A community dedicated to fediverse news and discussion.
Fediverse is a portmanteau of "federation" and "universe".
Getting started on Fediverse;
Provided that a Third Party User is followed by or following a Threads account, Meta will ingest these pieces of data specifically:
Username
Profile Picture
IP Address
Name of Third Party Service
Posts from profile
Post interactions (Follow, Like, Reshare, Mentions)
So if you follow a threads user or even if a threads user just follows you, they pull all this data?
IMO this seems like reason to defederate across the board. Someone else can leak your info to Meta.
Question, is this not how every activitypub server works?
Yes, but not every server is owned by Meta.
Ok, so we're back to defederation not because of any existing tangible evidence in this circumstance, but "because it's Meta". It's fine if that's your opinion and all, but let's stop spreading misinformation on the dangers of collecting the data required by anyone for federation.
And if you're here and pretending to care about data privacy at least try to do the bare minimum in understanding how the Fediverse works.
Hi, I agree that there needs to be discussion.
But let’s be honest here. If meta made a lemmy/mastodon instance we would probably defederate them as well since every bit of data is for their financial gain and nothing else.
I don’t see how the worlds master manipulator and anti trust poster child is even remotely worth discussing about. We have established time and time again that „meta bad“. Why would we now not just accept the fact?
Isn't this just public information anyway, what's the problem with them taking it?
It's Meta. This is just the beginning. Stop them right from the start. Fuck these corporations.
Story of the punk bar bartender and nazis
based on @iamragesparkle;s tweets
I was at a shitty crustpunk bar once getting an after-work beer. One of those shitholes where the bartenders clearly hate you. So the bartender and I were ignoring one another when someone sits next to me and he immediately says, “no. get out.”
And the dude next to me says, “hey i’m not doing anything, i’m a paying customer.” and the bartender reaches under the counter for a bat or something and says, “out. now.” and the dude leaves, kind of yelling. And he was dressed in a punk uniform, I noticed
Anyway, I asked what that was about and the bartender was like, “you didn’t see his vest but it was all nazi shit. Iron crosses and stuff. You get to recognize them.”
And i was like, ohok and he continues.
"you have to nip it in the bud immediately. These guys come in and it’s always a nice, polite one. And you serve them because you don’t want to cause a scene. And then they become a regular and after awhile they bring a friend. And that dude is cool too.
And then THEY bring friends and the friends bring friends and they stop being cool and then you realize, oh shit, this is a Nazi bar now. And it’s too late because they’re entrenched and if you try to kick them out, they cause a PROBLEM. So you have to shut them down.
And i was like, ‘oh damn.’ and he said “yeah, you have to ignore their reasonable arguments because their end goal is to be terrible, awful people.”
And then he went back to ignoring me. But I haven’t forgotten that at all.
Yes, by design: https://docs.joinmastodon.org/methods/accounts/
IMO, the problem is not them taking the information per se, but in abusing that info to further the massive surveillance apparatus that harms society.
This and the constant lying while doing it!
Public? Idk, maybe. I wouldn't generally consider my IP to username to be public. Comment and post stuff, sort of. But even if it's public, I still wouldn't want Meta consuming it.
I wouldn’t generally consider my IP to username to be public.
Are they talking about your IP address or the service's? Does ActivityPub even share the user's IP address with other nodes in the network? That'd be crazy, so I assume that it doesn't. Then Meta can't find out your IP address.
Does ActivityPub even share the user's IP address with other nodes in the network?
No this is not in the specification.
A malicious instance could in theory distribute this information but it would be non-standard. Of the 2 systems I've studied - Mastodon and Lemmy - neither do this.
Are they talking about your IP address or the service's?
In this scenario they would be talking about the IP address(es) of the services.
Most of this is just part of Federation. When I saw this comment my client/server didn't have to fetch it from your server. It was pushed when you posted it so I had it locally.
expired
If a Threads user is following you, they need most of this information. It's literally how the Fediverse works. The only thing that isn't is your IP address, and that's something that I'm not sure they'd even get. That might be your host's IP address.
Remember, the Fediverse isn't a bunch of iframes looking at 3rd party websites. It works by mirroring remote content. A follow is literally a request to ingest posts from a user.
Yeah, no shit, they literally can't federate without this data, that's how ActivityPub works lol.
Why do you think you can see lemmy.ca votes on lemmy.world?
Everybody, please understand what defederating means. It will not stop the defederated instance from getting the data. It just means you don't pull theirs.
If you want to actually control who gets data, you'd have to switch to a service like Streams. ActivityPub cannot prevent anyone from pulling data. It only allows an instance to decide not to pull from a specific location.
Everybody, please understand what defederating means. It will not stop the defederated instance from getting the data. It just means you don't pull theirs.
I'm OK with that. If I wanted to talk to facebook users I'd be on facebook.
Ok, but the number of people that think defederation is in anyway going to prevent this is fairly high.
I see it less about preventing than about sending a clear "DO NOT WANT" message.
I've been around since the prevailing attitude across all common internet services was anti-corporate, anti-commercialism. You sound like maybe you have too. We lost that battle. It'd be nice to win this one, even if in a way that matters only to Fediverse users. I know at the end of the day Meta won't care, and it won't stop them from slurping up our data.
I still think there is value to the DO NOT WANT message, and when Musk or MS try the same thing, I hope we send the same message to them. Let there be one tiny corner of the internet that isn't monetized and enshittified to death. Let the users who are happy to use those companies' platforms use those companies platforms.
I get that this is tangential to your complaint here, and I get it. I don't care what peoples' reasons are though. Every instance should support the fedipact, and when Meta finally starts federating I'll leave my comfy kbin.social home 30 minutes later if it doesn't.
