn’t use Lemmy because of what the article stated.
i think OP may have mistaken Raddle for a mastodon instance of some kind, idk
Here is the title of the Raddle post that was linked: “Warning: Lemmy doesn’t care about your privacy, everything is tracked and stored forever, even if you delete it”.
But wouldn’t Mastodon instances be able to automatically backup posts, comments, edits, and deletions? Hell, users would be able to do it too yeah?
The whole idea of this being a privacy issue kind of goes against the whole internet archival movement and is really a moot point.
I can see this maybe being a problem with privacy regulations though.
Deleted comments remain on the server but hidden to non-admins, the username remains visible
This is a negative behavior by Lemmy, in my opinion. Deleted comments should be purged after some time. Tildes does the same thing - I think with 30 days?
Deleted account usernames remain visible too
These should be replaced with some random string of characters or something like DeleteUser<numberhere> or something.
Anything remains visible on federated servers!
This is just a concession of federation.
When you delete your account, media does not get deleted on any server
This is an issue, too, in my opinion.
Honestly, this is definitely something that can be added - and in fact it might even be beneficial to server costs. Alongside optional deletion of cached data from other instances maybe a year or two after the data arrived.
People need to remember that Lemmy is an alpha software - we haven’t even reached the big 1.0 release
can’t anyone who runs a lemmy instance script all that in the db? alternately, can’t anyone who claims to do so just not do it in the db? it’s not like you would ever know.
In my opinion it’s unreasonable to think anything can truly be deleted in a federated system. Even if the official codebase is updated to do complete deletion & overwrite, it’s impossible to prevent some bad actor from federating in a fork that just ignores deletion requests.
Seems sensible to just not post anything that you don’t want to be available for the lifetime of the internet.
This is how I treated Reddit too. And Twitter. And everything else. I have two modes; public and private. And private is private; strong encryption and local storage. Having some middle ground is a recipe for disaster.
I don’t expect my data to be fully deleted in a centralized system either. even if it was deleted from the central server someone might have made an archive of it
and reddit is definitely guilty of this since they were bringing back peoples deleted comments and accounts
In my opinion it’s unreasonable to think anything can truly be deleted in a federated system.
yeah like. this is just a byproduct of how federation works currently. i don’t even know how you’d begin to design a federated system where some of these critiques can’t be levied
Anything that is visible to another party can be hijacked - even a 1:1 communication does not guarantee that the other party doesn’t capture the data and then spread it. The only things that are private are thoughts that you have which are not shared with others in any fashion. As soon as information is shared in any fashion, it is not private.
Past this point it’s a matter of how private you think is reasonably private. You could design a system where users are in control of their own data through a series of public and private keys, ensuring that keys must be active to view content, but as stated above even in such a case and the user revoking keys does not stop other people from making copies of said data. This is akin to screenshotting an NFT. For all intents and purposes, a copy of the data as it existed at the time of copying is now publicly available.
Quibbling over the fact that you’re the one who “truly owns” the data when it comes to something like social media feels like a mostly pointless endeavor because the outcome (data is available for others to view/consume/read/etc) is the same regardless of who “owns” it. Copyright law will apply to anything you produce, if it comes to legal problems (someone copies your artwork and sells it, for example) and having a system to prove you own it is primarily a formality to make it easier to prove ownership. Generally people aren’t arguing through this lens, however, and are instead arguing through the privacy/security lens - that they don’t want people stealing/selling their data, which lol, good luck. AI models are proof that no one in the world actually cares about this ownership if they reasonably think they can get away with using your data without any real incentive to not do so - interestingly copyright law and models being trained on corporate data such as movies are a vector by which the legality of this might actually stop or slow AI development and protect the end-users data.
I understand the impulse but the way some people get so hung up on trying to make a way to permanently and universally delete posts made on public facing social media and framing it as a “privacy” issue feels kinda like saying something you regret on mic at a town hall and being mad that you can’t permanently delete the memory of it from the minds of everyone present, and claiming that they violated your privacy by remembering it
it’s an interesting idea, but it doesn’t vibe with the reality of the laws in the EU which has “right to be forgotten” rules
The “right to be forgotten” rules are, with all due respect to the EU regulators, pretty shortsighted.
I think the initial “right to be forgotten” lawsuit that Google faced from that Spanish guy-- where he claimed bankruptcy years prior. People( potential lenders?) kept finding that information online through google searches. He sued to have Google remove those sites from the index. He won and the Spanish Judge told Google they had to remove those results from searches.
But it didn’t change that the information was still on each site. Those sites, the ones that actually held the information didn’t get sued, just Google.
