Federated services have always had privacy issues but I expected Lemmy would have the fewest, but it’s visibly worse for privacy than even Reddit.

  • Deleted comments remain on the server but hidden to non-admins, the username remains visible
  • Deleted account usernames remain visible too
  • Anything remains visible on federated servers!
  • When you delete your account, media does not get deleted on any server
  • ffmike@beehaw.org
    link
    fedilink
    English
    arrow-up
    5
    ·
    1 year ago

    In my opinion it’s unreasonable to think anything can truly be deleted in a federated system. Even if the official codebase is updated to do complete deletion & overwrite, it’s impossible to prevent some bad actor from federating in a fork that just ignores deletion requests.

    Seems sensible to just not post anything that you don’t want to be available for the lifetime of the internet.

    • pkulak@beehaw.org
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      This is how I treated Reddit too. And Twitter. And everything else. I have two modes; public and private. And private is private; strong encryption and local storage. Having some middle ground is a recipe for disaster.

    • alyaza [they/she]@beehaw.orgM
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      In my opinion it’s unreasonable to think anything can truly be deleted in a federated system.

      yeah like. this is just a byproduct of how federation works currently. i don’t even know how you’d begin to design a federated system where some of these critiques can’t be levied

      • Gaywallet (they/it)@beehaw.org
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        1 year ago

        Anything that is visible to another party can be hijacked - even a 1:1 communication does not guarantee that the other party doesn’t capture the data and then spread it. The only things that are private are thoughts that you have which are not shared with others in any fashion. As soon as information is shared in any fashion, it is not private.

        Past this point it’s a matter of how private you think is reasonably private. You could design a system where users are in control of their own data through a series of public and private keys, ensuring that keys must be active to view content, but as stated above even in such a case and the user revoking keys does not stop other people from making copies of said data. This is akin to screenshotting an NFT. For all intents and purposes, a copy of the data as it existed at the time of copying is now publicly available.

        Quibbling over the fact that you’re the one who “truly owns” the data when it comes to something like social media feels like a mostly pointless endeavor because the outcome (data is available for others to view/consume/read/etc) is the same regardless of who “owns” it. Copyright law will apply to anything you produce, if it comes to legal problems (someone copies your artwork and sells it, for example) and having a system to prove you own it is primarily a formality to make it easier to prove ownership. Generally people aren’t arguing through this lens, however, and are instead arguing through the privacy/security lens - that they don’t want people stealing/selling their data, which lol, good luck. AI models are proof that no one in the world actually cares about this ownership if they reasonably think they can get away with using your data without any real incentive to not do so - interestingly copyright law and models being trained on corporate data such as movies are a vector by which the legality of this might actually stop or slow AI development and protect the end-users data.

    • yourgodlucifer@kbin.social
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      I don’t expect my data to be fully deleted in a centralized system either. even if it was deleted from the central server someone might have made an archive of it

      and reddit is definitely guilty of this since they were bringing back peoples deleted comments and accounts

    • dudeami0@lemmy.dudeami.win
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Just as it’s impossible to stop scrapers from archiving data on traditional websites. “Deleted” data is probably in a database somewhere, being sold by someone. As you said, you lose some degree of control over your data as soon as you post it. Data is valuable, and if there is a will there is a way.

    • Contend6248@feddit.de
      link
      fedilink
      English
      arrow-up
      5
      ·
      edit-2
      1 year ago

      That’s a poor answer to be honest. Total privacy is an illusion, but having the tools to delete some of the traces if wanted should be there. I would argue that the EU law about the right to be forgotten might want a word with someone.

      I escaped Reddit, but i hold anyone else to a standard too.

      Lemmy, do better or it wont end well. https://gdpr.eu/right-to-be-forgotten/

  • NightOwl@lemmy.one
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Did anyone use reddit thinking it was private? With stuff like push shift and way back machine people shouldn’t be posting stuff they aren’t comfortable sharing anyways on a wide open message board.

    Always weirded me out the people who’d treat their reddit accounts like Facebook.

  • teawrecks@sopuli.xyz
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    1 year ago

    This demonstrates a fundamental misunderstanding of digital privacy. You can never be guaranteed that data is deleted, just like you can never be guaranteed that someone has “forgotten” something. It doesn’t matter what any entity claims they are doing under the hood, you have to assume they can’t be trusted. That’s not an expectation you can have, and not something privacy advocates are asking for.

    I’m posting this comment publicly, and there’s nothing stopping any random user (or non-user) from scraping this lemmy instance and archiving the data themselves. I know that when I post it. Same for reddit, raddle, any mastodon instance, etc. I can copy the text and usernames of everyone involved in that raddle thread and do whatever I want with it, there’s nothing anyone can do to stop me.

