- cross-posted to:
- [email protected]
- [email protected]
Federated services have always had privacy issues but I expected Lemmy would have the fewest, but it’s visibly worse for privacy than even Reddit.
- Deleted comments remain on the server but hidden to non-admins, the username remains visible
- Deleted account usernames remain visible too
- Anything remains visible on federated servers!
- When you delete your account, media does not get deleted on any server
I understand the impulse but the way some people get so hung up on trying to make a way to permanently and universally delete posts made on public facing social media and framing it as a “privacy” issue feels kinda like saying something you regret on mic at a town hall and being mad that you can’t permanently delete the memory of it from the minds of everyone present, and claiming that they violated your privacy by remembering it
it’s an interesting idea, but it doesn’t vibe with the reality of the laws in the EU which has “right to be forgotten” rules
The “right to be forgotten” rules are, with all due respect to the EU regulators, pretty shortsighted.
I think the initial “right to be forgotten” lawsuit that Google faced from that Spanish guy-- where he claimed bankruptcy years prior. People (potential lenders?) kept finding that information online through Google searches. He sued to have Google remove those sites from the index. He won and the Spanish Judge told Google they had to remove those results from searches.
But it didn’t change that the information was still on each site. Those sites, the ones that actually held the information didn’t get sued, just Google.
It also opened the door for oppressive governments to cover up human rights abuses or hide other information they don’t want widely available.
Google appealed and won: https://www.bbc.com/news/technology-49808208
I also want to point out that this Spanish guy’s situation is very different from “posting publicly on social media”. He was getting written about by others and the courts eventually said “no, this can stand. This information should remain available”. So I imagine, public statements made by an individual certainly wouldn’t qualify to be forgotten.
At the end of the day, to me, this is a technical decision not a privacy one.
GDPR applies to companies operating in the EU, not every single entity on the internet. Posts on random forums are not subject to these laws, so I don’t think Lemmy would count.
Now if a Lemmy operator began using user personal data for profit, then GDPR would apply. At the moment, I don’t think that’s happening anywhere in the fediverse.
GDPR applies to companies operating in the EU, not every single entity on the internet
It applies to every single public entity on the internet that holds data of EU citizens. No matter which country they’re located in.
AFAIK, this world-wide nature of the GDPR is pretty unique and quite contentious. The GDPR includes exceptions for private purposes but hosting a lemmy instance with public signups is most certainly not intended to be of private nature, so the GDPR does apply.
I can’t comment on whether that means the right to be forgotten needs to be exercised by federated instances, I just want to set the record straight here.
The EU may claim GDPR applies to all data of EU citizens no matter where in the world it is stored, but if the entity storing that data does zero business in the EU, there isn’t much that can be done to enforce that law. It’s the same as US law firms thinking their DMCA claims apply in other countries, etc.
Federated Lemmy instances operating in non-EU nations with no business/holdings/etc in the EU, are under zero obligation to recognise GDPR requirements unless otherwise required somehow to do so by their own national law (say a treaty agreement or the like).
The EU can no more demand or enforce global adherence to their data laws than the US can.
They can just block access to the site, no?
I think this is a great point. I would say it’s much less of a privacy issue and more of a technical issue.
I think deletions should propagate across all instances and there should be a level of trust between federated servers that they will make those deletions as requested. If only because we’d have a mismatch and orphan comments lingering in perpetuity and we could end up with wildly inconsistent data across the fediverse.
That’s a strawman. No one demands mind-altering powers. Records to be deleted: that’s another story.
Being able to delete tweets doesn’t stop people from screengrabbing them. It’s still good that the option exists.
This demonstrates a fundamental misunderstanding of digital privacy. You can never be guaranteed that data is deleted, just like you can never be guaranteed that someone has “forgotten” something. It doesn’t matter what any entity claims they are doing under the hood, you have to assume they can’t be trusted. That’s not an expectation you can have, and not something privacy advocates are asking for.
I’m posting this comment publicly, and there’s nothing stopping any random user (or non-user) from scraping this lemmy instance and archiving the data themselves. I know that when I post it. Same for reddit, raddle, any mastodon instance, etc. I can copy the text and usernames of everyone involved in that raddle thread and do whatever I want with it, there’s nothing anyone can do to stop me.
To think otherwise reminds me of that first day on the internet kid meme. “I deleted my comments off of their servers, hah, they’ll never get them now!”
What I can demand is: if I send a message directly to another party, I want to be able to verify that that party and ONLY that party can read the message (end-to-end encryption). I can also demand that they not require me to dox myself to them, that they not run weird js-based fingerprinting/port scanning processes on my system/network, and that I am allowed to connect to their services through a VPN should I so choose.
