this post was submitted on 20 Jan 2024
105 points (80.0% liked)

Privacy


I've been grappling with a concern that I believe many of us share: the lack of privacy controls on Lemmy. As it stands, our profiles are public, and all our posts and comments are visible to anyone who cares to look. I don't even care about privacy all that much, but this level of transparency feels to me akin to sharing my browser history with the world, a discomforting thought to say the least.

While the open nature of Lemmy can foster community and transparency, it also opens the door to potential misuse. Our post history can be scrutinized by creeps or stalkers, our opinions can be nitpicked based on past statements, and we can even become targets for mass downvoting. This lack of privacy control can deter users from actively participating in discussions and sharing their thoughts freely.

Even platforms like Twitter and Facebook, often criticized for their handling of user data, provide some level of access control. Users can choose who sees their timeline: friends/followers, the public or nobody. This flexibility allows users to control their online presence and decide who gets to see their content.

The current state of affairs on Lemmy forces us into a cycle of creating new accounts or deleting old posts to maintain some semblance of privacy. This is not only time-consuming but also detracts from the user experience. It's high time we address this issue and discuss potential solutions.

One possible solution could be the introduction of profile privacy settings, similar to those found on other social media platforms. This would give users the flexibility to choose their level of privacy and control over their content without having to resort to manual deletion or account purging.

I believe that privacy is a fundamental right, and we should have the ability to control who sees our content. I'm interested in hearing your thoughts on this matter. How do you feel about the current privacy settings on Lemmy? What changes would you like to see? Let's start a conversation and work towards making Lemmy a platform that respects and upholds our privacy.

[–] Creddit@lemmy.world 59 points 7 months ago (3 children)

When you have privacy settings, what you really have is a lie.

It starts out with good intentions, like those in this post, but eventually everyone forgets that the platform still sees your posts and does not give a shit about selling them.

I would rather acknowledge from the very beginning that this entire system is not private, so there is never such a misunderstanding.

Everyone should post and comment with caution, just like you use caution with what you say in public places.

[–] user224@lemmy.sdf.org 13 points 7 months ago

Sup. And all this data would still be federating, it has to be. That just means that some data-collecting company could make a fake instance and get everything together. Or someone could just fork it back.

[–] shortwavesurfer@lemmy.zip 47 points 7 months ago (1 children)

I have a feeling that you might be misunderstanding what the actual purpose of lemmy is. lemmy has taken quite a few design decisions from Reddit which is exactly the same way. Both platforms are public places where all content is shared. Anyone using them needs to be aware of that fact. Mastodon might be a better fit for you as it is more focused on individuals rather than public communities.

[–] Steve@communick.news 37 points 7 months ago (1 children)

The very nature of Lemmy and most social media, is that what you put out there is public. If you don't want everyone in the world to read something you wrote, then social media may not be your kind of thing.

[–] knobbysideup@sh.itjust.works 36 points 7 months ago (1 children)

If you don't want to share information on a public forum, then don't.

[–] amanneedsamaid@sopuli.xyz 32 points 7 months ago (1 children)

The way I see it, community-based social media is a public forum, where every post / comment is public (Obviously less applicable on an individualized platform like Instagram). Everyone has an inherent right to privacy, but not when they're using a platform like Lemmy. Twitter and Facebook are fundamentally different platforms. You can't expect privacy while using lemmy, so use a different platform to post private content.

[–] SnotFlickerman@lemmy.blahaj.zone 26 points 7 months ago* (last edited 7 months ago)

These people should be looking into spinning up Matrix servers if they want a private club with real privacy so bad.

It's definitely a weird thing to constantly be upset about: "People can see what I posted in public when I post them publicly!"

It's like complaining about people being able to take photos with you in the background in public. It's a public space, there is no expectation of privacy.

If you want a private internet experience, you have to put some work in.

[–] floofloof@lemmy.ca 26 points 7 months ago* (last edited 7 months ago) (2 children)

On Lemmy any comment you post gets federated out to other servers, so it's available to anyone who sets up a server. So by design it is not possible to control who gets to see or archive your comments. I could set up a server to permanently archive every comment it sees, and if your server sends me your comment it goes into my archive. Probably people are already doing this for data mining. It's not clear that you could bolt some kind of privacy control on to this architecture, which is fundamentally designed for sharing.

[–] andyburke@fedia.io 3 points 7 months ago (1 children)

Although I agree that is how things work now, one could imagine a different approach:

For instance, I could maybe control who my content gets federated to. That is, if I decide I don't particularly want my content blasted to certain places that my instance would not call any blocked ones with my data.

If that causes some issues with ActivityPub, you can imagine encrypted blobs that could only be opened by others with a shared key.

We don't need to achieve perfection out of the gate, to me these questions are worth discussing so that we can build out more high quality tech for the fediverse, let's not try to just immediately shut down discussion.

[–] mr_satan@monyet.cc 5 points 7 months ago (9 children)

How would you ensure other instances are not sharing your content?

To me this seems to be a question of ideology. I came here from Reddit because this is an open forum with transparent history.

Federation by design ensures that accessibility (as far as I understand, correct me if I'm wrong). This design principle to me is the core. If that seems like an issue maybe this style of social media is not for you.


Nope, reading people's history is the number one reason I liked Reddit and now lemmy. It's just anonymous enough that you can keep your private life separate, and having a comment history stands in as an online barometer of who the other people you're talking to are generally like

[–] leraje@lemmy.blahaj.zone 22 points 7 months ago

To me, it's an issue of personal responsibility.

Lemmy is, like a lot of Fediverse platforms, about as private as it can be. There's no trackers, you're not forced to use real names or any other identifying information, no adverts follow you from site to site, no browser fingerprinting and no instance owners are trying to sell your data.

Beyond that, what you choose to say on Lemmy is your responsibility and yours alone.

[–] SnotFlickerman@lemmy.blahaj.zone 21 points 7 months ago* (last edited 7 months ago) (5 children)

If you're not running your own server privacy policies are not even worth the pixels they're presented on.

Literally, you're just taking a random person's word for it (whoever the admin is). A website is a black box, you have no idea what's going on on the back-end.

The only way to be in complete control of your user data is to run your own server and be literally the only user on it.

Even then, any public comments you make are, you know.... public.

[–] otp@sh.itjust.works 16 points 7 months ago

Even then, any public comments you make are, you know.... public.

As they should be.

Public comments is how you can find patterns of sketchy user behaviour.

[–] henfredemars@infosec.pub 7 points 7 months ago

Ask me no questions and I'll tell you no lies. It asks much less of my instance admins if it's understood that my information was never private to begin with.

[–] morrowind@lemmy.ml 6 points 7 months ago (1 children)

Well there's still the legal threat. You have to trust someone, unless you're creating your own hardware and never connecting to the internet

[–] SnotFlickerman@lemmy.blahaj.zone 7 points 7 months ago (1 children)

True! All your data will pass over other hardware owned by other people.

The only real online privacy is not connecting to the internet to begin with.

The whole system is based on trust.

Which is why I think some of these privacy demands are straight silly.

[–] FutileRecipe@lemmy.world 3 points 7 months ago

All your data will pass over other hardware owned by other people. The only real online privacy is not connecting to the internet to begin with.

And now we're entering into the realm of encryption, especially end-to-end. Generally speaking, just because you're sending information that touches other people's hardware, doesn't mean it's public and readable.

[–] henfredemars@infosec.pub 21 points 7 months ago* (last edited 7 months ago)

I prefer the complete lack of privacy settings because it is open and honest about the reality of what Lemmy is able to provide.

Even if you're running your own instance, you are necessarily submitting your data to another party. I don't have to trust the platform as much when my data isn't private. It's much easier to engineer a system around that assumption.

If we suppose that anything I submit to Lemmy is submitted to the public, I can't be misled. My data cannot be leaked because I'm presenting it to the world already. Lemmy is a young social project with many problems to solve, still trying to gain traction and hold on to users and with an uncertain future. In brief: bigger fish to fry.

Maybe privacy controls could be on the list, but I don't think it addresses the main problems or applications of the platform and creates its own set of issues. Keep it simple and stupid.

[–] poVoq@slrpnk.net 19 points 7 months ago (1 children)

Given the state Lemmy is in (barely functional with loads of papercuts) and the barebones developer funding it has (barely above minimum wage), these honestly feel like low priority "nice to have" features for a software that is meant for public forums.

[–] SnotFlickerman@lemmy.blahaj.zone 7 points 7 months ago

No! How dare you suggest something so absurd!

I don't care how little money they have and how few developers they have, they need to bring a feature-set that is on par with corporations with billions of dollars at their disposal and thousands of developers! Fuck that, they need to even do better than those companies on the privacy issue!

Big fat /S

[–] Omega_Haxors@lemmy.ml 14 points 7 months ago* (last edited 7 months ago)

I personally enjoy that this sort of information is public, it keeps people honest and gives a tool to use against bad faith actors. People lie. Besides, it's not like anyone's forcing you to post personal information online. Some level of responsibility needs to be put on the user.

[–] chicken@lemmy.dbzer0.com 12 points 7 months ago (1 children)

I remember a little while ago a thread with someone from kbin gloating that they could see what everyone was voting, and accusing the people upvoting comments they disagreed with of being bigots in a vaguely threatening way obviously intended to produce a chilling effect, and people found this surprising because that information is not public on most instances.

I basically agree with the people saying open info is just the nature of posting on a public forum and of federation, but there could be improvements, even just in awareness of what is and isn't private.

[–] bamboo@lemmy.blahaj.zone 4 points 7 months ago (1 children)

This is a great point because in the Lemmy UI, this information isn't shown, and you can't even list out all posts you've upvoted. As most of us coming from Reddit, we're used to upvotes being private, and probably assume it's the same. I understand the technical reasons for having the information public, but it is not clear from a user perspective that it's public.

[–] mr_satan@monyet.cc 12 points 7 months ago (3 children)

What you're describing is an issue with all of social media. While your concerns are valid, I don't see your arguments as privacy issue. I honestly prefer post and comment history being transparent and accessible. It's much like Reddit and this format fits much better with an open forum style of platform.

Don't post private information and it's a non-issue.

Also, can't you just delete posts and comments like on Reddit?

[–] bamboo@lemmy.blahaj.zone 4 points 7 months ago (1 children)

Also, can't you just delete posts and comments like on Reddit?

Nothing ever dies on the Internet. With the federated nature of Lemmy, it's possible for deletes to not sync across instances, especially if there's defederation that happens.

[–] drndramrndra@lemmygrad.ml 3 points 7 months ago (2 children)

Also, can't you just delete posts and comments like on Reddit?

Not really AFAIK. Your comment is spread across many instances, and they're not required to follow your deletion request.

[–] TexMexBazooka@lemm.ee 9 points 7 months ago

Bruh what? If you’re repeatedly making new accounts because you don’t want people reading your post history you’re doing something wrong.

[–] MajorHavoc@programming.dev 7 points 7 months ago* (last edited 7 months ago) (3 children)

It gets weird fast, because before privacy controls in the Lemmy source code mean anything, we need trusted third party verification of a server's patch level, and security controls.

That can be done, and I think Lemmy has a shot at getting to that point, but it'll be awhile.

In the meantime, I suspect the Lemmy developers are hesitant to add and advertise features that you can't be sure are actually correctly enabled on your instance.

But yeah, let's not let perfect be the enemy of moving toward better.

Edit: Assuming you completely trust your instance admin, we could start adding some basic privacy to actions taken on your home instance.

But as soon as the user starts interacting via federation, all bets are off - because the federated instance may be malicious.

I think we might see one or more "trusted fediverse" groups emerge in the next few years, with instance admins making commitments to security controls, moderation, code of conduct, etc.

So, in theory, the lemmy software could start implementing privacy controls that allow users to limit their visibility to whichever part of the fediverse their instance admin has marked as highly trusted.

But even then, there's risks from bad actors on highly trusted instances that still allow open signups.

Anyway, I totally agree with you. It's just a genuinely complex problem.

[–] Sal@mander.xyz 4 points 7 months ago (1 children)

I think we might see one or more “trusted fediverse” groups emerge in the next few years, with instance admins making commitments to security controls, moderation, code of conduct, etc.

There is now at least one system in place for admins to vouch for other instances being non-malicious, and to report suspected instances. It is called the fediseer: https://gui.fediseer.com/

[–] SnotFlickerman@lemmy.blahaj.zone 3 points 7 months ago* (last edited 7 months ago)

If all the people complaining would just contribute to the codebase this wouldn't even be an issue.

Often, you even see the devs coming into threads like this and making suggestions, like "make a pull request." They want more people contributing.

It's tons of people whining, very few people contributing. Guess what? While at a certain point, adding developers stops increasing productivity, there's a small window where adding developers does increase productivity.

If I am correct, Lemmy only has four main developers. That's well within the range to add more developers and increase the productivity, making new features and security come faster.

So I get it, but things take time, and are complicated, which you thankfully can see.

People whinging about it in threads does nothing to change it. Donating to Lemmy's development costs or contributing code does.

So much of it sounds like it's from less-technically-inclined people (some of it's valid critique from experts, but they generally... write bug reports and do pull requests...) who just want it to be better but the only way they know how is to "bring awareness." Well, all that "awareness-bringing" just amounts to spreading FUD.

[–] LunarVoyager@lemmy.world 2 points 7 months ago* (last edited 7 months ago)

I think we might see one or more "trusted fediverse" groups emerge in the next few years, with instance admins making commitments to security controls, moderation, code of conduct, etc.

So, in theory, the lemmy software could start implementing privacy controls that allow users to limit their visibility to whichever part of the fediverse their instance admin has marked as highly trusted.

You put into words something I was thinking about earlier but better. The whole point of a federation is that every member of the federation is more or less on the same page. Currently it seems that federation/defederation decisions are being made on an individual basis rather than a collective one.

[–] solrize@lemmy.world 6 points 7 months ago* (last edited 7 months ago) (1 children)

Lemmy has many privacy problems that have nothing to do with public comments you make. For example, the "hide posts that you have already read" option requires that the server track what posts you have read. There is no public activity involved in reading a post. So the Lemmy server should not track that info. If that feature is to exist at all, it should be implemented purely on the client. The same can be said about subscriptions, and for that matter about voting (server should discard voting info after a brief interval for abuse detection). The Lemmy software is in many ways naive about this stuff.

[–] SnotFlickerman@lemmy.blahaj.zone 5 points 7 months ago* (last edited 7 months ago) (1 children)

I don't disagree on those points, but I think it's the nature of Lemmy being decentralized that makes all those things necessary.

server should discard voting info after a brief interval for abuse detection

What if the server has not federated out the votes yet? Some of that stuff can get backed up in a queue. There's definitely a possibility that votes could get "lost" on the way. Hell, that already happens, and that's with a system that tracks them.

Servers have to keep a lot of this info to pass to other servers. If I upvote something on Lemmy.blahaj.zone, it doesn't mean that upvote has been federated outward to hundreds of other servers yet. I would assume this is part of how Lemmy is able to keep things "organized" between all servers.

In other words, a lot of the privacy complaints come from technical limitations of how Lemmy works. Lemmy, by its decentralized nature, has to transfer tons of data back and forth between all Lemmy instances.

However, there are technologies that are trying to work around this kind of technical limitation. You might be interested in something like Veilid. I'm not sure about the details of putting together a Veilid-based social-network, but I'm willing to believe it's possible.

[–] solrize@lemmy.world 2 points 7 months ago (1 children)
  1. I don't see anything in your post that indicates any reason to track what posts a person has read. That should not be tracked at all. Reading posts should be completely anonymous.

  2. I don't see why voting necessarily has to track who casts the votes. But, because untracked voting can be abused so easily, I can understand deciding to retain the info for let's say 24 hours. Hopefully that is also enough to handle those propagation issues.

Really, imho, server instances shouldn't have a web interface at all, just an API. Web apps would make API calls to the server and reformat the response for use by the browser. The API call to read a post should not require any identifying info or require the user to be logged in. Read tracking and subscriptions should be handled by the client, and in the case of a public client (web app shared by many users), the private user info should be encrypted in case of a server breakin or seizure. The encryption key would be based on the user password and transformed to a browser cookie when the user logs in, so it is never stored by the web app. With most people using mobile clients these days, alternatively, the info can be kept completely on the client device and maintained by the mobile app.
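
The scheme described in the comment above (private per-user state encrypted under a key derived from the password, the key handed to the browser as a cookie and never stored by the web app), as an added example that is not part of the thread or of Lemmy's code. It assumes Node.js, with scrypt and AES-256-GCM chosen here as the KDF and cipher; the function names, the in-memory `store` and the user IDs are hypothetical.

```javascript
// Added example: hypothetical names throughout, not Lemmy's API.
const nodeCrypto = require("node:crypto");

// What the web app persists per user: a salt and an opaque blob, nothing else.
// A break-in or seizure yields only these two fields.
const store = new Map();

// Derive the data key from the password. This salt is separate from whatever
// the login check uses, so a stored login hash cannot double as the data key.
function deriveKey(password, salt) {
  return nodeCrypto.scryptSync(password, salt, 32);
}

// Encrypt the state; the user ID is bound as associated data so a blob
// copied onto another account fails authentication.
function seal(key, userId, state) {
  const nonce = nodeCrypto.randomBytes(12); // fresh nonce on every write
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, nonce);
  cipher.setAAD(Buffer.from(userId, "utf8"));
  const body = Buffer.concat([
    cipher.update(JSON.stringify(state), "utf8"),
    cipher.final(),
  ]);
  return Buffer.concat([nonce, cipher.getAuthTag(), body]).toString("base64");
}

// Decrypt and authenticate; throws on a wrong key, wrong user or tampering.
function open(key, userId, blob) {
  const raw = Buffer.from(blob, "base64");
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(userId, "utf8"));
  decipher.setAuthTag(raw.subarray(12, 28));
  const plain = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
  return JSON.parse(plain.toString("utf8"));
}

// Login: derive the key in memory and return it as the cookie value
// (to be sent with HttpOnly; Secure; SameSite=Strict). The key is not stored.
function login(userId, password) {
  let rec = store.get(userId);
  if (!rec) {
    rec = { salt: nodeCrypto.randomBytes(16), blob: null };
    store.set(userId, rec);
  }
  const key = deriveKey(password, rec.salt);
  if (rec.blob === null) rec.blob = seal(key, userId, { read: [], subscriptions: [] });
  return key.toString("base64url");
}

// Per request: the key arrives in the cookie, the state is decrypted in
// memory, updated and written back re-encrypted.
function markRead(userId, cookieValue, postId) {
  const key = Buffer.from(cookieValue, "base64url");
  const rec = store.get(userId);
  const state = open(key, userId, rec.blob);
  if (!state.read.includes(postId)) state.read.push(postId);
  rec.blob = seal(key, userId, state);
  return state.read;
}

// Returns the decrypted state, or null when the key or user does not match.
function tryOpen(userId, key, blob) {
  try {
    return open(key, userId, blob);
  } catch (err) {
    return null;
  }
}
```

The cookie is as sensitive as the password for this data, and a password change requires decrypting and re-sealing the blob under the new key.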

[–] loki@lemmy.ml 4 points 7 months ago

Good features. If you make a fork, people would be interested in trying it out.

[–] turkalino@lemmy.yachts 6 points 7 months ago

Idk, doesn't quite seem appropriate for a federated reddit clone. I think you're better off on a chan board

[–] csm10495@sh.itjust.works 4 points 7 months ago

Technical question: How would posts federate if private?

[–] SheeEttin@programming.dev 3 points 7 months ago

You can control who sees it by how and where you post it. If you don't want people to see it, just don't put it on the Internet at all. Even sites with fine-grained privacy controls can have flaws that result in information leaks.

[–] Eggyhead@kbin.social 3 points 7 months ago* (last edited 7 months ago)

While I think most of us forum users are, I get the impression that the biggest proponents of activity pub and the fediverse as a whole aren’t even seeing privacy as even relevant. It’s a lot of talk of businesses having their very own instances to interface with the public rather than needing to rely everything on the whims of Facebook, twitter, LinkedIn, etc. Nothing with regards to the implications for surveillance, identity theft, spam, privacy or security.

Right now, we’re relatively under the radar because the fediverse hasn't really hit the mainstream yet. But I think it will, and once it does, everything we’ve ever posted will just get slurped up by data trawlers and the flood of spam will be inevitable. We’ll be juggling social media accounts just like we do with emails.

I don’t know if this is relevant, but I’d like to someday have my own kbin instance hosted on my own personal server exclusively for family. I imagine the instance being able to federate content from bigger instances, allowing members to follow people they like on microblogs or participate in federated forums from this privately maintained instance. But if anyone wanted a thread or magazine to be available to users from outside the instance, they would have to specifically opt-in to that option when creating it, and it would only apply to that one thread or magazine. Any other instance would just see our humble little family instance with only that one thing to federate. The rest of the instance would be an encrypted enclave specifically for family accounts, and completely invisible to the fediverse.

[–] risencode@lemmy.ml 3 points 7 months ago (1 children)

The only privacy setting I can encourage on any social media site is don't share private stuff about yourself and never link to your account from other accounts
