Federated services have always had privacy issues but I expected Lemmy would have the fewest, but it’s visibly worse for privacy than even Reddit.

  • Deleted comments remain on the server but hidden to non-admins, the username remains visible
  • Deleted account usernames remain visible too
  • Anything remains visible on federated servers!
  • When you delete your account, media does not get deleted on any server

  • ffmike@beehaw.org · English · ↑ 48 · 1 year ago

    In my opinion it’s unreasonable to think anything can truly be deleted in a federated system. Even if the official codebase is updated to do complete deletion & overwrite, it’s impossible to prevent some bad actor from federating in a fork that just ignores deletion requests.

    Seems sensible to just not post anything that you don’t want to be available for the lifetime of the internet.

    • alyaza [they/she]@beehaw.org [M] · English · ↑ 20 · 1 year ago

      In my opinion it’s unreasonable to think anything can truly be deleted in a federated system.

      yeah like. this is just a byproduct of how federation works currently. i don’t even know how you’d begin to design a federated system where some of these critiques can’t be levied

      • Gaywallet (they/it)@beehaw.org · English · ↑ 6 · edited · 1 year ago

        Anything that is visible to another party can be hijacked - even a 1:1 communication does not guarantee that the other party doesn’t capture the data and then spread it. The only things that are private are thoughts that you have which are not shared with others in any fashion. As soon as information is shared in any fashion, it is not private.

        Past this point it’s a matter of how private you think is reasonably private. You could design a system where users are in control of their own data through a series of public and private keys, ensuring that keys must be active to view content, but as stated above even in such a case and the user revoking keys does not stop other people from making copies of said data. This is akin to screenshotting an NFT. For all intents and purposes, a copy of the data as it existed at the time of copying is now publicly available.

        Quibbling over the fact that you’re the one who “truly owns” the data when it comes to something like social media feels like a mostly pointless endeavor because the outcome (data is available for others to view/consume/read/etc) is the same regardless of who “owns” it. Copyright law will apply to anything you produce, if it comes to legal problems (someone copies your artwork and sells it, for example) and having a system to prove you own it is primarily a formality to make it easier to prove ownership. Generally people aren’t arguing through this lens, however, and are instead arguing through the privacy/security lens - that they don’t want people stealing/selling their data, which lol, good luck. AI models are proof that no one in the world actually cares about this ownership if they reasonably think they can get away with using your data without any real incentive to not do so - interestingly copyright law and models being trained on corporate data such as movies are a vector by which the legality of this might actually stop or slow AI development and protect the end-users data.

    • yourgodlucifer@kbin.social · ↑ 12 · edited · 1 year ago

      I don’t expect my data to be fully deleted in a centralized system either. even if it was deleted from the central server someone might have made an archive of it

      and reddit is definitely guilty of this since they were bringing back people’s deleted comments and accounts

    • pkulak@beehaw.org · English · ↑ 6 · 1 year ago

      This is how I treated Reddit too. And Twitter. And everything else. I have two modes; public and private. And private is private; strong encryption and local storage. Having some middle ground is a recipe for disaster.

    • CoffeeBot@lemmy.ca · English · ↑ 2 · 1 year ago

      Exactly. Even a server to just go down one day. Theoretically it has a snapshot in time

  • 0xtero@kbin.social · ↑ 36 · edited · 1 year ago

    First - we’re all using alpha/beta software (Lemmy is 0.17.4, Kbin is 0.10.). None of these services are “production quality” software yet, so let’s keep that in our minds - we’re all early adopters.

    The points mentioned in the OP are a bad look. Naturally. User should have expectation of their data being deleted on request - especially since this request might be regulatory privacy request (GDPR related). It’s a clear failure from the software and should be improved and iterated upon.

    The expectation shouldn’t be “oh well it’s on the Internet, live with it”. While Facebook might keep mining your data after deletion request, our software shouldn’t behave like that, we should strive to be better with this stuff.

    And finally, ensuring privacy in federated system is hard. Mastodon suffers from same problems. We shouldn’t give up on the idea though.

    • YMS@kbin.social · ↑ 13 · edited · 1 year ago

      It is an early stage software and such things can be worked out, you’re right. But on the other hand, such basic elements should be based on a thorough concept before a single line is coded, and implementing something like a delete button with “Let’s just make it delete the most visible stuff for now, we can always improve that later when there is time” is a recipe for disaster.

    • lovesyouandhugsyou@beehaw.org · ↑ 5 · 1 year ago

      But is it solvable at all in principle? The only enforcement policy available is defederation, but that just means future posts won’t go to that instance, the older posts will still be there. Plus an instance could just lie when confirming delete requests and you’d never know unless the non-deleted posts leaked.

      • Dee@beehaw.org · ↑ 5 · 1 year ago

        Not really, same as email. Once you send it out and it’s on somebody else’s server, you can request they delete it but that’s about it. They have a copy of your message and can do whatever they want with that.

        This is not a principle that needs solving imo, it’s the nature of Internet. If you post it online then you should know that there’s a chance it’ll be there permanently.

      • Mikina@programming.dev · ↑ 1 · edited · 1 year ago

        Hmm, it’s an interesting problem. I’m afraid you are right and there’s really nothing left but defederation - on the other hand, then it’s the same as with stuff like the parsers that could show deleted reddit messages, or things like the Wayback Machine, which basically do the same, so the core logic of base lemmy source should be as privacy-respecting as possible.

        I remember a few years ago when I was reading about Signal that there is some way how you can verify that their server is running on the same code as the one published (and audited heavily), so you can be 100% sure that there were no modifications. Wouldn’t something like that be a solution? That would prevent servers from modifying the code that deletes data. I don’t know how it works, and I couldn’t find it when I tried looking for it again, but assuming such a thing is possible, each Lemmy instance could just have a verify widget on their VCS and you could be sure that this instance really does delete your data, since they didn’t modify the deletion code.

        But this is just theorycrafting, I wouldn’t really have enough experience to create something like that and I can imagine that it’s not an easy thing. But if anyone knows more details about the way Signal verification works, assuming I didn’t just misunderstand something (since it’s literally a memory I have of a single sentence from one random article when I was researching best private messages app), I would love to read more about the way it works!

        But yeah, outside of that, I’m afraid that the following set of features is mutually exclusive:

        • A user is able to delete their data, and it’s guaranteed that they are deleted from everywhere.
        • If a lemmy instance dies, its data is not lost.
        • There is not a single centralized authority for anything.

        Another option would be to create some kind of reputation system, where self-hosted bots could check for servers that still provide posts and comments that should be deleted, and flag offenders. But that’s overengineering anyway, and as I’ve already said - there’s still no way how to stop scraper or anyone from simply copying your data when they see it.
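
The comments above make two claims: a Delete is only a request that a remote instance may ignore, and a bot that checks servers can only flag the ones that keep serving the content. The following is an added illustration, not code from Lemmy or from any commenter; it is a toy in-memory model, and the hosts, the policy names and the `Instance` class are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed policies for the toy model; these are not Lemmy settings.
COMPLIANT, HIDES_ONLY, IGNORES = "compliant", "hides_only", "ignores_delete"

@dataclass
class Instance:
    host: str
    policy: str = COMPLIANT
    store: dict = field(default_factory=dict)   # object id -> content kept on disk
    hidden: set = field(default_factory=set)    # ids kept on disk but not served

    def receive(self, activity: dict) -> None:
        """Handle a federated activity; a Delete is only ever a request."""
        if activity["type"] == "Create":
            obj = activity["object"]
            self.store[obj["id"]] = obj["content"]
        elif activity["type"] == "Delete":
            object_id = activity["object"]
            if self.policy == COMPLIANT:
                self.store.pop(object_id, None)
            elif self.policy == HIDES_ONLY and object_id in self.store:
                self.hidden.add(object_id)
            # IGNORES: the fork drops the request and keeps serving the object

    def public_fetch(self, object_id: str):
        """What any outside observer, including an audit bot, can retrieve."""
        if object_id in self.hidden:
            return None
        return self.store.get(object_id)

def federate(activity: dict, peers: list) -> None:
    for peer in peers:
        peer.receive(activity)

def audit_still_served(object_id: str, peers: list) -> list:
    """The 'reputation bot' check: hosts that still serve a deleted object."""
    return sorted(p.host for p in peers if p.public_fetch(object_id) is not None)

def actually_retained(object_id: str, peers: list) -> list:
    """Ground truth, visible only with access to each server's storage."""
    return sorted(p.host for p in peers if object_id in p.store)

def run_demo():
    peers = [
        Instance("home.example", HIDES_ONLY),   # hides deleted comments, keeps them
        Instance("peer.example", COMPLIANT),
        Instance("fork.example", IGNORES),
    ]
    comment_id = "https://home.example/comment/1"   # constructed id
    federate({"type": "Create", "actor": "https://home.example/u/alice",
              "object": {"id": comment_id, "content": "regrettable post"}}, peers)
    federate({"type": "Delete", "actor": "https://home.example/u/alice",
              "object": comment_id}, peers)
    return audit_still_served(comment_id, peers), actually_retained(comment_id, peers)

if __name__ == "__main__":
    flagged, retained = run_demo()
    print("flagged by audit:", flagged)
    print("still on disk:   ", retained)
```

The audit flags only `fork.example`, while `home.example` also still holds the comment; an external check cannot tell a server that deleted the data from one that merely stopped serving it.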

  • NightOwl@lemmy.one · English · ↑ 33 · 1 year ago

    Did anyone use reddit thinking it was private? With stuff like Pushshift and Wayback Machine people shouldn’t be posting stuff they aren’t comfortable sharing anyways on a wide open message board.

    Always weirded me out the people who’d treat their reddit accounts like Facebook.

  • lowleveldata@programming.dev · English · ↑ 32 · edited · 1 year ago

    It is reasonable that people should be able to delete their posts / comments. However I don’t see how is this related to “privacy”. How can something you post on a public forum be private?

    • Lols [they/them]@lemm.ee · English · ↑ 16 · 1 year ago

      its the principle behind the ‘right to be forgotten’

      if you posted something to a public forum and changed your mind, deciding it shouldnt be public after all, you should have that option

      • Lionir [he/him]@beehaw.org · English · ↑ 7 · edited · 1 year ago

        While this makes sense for corporations - it doesn’t really make sense on the internet. People will archive, take screenshots, etc. Anything that is public on the internet will likely stay on someone’s computer for years no matter how much we try to delete things.

        It is kind of naive to think that the right to be forgotten will be respected by anyone other than the service provider.

      • __forward__@lemm.ee · English · ↑ 4 · 1 year ago

        Blockchains have the property of being append-only, so a blockchain is precisely what makes it impossible to delete transactions. That being said, in a distributed system, once the message leaves trusted servers, it is obviously also impossible to delete it.

  • heartlessevil@lemmy.one · English · ↑ 30 · 1 year ago

    What does this have to do with Mastodon?

    The same privacy issues also exist with Mastodon and all distributed systems.

  • Retronautickz@beehaw.org · English · ↑ 26 · edited · 1 year ago

    The illusion of Privacy is Mastodon (or social media in general)

    There’s a reason why when you go to “private mentions” on Mastodon, this appears:

    Private mentions. Post on mastodon are not end-to-end encrypted. Do not share any sensitive information over Mastodon

    While yes, we should be able to delete our content if we want, but it’s a bit naive to think there could be true privacy in any decentralised social media platform.

    There’s a reason why one of the things people tell you when you come to the fediverse is not to share personal and sensible information.

    The only decentralised social media that has some level of privacy is Matrix, and that’s why it has its own protocol and only federates within/between its own servers.

    • KitemanHellYeah@lemm.ee · English · ↑ 13 · 1 year ago

      In general I think we should go back to separating personal identities from internet identities on discussion forums like these. There are already platforms for promoting your personal identity that are way better than these types of forums

      • Retronautickz@beehaw.org · English · ↑ 5 · 1 year ago

        I completely agree. I’d add that, in general, I wouldn’t put any type of personal information on the internet; no social media site is really private.

        • Hexorg@beehaw.org · English · ↑ 5 · 1 year ago

          The line gets a little blurry if you start posting into a geographical community though. Sometimes it’s hard to stay 100% anonymous

        • wewbull@feddit.uk · English · ↑ 1 · 1 year ago

          I was rather peeved I had to give an email to create an account on Lemmy. It shouldn’t be needed.

          • Retronautickz@beehaw.org · English · ↑ 1 · 1 year ago

            I have an email that I specifically use for the fediverse. I wasn’t asked to give email here, but otherwise it would have been hard to know when and whether my join in request was approved or not.

    • BitOneZero@beehaw.org · English · ↑ 6 · 1 year ago

      While yes, we should be able to delete our content if we want, but it’s a bit naive to think there could be true privacy in any decentralised social media platform.

      Especially an email or “reddit” threaded conversation systems where quoting of messages is routine. Here I am, quoting you.

      You are putting a billboard up in public, on a bulletin board in the center of the Internet, the assumption should be that anyone can photograph it.

      • Retronautickz@beehaw.org · English · ↑ 4 · 1 year ago

        Exactly.

        That with the addition that the function of thread-like social media is being a place to discuss topics and share information/knowledge. So content needs to be kept even if the account that posted it exists no more. The content remaining when the account gets deleted is a feature, because otherwise important information could be lost.

        Content deletion should be an option, but the content remaining if you delete your account is a needed feature for this type of platform

  • kool_newt@beehaw.org · English · ↑ 20 · edited · 1 year ago

    The fediverse is the real internet, it’s not a company providing a service. On the real internet, once something gets out there, there can never be a guarantee that it’s taken back. Even on Reddit, once you post something, Reddit might fully delete it but someone out there may have copied it.

    • marco@beehaw.org · English · ↑ 8 · 1 year ago

      Multiple people reported Reddit undeleted stuff they had deleted from their accounts recently …

  • nerodessertking@beehaw.org · English · ↑ 20 · 1 year ago

    i mean raddle is a site that has an anti doctor post pinned in the mental health community … like c’mon I and many others need medicine to survive and you are encouraging anti-psychiatrist posting, Church of Scientology levels of anti-medicalist posting

    • SharkEatingBreakfast@beehaw.org · English · ↑ 2 · 1 year ago

      That’s fucking ghoulish.

      — someone who has to do that shit in order to have a stable life where I don’t want to end it all on a daily basis

  • teawrecks@sopuli.xyz · English · ↑ 16 · edited · 1 year ago

    This demonstrates a fundamental misunderstanding of digital privacy. You can never be guaranteed that data is deleted, just like you can never be guaranteed that someone has “forgotten” something. It doesn’t matter what any entity claims they are doing under the hood, you have to assume they can’t be trusted. That’s not an expectation you can have, and not something privacy advocates are asking for.

    I’m posting this comment publicly, and there’s nothing stopping any random user (or non-user) from scraping this lemmy instance and archiving the data themselves. I know that when I post it. Same for reddit, raddle, any mastodon instance, etc. I can copy the text and usernames of everyone involved in that raddle thread and do whatever I want with it, there’s nothing anyone can do to stop me.

    To think otherwise reminds me of that first day on the internet kid meme. “I deleted my comments off of their servers, hah, they’ll never get them now!”

    What I can demand is: if I send a message directly to another party, I want to be able to verify that that party and ONLY that party can read the message (end-to-end encryption). I can also demand that they not require me to dox myself to them, that they not run weird js-based fingerprinting/port scanning processes on my system/network, and that I am allowed to connect to their services through a VPN should I so choose.

    • Ivyymmy@lemmy.one · English · ↑ 3 · 1 year ago

      Knowing that any information you share publicly can be stolen, I think the way Lemmy’s instances have the original comment after you deleted it could help counteract people manipulating what you said after you deleted it, such as making a quote and editing “your” original post after it was deleted. But this could give a lot of power to the admins as well, as they could be the ones manipulating.

  • ManeraKai@programming.dev · English · ↑ 15 · edited · 1 year ago

    Opposite to Instagram or Facebook, on Lemmy or Mastodon you can create an anonymous account. Yes it will be logged (normal public internet), but you won’t be traceable. The UI doesn’t have any tracking scripts, and many instances don’t require an email even to sign up. Use the Tor browser to spoof your IP.

  • Dee@beehaw.org · English · ↑ 14 · 1 year ago

    Damn, Raddle seems worse than Reddit when it comes to toxic attitudes. I never looked much into it since it’s just another centralized platform like Reddit with different management, but boy oh boy are those comments just awful. Great community you folks got over there 😬

  • BitOneZero@beehaw.org · English · ↑ 14 · 1 year ago

    Given the beta status of Lemmy, I don’t even think it’s a great idea to give the appearance of privacy. I think the core purpose of a webapp like Lemmy is public messages.

    I think it’s a can of worms for server operators to get into the business of thinking they can safely hold private messages between users/strangers. None of the Lemmy instances I’ve joined have had a “terms of service” or anything like that on Sign Up, I really think the message should be sent far and wide that Lemmy is about posting IN PUBLIC and that messages are being FEDERATED to peers, even people that you don’t know could be collecting the data for a search engine.

    With small-time server operators opening up hundreds of Lemmy instances, without giving away their experience or human identity, how can you have any confidence that someone is properly securing a server they only have part-time job to update and operate? Major corporations are having their database stolen, Valve, Sony, Nintendo, health care companies, mobile network companies (AT&T)… you think a low-budget shoestring server by a hobbyist running Lemmy should be held to the same standards as a corporation who has an entire team and services to defend their data?

    • BurnedDonutHole@lemmy.ml · English · ↑ 1 · 1 year ago

      Exactly my thoughts. People looking for privacy on these public forums/platforms with no real audit or checks in place is really ironic in my opinion.

  • Forcen@lemmy.one · English · ↑ 12 · edited · 1 year ago

    One thing that mastodon does is proxying all the media from the federated servers, lemmy does not do this… (yet)

    For example on this comment page there are 9 domains trying to connect directly to me according to ublock origin. I suggest blocking all third party requests on your instance using ublock origin’s advanced mode because the website works fine without them, it might be mostly avatars?

    • BitOneZero@beehaw.org · English · ↑ 7 · 1 year ago

      For example on this comment page there are 9 domains trying to connect directly to me according to ublock origin.

      ublock origin isn’t a firewall. They aren’t connecting inbound to your system, you are loading content from those servers.
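
The two comments above concern media that the browser loads directly from remote instances, which shows the reader's IP address to each of those hosts. The following is an added example, not code from Lemmy, Mastodon or the commenters: it lists the third-party hosts a page's media would contact and shows the effect of rewriting them through a same-origin proxy. The sample HTML, the hosts and the `/media-proxy` path are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import quote, urljoin, urlsplit

class MediaCollector(HTMLParser):
    """Collect URLs a browser fetches automatically when rendering a page."""
    SRC_TAGS = {"img", "video", "audio", "source"}

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag in self.SRC_TAGS:
            for name, value in attrs:
                if name == "src" and value:
                    # Resolve relative paths against the page's own URL.
                    self.urls.append(urljoin(self.page_url, value))

def media_urls(html: str, page_url: str) -> list:
    collector = MediaCollector(page_url)
    collector.feed(html)
    return collector.urls

def third_party_hosts(urls: list, page_url: str) -> list:
    """Hosts other than the page's own that the browser would contact."""
    own = urlsplit(page_url).hostname
    hosts = {urlsplit(u).hostname for u in urls}
    return sorted(h for h in hosts if h and h != own)   # data: URLs have no host

def proxy_url(url: str, page_url: str) -> str:
    """Rewrite a remote media URL to a hypothetical same-origin proxy path."""
    page = urlsplit(page_url)
    if urlsplit(url).hostname in (None, page.hostname):
        return url
    return f"{page.scheme}://{page.netloc}/media-proxy?url={quote(url, safe='')}"

# Constructed sample page: local avatar, two remote instances, inline image.
PAGE_URL = "https://home.example/post/1"
SAMPLE_HTML = """
<img src="/static/avatar-local.png">
<img src="https://peer-a.example/avatars/bob.png">
<img src="https://peer-b.example/avatars/carol.webp">
<video><source src="https://peer-a.example/media/clip.mp4"></video>
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
"""

def run_demo():
    urls = media_urls(SAMPLE_HTML, PAGE_URL)
    direct = third_party_hosts(urls, PAGE_URL)
    proxied = third_party_hosts([proxy_url(u, PAGE_URL) for u in urls], PAGE_URL)
    return direct, proxied

if __name__ == "__main__":
    direct, proxied = run_demo()
    print("contacted directly:", direct)
    print("after proxying:    ", proxied)
```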

  • flatbield@beehaw.org · English · ↑ 12 · 1 year ago

    It is all public just as most forums on Reddit. No real difference. No difference with Usenet either. Relax.