You’re talking about real privacy, the critiques above are all about exposure reduction (incorrectly framed as privacy). Good retention policies are still important for situations like trying to delete something that you regret posting.
An example I could think of from the other site is the very common occurrence of posting some relationship questions and then deleting them later so that the person they’re about can’t stumble onto them. In that case you want finding the thing you deleted to be nontrivial enough that it can’t accidentally be found. Someone with both the skills and knowledge about what they’re looking for may still find it, because it was once public, but that’s a different threat.
Knowing that any information you share publicly can be stolen, I think the way Lemmy’s instances have the original comment after you deleted it could help counteract people manipulating what you said after you deleted it, such as making a quote and editing “your” original post after it was deleted. But this could give a lot of power to the admins as well, as they could be the ones manipulating.
i mean raddle is a site that has an anti doctor post pinned in the mental health community … like c’mon I and many others need medicine to survive and you are encouraging anti-psychiatrist posting, Church of Scientology levels of anti-medicalist posting
That’s fucking ghoulish.
— someone who has to do that shit in order to have a stable life where I don’t want to end it all on a daily basis
The illusion of Privacy is Mastodon (or social media in general)
There’s a reason why when you go to “private mentions” on Mastodon, this appears:
While yes, we should be able to delete our content if we want, but it’s a bit naive to think there could be true privacy in any decentralised social media platform.
There’s a reason why one of the things people tell you when you come to the fediverse is not to share personal and sensitive information.
The only decentralised social media that has some level of privacy is Matrix, and that’s why it has its own protocol and only federates within/between its own servers.
In general I think we should go back to separating personal identities from internet identities on discussion forums like these. There are already platforms for promoting your personal identity that are way better than these types of forums
I completely agree. I’d add that, in general, I wouldn’t put any type of personal information on the internet; no social media site is really private.
The line gets a little blurry if you start posting into a geographical community though. Sometimes it’s hard to stay 100% anonymous
I was rather peeved I had to give an email to create an account on Lemmy. It shouldn’t be needed.
I have an email that I specifically use for the fediverse. I wasn’t asked to give email here, but otherwise it would have been hard to know when and whether my join in request was approved or not.
Unfortunately there has been a wave of fake accounts being created on lemmy. Requiring email on signup is one way to try to prevent this from happening.
While yes, we should be able to delete our content if we want, but it’s a bit naive to think there could be true privacy in any decentralised social media platform.
Especially an email or “reddit” threaded conversation systems where quoting of messages is routine. Here I am, quoting you.
You are putting a billboard up in public, on a bulletin board in the center of the Internet, the assumption should be that anyone can photograph it.
Exactly.
That with the addition that the function of thread-like social media is being a place to discuss topics and share information/knowledge. So content needs to be kept even if the account that posted it exists no more. The content remaining when the account gets deleted is a feature, because otherwise important information could be lost.
Content deletion should be an option, but the content remaining if you delete your account is a needed feature for this type of platform
There’s a reason why when you go to “private mentions” on Mastodon, this appears:
Lemmy carries the same warning:
Given the beta status of Lemmy, I don’t even think it’s a great idea to give the appearance of privacy. I think the core purpose of a webapp like Lemmy is public messages.
I think it’s a can of worms for server operators to get into the business of thinking they can safely hold private messages between users/strangers. None of the Lemmy instances I’ve joined have had a “terms of service” or anything like that on Sign Up, I really think the message should be sent far and wide that Lemmy is about posting IN PUBLIC and that messages are being FEDERATED to peers, even people that you don’t know could be collecting the data for a search engine.
With small-time server operators opening up hundreds of Lemmy instances, without giving away their experience or human identity, how can you have any confidence that someone is properly securing a server they only have part-time job to update and operate? Major corporations are having their database stolen, Valve, Sony, Nintendo, health care companies, mobile network companies (AT&T)… you think a low-budget shoestring server by a hobbyist running Lemmy should be held to the same standards as a corporation who has an entire team and services to defend their data?
Exactly my thoughts. People looking for privacy on these public forums/platforms with no real audit or checks in place is really ironic in my opinion.
The fediverse is the real internet, it’s not a company providing a service. On the real internet, once something gets out there, there can never be a guarantee that it’s taken back. Even on Reddit, once you post something, Reddit might fully delete it but someone out there may have copied it.
I had years worth of posts and comments that I deleted via the interface a while ago. Then as part of the reddit exodus I decided to run a removal tool that used the API, and it turns out 11 years worth of “deleted posts” were all still sitting out there, they were just hidden from me.
I did find it strange when I received a reply to a years old comment that my profile page said was deleted, but I just thought it was a caching issue. Turns out all of that content was still out there with my name attached, I was the only one who couldn’t see it.
