Privacy Concerns on Lemmy: A Call for More User Control

I’ve been grappling with a concern that I believe many of us share: the lack of privacy controls on Lemmy. As it stands, our profiles are public, and all our posts and comments are visible to anyone who cares to look. I don’t even care about privacy all that much, but this level of transparency feels to me akin to sharing my browser history with the world, a discomforting thought to say the least.

While the open nature of Lemmy can foster community and transparency, it also opens the door to potential misuse. Our post history can be scrutinized by creeps or stalkers, our opinions can be nitpicked based on past statements, and we can even become targets for mass downvoting. This lack of privacy control can deter users from actively participating in discussions and sharing their thoughts freely.

Even platforms like Twitter and Facebook, often criticized for their handling of user data, provide some level of access control. Users can choose who sees their timeline: friends/followers, the public or nobody. This flexibility allows users to control their online presence and decide who gets to see their content.

The current state of affairs on Lemmy forces us into a cycle of creating new accounts or deleting old posts to maintain some semblance of privacy. This is not only time-consuming but also detracts from the user experience. It’s high time we address this issue and discuss potential solutions.

One possible solution could be the introduction of profile privacy settings, similar to those found on other social media platforms. This would give users the flexibility to choose their level of privacy and control over their content without having to resort to manual deletion or account purging.

I believe that privacy is a fundamental right, and we should have the ability to control who sees our content. I’m interested in hearing your thoughts on this matter. How do you feel about the current privacy settings on Lemmy? What changes would you like to see? Let’s start a conversation and work towards making Lemmy a platform that respects and upholds our privacy.

knobbysideup,

If you don’t want to share information on a public forum, then don’t.

LWD,
floofloof, (edited )

On Lemmy any comment you post gets federated out to other servers, so it’s available to anyone who sets up a server. So by design it is not possible to control who gets to see or archive your comments. I could set up a server to permanently archive every comment it sees, and if your server sends me your comment it goes into my archive. Probably people are already doing this for data mining. It’s not clear that you could bolt some kind of privacy control on to this architecture, which is fundamentally designed for sharing.

LWD,

Could ≠ Should.

Smarter defaults should be encouraged by products that are made for consumers, not corporations

andyburke,

Although I agree that is how things work now, one could imagine a different approach:

For instance, I could maybe control who my content gets federated to. That is, if I decide I don't particularly want my content blasted to certain places, my instance would not call any blocked ones with my data.

If that causes some issues with ActivityPub, you can imagine encrypted blobs that could only be opened by others with a shared key.

We don't need to achieve perfection out of the gate, to me these questions are worth discussing so that we can build out more high quality tech for the fediverse, let's not try to just immediately shut down discussion.

mr_satan,

How would you ensure other instances are not sharing your content?

To me this seems to be a question of ideology. I came here from Reddit because this is an open forum with transparent history.

Federation by design ensures that accessibility (as far as I understand, correct me if I’m wrong). This design principle to me is the core. If that seems like an issue maybe this style of social media is not for you.

LWD,

Can you elaborate on what being “an open forum” means?

mr_satan,

In this context, it’s an open public digital space. No one is obligated to share anything.

The part that is discussed as a privacy issue is a design element. It is by design that posts are visible to everyone, it is by design that comments are visible to everyone.

How is it a privacy issue when the user decides what to post for everyone to see?

If you are looking for a different design ideology then maybe you need a different social media platform.

LWD,

So regarding an open, public digital space like Twitter, how do you feel about people having the ability to lock their accounts and instantly hide all their tweets from the public?

Mastodon doesn’t have that, but it could.

My reaction to adding something like that will always be “that would be rad” regardless of previous assumptions about how public an app should be, or truisms like “the Internet is forever”, because I believe strongly that trying to fix issues is better than letting them languish unchecked.

mr_satan,

I’ve never been on Twitter. Besides Reddit I really disliked all other main platforms. So answering your question: I don’t care, it’s a different platform for a different style of social media interactions.

the Internet is forever

My position has nothing to do with this sentiment. Internet forgets, and often.

I like federated nature of Lemmy, I like that there is no “private” accounts. This is a feature not a bug.

I’m not trying to argue against privacy, but what you are describing isn’t a privacy issue or an issue at all. It’s a design element. And this design is why I like it here.

As someone here has said, at some point the responsibility has to fall on the user. You don’t need to share anything. As long as the nature of the platform is clear (and it’s a separate discussion) there is no issue to be fixed.

If to you that seems like an issue, well then maybe you are at the wrong place. And if the platform changes in the direction I don’t agree, I will leave.

LWD,

I like that there is no “private” accounts. This is a feature not a bug.

I’m not trying to argue against privacy…

I appreciate your honesty but this seems to conflict

mr_satan,

How is this conflicting? You are a private person same as I, I don’t know who you are, you don’t know who I am.

How is selective hiding of posts and comments privacy?

If you don’t want it to be seen – don’t post it.

LWD,

Choosing who to share your data with has been considered a privacy setting since the inception of Facebook and the subsequent erosion of those same settings.

For example, privacy settings on Facebook are available to all registered users: they can block certain individuals from seeing their profile, they can choose their “friends”, and they can limit who has access to their pictures and videos.

mr_satan,

And that is the different premise for the social network.

You do have the equivalent choice here.

If you want Facebook, go to Facebook. It’s not worse or better it’s different.

Well Facebook is worse, but the reasons are corporate not design issues (it’s more complicated than that, but that’s beyond the point).

LWD,

We were talking about the definition of privacy, and I was giving an example to bolster my definition of it. We can switch to a different topic if you want, but first I want to cement this definition.

exocrinous,

The admin of Blahaj is openly interested in exposing trans people’s alt accounts and outing them on their mains. And somehow it’s the biggest trans instance. We need a community and admin reaction in favour of defederating people who do that.

magnor,

Wait what? Do you have a source for this?

exocrinous,
magnor,

I don’t see much proof. Did anyone corroborate?

exocrinous,

In order to show you proof I would have to help Ada in her attempts at doxxing, but I asked a friend who saw the whole thing to confirm.

magnor,

I understand this is hard to prove without doxxing. This situation is very concerning, and if true absolutely disgusting.

LWD,

There’s a grim tragedy in how many people in this comment section have either succumbed to defeat or actively seek to advocate against privacy.

The comments can mostly be boiled down to:

  • My data is online already, and I give up
  • Your data is online already, and you don’t deserve control over it
  • I have nothing to hide and nothing to fear (and you should too)

You will find Fediverse types are far more cynical and antagonistic to privacy than people on other platforms.

Tangent5280,

But why? Is there a compromise taken on privacy in favour of visibility and mass adoption of whatever fediverse client they’re using? I don’t understand this, especially since I also find the strongest advocates for privacy right here.

LWD,

A lot of Lemmy adopters joined with rose tinted glasses, and came with a lot of good ideas, like getting data out of the hands of big companies, making it easy to access it (as Reddit locked down APIs), etc. Which is all good, but a subset of them believe “not officially belonging to one company” is good enough. As for how your data is handled online, a subset of them believe nothing can be improved, and a subset believes it shouldn’t be improved because your data shouldn’t belong to you at all.

And Lemmy is made up of all sorts, so there’s overlap between Reddit refugees and diehard fans. That interaction is a lot more implicit here, but the friction is a lot more visible on sites like Mastodon where similar privacy discussions have been happening.

Devorlon,

I’ve not seen any of these arguments. Though it may be all downvoted to hell and back.

My main gripe with adding privacy features to Lemmy is that the whole point of Lemmy is that all data is already publicly available and for Lemmy to continue working the way it does it’ll need to remain that way. And because of that there’s nothing that can be done to stop bad actors setting up an instance and selling all the data they collect.

At least in the EU (and UK to a lesser extent) no major corporation would be able to get away with selling that data, so the spent man hours on allowing privacy settings would be wasted time.

LemmyHead,

It doesn’t necessarily need to remain that way. For example, we should have the option to make our profiles private. We should also be able to create pseudonyms for content we submit. The content will still be federated, but not necessarily linked to one user ID

risencode,

The only privacy setting I can encourage on any social media site is don’t share private stuff about yourself and never link to your account from other accounts

LemmyHead,

That is part of the problem though. Proper privacy allows you to express what you want to, without self censorship. The issue is not: don’t speak about x, but rather: speak about it and feel comfortable that you can do it in a safe environment. I fully agree with the account linking though

mr_satan,

What you’re describing is an issue with all of social media. While your concerns are valid, I don’t see your arguments as a privacy issue. I honestly prefer post and comment history being transparent and accessible. It’s much like Reddit and this format fits much better with an open forum style of platform.

Don’t post private information and it’s a non-issue.

Also, can’t you just delete posts and comments like on Reddit?

Outtatime,

Would still be nice to hide that information

drndramrndra,

Also, can’t you just delete posts and comments like on Reddit?

Not really AFAIK. Your comment is spread across many instances, and they’re not required to follow your deletion request.

mr_satan,

Oh, I see

LWD,

It’s not required, but if a server is misbehaving, people could notice and those servers could be defederated. By default, deletions are federated.

bamboo,

Also, can’t you just delete posts and comments like on Reddit?

Nothing ever dies on the Internet. With the federated nature of Lemmy, it’s possible for deletes to not sync across instances, especially if there’s defederation that happens.

mr_satan,

Makes sense, when I think about it

SnotFlickerman, (edited )

If you’re not running your own server privacy policies are not even worth the pixels they’re presented on.

Literally, you’re just taking a random person’s word for it (whoever the admin is). A website is a black box, you have no idea what’s going on on the back-end.

The only way to be in complete control of your user data is to run your own server and be literally the only user on it.

Even then, any public comments you make are, you know… public.

otp,

Even then, any public comments you make are, you know… public.

As they should be.

Public comments are how you can find patterns of sketchy user behaviour.

henfredemars,

Ask me no questions and I’ll tell you no lies. It asks much less of my instance admins if it’s understood that my information was never private to begin with.

morrowind,

Well there’s still the legal threat. You have to trust someone, unless you’re creating your own hardware and never connecting to the internet

SnotFlickerman,

True! All your data will pass over other hardware owned by other people.

The only real online privacy is not connecting to the internet to begin with.

The whole system is based on trust.

Which is why I think some of these privacy demands are straight silly.

FutileRecipe,

All your data will pass over other hardware owned by other people. The only real online privacy is not connecting to the internet to begin with.

And now we’re entering into the realm of encryption, especially end-to-end. Generally speaking, just because you’re sending information that touches other people’s hardware, doesn’t mean it’s public and readable.

Danitos,

Even then, AMD, Intel and now Apple CPU chips are suspected to be backdoored. NIST has been slow to adopt a standard post-quantum E2EE algorithm, with some rumours of self-sabotage mandated by NSA (like they have already done in the past). The Tor network is extremely vulnerable to traffic correlation by big parties.

Encryption theoretically gives you what you describe, but in reality you still need to put a lot of trust in things like your own hardware.

LWD, (edited )

deleted_by_author

    SnotFlickerman, (edited )

    I think that’s worth considering: an open-source volunteer project requires and leaks way more data than a private corporation it’s mimicking.

    It couldn’t be that one has had loads of VC funding for *checks notes*… 15 years. Whereas one has been barely funded for five years and has more people complaining than adding code.

    Actually, it makes perfect sense that an open source project that doesn’t have a big organization behind it isn’t going to have the same capability anywhere near as quickly. Reddit also makes money from advertising. The money for Lemmy is from donations and an abysmally small set of grants.

    Hell, Matrix, an actual open source communications protocol is 9 years old and they still haven’t gotten encrypted video group chats working properly and if I recall correctly still offload a lot of that to JitsiMeet. I was using Matrix/Riot.IM (now Element) in 2016 and it was garbage that barely worked, and updates constantly broke what previously worked, etc. It took time to become better and Matrix does have a whole ass organization backing it.

    For comparison, Lemmy has been around for about five years and they’ve had far less financial backing and developers contributing to the project. Matrix has governments like France and Germany lining up for services for private communications, which means they’ve literally got people paying them for the service of helping manage their Matrix servers. Lemmy doesn’t have the same advantages. They don’t have a service or ads to sell (no ads is part of the appeal.).

    For what it’s worth, Veilid exists, if you’re looking for a better framework to start with than ActivityPub.

    chicken,

    I remember a little while ago a thread with someone from kbin gloating that they could see what everyone was voting, and accusing the people upvoting comments they disagreed with of being bigots in a vaguely threatening way obviously intended to produce a chilling effect, and people found this surprising because that information is not public on most instances.

    I basically agree with the people saying open info is just the nature of posting on a public forum and of federation, but there could be improvements, even just in awareness of what is and isn’t private.

    bamboo,

    This is a great point because in the Lemmy UI, this information isn’t shown, and you can’t even list out all posts you’ve upvoted. As most of us coming from Reddit, we’re used to upvotes being private, and probably assume it’s the same. I understand the technical reasons for having the information public, but it is not clear from a user perspective that it’s public.

    chicken, (edited )

    What’s extra confusing is that I’ve seen people asking about how to get this information from the API, with the answer being that you can’t (I guess to protect privacy?). It’s only accessible to federated servers, but then those can do what they want with it including publishing it to everyone.

    shortwavesurfer,

    I have a feeling that you might be misunderstanding what the actual purpose of lemmy is. lemmy has taken quite a few design decisions from Reddit which is exactly the same way. Both platforms are public places where all content is shared. Anyone using them needs to be aware of that fact. Mastodon might be a better fit for you as it is more focused on individuals rather than public communities.

    LWD,

    Well, not exactly.

    Reddit                    | Lemmy
    Content is public         | Content is public
    API access is limited     | API access is limitless
    Vote data is inaccessible | Vote data is accessible
    No email needed           | Email or something else often required
    One privacy policy        | Basically no privacy policy

    Zerush,

    What irritates me many times when I enter Lemmy is that instead of my Nick at the top right, someone else’s Nickname appears for a moment, before changing it to mine. This is a sign of an open account sharing channel, which is quite serious and should be fixed quickly. Security at Lemmy is apparently non-existent.

    Sal,

    Do you see a random nickname from a stranger, or a nickname of an account that was previously logged into using the same computer?

    What is an open account sharing channel?

    Zerush, (edited )

    It occurs sometimes, I see a random nick from strangers. It means that my account obviously is public and even shared. I will be attentive and I will try to take a screenshot, before the nickname changes to mine while Lemmy loads.

    Sal,

    I will also pay close attention and see if I can catch that happening.

    Zerush,

    It’s not easy to catch, because it’s only a moment when Lemmy loads and just sometimes. For now I always have my eyes to the top right corner when I enter Lemmy.

    morrowind,

    I strongly agree, I wrote a post on this type of privacy and why it matters, which I’ve dubbed “casual privacy”. coship.bloggi.co/casual-privacy

    pop, (edited )

    pull requests would work a lot better than blog posts.

    morrowind,

    It’s not smart to make a pull request before getting developers’ approval

    MajorHavoc, (edited )

    It gets weird fast, because before privacy controls in the Lemmy source code mean anything, we need trusted third party verification of a server’s patch level, and security controls.

    That can be done, and I think Lemmy has a shot at getting to that point, but it’ll be awhile.

    In the meantime, I suspect the Lemmy developers are hesitant to add and advertise features that you can’t be sure are actually correctly enabled on your instance.

    But yeah, let’s not let perfect be the enemy of moving toward better.

    Edit: Assuming you completely trust your instance admin, we could start adding some basic privacy to actions taken on your home instance.

    But as soon as the user starts interacting via federation, all bets are off - because the federated instance may be malicious.

    I think we might see one or more “trusted fediverse” groups emerge in the next few years, with instance admins making commitments to security controls, moderation, code of conduct, etc.

    So, in theory, the lemmy software could start implementing privacy controls that allow users to limit their visibility to whichever part of the fediverse their instance admin has marked as highly trusted.

    But even then, there’s risks from bad actors on highly trusted instances that still allow open signups.

    Anyway, I totally agree with you. It’s just a genuinely complex problem.

    SnotFlickerman, (edited )

    If all the people complaining would just contribute to the codebase this wouldn’t even be an issue.

    Often, you even see the devs coming into threads like this and making suggestions, like “make a pull request.” They want more people contributing.

    It’s tons of people whining, very few people contributing. Guess what? While at a certain point, adding developers stops increasing productivity, there’s a small window where adding developers does increase productivity.

    If I am correct, Lemmy only has four main developers. That’s well within the range to add more developers and increase the productivity, making new features and security come faster.

    So I get it, but things take time, and are complicated, which you thankfully can see.

    People whinging about it in threads does nothing to change it. Donating to Lemmy’s development costs or contributing code does.

    So much of it sounds like it’s from less-technically-inclined people (some of it’s valid critique from experts, but they generally… write bug reports and do pull requests…) who just want it to be better but the only way they know how is to “bring awareness.” Well, all that “awareness-bringing” just amounts to spreading FUD.

    Sal,

    I think we might see one or more “trusted fediverse” groups emerge in the next few years, with instance admins making commitments to security controls, moderation, code of conduct, etc.

    There is now at least one system in place for admins to vouch for other instances being non-malicious, and to report suspected instances. It is called the fediseer: gui.fediseer.com

    MajorHavoc,

    Very cool.

    toastal,

    If Lemmy cared about privacy, contributing source code & opening tickets would not require opening accounts with a for-profit, US-based, closed, proprietary service owned by a publicly-traded megacorporation that has shareholders to appease & a history (as well as current) record of EEE (embrace, extend, extinguish).

    Omega_Haxors, (edited )

    that also uses your code for their AI.

    drndramrndra, (edited )

    Copilot gets trained on Dessalines’ essays and becomes a Marxist

    toastal,

    I mean it took the code production from workers for the Commons, packaged it up, & sold it back to the workers—often in violation of the license if not the spirit of free, ethical, or similar software. All AI generations should be CC0 / 0BSD licensed.

    toastal,

    Choosing proprietary tools and services for your free software project ultimately sends a message to downstream developers and users of your project that freedom of all users—developers included—is not a priority.

    —Matt Lee, www.linuxjournal.com/…/opinion-github-vs-gitlab

    solrize, (edited )

    Lemmy has many privacy problems that have nothing to do with public comments you make. For example, the “hide posts that you have already read” option requires that the server track what posts you have read. There is no public activity involved in reading a post. So the Lemmy server should not track that info. If that feature is to exist at all, it should be implemented purely on the client. The same can be said about subscriptions, and for that matter about voting (server should discard voting info after a brief interval for abuse detection). The Lemmy software is in many ways naive about this stuff.

    SnotFlickerman, (edited )

    I don’t disagree on those points, but I think it’s the nature of Lemmy being decentralized that makes all those things necessary.

    server should discard voting info after a brief interval for abuse detection

    What if the server has not federated out the votes yet? Some of that stuff can get backed up in a queue. There’s definitely a possibility that votes could get “lost” on the way. Hell, that already happens, and that’s with a system that tracks them.

    Servers have to keep a lot of this info to pass to other servers. If I upvote something on Lemmy.blahaj.zone, it doesn’t mean that upvote has been federated outward to hundreds of other servers yet. I would assume this is part of how Lemmy is able to keep things “organized” between all servers.

    In other words, a lot of the privacy complaints come from technical limitations of how Lemmy works. Lemmy, by its decentralized nature, has to transfer tons of data back and forth between all Lemmy instances.

    However, there are technologies that are trying to work around this kind of technical limitation. You might be interested in something like Veilid. I’m not sure about the details of putting together a Veilid-based social-network, but I’m willing to believe it’s possible.

    solrize,

    1. I don’t see anything in your post that indicates any reason to track what posts a person has read. That should not be tracked at all. Reading posts should be completely anonymous.
    2. I don’t see why voting necessarily has to track who casts the votes. But, because untracked voting can be abused so easily, I can understand deciding to retain the info for let’s say 24 hours. Hopefully that is also enough to handle those propagation issues.

    Really, imho, server instances shouldn’t have a web interface at all, just an API. Web apps would make API calls to the server and reformat the response for use by the browser. The API call to read a post should not require any identifying info or require the user to be logged in. Read tracking and subscriptions should be handled by the client, and in the case of a public client (web app shared by many users), the private user info should be encrypted in case of a server breakin or seizure. The encryption key would be based on the user password and transformed to a browser cookie when the user logs in, so it is never stored by the web app. With most people using mobile clients these days, alternatively, the info can be kept completely on the client device and maintained by the mobile app.
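
The storage scheme described in the comment above (read tracking encrypted at rest under a password-derived key that lives only in the login cookie), as an added example that is not part of the thread and is not Lemmy or kbin code. The function names, the record layout and the choice of scrypt with AES-256-GCM are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Key derivation: scrypt over the password with a per-user random salt.
// The salt is stored beside the ciphertext and is not secret.
function deriveKey(password, saltB64) {
  return crypto.scryptSync(password, Buffer.from(saltB64, 'base64'), 32);
}

// Login: the web app derives the key, returns it as a cookie value, and keeps
// no copy. (Assumed cookie handling: Secure, HttpOnly, session lifetime.)
function loginCookie(password, saltB64) {
  return deriveKey(password, saltB64).toString('base64');
}

// Encrypt the set of read post ids with AES-256-GCM. The username is bound in
// as associated data so a blob cannot be moved to another account's record.
function sealReadState(cookie, user, readIds) {
  const iv = crypto.randomBytes(12); // fresh nonce for every write
  const cipher = crypto.createCipheriv('aes-256-gcm', Buffer.from(cookie, 'base64'), iv);
  cipher.setAAD(Buffer.from(user, 'utf8'));
  const ct = Buffer.concat([
    cipher.update(JSON.stringify([...readIds]), 'utf8'),
    cipher.final(),
  ]);
  return {
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ct: ct.toString('base64'),
  };
}

// Decrypt and authenticate; throws if the key, username or blob is wrong.
function openReadState(cookie, user, blob) {
  const decipher = crypto.createDecipheriv(
    'aes-256-gcm', Buffer.from(cookie, 'base64'), Buffer.from(blob.iv, 'base64'));
  decipher.setAAD(Buffer.from(user, 'utf8'));
  decipher.setAuthTag(Buffer.from(blob.tag, 'base64'));
  const pt = Buffer.concat([
    decipher.update(Buffer.from(blob.ct, 'base64')),
    decipher.final(),
  ]);
  return new Set(JSON.parse(pt.toString('utf8')));
}

// What the web app persists per user: salt and ciphertext, never the key.
function createAccount(user, password) {
  const salt = crypto.randomBytes(16).toString('base64');
  const cookie = loginCookie(password, salt);
  return { user, salt, blob: sealReadState(cookie, user, new Set()) };
}

// Record a read post: open with the cookie key, add the id, reseal.
function markRead(cookie, account, postId) {
  const ids = openReadState(cookie, account.user, account.blob);
  ids.add(postId);
  return { ...account, blob: sealReadState(cookie, account.user, ids) };
}

// Constructed sample values, for illustration only.
function demo() {
  let acct = createAccount('alice@example.test', 'correct horse battery');
  const cookie = loginCookie('correct horse battery', acct.salt);
  acct = markRead(cookie, acct, 101);
  acct = markRead(cookie, acct, 202);
  return { acct, cookie, read: [...openReadState(cookie, acct.user, acct.blob)] };
}
```

A password change under this layout means opening the blob with the old key and resealing it with the new one; a forgotten password leaves the stored read history unrecoverable.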

    loki,

    Good features. If you make a fork, people would be interested in trying it out.

    Steve,

    The very nature of Lemmy and most social media, is that what you put out there is public. If you don’t want everyone in the world to read something you wrote, then social media may not be your kind of thing.

    LWD, (edited )

    deleted_by_author

    SnotFlickerman, (edited )

    And I believe privacy defeatism is unhealthy.

    Is there such a thing as “perfect privacy?”

    Because it seems that, to exist in society, is to give up some form of privacy by dint of existing in it.

    You cannot stop yourself from being observed by other people, if they can see you. That’s just basic reality.

    To be completely private, you would have to live in the woods and not interact with anyone or speak with anyone.

    Is it defeatist to be realistic about the limitations of the idea of privacy?

    As someone who has spent a lot of time seeking internet privacy, I’ve learned that more often than not I’m making myself more conspicuous. That doesn’t mean I’m going to give up on privacy, but it does mean that I’m going to consider its limitations.

    EDIT: I’m reminded of an interview with Mark Hosler from Negativland. The interview is long gone from the internet (it was on an obscure website pre-youtube) but the center of it always stuck with me.

    “If you really want full control of your art, don’t show it to anybody, keep it in your home.” His argument was Richard Dawkins’ argument for memes. The human mind functions by copying and mimicking. When someone else has viewed your artwork, they’ve already created an internal image of it in their memory. That memory is inconsistent with reality, but if they have a good memory, they can recreate it relatively easily (if they have similar artistic skills). You can’t really stop that kind of copying from happening, so the only way to fight it and keep “complete control” is to not share it at all.

    Similarly, the only way to have complete control over your privacy is by not interacting with anyone at all.