    To think otherwise reminds me of that first day on the internet kid meme. “I deleted my comments off of their servers, hah, they’ll never get them now!”

    What I can demand is: if I send a message directly to another party, I want to be able to verify that that party and ONLY that party can read the message (end-to-end encryption). I can also demand that they not require me to dox myself to them, that they not run weird js-based fingerprinting/port scanning processes on my system/network, and that I am allowed to connect to their services through a VPN should I so choose.

    • Ivyymmy@lemmy.one
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Knowing that any information you share publicly can be stolen, I think the way Lemmy’s instances have the original comment after you deleted it could help counteract people manipulating what you said after you deleted it, such as making a quote and editing “your” original post after it was deleted. But this could give a lot of power to the admins as well, as they could be the ones manipulating.

  • rubywingedflier@possumpat.io
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    I understand the impulse but the way some people get so hung up on trying to make a way to permanently and universally delete posts made on public facing social media and framing it as a “privacy” issue feels kinda like saying something you regret on mic at a town hall and being mad that you can’t permanently delete the memory of it from the minds of everyone present, and claiming that they violated your privacy by remembering it

    • mythmon@beehaw.org
      link
      fedilink
      English
      arrow-up
      0
      ·
      1 year ago

      it’s an interesting idea, but it doesn’t vibe with the reality of the laws in the EU which has “right to be forgotten” rules

      • wet_lettuce@beehaw.org
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        The “right to be forgotten” rules are, with all due respect to the EU regulators, pretty shortsighted.

        I think the initial “right to be forgotten” lawsuit that Google faced from that Spanish guy-- where he claimed bankruptcy years prior. People( potential lenders?) kept finding that information online through google searches. He sued to have Google remove those sites from the index. He won and the Spanish Judge told Google they had to remove those results from searches.

        But it didn’t change that the information was still on each site. Those sites, the ones that actually held the information didn’t get sued, just Google.

        It also opened the door for oppressive governments covering up human rights abuses or hide other information they dont want widely available.

        Google appealed and won: https://www.bbc.com/news/technology-49808208

        I also want to point out that this Spanish guy’s situation is very different from “posting publicly on social media”. He was getting written about by others and the courts eventually said “no, this can stand. This information should remain available”. So I imagine, public statements made by an individual certainly wouldn’t qualify to be forgotten.

        At the end of the day, to me, this is a technical decision not a privacy one.

  • nerodessertking@beehaw.org
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    i mean raddle is a site that has an anti doctor post pinned in the mental health community … like c’mon I and many others need medicine to survive and you are encouraging anti-psychiatrist posting, Church of Scientology levels of anti-medicalist posting

  • GadgeteerZA@beehaw.org
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Not sure what the point of “Mastodon’s” opinion is? Firstly, Mastodon is pretty big and decentralised, and it has no-one who really speaks on behalf of all its users. Lemmy is not a privacy central network like a direct messenger service. It never claimed to be privacy centric as far as I know. The point is to share posts in communities, and the more that see them, the better.

    But it is federated which means posts do get shared to other servers everywhere, and deleting those is not as easy as for a centralised server. Whatever I post on any sharing type service, I consider to be public.

  • MrEUser@lemmy.ninja
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    I’m at a loss. You’re saying that things that you said publicly are private? Or you’re saying that they become private because you delete your account? Assume you dox someone. I need to find out if that happened. As an admin I’d be able to see that

    1. you
    2. publicly posted
    3. their data

    I would need to be able to provide this to authorities if they provided needed legal documentation. Why do you think that privacy dictates you should be able to commit a crime, and get away with it by deleting your account?

    • mainfrog@beehaw.org
      link
      fedilink
      English
      arrow-up
      0
      ·
      edit-2
      1 year ago

      I don’t think there is a legal requirement that you store that data, just that you make the data you store available, or in some situations, you add logging for valid law enforcement requests.

      Apple for example does not have access to end-to-end iCloud data that is encrypted to my knowledge. They wouldn’t be able to provide the contents of my notes application to law enforcement necessarily - and that is currently legal.

      • MrEUser@lemmy.ninja
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        I’m basing what I have said off of work I have done with attorneys in similar situations. I don’t know evidentiary law, but I wouldn’t want to be accused of destroying evidence of something. But my question stands. Why should someone who has doxed someone get away with it by deleting their account? How is that ethical?

      • Mark@lemmy.ca
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        Apple (and Google, Microsoft, etc) are checking signatures of all files on their services to detect illegal stuff. They do it for copyrighted content and they do it for CSAM.

  • russjr08@outpost.zeuslink.net
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    So, I was born in the late 90’s - I don’t know if they still have “computer literacy” as a core course in schools these days, but they did when I was going through K-12 (or, well K-9… once you were in high school they assumed you knew the basics of how to use a computer, and had more advance courses).