What about editing the comments? Do they keep any log of the original message and the subsequent edits or something? Maybe this would be a workaround to effectively delete them.
There’s no way to know without proper testing, and I’m gone for good. I did use redact.dev, which overwrote all of my comments before deleting them, so fingers crossed that the account is nuked.
Multiple people reported Reddit undeleted stuff they had deleted from their accounts recently …
That’s why you rewrite your old comments to actively steer people away from the site. ASCII rocket ships, Lemmy links, etc
That’s what I was thinking, does someone know if Reddit keeps logs or something?
I’ve been doing daily PowerDeleteSuite cleanses of my reddit profile, stuff just keeps re-appearing
Opposite to Instagram or Facebook, on Lemmy or Mastodon you can create an anonymous account. Yes it will be logged (normal public internet), but you won’t be traceable. The UI doesn’t have any tracking scripts, and many instances don’t require an email even to sign up. Use the Tor browser to spoof your IP.
There are certainly ways to manage your privacy in how you use this service, and it’s different in a lot of ways from other services out there. Users should be educated on the risks against different types of threat models:
- In what ways can my comments be linked to my real world identity, through correlation to my username, registered email address/phone number/Matrix ID/other identifier, by other users of this service?
- In what ways can my comments and activity be linked to my real world identity by site administrators or other privileged users of the service (through access to things like server logs, trackers, etc.)?
- How can I control what activity I consider to be public or private on this service, and who can view that activity I prefer to be considered private?
Even with end to end encryption (which Lemmy does not have for DMs), the most secure protocol is only as secure as the other end you don’t control. People can and will screenshot, save, log, or simply remember what you’ve sent them before.
Lemmy and ActivityPub are new services and protocols to a lot of people. The shortcuts they have internalized on what is or isn’t true about privacy of other services (Facebook, Instagram, TikTok, Snapchat, Reddit, plain old email, cell phones, WhatsApp, iMessage/Facetime, etc.) need to be re-learned for these specific services.
New users should understand that the Lemmy/ActivityPub protocols on deletion or privacy of DMs don’t necessarily work like other services they’re used to. And we should encourage robust discussion around these things until they become common knowledge.
I didn’t even give this shit an email address
Damn, Raddle seems worse than Reddit when it comes to toxic attitudes. I never looked much into it since it’s just another centralized platform like Reddit with different management, but boy oh boy are those comments just awful. Great community you folks got over there 😬
I didn’t know anything about Raddle besides the name until now. But gosh, is that a needlessly toxic pit. There’s a poor guy there getting completely beaten up by an admin and some others which seem to be enjoying their time-wasting public bullying. Oh well…
In my opinion it’s unreasonable to think anything can truly be deleted in a federated system. Even if the official codebase is updated to do complete deletion & overwrite, it’s impossible to prevent some bad actor from federating in a fork that just ignores deletion requests.
Seems sensible to just not post anything that you don’t want to be available for the lifetime of the internet.
In my opinion it’s unreasonable to think anything can truly be deleted in a federated system.
yeah like. this is just a byproduct of how federation works currently. i don’t even know how you’d begin to design a federated system where some of these critiques can’t be levied
Anything that is visible to another party can be hijacked - even a 1:1 communication does not guarantee that the other party doesn’t capture the data and then spread it. The only things that are private are thoughts that you have which are not shared with others in any fashion. As soon as information is shared in any fashion, it is not private.
Past this point it’s a matter of how private you think is reasonably private. You could design a system where users are in control of their own data through a series of public and private keys, ensuring that keys must be active to view content, but as stated above even in such a case and the user revoking keys does not stop other people from making copies of said data. This is akin to screenshotting an NFT. For all intents and purposes, a copy of the data as it existed at the time of copying is now publicly available.
Quibbling over the fact that you’re the one who “truly owns” the data when it comes to something like social media feels like a mostly pointless endeavor because the outcome (data is available for others to view/consume/read/etc) is the same regardless of who “owns” it. Copyright law will apply to anything you produce, if it comes to legal problems (someone copies your artwork and sells it, for example) and having a system to prove you own it is primarily a formality to make it easier to prove ownership. Generally people aren’t arguing through this lens, however, and are instead arguing through the privacy/security lens - that they don’t want people stealing/selling their data, which lol, good luck. AI models are proof that no one in the world actually cares about this ownership if they reasonably think they can get away with using your data without any real incentive to not do so - interestingly copyright law and models being trained on corporate data such as movies are a vector by which the legality of this might actually stop or slow AI development and protect the end users’ data.
Yeah, but dick-pics…safe?
Just as it’s impossible to stop scrapers from archiving data on traditional websites. “Deleted” data is probably in a database somewhere, being sold by someone. As you said, you lose some degree of control over your data as soon as you post it. Data is valuable, and if there is a will there is a way.
