this post was submitted on 28 Jun 2023
25 points (96.3% liked)

No Stupid Questions

35440 readers
801 users here now

No such thing. Ask away!

!nostupidquestions is a community dedicated to being helpful and answering each others' questions on various topics.

The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:

Rules (interactive)

Rule 1- All posts must be legitimate questions. All post titles must include a question.

All posts must be legitimate questions, and all post titles must include a question. Questions that are joke or trolling questions, memes, song lyrics as title, etc. are not allowed here. See Rule 6 for all exceptions.

Rule 2- Your question subject cannot be illegal or NSFW material.

Your question subject cannot be illegal or NSFW material. You will be warned first, banned second.

Rule 3- Do not seek mental, medical and professional help here.

Do not seek mental, medical and professional help here. Breaking this rule will not get you or your post removed, but it will put you at risk, and possibly in danger.

Rule 4- No self promotion or upvote-farming of any kind.

That's it.

Rule 5- No baiting or sealioning or promoting an agenda.

Questions which, instead of being of an innocuous nature, are specifically intended (based on reports and in the opinion of our crack moderation team) to bait users into ideological wars on charged political topics will be removed and the authors warned - or banned - depending on severity.

Rule 6- Regarding META posts and joke questions.

Provided it is about the community itself, you may post non-question posts using the [META] tag on your post title.

On fridays, you are allowed to post meme and troll questions, on the condition that it's in text format only, and conforms with our other rules. These posts MUST include the [NSQ Friday] tag in their title.

If you post a serious question on friday and are looking only for legitimate answers, then please include the [Serious] tag on your post. Irrelevant replies will then be removed by moderators.

Rule 7- You can't intentionally annoy, mock, or harass other members.

If you intentionally annoy, mock, harass, or discriminate against any individual member, you will be removed.

Likewise, if you are a member, sympathiser or a resemblant of a movement that is known to largely hate, mock, discriminate against, and/or want to take lives of a group of people, and you were provably vocal about your hate, then you will be banned on sight.

Rule 8- All comments should try to stay relevant to their parent content.

Rule 9- Reposts from other platforms are not allowed.

Let everyone have their own content.

Rule 10- Majority of bots aren't allowed to participate here.

Credits

Our breathtaking icon was bestowed upon us by @Cevilia!

The greatest banner of all time: by @TheOneWithTheHair!

founded 1 year ago
MODERATORS
L3s
ja2
_MoveSwiftly
Rooki
Thekingoflorda
automodbeta
25
When I sign up under an instance, what information am I sharing to the host? (geddit.social)
submitted 1 year ago by [email protected] to c/nostupidquestions
12 comments fedilink hide all child comments
 

Privacy drove me off reddit, I looked around for these answers but not sure where to come across them.

  1. Am I sharing my IP address/ location with my host instance?
  2. is there a log of my view history
  3. are there general privacy concerns that I am not thinking of?

I do not want to be in a position where a Government creates an instance, and allows them to monitor.

top 12 comments
sorted by: hot top controversial new old
[–] Candelestine 9 points 1 year ago

If you don't want governments monitoring you, I really think you need to get off the public internet.

The tools are becoming too advanced, and they are legally allowed to do it by current law. In most places anyway. So, wave to the alphabet soup guys, everyone! Hiiiii~! Hope you all catch a terrorist! Have a good day!

I mean, if they're legally allowed to monitor, then they'd just be dumb not to, you know? It's our job to make that illegal if we don't want it to happen, and we haven't done that yet.

[–] [email protected] 6 points 1 year ago

Copying my reply of this exact same question to https://lemmy.ml/c/lemmy_support

Am I sharing my IP address/ location with my host instance?

You share your IP Address with ANY online service you interact with. This is how it talks back to you to send you content.

is there a log of my view history

Not by default. However, enabling verbose logging on the webserver can indeed log this information. Just- not in a pretty way.

are there general privacy concerns that I am not thinking of?

Anytime you comment, post, or vote, that data is stored in a database and sent to every other instance subscribed to the community for which you are interacting with, and then stored in their database as well.

So- tldr; lemmy isn't really a privacy-focused place. Although, its honestly not much different then reddit. Reddit logs EVERYTHING you do, and then shares that data with third parties for the purpose of advertising.

Although, there isn't anything in place in lemmy to prevent this data from doing the same thing. Silently, and without you knowing.