    One of the very first things we learned about the internet is that once you put something on the internet, there is no way to take it back. At the time, uploading pictures to the “cloud” and such wasn’t really a thing so we learnt this by using email: Once you’ve sent an email to someone, you cannot “unsend” it. You can kindly ask the other party to delete the copy of the email without opening it, but you cannot guarantee that the email wasn’t saved on another computer, or saved somewhere else along the route between your computer and the receiver’s computer. Clicking the send button was taught to us as “etching your letter into stone”.

    Because of this, I’ve always (or at least, as far as I can remember) made sure that anything I put on the internet, or even “put into digital form” (such as even writing something in a file on your computer - you can recover deleted files from a hard drive unless you really put in the effort to actually erase it… there is a huge difference between erasing a file, and marking it as “deleted”) is something that I’m okay being tied with me forever. I’m sure if you looked hard enough, you could find me participating on message boards as a young teenager - and to that I just say “Oh well”. Is some of it probably very cringe-inducing and embarrassing? I have no doubt.

    (This is also why you should take extreme caution when talking about say, your friend, on the internet - if you post something about them on the internet, you’re condemning them to this same exact thing)

    Now funnily enough, as far as I understand the ActivityPub protocol, it is for all intents and purposes the exact same as email in this regard. Once you’ve sent something, there are no “take backs”. All you can do is kindly ask others to delete their copy, and that comes with zero guarantees. If I had a mastodon server, and someone deletes their toot - I could take down my server and my server would never receive that delete request. Or, just simply change the source code of the Mastodon instance on my server to straight up ignore deletion requests.

    Would it be nice for Lemmy to have a way to actually delete your content? Sure. But that’s not technically feasible, and personally (as controversial as it may seem) I would rather Lemmy not try to give you the false sense that everything was completely gone forever. I’m not saying that you shouldn’t be able to delete your account off a Lemmy instance, but it shouldn’t come with an option that says “Check here to remove your data/media from all federated instances” because Lemmy/no one can promise that, and I really hate it when software (or really anyone/anything) attempts to make a promise in bad-faith knowing that they can’t possibly ever uphold it.

    Anyone who thinks Reddit is “better” than Lemmy in this regard probably doesn’t realize that Reddit is making a claim they can’t keep. The most obvious example of this is all of these subreddits that have gone dark? You can bring up most of their posts on the Wayback Machine or Google Cache. That would be the case regardless of whether they were set to private, or even if they were just straight up “deleted”.

    We really should not be setting the belief for people that there exists a way to completely nuke a piece of data off the internet, because you cannot make a guarantee of that being the case.

    • Mikina@programming.dev
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      I don’t really agree with this. The core behavior of Lemmy should be to make a reasonable effort to delete it, which as I’ve understood it doesn’t really.

      And you don’t have to give people a false belief - the button shouldn’t only say “Request removal of data from all Federated instances”, but also add that “But keep in mind that it’s not possible to enforce deletion from all instances in a Federated environment, and some instances may refuse to comply”.

      I think we should strive for privacy as much as possible, and by default the instances should comply. Sure, there’s nothing stopping anyone from not complying, but that doesn’t mean that we shouldn’t at least attempt to do it.

    • rothaine@beehaw.org
      link
      fedilink
      English
      arrow-up
      0
      ·
      1 year ago

      Not a guarantee, but a reasonable effort would be good.

      Consider doxxing. It would be better if instances propagated delete requests to the fullest extent possible so that that information would be as hard as possible to find.

  • mainfrog@beehaw.org
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Deleted comments remain on the server but hidden to non-admins, the username remains visible

    This is a negative behavior by Lemmy, in my opinion. Deleted comments should be purged after some time. Tildes does the same thing - I think with 30 days?

    Deleted account usernames remain visible too

    These should be replaced with some random string of characters or something like DeleteUser<numberhere> or something.

    Anything remains visible on federated servers!

    This is just a concession of federation.

    When you delete your account, media does not get deleted on any server

    This is an issue, too, in my opinion.

    • t3rmit3@beehaw.org
      link
      fedilink
      English
      arrow-up
      0
      ·
      1 year ago

      can’t anyone who runs a lemmy instance script all that in the db? alternately, can’t anyone who claims to do so just not do it in the db? it’s not like you would ever know.

      • mainfrog@beehaw.org
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        A sketchy instance operator isn’t really a solid defense against implementation of better privacy features in the source code.

  • Retronautickz@beehaw.org
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    1 year ago

    The illusion of Privacy is Mastodon (or social media in general)

    There’s a reason why when you go to “private mentions” on Mastodon, this appears:

    Private mentions. Post on mastodon are not end-to-end encrypted.Do not share any sensitive information over Mastodon

    While yes, we should be able to delete our content if we want, but it’s a bit naive to think there could be true privacy in any decentralised social media platform.