I hope each new revelation convinces more instance owners to do so, and more users to ask their instance owners to do so.
Mother fuckers are moving to take ownership of the fediverse by calling us "third party users".
I'm pretty sure they mean respective to themselves and their own walled garden, but it definitely doesn't scan well.
Looks like there's a lot of FUD around this, so I decided to jump into the ActivityPub spec and see exactly what they can and can't get with the spec as is.
First off, they cannot get a users individual IP unless the instance owner publishes it in the profile data as part of a "public" activity stream. I don't know of any instance that does this currently (feel free to correct me if I'm wrong).
It looks like what Meta is looking to do is scrape the information in the "public" tagged activity streams:
In addition to [ActivityStreams] collections and objects, Activities may additionally be addressed to the special "public" collection, with the identifier https://www.w3.org/ns/activitystreams#Public.
Activities addressed to this special URI shall be accessible to all users, without authentication.
This is similar to what most instances do to show the posts of a user or community - they send a request to get "public" tagged data to publish to their end users. Within this data is all the activity information on that post - who upvoted what and who, and who commented. Again, this is the same way federation works now - your server has an activity stream of all your followed and followers that it can make available to view by tagging their activity as "public". Many instances have this information tagged as "public" as a default.
Now, this system works fine if you're dealing with small actors that don't have nefarious designs on the network, or the resources to dominate it.
When you have a digital behemoth with grand AI designs that's already embroiled in lawsuits where it was grabbing your medical data and regularly allows law enforcement to stroll through its records, it's an entirely different situation. Meta has the power and capacity to not only engage in an "embrance, extend, extinguish" campaign against the Fediverse, but also to seriously threaten the privacy and well-being of Fediverse users in a way no single instance owner can.
I think the solution here will be for individual instance owners to harden their security and if not outright de=federate from Threads, ensure that posts are private by default and that their users are made well aware in the TOS that following a Threads user will result in sharing data about their profile that could (and most likely will) be matched back to their Facebook account.
Instances that don't allow visibility control on posts, like Kbin and Lemmy, should look at adding an option to post only to the local server, or have the capacity to block threads.net outgoing publication based on user profile settings.
Instances that don't allow follow request filtering probably should look at adding it (Mastodon has it implemented - Kbin and I think Lemmy would need to catch up) - otherwise users could be unaware that they're sending their data to threads.net when someone from that service follows them.
I think it goes without saying that any data Meta gets will get the AI treatment - both to identify users and to sell your activity to marketers. That activity is the real goldmine for them - that's a stream of revenue for marketing that rivals what Meta tracks on its own platform.
As such, it may be worthwhile for instance owners to look at removing voting and boosting counts from the "public" activity feed. This would mean more fragmentation for communities whose populations span instances (vote counts would be more off than they are now), but it would prevent bad actors from easily scraping that data for behavioral analysis.
All in all, though, I don't believe it's going to be a positive event when Threads does start federating. One of the nice things about the Fediverse is that the learning curve is high enough to keep the idiot count down, and I don't really see our content or commentary here improving once Meta's audience enters the space.
I don't know what you're getting excited about here; this is all publicly available information which Facebook could scrape at any time they wanted (federated or not), even right this very second.
Shhh, I train my AI here.
Wtf. Can't they just be defederated. Get that shit outta here.
A server admin can block any other server, including Threads.
Stupid question, couldn't instances just say they don't allow scraping specifically from Facebook in their ToS and then report them for GDPR violations if they do?
As in say that have the ToS says that "we'll give your data to other instances because that's how the Fediverse works, we won't give your data to Facebook" and also "Facebook is not allowed to federate, and is not allowed to pull data".
Then just say that your data subjects don't consent to any data pulling by Facebook, and Facebook scraping your system even through ActivityPub is a violation of GDPR.
But GDPR is the European thing, and Threads isn't even available in Europe.
If there service is affecting a service in the EU then they will have to abide by Gdpr. Fact is if your server is in the EU and they scrape it they are active in the EU.
No, they don't. Please leave the click-baity bullshit out of here.
They're literally just taking data they need to federate, like all the other instances. Eventually people around here are going to get sick of this paranoid "fuck Meta because it's Meta" attitude because people keep posting lame misinformation like this. I know I'm getting sick of it.
It’s not just because it’s meta, it’s because they are going to scrape up all the data they can get (even if it’s just normal fediverse stuff) and pipe it into their data mining operation. They could probably easily do it without us noticing, but if we know they’re doing it… then it’s worth talking about. And reasonable for people to dislike.
Do they get my IP if I reply to somebody or a post on Threads?
I was under the impression that I submit to my instance and then that passes the message along.
I had a quick look at the posts and comments bits of the schema and it doesn't appear to list an IP address field, unless I'm blind. Which is always possible.
All instances should start blocking them. Lemmy.world Admins should be on high alert but something tells me they won't block meta.
Guys, everyone move to small instances so that all the power doesnt go to one instance. I joined aussie.zone just for this reason.
@deadsuperhero Well, they have to collect this data to be able to federate. Question is only, what they are doing with this data. When they don't block communication with European servers, they have to follow GDPR here. And these rules limit what they are allowed to do - and the fines for breaching the rules hurt even large companies.
One additional point: Most (all?) AP services perform signed requests when querying the profile and the profile related endpoints. So in the current Friendica version we already added a coding, so that unsigned requests only get some basic data that is needed for the communication, but nothing more. AFAIK some other services are doing so as well.
This coding can be extended so that signed requests from Threads will always result in only returning the basic profile data.