this post was submitted on 19 Jun 2023
4 points (100.0% liked)

Technology

39528 readers
567 users here now

A nice place to discuss rumors, happenings, innovations, and challenges in the technology sphere. We also welcome discussions on the intersections of technology and society. If it’s technological news or discussion of technology, it probably belongs here.

Remember the overriding ethos on Beehaw: Be(e) Nice. Each user you encounter here is a person, and should be treated with kindness (even if they’re wrong, or use a Linux distro you don’t like). Personal attacks will not be tolerated.

Subcommunities on Beehaw:


This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

founded 3 years ago
MODERATORS
 

Federated services have always had privacy issues but I expected Lemmy would have the fewest, but it's visibly worse for privacy than even Reddit.

  • Deleted comments remain on the server but hidden to non-admins, the username remains visible
  • Deleted account usernames remain visible too
  • Anything remains visible on federated servers!
  • When you delete your account, media does not get deleted on any server
(page 2) 41 comments
sorted by: hot top controversial new old
[–] GadgeteerZA@beehaw.org 1 points 2 years ago

Not sure what the point of "Mastodon's" opinion is? Firstly, Mastodon is pretty big and decentralised, and it has no-one who really speaks on behalf of all its users. Lemmy is not a privacy central network like a direct messenger service. It never claimed to be privacy centric as far as I know. The point is to share posts in communities, and the more that see them, the better.

But it is federated which means posts do get shared to other servers everywhere, and deleting those is not as easy as for a centralised server. Whatever I post on any sharing type service, I consider to be public.

[–] 0xtero@kbin.social 1 points 2 years ago (2 children)

First - we're all using alpha/beta software (Lemmy is 0.17.4, Kbin is 0.10.). None of these services are "production quality" software yet, so let's keep that in our minds - we're all early adopters.

The points mentioned in the OP are a bad look. Naturally. User should have expectation of their data being deleted on request - especially since this request might be regulatory privacy request (GDPR related). It's a clear failure from the software and should be improved and iterated upon.

The expectation shouldn't be "oh well it's on the Internet, live with it". While Facebook might keep mining your data after deletion request, our software shouldn't behave like that, we should strive to be better with this stuff.

And finally, ensuring privacy in federated system is hard. Mastodon suffers from same problems. We shouldn't give up on the idea though.

[–] aard@kyu.de 1 points 2 years ago (1 children)

The more important part for privacy: Mail address is optional, and IP addresses are not stored in the database. A correctly configured instance (at least for EU legislation) also will not log IP addresses in the web server - with that you can have profiles that can't be tied to an actual human, and you don't have location and movement data.

The data deletion is pretty much a nice to have - it's on the level of the Exchange feature to recall Emails: Sure, you can ask nicely, but outside of your own server pretty much nobody will care. Lemmy is federated over multiple jurisdictions, so even with full deletion implemented there'll almost certainly be instances which will ignore the deletion request - and it will be completely legal for them to do so. More important is education about what you publish, and a basic understanding of the technical and legal realities you'll have to deal with if you later decide you want that information gone.

I already had that discussion with my 6 year old when she wanted to publish some videos - and she understood the problems quite well.

[–] Pekka@feddit.nl 0 points 2 years ago (1 children)

but outside of your own server pretty much nobody will care. Lemmy is federated over multiple jurisdictions, so even with full deletion implemented there’ll almost certainly be instances which will ignore the deletion request - and it will be completely legal for them to do so

Lemmy also seems to federate your matrix_user_id, that is clear personal data. It does not matter how the data gets to the federated server, this is still user data within the scope of the GDPR. It does not matter that that server does not have an agreement with the user, the instance that would ignore a GPDR related deletion request would be in direct violation of the GDPR. Maybe it can do that without consequences, though.

I completely understand that making Lemmy fully GPDR compliant will probably be impossible, however I don't like the approach of "we will not succeed, so we don't make any attempt". Instances should actually delete data when that is requested, or instance hosts can get fined. For now, Lemmy has bigger issues to solve, but eventually they should do at least a best effort attempt to respect user data.

load more comments (1 replies)
load more comments (1 replies)
[–] loving_kindness@midwest.social 1 points 2 years ago (2 children)

Anything put on the internet is forever. No one should be publicly posting anything with the expectation that they have any control of it after it goes out. If it’s not held by the server, there’s the way back machine or even just folks taking screenshots.

load more comments (2 replies)
[–] heartlessevil@lemmy.one 1 points 2 years ago

What does this have to do with Mastodon?

The same privacy issues also exist with Mastodon and all distributed systems.