    There’s a reason why one of the think people tell you when you come to the fediverse is not to share personal and sensible information.

    The only decentralised social media that has some level of privacy is Matrix, and that’s why it has it’s own protocol and only federates within/between its own servers.

    • KitemanHellYeah@lemm.ee
      link
      fedilink
      English
      arrow-up
      0
      ·
      1 year ago

      In general I think we should go back to separating personal identities from internet identities on discussion forums like these. There are already platforms for promoting your personal identity that are way better than these types of forums

      • Retronautickz@beehaw.org
        link
        fedilink
        English
        arrow-up
        0
        ·
        1 year ago

        I completely agree. I’d add that. in general I wouldn’t put any type of personal information on the internet, no social media site, is really private.

        • wewbull@feddit.uk
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          I was rather peeved I had to give an email to create an account on Lemmy. It shouldn’t be needed.

          • fedi@geddit.social
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            Unfortunately there has been a wave of fake accounts being created on lemmy. Requiring email on signup is one way to try to prevent this from happening.

          • Retronautickz@beehaw.org
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            I have an email that I specifically use for the fediverse. I wasn’t asked to give email here, but otherwise it would have been hard to know when and whether my join in request was approved or not.

  • 0xtero@kbin.social
    link
    fedilink
    arrow-up
    0
    ·
    1 year ago

    First - we’re all using alpha/beta software (Lemmy is 0.17.4, Kbin is 0.10.). None of these services are “production quality” software yet, so let’s keep that in our minds - we’re all early adopters.

    The points mentioned in the OP are a bad look. Naturally. User should have expectation of their data being deleted on request - especially since this request might be regulatory privacy request (GDPR related). It’s a clear failure from the software and should be improved and iterated upon.

    The expectation shouldn’t be “oh well it’s on the Internet, live with it”. While Facebook might keep mining your data after deletion request, our software shouldn’t behave like that, we should strive to be better with this stuff.

    And finally, ensuring privacy in federated system is hard. Mastodon suffers from same problems. We shouldn’t give up on the idea though.

    • YMS@kbin.social
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      It is an early stage software and such things can be worked out, you’re right. But on the other hand, such basic elements should be based on a thorough concept before a single line is coded, and implementing something like a delete button with “Let’s just make it delete the most visible stuff for now, we can always improve that later when there is time” is recipe for disaster.

    • aard@kyu.de
      link
      fedilink
      arrow-up
      0
      ·
      1 year ago

      The more important part for privacy: Mail address is optional, and IP addresses are not stored in the database. A correctly configured instance (at least for EU legislation) also will not log IP addresses in the web server - with that you can have profiles that can’t be tied to an actual human, and you don’t have location and movement data.

      The data deletion is pretty much a nice to have - it’s on the level of the Exchange feature to recall Emails: Sure, you can ask nicely, but outside of your own server pretty much nobody will care. Lemmy is federated over multiple jurisdictions, so even with full deletion implemented there’ll almost certainly be instances which will ignore the deletion request - and it will be completely legal for them to do so. More important is education about what you publish, and a basic understanding of the technical and legal realities you’ll have to deal with if you later decide you want that information gone.

      I already had that discussion with my 6 year old when she wanted to publish some videos - and she understood the problems quite well.

      • Pekka@feddit.nl
        link
        fedilink
        arrow-up
        0
        ·
        1 year ago

        but outside of your own server pretty much nobody will care. Lemmy is federated over multiple jurisdictions, so even with full deletion implemented there’ll almost certainly be instances which will ignore the deletion request - and it will be completely legal for them to do so

        Lemmy also seems to federate your matrix_user_id, that is clear personal data. It does not matter how the data gets to the federated server, this is still user data within the scope of the GDPR. It does not matter that that server does not have an agreement with the user, the instance that would ignore a GPDR related deletion request would be in direct violation of the GDPR. Maybe it can do that without consequences, though.

        I completely understand that making Lemmy fully GPDR compliant will probably be impossible, however I don’t like the approach of “we will not succeed, so we don’t make any attempt”. Instances should actually delete data when that is requested, or instance hosts can get fined. For now, Lemmy has bigger issues to solve, but eventually they should do at least a best effort attempt to respect user data.

        • appel@whiskers.bim.boats
          link
          fedilink
          arrow-up
          1
          ·
          1 year ago

          I had a look into the wording of the gdpr (more specifically the Data protection act as it is implemented in the UK) it seems to refer to organisations. I think most, if not all, instances are not hosted by organisations. (Just some group or individual hosting it on personal or rented hardware). Laws such as this are designed with centralization in mind, and kind of don’t make sense in the context of decentralisation.