I don’t expect my data to be fully deleted in a centralized system either. even if it was deleted from the central server someone might have made an archive of it
and reddit is definitely guilty of this since they were bringing back people’s deleted comments and accounts
This is how I treated Reddit too. And Twitter. And everything else. I have two modes; public and private. And private is private; strong encryption and local storage. Having some middle ground is a recipe for disaster.
You don’t even have to modify the code in a fork, just take regular database backups
@ffmike @elbowmacaroni advance ignoring deletion request technology like copy paste
Exactly. Even a server to just go down one day. Theoretically it has a snapshot in time
Yeah, I was thinking about jfs.
It is reasonable that people should be able to delete their posts / comments. However I don’t see how is this related to “privacy”. How can something you post on a public forum be private?
You can’t delete a mail you sent me, nor put your hand written letter to me in the bin. I can keep both and I can keep your name and addresses in my little black book. So there isn’t even that level of privacy in the real old fashioned communication.
And communication over the Internet was always the subject of storage. Your mail may be on the backup tape of a mail server. Your usenet posting is on archive.
So the assumption that the fediverse can forget….
There’s long dead people’s very private letters and diaries in museums and public archives. Really available on the internet now. So that’s not even a failing of the internet, if you write something people find interesting, they’ll find a way to preserve it.
I’m not sure how they think the fediverse will be the one to solve that.
it’s the principle behind the ‘right to be forgotten’
if you posted something to a public forum and changed your mind, deciding it shouldn’t be public after all, you should have that option
While this makes sense for corporations - it doesn’t really make sense on the internet. People will archive, take screenshots, etc. Anything that is public on the internet will likely stay on someone’s computer for years no matter how much we try to delete things.
It is kind of naive to think that the right to be forgotten will be respected by anyone other than the service provider.
That is generally true, with exceptions like leaking someone else’s private information.
But it implicates the adjacent “right to be forgotten” rather than narrowly defined “privacy”. This could be a real legal issue in the EU.
It is. GDPR in the EU dictates that every user which requests their information has to get it in 30 days, and every user who removes their information has to be able to get it removed (I think the time span for that is even shorter, so more pressure for the server admins)
The problem here is that your data is not only collected by your server and accessible to your server admins, the servers of the communities/magazines or people you interact with also collect any activity you have in relation to any community/magazine or user hosted in their server.
So, while the admin of your server has the obligation of deleting your data if you ask for it, the other servers admins don’t necessarily have that obligation.
Also, I’m reading the GDPR and the “right to be forgotten” that many are quoting seems to refer to personal information only.
It almost definitely isn’t and that’s clear looking into GDPR at all.
The right to be forgotten is not all powerful, and the lemmy instance your data originates on has an obligation to delete your data, that is true. However other servers may or may not have any of that obligation for a variety of reasons.
Now if you go to those other servers and make the request to have your information deleted, they may have an obligation to depending on whether that data is seen as currently usable.
The right to be forgotten is far weaker than you think it is, especially on public forums, under GDPR.
I’m also not sure how it’s enforceable in a distributed system.
Blockchains have the property of being append-only, so a blockchain is precisely what makes it impossible to delete transactions. That being said, in a distributed system, once the message leaves trusted servers, it is obviously also impossible to delete it.
Nothing about how lemmy or the fediverse platforms work has anything to do with blockchains. Don’t conflate “decentralization” to include blockchain. Torrents are also decentralized and have nothing to do with blockchains.
Why are you bringing up blockchain?
Lovely, the parent comment mentioned blockchain but was since edited… Trust me I would not have brought it up otherwise.
Probably in the sense that if it’s not me that posted it, then I don’t have any way of truly removing it (which I think is against the EU’s laws).
What I can think of right off the top of my head is revenge porn and doxxing. Furthermore there’s also the right to be forgotten.
I assume anything I post online to remain there forever anyways. That’s why I regularly make a new account so at least everything isn’t behind one username
Lemmy is newish software. I assume everyone operates in the worst-case scenario too - but that doesn’t mean we should code with the worst-case scenario for privacy as some goal or built-in concession.
If you think anything on the Internet can ever be forgotten… You’re going to have a bad time. Passwords, one of the most protected data types, are compiled from breaches into huge databases so that hackers can use them to try to log into websites. There are literally dozens if not hundreds of those password databases on the public Internet to be downloaded, not to mention private or dark web collections. If passwords are not safe, what makes you think publicly available social media would be any different?
Even if somehow the whole federation agreed to purge all posts every year, things like the Internet Archive and Google cache of pages would retain the data.
Personally when I want to share what I’m saying with the world I write a letter, burn it, and snort the ashes. This is the only truly private way to do this.