Anything put on the internet is forever. No one should be publicly posting anything with the expectation that they have any control of it after it goes out. If it’s not held by the server, there’s the way back machine or even just folks taking screenshots.
There's a difference between "there's no way to guarantee total privacy" and "the system is designed to guarantee no privacy", though. Even the best of us fuck up and say something they shouldn't on occasion, and plenty of people online were never given proper lessons or are too young to understand how serious revealing information is.
Exactly, when you put it out there it's out there on every single platform there is. It doesn't matter if you "delete it", the moment you share it you have lost control over it entirely.
For the same reasons I never understood why people post on Facebook with their own full name and life story out there in the open either.
I completely agree. I just don't see how there can be any realistic expectation of privacy when publishing something publicly.
I appreciate the idea of laws establishing a right to be forgotten and I think there's still some value in being able to take your data away from certain companies, but there's no guarantee it wasn't copied many times before the original location is taken down.
The Fediverse works like email. Once somebody hits send, there's no real way to claw that back.
Whether is Lemmy, federated, corporate owned, or even your own private site - nothing you put on the internet is ever truly private. If you have a public profile someone can access it and copy it.
The only things I'll say that I have an expectation of privacy is health related, everything else I fully expect someone else to read, copy, and multiply.
I think there should be, but I never expect there to be. Did people's parents not teach them about putting things on the internet they didn't want shared?
Did people's parents not teach them about putting things on the internet they didn't want shared?
They used to, then social media became a thing and they stopped. Suddenly, it was normal to put your entire life up online for other people to see, and if you didn't feel comfortable doing that you were the weird one.
My rule is, never post anything you wouldn't mind the media tracing back to you IRL and then making the top story of the day in your country. Because, while rare, that does occasionally happen!
My rule is, never post anything you wouldn't mind the media tracing back to you IRL and then making the top story of the day in your country.
So don't live, basically.
Or you can just maintain anonymity as best as you reasonably can and hope no one goes out of their way to identify you or the account(s). Making a new account after awhile is a safe practice. The goal is to decrease the likelihood of undesirable things, not make them impossible.
True but you should still be able to delete your account and your comments and username leave the service. Online privacy isn't about completely disappearing, but making yourself so hard to track the average person won't bother digging.
Which in turn decreases the likelihood of something happening. Like locking a door.
The saying "If somebody wants to get in they will." is a terrible one when left as is.
I mean yes but it's still bad practice to keep deleted content. It'll be a bad look to people interested in switching to lemmy and more people is really what it needs right now
It's the Internet Corrolary to Murphy's Law: your embarrassing posts will be available online forever, but any useful information you want to find later will have been deleted when you next look for it.
That's a poor answer to be honest. Total privacy is an illusion, but having the tools to delete some of the traces if wanted should be there. I would argue that the EU law about the right to be forgotten might want a word with someone.
I escaped Reddit, but i hold anyone else to a standard too.
Personally when I want to share what I'm saying with the world I write a letter, burn it, and snort the ashes. This is the only truly private way to do this.
As a life long anarchist, I personally find raddle to be a fucking embarrassment. The elitist bullshit is right up there with other political anarchist sites like anarchist news; they're all a fucking shit show and shows why anarchists will never accomplish anything.
I'd like to see a more completely decentralized implementation, but federation does seem like it's practical in that it's easier to implement and use while still having a lot of the benefits of decentralization.
Ideally I picture something like a lemmy application that runs it's own internal, persona instance, but I'm not sure how the protocol would deal with that many isolated instances.
Keeping an eye on things like holochain and locutus to see if one of them will end up being a viable protocol to build a fully decentralized forum app on.
In the mean time I mostly like lemmy because it's written in rust. Postmill looks cool, feature-wise, but I can't see myself contributing to it when I it's written in PHP. I already have to use too much PHP in my day job. When I come home I just want to use an enjoyable language.
That's a non issue. You just cannot expect to be able to delete anything you post on the internet. Even the great reddit with the awesome deletion feature cannot help you. You might be able to delete your comment there, but there is https://www.unddit.com/https://archive.is/https://web.archive.org/ and many others, where your comment will still be available.