[–] knova@links.dartboard.social 1 points 2 years ago

BTW, the OP on Raddle was spamming that message around Reddit last week and directing people to Raddle. I think he has a bone to pick with the developers' politics more than anything.

[–] db0@lemmy.dbzer0.com 1 points 2 years ago (1 children)

The same is true for raddle. They kid themselves if they think anyone can't record anything in there forever.

Anyway it's also inaccurate. Deleted accounts are purged from the DB, so they're definitelly not visible anymore

Likewise you you edit your comment, it's edited in the DB.

[–] minkshaman@lemmy.perthchat.org 0 points 2 years ago (1 children)

So what your saying is that it’s just like Reddit in that respect.

Yeah, I can live with that, as long as everyone knows that if they really want something deleted, edit over it first.

[–] furrowsofar@beehaw.org 1 points 2 years ago

For a humbling experience just seach for your Reddit and Lenny IDs on a seach engine. You will get a list of everything you have posted. Also some account info. It is all public. What happens when deleted, depends on who has scraped the data and their retension. This is just how public forums are and that goes all the way back to Usenet and listservs.

[–] kool_newt@beehaw.org 1 points 2 years ago* (last edited 2 years ago) (1 children)

The fediverse is the real internet, it's not a company providing a service. On the real internet, once something gets out there, there can never be a guarantee that it's taken back. Even on Reddit, once you post something, Reddit might fully delete it but someone out there may have copied it.

[–] marco@beehaw.org 1 points 2 years ago (1 children)

Multiple people reported Reddit undeleted stuff they had deleted from their accounts recently ...

Ive been doing daily PowerDeleteSuite cleanses of my reddit profile, stuff just keeps re-appearing

[–] tmpod@lemmy.pt 1 points 2 years ago* (last edited 2 years ago)

I didn't know anything about Raddle besides the name until now. But gosh, is that a needlessly toxic pit. There's a poor guy there getting completely beaten up by an admin and some others which seem to be enjoying their time-wasting public bullying. Oh well...

[–] The_Terrible_Humbaba@beehaw.org 0 points 2 years ago* (last edited 2 years ago) (1 children)

After reading some more comments, I think I came up with a good analogy to explain this issue, and I wanted to share.

Think of websites like a bar that also has an open mic.

Now, when I go to a bar, I don't want to have to give the bouncers and staff my full name as well as my address. I also wouldn't want them to know that I just came, for example, from a store where I was looking for a vacuum, and then have them warn a vacuum seller about it. A vacuum seller who is then going to sit next to me, while I'm trying to have a drink, and show me a pamphlet regarding the "amazing vacuum" he has for sale.

Ideally, I can also look for a bar that will allow me to come in costumed and not show my face. Or I could ask the bar to delete footage of me at some point, and to not store my ID if I do have to show it to a bouncer at the entrance.

All of that is relatively feasible and within the realm of reason; and all of that are things that privacy advocates might advocate for.

However, what is not feasible, or within the realm of reason, or what privacy advocates tend to advocate for, is the ability for me to willingly go up on stage, say something on the mic which I immediately regret, and then ask everyone present to forget it ever happened and delete any footage they might have of it. No reasonable person would ask for something like that, because it is not a reasonable request.

That is how regular websites work. With federated websites, that becomes enhanced; it's like if the bar you're in has a camera pointed at the microphone, and transmits both video and audio directly into several other bars. So when you go up to that mic, you better make sure you're okay with what you are saying being made public and available to anyone.

load more comments (1 replies)
[–] lowleveldata@programming.dev 0 points 2 years ago* (last edited 2 years ago) (2 children)

It is reasonable that people should be able to delete their posts / comments. However I don't see how is this related to "privacy". How can something you post on a public forum be private?

[–] fidodo@beehaw.org 0 points 2 years ago* (last edited 2 years ago) (1 children)

I'm also not sure how it's enforceable in a distributed system.

load more comments (1 replies)
[–] CrateDane@feddit.dk 0 points 2 years ago (1 children)

That is generally true, with exceptions like leaking someone else's private information.

But it implicates the adjacent "right to be forgotten" rather than narrowly defined "privacy". This could be a real legal issue in the EU.

[–] hoshikarakitaridia@lemmy.fmhy.ml 0 points 2 years ago (1 children)

It is. GDPR in the EU dictates that every user which requests their information has to get it in 30 days, and every user who removes their information has to be able to get it removed (I think the time span for that is even shorter, so more pressure for the server admins)

load more comments (1 replies)
load more comments
view more: ‹ prev next ›