[–] [email protected] 4 points 1 year ago
  1. Am I sharing my IP address/ location with my host instance?

Yes to IP address. Your location info depends on what is knowable from the address (VPN location is not knowable).

  1. is there a log of my view history

I don't think Lemmy logs your views directly in postgres, but nginx can be set up to log all the traffic, so I would say yes, it could probably be reconstructed by a determined instance owner, although it might take a little basic scripting to do so.

  1. are there general privacy concerns that I am not thinking of?

Don't do anything you'd be uncomfortable about explaining in view of the above.

[–] [email protected] 3 points 1 year ago

I don't know about 2 and 3, but every service and website you connect to has your IP address.

[–] axzxc1236 3 points 1 year ago* (last edited 1 year ago) (1 children)

There was a thread that asks the same question (which I can't find... somebody paste the link pls):

You can observe lemmy's database schema on Github.

This links to current (as of me making this comment, the link links to fixed version of code, not "current latest") version of "local_user" table.

[–] [email protected] 2 points 1 year ago (1 children)

Thank you for the answer, I cross posted my question to a couple threads. I cant read code, but I appreciate your link a bunch

[–] axzxc1236 5 points 1 year ago (1 children)

I can answer question 1 confidently:

Yes, web host does know your IP, not limited to lemmy, this is how Internet works.

Partially answering question 3:

Someone said lemmy doesn't comply with GDPR because deleted is a boolean (true/false) value

[–] ritswd 1 points 1 year ago (1 children)

That is inaccurate, all that matters is that Personally Identifiable Information (PII) is gone. A provider has no obligation to delete any data/content if it doesn’t identify you personally. So, assuming your instance requires an email address (which some do, but not all, so clearly Lemmy allows to operate without it), or stuff like real name, phone number, etc (but I’m pretty sure no Lemmy instance requires that), all an admin would have to do to be in compliance would be to overwrite those PII fields with anonymous information, and they’d be in compliance. No records actually need to be deleted.

Source: I’m not a compliance expert, but I’m a software engineer who worked for some of the most major companies providing online services, at the time GDPR passed. They all spent many millions to align to GDPR because for some of them the liability would have been in the hundreds of millions of dollars, so they took it very seriously. Yet, of those that were soft-deleting records like that (with a Boolean), none of them stopped doing it. All of the efforts were around cleaning out the PII only.

[–] RightHandOfIkaros 1 points 1 year ago (1 children)

A provider has no obligation to delete any data/content if it doesn’t identify you personally.

They should though. The personal data laws that protect people (not businesses) should be updated to include all content a person creates on a platform. There is no reason a business should be allowed to continue to profit off of someone's content after that person deletes their account.

[–] ritswd 1 points 1 year ago

I don’t necessarily disagree, but it’s not what the GDPR law is written to protect against, so it doesn’t have bearing on Lemmy’s GDPR compliance. Now, is it the right design for a privacy-minded solution, that’s another question, though.

That being said, hard deletes are always technically tedious. You can’t always make it do the correct thing at the model layer depending the use case, so the entire logic may need to be written to be resilient to missing records anywhere. If everything is a soft-delete, then it’s a whole class of crashes that can’t exist. So maybe the data model here is still right for a privacy-minded solution, and there should be a native feature that overwrites a variety of fields on those records that go beyond just the PII fields. That’d be nice.

[–] [email protected] 3 points 1 year ago
  1. How else is your host instance supposed to communicate if it doesn't know your IP?
    Knowing just an IP can give a rough geographical location. If sharing your IP/Location is part of what you consider privacy; I recommend a VPN with location services. Then you can be anywhere/everywhere and the Instance only talks to your VPN IP.
  2. Your instance geddit.social would be best to answer questions regarding the operation of their instance. I'm fairly certain that would be the only place a history could be saved.
  3. Privacy/Security starts at home, see #1.

A "Government Instance" would have to have approval from your instance to Federate with your instance. It'd be easier for them to call/email your ISP or skip the ISP and talk to your modem.

[–] [email protected] 2 points 1 year ago

Optimally instances should have a tos or privacy statement, but out of the box you can expect a web server to collect your IP (if for nothing but know where to respond to your requests), a log of your requests, and any content you generate in using the instance (comments, votes, posts). login data (email, username, hashed password) are also stored to let you log in at all.

any other data will depend on the instance in question, how it is configured, and who is running it.