Do you think about Reddit "undeleting" posts? The reason for this is that your posts in privated subs make them disappear from your profile. So when they go public again, they are there.
Deleted comments remain on the server but hidden to non-admins, the username remains visible
This is a negative behavior by Lemmy, in my opinion. Deleted comments should be purged after some time. Tildes does the same thing - I think with 30 days?
Deleted account usernames remain visible too
These should be replaced with some random string of characters or something like DeleteUser or something.
Anything remains visible on federated servers!
This is just a concession of federation.
When you delete your account, media does not get deleted on any server
can't anyone who runs a lemmy instance script all that in the db? alternately, can't anyone who claims to do so just not do it in the db? it's not like you would ever know.
Honestly, this is definitely something that can be added - and in fact it might even be beneficial to server costs. Alongside optional deletion of cached data from other instances maybe a year or two after the data arrived.
People need to remember that Lemmy is an alpha software - we haven't even reached the big 1.0 release
I’m at a loss. You’re saying that things that you said publicly are private? Or you’re saying that they become private because you delete your account? Assume you dox someone. I need to find out if that happened. As an admin I’d be able to see that
you
publicly posted
their data
I would need to be able to provide this to authorities if they provided needed legal documentation. Why do you think that privacy dictates you should be able to commit a crime, and get away with it by deleting your account?
That’s a hard question to answer. My position is based on where I live and what legal council I have worked with has said in situations I’ve dealt with. My recommendation is, check with an attorney.
I don't think there is a legal requirement that you store that data, just that you make the data you store available, or in some situations, you add logging for valid law enforcement requests.
Apple for example does not have access to end-to-end iCloud data that is encrypted to my knowledge. They wouldn't be able to provide the contents of my notes application to law enforcement necessarily - and that is currently legal.
Apple (and Google, Microsoft, etc) are checking signatures of all files on their services to detect illegal stuff. They do it for copyrighted content and they do it for CSAM.
Checking against a known-malicious hash is very different than claiming to have access to the plain data. In fact, even for the known-malicious hashes, the companies doing the checks usually don't have access to the source data (so i.e. they don't even necessarily know what it contains).
I’m basing what I have said off of work I have done with attorneys in similar situations. I don’t know evidentiary law, but I wouldn’t want to be accused of destroying evidence of something. But my question stands. Why should someone who has doxed someone get away with it by deleting their account? How is that ethical?
So the key thing here is, "are you aware that the data is part of a legal proceeding or crime?"
If no, deleting it as part of normal operations is perfectly legal. There are plenty of VPNs which do not log user information, and will produce for the authorities all of the logs they retain (i.e. an empty log file).
From an ethical standpoint, keeping peoples' data which they want removed, against their wishes, based on the hypothetical that at some point someone might do something wrong, is by far the less ethical route.
"You might do something bad, so I'm going to keep all your data whether you like it or not!" <- the bad thing
Why should someone who has doxed someone get away with it by deleting their account?
Doxxing is not illegal in many places - the US included. Cyberstalking and harassment may be illegal, depending on location. That's beside the point, but this is an extremely specific example.
Ultimately users should, in my opinion, be in control of their data. Tildes, for example, preserves deleted comments for (I think) 30 days and then permanently removes them. It seems like that approach is a compromise that would work for your situation while still respecting privacy long term.
Wether or not doxing is unlawful depends on many things, even here in the U.S. Your absolute statement is false because it’s dependent on context that you haven’t considered.
I’m not the one that has to be satisfied with the solution. I just wanted to point out an example where it would matter that deleting an account could hide a crime. If you don’t like the doxing example, another example would be someone posting sensitive information (Airman Jack Teixeira).
Not sure what the point of "Mastodon's" opinion is? Firstly, Mastodon is pretty big and decentralised, and it has no-one who really speaks on behalf of all its users. Lemmy is not a privacy central network like a direct messenger service. It never claimed to be privacy centric as far as I know. The point is to share posts in communities, and the more that see them, the better.