It also opened the door for oppressive governments covering up human rights abuses or hide other information they dont want widely available.
Google appealed and won: https://www.bbc.com/news/technology-49808208
I also want to point out that this Spanish guy’s situation is very different from “posting publicly on social media”. He was getting written about by others and the courts eventually said “no, this can stand. This information should remain available”. So I imagine, public statements made by an individual certainly wouldn’t qualify to be forgotten.
At the end of the day, to me, this is a technical decision not a privacy one.
GDPR applies to companies operating in the EU, not every single entity on the internet. Posts on random forums are not subject to these laws, so I don’t think Lemmy would count.
Now if a Lemmy operator began using user personal data for profit, then GDPR would apply. At the moment, I don’t think that’s happening anywhere in the fediverse.
GDPR applies to companies operating in the EU, not every single entity on the internet
It applies to every single public entity on the internet that holds data of EU citizens. No matter which country they’re located in.
AFAIK, this world-wide nature of the GDPR is pretty unique and quite contentious.The GDPR includes exceptions for private purposes but hosting a lemmy instance with public signups is most certainly not intended to be of private nature, so the GDPR does apply.
I can’t comment on whether that means the right to be forgotten needs to be exercised by federated instances, I just want to set the record straight here.
I think this is a great point. I would say its much less of a privacy issue and more of a technical issue.
I think deletions should propagate across all instances and there should be a level of trust between federated servers that they will make those deletions as requested. If only because we’d have a mismatch and orphan comments lingering in perpetuity and we could end up with wildly inconsistent data across the fediverse.
I’m at a loss. You’re saying that things that you said publicly are private? Or you’re saying that they become private because you delete your account? Assume you dox someone. I need to find out if that happened. As an admin I’d be able to see that
- you
- publicly posted
- their data
I would need to be able to provide this to authorities if they provided needed legal documentation. Why do you think that privacy dictates you should be able to commit a crime, and get away with it by deleting your account?
Wouldn’t Mastodon have the same legal requirements?
I don’t think there is a legal requirement that you store that data, just that you make the data you store available, or in some situations, you add logging for valid law enforcement requests.
Apple for example does not have access to end-to-end iCloud data that is encrypted to my knowledge. They wouldn’t be able to provide the contents of my notes application to law enforcement necessarily - and that is currently legal.
Apple (and Google, Microsoft, etc) are checking signatures of all files on their services to detect illegal stuff. They do it for copyrighted content and they do it for CSAM.
Checking against a known-malicious hash is very different than claiming to have access to the plain data. In fact, even for the known-malicious hashes, the companies doing the checks usually don’t have access to the source data (so i.e. they don’t even necessarily know what it contains).
I’m basing what I have said off of work I have done with attorneys in similar situations. I don’t know evidentiary law, but I wouldn’t want to be accused of destroying evidence of something. But my question stands. Why should someone who has doxed someone get away with it by deleting their account? How is that ethical?
Why should someone who has doxed someone get away with it by deleting their account?
Doxxing is not illegal in many places - the US included. Cyberstalking and harassment may be illegal, depending on location. That’s beside the point, but this is an extremely specific example.
Ultimately users should, in my opinion, be in control of their data. Tildes, for example, preserves deleted comments for (I think) 30 days and then permanently removes them. It seems like that approach is a compromise that would work for your situation while still respecting privacy long term.
So the key thing here is, “are you aware that the data is part of a legal proceeding or crime?”
If no, deleting it as part of normal operations is perfectly legal. There are plenty of VPNs which do not log user information, and will produce for the authorities all of the logs they retain (i.e. an empty log file).
From an ethical standpoint, keeping peoples’ data which they want removed, against their wishes, based on the hypothetical that at some point someone might do something wrong, is by far the less ethical route.
It’s cute how you think I’m going to take legal advice from you. You do you, have a nice evening.
Opposite to Instagram or Facebook, on Lemmy or Mastodon you can create an anonymous account. Yes it will be logged (normal public internet), but you won’t be treacable. The UI doesn’t have any tracking scripts, and many instances don’t require an email even to sign up. Use the Tor browser to spoof your IP.
There are certainly ways to manage your privacy in how you use this service, and it’s different in a lot of ways from other services out there. Users should be educated on the risks against different types of threat models:
- In what ways can my comments be linked to my real world identity, through correlation to my username, registered email address/phone number/Matrix ID/other identifier, by other users of this service?
- In what ways can my comments and activity be linked to my real world identity by site administrators or other privileged users of the service (through access to things like server logs, trackers, etc.)?
