this post was submitted on 26 Dec 2023
-51 points (30.5% liked)


Title says it. Apparently lemmy devs are not concerned with such worldly matters as privacy, or respecting international privacy laws.

[–] BloodSlut 58 points 10 months ago (3 children)

GDPR is for companies/corporations to "respect" user's requests about their data.

Lemmy (ActivityPub, actually) isn't a company.

What you are saying is the equivalent of saying that the concept of writing is in direct violation of GDPR.

What you probably can do is request that an instance remove your content... And then do the same for every single other instance of any platform that implements ActivityPub (and not all of them will even have data coming from you) and is federated with your instance. And the only ones that would really need to comply are those that are based or operating in the EU.

This is still the internet, not some magical place.

Use some of the most basic fundamental internet safety rules and don't provide potentially compromising information for no reason whatsoever. Especially since this isn't a corporation such as Facebook or Google who require you to do so in order to use their service.

[–] [email protected] 15 points 10 months ago (1 children)

You are slightly wrong. The GDPR applies to everyone dealing with personal data on the regular, which you always have to assume with open text boxes. There have been plenty of rulings already imposing fines on individual, private citizens for their misconduct in violation of the GDPR.

While Lemmy as a system might be exempt, anyone running Lemmy for sure isn't, as long as it regularly processes data of EU citizens, which it does.

As for the devs, the GDPR does require privacy by design. One could argue the devs themselves aren't running it at all, so their software doesn't have to adhere to it, but individual instance hosts could still be hit with fines for running it as is.

[–] [email protected] 8 points 10 months ago

There are some great replies here

I think it's also worth putting in extra effort to educate users so they know early and not when they're expecting otherwise. The system has a benefit, and it'll be smoother if users aren't surprised

Data deletion and public vote records are the two big things that come to mind

[–] Zak 40 points 10 months ago (5 children)

It gets worse: everything you post to Lemmy is sent to multiple other servers automatically. Those servers may be in jurisdictions that have very different privacy laws than the server you post from, or that hosts the community you're posting to. You have no legal agreement with those servers.

We're not done though. The ActivityPub standard makes delete optional, and other servers could be running anything, not just Lemmy. Some of them are probably running somebody's janky pet project that implements half of ActivityPub, poorly, on a jailbroken smart light bulb or something.

Lemmy should implement proper post deletion, possibly with a delay to allow moderators and admins to inspect deleted posts, but expect anything you share via ActivityPub to follow the once on the internet, always on the internet rule even more than in the past.

[–] roofuskit 61 points 10 months ago

Delete buttons are just a placebo on the Internet anyway. At least ActivityPub is honest about that.

[–] [email protected] 27 points 10 months ago

Almost like the entire platform is based on the idea that one server/owner can't be in charge of the data.

Don't get me wrong, not picking a fight, just what op said is kind of obvious to me. You're picking a social media that is democratized and is federated with everyone. The natural tradeoff is that your data is not housed on one server... Which obviously means it's not private.

Idk, the fediverse is a great place, but I would never post anything here I ever wanted to be private. It's not an accident, it's literally by design.

[–] thefactremains 35 points 10 months ago* (last edited 10 months ago) (2 children)

This is a lot like spray painting a message on a public wall in a neighborhood and then complaining because the community won't paint over it (or destroy photos they took of it) when you realize how dumb it was.

You're writing on a public space for free with no business behind it. You're not the customer in this scenario.

[–] [email protected] 24 points 10 months ago* (last edited 10 months ago) (1 children)

OP is simply incorrect.

I'm coding a Lemmy alternative right now and have been testing this functionality out extensively. Deletes of posts and comments certainly federate, I've seen the AP traffic to make it happen. Also, the docs: https://join-lemmy.org/docs/contributors/05-federation.html#delete-post-or-comment

I haven't tested what happens when the 'delete account' button is clicked... Mastodon solves this by sending a 'delete this user' Activity to every fediverse instance so there's nothing about ActivityPub that makes removing an account and all its posts in one go impossible.

[–] ttmrichter 5 points 10 months ago (1 children)

Deletion of entities is optional in ActivityPub. That, by definition, makes known-removal of an account and all its posts in one go impossible, because a server can just ignore the deletion activity.

[–] [email protected] 10 points 10 months ago* (last edited 10 months ago) (7 children)

Yes, although the server will not ignore the deletion activity if that server is running Lemmy. We're talking about Lemmy here, not the fediverse as a whole. OP singled out Lemmy in the post title and said "lemmy devs are not concerned with..."

I'm sure there is more to be done in this area. It'd be great to know for sure which software treats deletion activities properly (I'm really unsure about Kbin, I think it does not) and which does not so instance admins can make informed decisions about who they federate with. Perhaps this information could be made available right within the UI that Lemmy admins use to control their instance, rather than an obscure documentation page somewhere...

IMO having deletes federate should be part of a minimum standard all fediverse software has to meet (plus mod tools, spam control, csam filters, etc) before it is allowed to federate but obviously we're nowhere near having that sort of social organisation.
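
As an added illustration of the Delete handling discussed in the comments above (not code from Lemmy, Mastodon or any commenter): a minimal receiving-side inbox handler in Python. It assumes the HTTP signature was already verified upstream and that only an object's author may delete it; `sample_store`, `handle_delete` and the `honor_deletes` switch are hypothetical names, and the `a.example`/`b.example` data is constructed.

```python
from urllib.parse import urlsplit

def sample_store():
    """Constructed sample: one remote comment cached on the receiving server."""
    return {"https://a.example/comment/1": {
        "type": "Note",
        "attributedTo": "https://a.example/u/alice",
        "content": "hello",
    }}

def origin(url):
    """Scheme and host of an id, for the same-origin ownership check."""
    parts = urlsplit(url)
    return (parts.scheme, parts.netloc.lower())

def handle_delete(store, activity, honor_deletes=True):
    """Apply an inbox Delete activity to the local cache and report the outcome."""
    if activity.get("type") != "Delete":
        return "not-a-delete"
    obj = activity.get("object")
    obj_id = obj.get("id") if isinstance(obj, dict) else obj
    actor = activity.get("actor")
    if not isinstance(obj_id, str) or not isinstance(actor, str):
        return "malformed"
    cached = store.get(obj_id)
    if cached is None or cached.get("type") == "Tombstone":
        return "unknown-or-already-deleted"
    # Assumption: only the author, on the object's own server, may delete it.
    if origin(actor) != origin(obj_id) or cached.get("attributedTo") != actor:
        return "rejected-not-owner"
    if not honor_deletes:
        # A server that ignores deletes keeps its cached copy; the sending
        # server has no way to verify that removal actually happened.
        return "ignored"
    # Replace the content with a Tombstone so the id resolves but the text is gone.
    store[obj_id] = {"type": "Tombstone", "id": obj_id, "formerType": cached["type"]}
    return "tombstoned"

if __name__ == "__main__":
    store = sample_store()
    delete = {"type": "Delete", "actor": "https://a.example/u/alice",
              "object": "https://a.example/comment/1"}
    forged = dict(delete, actor="https://b.example/u/mallory")
    print(handle_delete(store, forged))   # forged delete from another server
    print(handle_delete(store, delete))   # genuine delete from the author
    print(store)
```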

[–] [email protected] 17 points 10 months ago* (last edited 10 months ago) (2 children)

Remind me again how things can be deleted from the internet?

[–] [email protected] 16 points 10 months ago (2 children)

All your posts on the fediverse are effectively a public blog of your thoughts that will be scraped and stored in servers you have no control over.

If you care about privacy, which I understand, you probably want to leave quickly.

Here’s a rundown from someone who got fed up with the fediverse and kinda rage quit: https://blog.bloonface.com/2023/07/04/the-fediverse-is-a-privacy-nightmare/

Another example of this is that it’s not just about lemmy. One way in which lemmy actually federates well with microblogs like mastodon is that users can be followed from mastodon etc.

So any number of servers running a number of open source easy to run platforms could be taking up everything you specifically post.

[–] donio 27 points 10 months ago* (last edited 10 months ago) (1 children)

> If you care about privacy, which I understand, you probably want to leave quickly.

Just because you care about privacy it doesn't mean that you have to stay indoors all the time. You can still hang around on the town square you just have to be conscious about what you do where.

A big part of caring about privacy is understanding how the platforms you use work and using them accordingly. With proprietary platforms this is often opaque and the rules can change. Open platforms are transparent and you can actually understand them - if you make the effort.

[–] [email protected] 12 points 10 months ago (8 children)

It's not like deleting your comments or posts off of Reddit would magically remove them from all the various Reddit archives that exist around the Internet, either. Reddit only controls what happens on Reddit, and that problem is now generalized across the whole Fediverse.

[–] [email protected] 5 points 10 months ago

Thank you for posting that link. I'm not fed up (completely?) yet I suppose but it was eye-opening. I'll have to be a lot more careful about posting, possibly not post again.

[–] [email protected] 15 points 10 months ago (1 children)

seems weird this expectation of privacy on public sites built for public consumption of public content posted by people publicly.

i mean, i get wanting to control your data. the software i use allows for this ( the 'bins offer a user-level purge).

but privacy? seems weird

[–] [email protected] 9 points 10 months ago (4 children)

I mean, to have a Lemmy account you already decided to put your trust in total strangers with questionable security credentials.

[–] [email protected] 9 points 10 months ago

Effect of ActivityPub, not Lemmy. All federating systems function similarly, because it's a feature of the protocol.
If instances want, they can ignore delete requests and your content stays in their cache forever (remember Pleroma nazis from a couple of years ago?) - now, that is an instance problem that might be a GDPR issue, but good luck reporting it to anyone who cares. At best you can block and defederate, but that doesn't mean your posts are removed.

The fediverse has no privacy, it's "public Internet". Probably a good idea to treat it as such.

[–] [email protected] 9 points 10 months ago (1 children)

That's why I stay as anonymous as possible.

[–] BloodSlut 7 points 10 months ago

always remember to throw in false information to throw others off your tail

completely unrelated, but I am a 45lb chihuahua with alopecia from Reno, Nevada.

[–] [email protected] 9 points 10 months ago* (last edited 10 months ago) (1 children)

This is definitely a con of Lemmy for me. I like to be more privacy focused but Lemmy gives you 0 privacy on whatever you do on the website. Anyone who wants more privacy on Lemmy is told you have no right to privacy, don't expect any privacy, everything you do is public on the internet, etc. A massive boner killer for me. I think basic things like deleting your own post or comments should actually get removed from all servers, PMs should not be viewable by anyone except the recipients, and what you vote on or subscribe to should be private. Lemmy doesn't sell your data but that's because anyone can take the data for free. I thought this stuff was because Lemmy is still new and will get to it eventually but the push back seems to say this was a choice or is not broken. I ended up exploring different social media alternatives but I like the style of Lemmy better since it is more reddit-like with an active user base plus has different android clients. I don't like kbin because it shows who upvoted or downvoted something to everyone - it's not accountability when it erodes your privacy.

I used to comment on Lemmy more but then I ran into this problem when juggling multiple accounts, Liftoff sucks ass at letting you know which account you are logged into (I use Summit now and it is better at it) so I ended up getting my accounts' wires crossed when I thought using the drop down on your accounts changed your account but no you have to go to manage instances to switch which was not intuitive. I ended up abandoning the accounts when I couldn't figure out how to actually delete the post from the server.

Edit: man I wish I saw this sooner, might be time for me to either stop posting again or look somewhere else.

[–] Zak 7 points 10 months ago

While I didn't find any factual issues in a quick skim of that article, I really don't agree with its tone.

The Fediverse is radically public. That's the nature of a protocol like ActivityPub, not a bug to be fixed. Using it for anything you're not comfortable with being public forever is a mistake.

[–] ttmrichter 7 points 10 months ago (8 children)

GDPR is international now? Do I need to break out Nelson Muntz when some Euro type thinks European law is extraterritorial?

Don't make me break out Nelson Muntz, please.

[–] [email protected] 7 points 10 months ago

there's a delete button

[–] YoBuckStopsHere 6 points 10 months ago* (last edited 10 months ago) (2 children)

Mods and admins can remove posts and they don't stay on the server. If you delete it yourself, then it stays. Comments stay deleted, though, and are replaced with a 'deleted by creator' message.

[–] [email protected] 5 points 10 months ago

Mods and admins can remove posts but they do stay only if they're "removed". But if they're "purged", then they're deleted from the server.

[–] ttmrichter 5 points 10 months ago

You know, I think I'm going to make some software that just siphons every ActivityPub message (ignoring delete requests except to log them) and call it "GDPR THIS". The amount of mysticism and confusion around two very basic concepts (ActivityPub works by copying profusely, and the GDPR has no weight outside of the EU) just leaves me baffled here.

[–] [email protected] 5 points 10 months ago

Lemmy's lack of central control is a feature. But it can still be GDPR compliant. GDPR did not make Usenet illegal. GDPR does not make peer-to-peer illegal.

As an EU citizen you can still write letters to the editor of newspapers, and those letters can be published in those newspapers of record. Sending a message to Lemmy is akin to publishing publicly an opinion piece in a newspaper.

Certainly you can use GDPR to talk to a Lemmy admin to remove your data on the instance you registered an account on. But due to the nature of Lemmy, its architecture, you can't go out and retract all of the newspapers that have been published. That's a physical impossibility.

Even if you could somehow talk to every administrator of every instance, you can't prove you were that user who posted that data.