But it is federated which means posts do get shared to other servers everywhere, and deleting those is not as easy as for a centralised server. Whatever I post on any sharing type service, I consider to be public.
I don't even understand why the OP calls this "Mastodon's" opinion. The link doesn't go to Mastodon. I think the parent post is being a bit of a troll honestly :( The criticisms at the link don't make sense, the person posting the link doesn't seem to think the criticisms are good, and they attribute the criticism to Mastodon while posting "Raddle". It's like they're only doing this to get everybody riled up
Here is the title of the Raffle post that was linked: "Warning: Lemmy doesn't care about your privacy, everything is tracked and stored forever, even if you delete it".
But wouldn't Mastodon instances be able to automatically backup posts, comments, edits, and deletions? Hell, users would be able to do it too yeah?
The whole idea of this being a privacy issue kind of goes against the whole internet archival movement and is really a moot point.
I can see this maybe being a problem with privacy regulations though.
Mastodon is where the link to the raddle article appeared. The post on Mastodon basically said they wouldn't use Lemmy because of what the article stated.
Am I missing something or isnt it that no matter what Lemmy does all those same problems would still exist, just from the internet archival sites instead. Sure the privacy could be better to deter some of it, but none of those issues are fully solveable so long as thise archival sites run. I guess the media not deleting is likely the biggest thing you could effect that archives would be less likely to store in the first place.
After reading some more comments, I think I came up with a good analogy to explain this issue, and I wanted to share.
Think of websites like a bar that also has an open mic.
Now, when I go to a bar, I don't want to have to give the bouncers and staff my full name as well as my address. I also wouldn't want them to know that I just came, for example, from a store where I was looking for a vacuum, and then have them warn a vacuum seller about it. A vacuum seller who is then going to sit next to me, while I'm trying to have a drink, and show me a pamphlet regarding the "amazing vacuum" he has for sale.
Ideally, I can also look for a bar that will allow me to come in costumed and not show my face. Or I could ask the bar to delete footage of me at some point, and to not store my ID if I do have to show it to a bouncer at the entrance.
All of that is relatively feasible and within the realm of reason; and all of that are things that privacy advocates might advocate for.
However, what is not feasible, or within the real of reason, or what privacy advocates tend to advocate for, is the ability for me to willingly go up on stage, say something on the mic which I immediately regret, and then ask everyone present to forget it ever happened and delete any footage they might have of it. No reasonable person would ask for something like that, because it is not a reasonable request.
That is how regular websites work. With federated websites, that becomes enhanced; it's like if the bar you're in has a camera pointed at the microphone, and transmits both video and audio directly into several other bars. So when you go up to that mic, you better make sure you're okay with what you are saying being made public and available to anyone.
However, what is not feasible, or within the realm of reason, or what privacy advocates tend to advocate for, is the ability for me to willingly go up on stage, say something on the mic which I immediately regret, and then ask everyone present to forget it ever happened and delete any footage they might have of it. No reasonable person would ask for something like that, because it is not a reasonable request.
That's not what is demanded. No one demands that the audience (users) forget what I said (the comment), much less: immediately. No one is asking for mind-erasing power or the ability to remove screenshots from other people's client devices.
With federated websites, that becomes enhanced; it's like if the bar you're in has a camera pointed at the microphone, and transmits both video and audio directly into several other bars.
Now, that is where the actual demands come into play: As you pointed out, it is reasonable to demand that the bar deletes any recording of what I said on stage. But the way the footage is shared with the other bars can be regulated via a protocol. In your analogy, it's like the other bars copy tapes from the original bar and show them at their place. Now, implementing a procedure of "delete that tape, please" is not impossible. In fact, it already works on Mastodon. If a bar doesn't comply, it simply wont get any tapes from the other bars (it gets defederated).
AFAIK, there is already such a feature planned on github. Which is great. But that is exactly the reason why these things need to be brought up and "privacy realism" is counterproductive.
That’s not what is demanded. No one demands that the audience (users) forget what I said (the comment), much less: immediately. No one is asking for mind-erasing power or the ability to remove screenshots from other people’s client devices.