- How can I control what activity I consider to be public or private on this service, and who can view that activity I prefer to be considered private?
Even with end to end encryption (which Lemmy does not have for DMs), the most secure protocol is only as secure as the other end you don’t control. People can and will screenshot, save, log, or simply remember what you’ve sent them before.
Lemmy and ActivityPub are new services and protocols to a lot of people. The shortcuts they have internalized on what is or isn’t true about privacy of other services (Facebook, Instagram, TikTok, Snapchat, Reddit, plain old email, cell phones, WhatsApp, iMessage/Facetime, etc.) need to be re-learned for these specific services.
New users should understand that the Lemmy/ActivityPub protocols on deletion or privacy of DMs don’t necessarily work like other services they’re used to. And we should encourage robust discussion around these things until they become common knowledge.
Eww. Well, there is a reason why I try and be extremely careful about what I post nowadays. Don’t want to regret dumb shit I said in the future.
Did anyone use reddit thinking it was private? With stuff like push shift and way back machine people shouldn’t be posting stuff they aren’t comfortable sharing anyways on a wide open message board.
Always weirded me out the people who’d treat their reddit accounts like Facebook.
Yes. “The internet never forgets” is actually a thing.
With stuff like push shift and way back machine
So much this. I don’t get why people don’t remember this first thing when it comes to data storage.
The illusion of Privacy is Mastodon (or social media in general)
There’s a reason why when you go to “private mentions” on Mastodon, this appears:
While yes, we should be able to delete our content if we want, but it’s a bit naive to think there could be true privacy in any decentralised social media platform.
There’s a reason why one of the think people tell you when you come to the fediverse is not to share personal and sensible information.
The only decentralised social media that has some level of privacy is Matrix, and that’s why it has it’s own protocol and only federates within/between its own servers.
While yes, we should be able to delete our content if we want, but it’s a bit naive to think there could be true privacy in any decentralised social media platform.
Especially an email or “reddit” threaded conversation systems where quoting of messages is routine. Here I am, quoting you.
You are putting a billboard up in public, on a bulletin board in the center of the Internet, the assumption should be that anyone can photograph it.
Exactly.
That with the addition that the function of thread-like social media is being a place to discuss topic and share information/knowledge. So content needs to be kept even if the account that posted it exist no more. The contain remaining when the account gets deleted is a feature, because otherwise important information could be lost.
Content deletion should be an option, but the content remaining if you delete your account its a needed feature for this type of platform
In general I think we should go back to separating personal identities from internet identities on discussion forums like these. There are already platforms for promoting your personal identity that are way better than these types of forums
I completely agree. I’d add that. in general I wouldn’t put any type of personal information on the internet, no social media site, is really private.
I was rather peeved I had to give an email to create an account on Lemmy. It shouldn’t be needed.
Unfortunately there has been a wave of fake accounts being created on lemmy. Requiring email on signup is one way to try to prevent this from happening.
I have an email that I specifically use for the fediverse. I wasn’t asked to give email here, but otherwise it would have been hard to know when and whether my join in request was approved or not.
The line gets a little blurry if you start posting into a geographical community though. Sometimes it’s hard to stay 100% anonymous
This demonstrates a fundamental misunderstanding of digital privacy. You can never be guaranteed that data is deleted, just like you can never be guaranteed that someone has “forgotten” something. It doesn’t matter what any entity claims they are doing under the hood, you have to assume they can’t be trusted. That’s not an expectation you can have, and not something privacy advocates are asking for.
I’m posting this comment publicly, and there’s nothing stopping any random user (or non-user) from scraping this lemmy instance and archiving the data themselves. I know that when I post it. Same for reddit, raddle, any mastodon instance, etc. I can copy the text and usernames of everyone involved in that raddle thread and do whatever I want with it, there’s nothing anyone can do to stop me.
To think otherwise reminds me of that first day on the internet kid meme. “I deleted my comments off of their servers, hah, they’ll never get them now!”
What I can demand is: if I send a message directly to another party, I want to be able to verify that that party and ONLY that party can read the message (end-to-end encryption). I can also demand that they not require me to dox myself to them, that they not run weird js-based fingerprinting/port scanning processes on my system/network, and that I am allowed to connect to their services through a VPN should I so choose.
Knowing that any information you share publicly can be stolen, I think the way Lemmy’s instances have the original comment after you deleted it could help counteract people manipulating what you said after you deleted it, such as making a quote and editing “your” original post after it was deleted. But this could give a lot of power to the admins as well, as they could be the ones manipulating.