Well, that why it is an analogy; the forgetting is equivalent to erasing from someone else's storage. You have no real control over it. Other people can say they do, but you don't know that. And that is what is being demanded - right now I can already "delete" my comments and Beehaw will indicate to other instances that it was deleted, but it can't control whether they do it, and it has no way to know if they really deleted something or just hid it from public view.
Differentiating between a client and a provider becomes extra tricky when you remember everyone can start up their own instance and still be essentially just a client - and, I think this is also worth mentioning, people can create their own backends that also federate using ActivityPub, but which are not open-source, and you'll have no idea what goes on in their servers. In the bar analogy, this would be people watching a stream of the mic at home; or another place, other than a bar with the same set-up, streaming and recording what goes on in that bar.
Also, if no one is demanding that things be deleted from client devices, then logically nothing should stop someone from sharing it with other people/clients. And if you believe otherwise, then as example: what if someone posts a comment, I reply, and then they edit it to put me in a bad light? Is it an invasion of privacy for me to show what it said previously?
This is not a privacy issue; you cannot demand privacy for something you shared willingly and publicly.
Respectfully, I find it more counterproductive, and even harmful, to encourage and spread the idea that people should have any expectation of privacy regarding things they have shared publicly.
No one demanded perfect privacy like with E2EE messengers, but rather: sensible protocol implementation of deletions.
No one is demanding that people shouldn't be able to scrape stuff from the internet.
Still: There is a possibility of doing everything in your power to delete stuff that's supposed to be deleted when you're a developer.
And they actually . That is why it is important to point these things out! The squeaky wheel gets the grease, as they say. Or is this issue counterproductive too, because it gives people the illusion that you can delete things on the internet?
If you think that "privacy" is the wrong term: granted. But sensible deletion protocols are not too much to ask for.
If you think that “privacy” is the wrong term: granted. But sensible deletion protocols are not too much to ask for.
Well, that is in a nutshell what I am arguing. I'm not inherently against the ability to delete things, as it can be quite useful as a quick means to say "I take this back", or "this information I shared is wrong, so I'm removing it" (although in that case I would opt to use an edit). Even "I'm embarrassed about this, so I don't want more people to look at it" is a good enough reason that I would respect, and for which I would delete the thing if it was in my possession. Essentially, I just don't think it should be treated as a privacy issue, because that might give a lot of people the wrong idea.
It could, but actually policing it would be difficult. I don’t think there is any “yeah I’ll do that” response and even if there is an instance could say it will delete it and still do nothing.
You could defederate with instances running versions that don't delete federated posts. Removing compatipility with older protocol implementations is not unheard of.
while this is certainly feasible, it is just a compliance checkmark of "doing your best". It wouldn't actually prevent someone attempting to persist that data. For example, I just need to maintain an insert-only copy of my deletion-compliant lemmy instance DB, and none of the deletions would be reflected on that.
I could then host that copy publicly on some unrelated lemmy instance, and without systematically de-federating from all other instances, you wouldn't know which one was retaining the data.
Which is indeed a problem as it makes it impossible for any admin to host in the EU or for EU citizens, in theory. GDPR §7 makes it very clear that complete deletion of all personal data (and yes,a Lemmy comment is personal data) must be facilitated by the original data collection point.
I don't think it's quite that bad/simple. Viewing your main instance as the Controller and other instances as Processors in GDPR terms won't work, because instances don't have the necessary control over each other for that, as you say.
However, you could circumvent that issue by making the case that each instance actually acts as an independent Controller. By participating on a federated service, you are explicitly agreeing to the data you provide (your profile, posts, comments, etc.) being made public and shared with other compatible services. That should be enough as the basis for other instances to reasonably assume you want your data to be processed by them, which (I think, not a lawyer) is sufficient justification for processing the data independently, as long as it's in line with how you generally expect the fediverse to work.
This would mean that each federated instance is its own, independent entity that processes your data, and to make use of your rights under GDPR, you need to do that with each of them individually. They effectively become their own "original data collection point", in your words, even if that data collection was not explicitly triggered by you.
The only thing missing for that to be legal (again, in my layman's view) is transparency about who's processing your data and how, which is necessary under GDPR. Every instance that receives your data via federation would need to let you know about that, and make available to you information on how exactly your data is processed and how you can make use of your rights under GDPR with them. That, in turn, would probably be easiest if the protocol spoken between fediverse servers were extend with automated and standardized ways to propagate GDPR requests from your home instance to any other instance that is processing your data, so that you don't have to actually deal with every single server yourself to get your rights enacted. Defederation in the meantime might be a problem, but there's ways around that, too.
The first point is indeed the only one I see atm that might be working. If one can reasonably argue that the node/instance is not voluntarily giving away the data and has no way to prevent that without massively hampering operation of the plattform it might be acceptable in front of a court.
Again: With a lots of might/could/ifs.
Because simply the fact that the nodes themselves are build for connecting to each other and very much do so (and you can effectively block other nodes from federating your content to a extent) speaks against that reasoning. But it worked for e.g. data scrubbers,etc.
However, you could circumvent that issue by making the case that each instance actually acts as an independent Controller. By participating on a federated service, you are explicitly agreeing to the data you provide (your profile, posts, comments, etc.) being made public and shared with other compatible services. That should be enough as the basis for other instances to reasonably assume you want your data to be processed by them, which (I think, not a lawyer) is sufficient justification for processing the data independently, as long as it’s in line with how you generally expect the fediverse to work.
That sadly explicitly does not work. Any consent given must be under definitive circumstances - a 'card blanc' consent is not possible under the GDPR. You must absolutely know where, by whom and what for your data is processed or transfered. And the initial data processor still has the obligation for a data processing agreement.
From what I understand instance 1 has to delete data if requested, but instance 2 has no obligation to unless requested. Just like data remains archived in sites like internet archive or other private archives. Just like it works on reddit or any other site currently.
Yes and no. The Web achieve and other data scrubbers are seen differently here as the data collection is done involuntarily. E g. your website will get crawled by the Web Achieve if you want it or not and it is doing it by using the same method a intended user does.
This cannot be applied to a federated instance where content is voluntarily transfered via the Federation interface. This makes the first data collection operator liable for securing the rights of the data owner and to get a processing agreement with the data processing operator that it transfers data to.
it can't make it impossible. If facebook sold data to amazon, so now amazon has a copy, and then facebook's user asks their data to be deleted, facebook can't just march into amazon's servers and delete the data themselves. The best they can do is send a formal notice to amazon requesting it be deleted, which sounds like what lemmy does. At this point it's up to the federated server if they comply with the law...
Actually that is exactly what the GDPR stipulates. In your example Facebook needs a data processing agreement that ensures that all rights of the data owners are secured and the GDPR is followed. Facebook is liable here, not Amazon - the user must explicitly NOT ask Amazon to delete as the user may not even know where the data went to/should not be bothered to write requests to a huge amount of different data processing locations.
But, @hikaru755 added another interesting point: The Instance may or may not be seen as a single data processing entity that does not voluntarily hands over data to other instances. That could indeed be a reasonable cause as e.g. data scrubbers are not within the sphere of influence of e.g. a service publicly displaying data. But as the whole network is build on interconnected nodes I wouldn't count on it if that reasoning would fly in front of a court. It may. Or it may not.
The originating instance definitely cannot be held responsible for failing to force a separate instance in another country to delete its cached copy of user data imo. I think what is more likely is that EU courts could force European Jimmy instances to only federate with GDPR-compliant instances. (so federation by whitelist rather than blacklist)
This is incorrect if the data transfer was done voluntarily/planned. This also applies to EU data outside the EU - Meta has been fined a 1.2 billion euro for that.
And no, the definitive definition of the data transfer extent is a key point of the GDPR. Each and every data owner has the right to know where their data is stored exactly. So a "EU only" would not be enough - It is basically already mandatory as transfer to other countries is a major problem after Schrems 2.
Add comment