Federated services have always had privacy issues but I expected Lemmy would have the fewest, but it’s visibly worse for privacy than even Reddit.
- Deleted comments remain on the server but hidden to non-admins, the username remains visible
- Deleted account usernames remain visible too
- Anything remains visible on federated servers!
- When you delete your account, media does not get deleted on any server
After reading some more comments, I think I came up with a good analogy to explain this issue, and I wanted to share.
Think of websites like a bar that also has an open mic.
Now, when I go to a bar, I don’t want to have to give the bouncers and staff my full name as well as my address. I also wouldn’t want them to know that I just came, for example, from a store where I was looking for a vacuum, and then have them warn a vacuum seller about it. A vacuum seller who is then going to sit next to me, while I’m trying to have a drink, and show me a pamphlet regarding the “amazing vacuum” he has for sale.
Ideally, I can also look for a bar that will allow me to come in costumed and not show my face. Or I could ask the bar to delete footage of me at some point, and to not store my ID if I do have to show it to a bouncer at the entrance.
All of that is relatively feasible and within the realm of reason; and all of that are things that privacy advocates might advocate for.
However, what is not feasible, or within the realm of reason, or what privacy advocates tend to advocate for, is the ability for me to willingly go up on stage, say something on the mic which I immediately regret, and then ask everyone present to forget it ever happened and delete any footage they might have of it. No reasonable person would ask for something like that, because it is not a reasonable request.
That is how regular websites work. With federated websites, that becomes enhanced; it’s like if the bar you’re in has a camera pointed at the microphone, and transmits both video and audio directly into several other bars. So when you go up to that mic, you better make sure you’re okay with what you are saying being made public and available to anyone.
Allow me to pick your example apart a bit.
However, what is not feasible, or within the realm of reason, or what privacy advocates tend to advocate for, is the ability for me to willingly go up on stage, say something on the mic which I immediately regret, and then ask everyone present to forget it ever happened and delete any footage they might have of it. No reasonable person would ask for something like that, because it is not a reasonable request.
That’s not what is demanded. No one demands that the audience (users) forget what I said (the comment), much less: immediately. No one is asking for mind-erasing power or the ability to remove screenshots from other people’s client devices.
With federated websites, that becomes enhanced; it’s like if the bar you’re in has a camera pointed at the microphone, and transmits both video and audio directly into several other bars.
Now, that is where the actual demands come into play: As you pointed out, it is reasonable to demand that the bar deletes any recording of what I said on stage. But the way the footage is shared with the other bars can be regulated via a protocol. In your analogy, it’s like the other bars copy tapes from the original bar and show them at their place. Now, implementing a procedure of “delete that tape, please” is not impossible. In fact, it already works on Mastodon. If a bar doesn’t comply, it simply wont get any tapes from the other bars (it gets defederated).
AFAIK, there is already such a feature planned on github. Which is great. But that is exactly the reason why these things need to be brought up and “privacy realism” is counterproductive.
That’s not what is demanded. No one demands that the audience (users) forget what I said (the comment), much less: immediately. No one is asking for mind-erasing power or the ability to remove screenshots from other people’s client devices.
Well, that why it is an analogy; the forgetting is equivalent to erasing from someone else’s storage. You have no real control over it. Other people can say they do, but you don’t know that. And that is what is being demanded - right now I can already “delete” my comments and Beehaw will indicate to other instances that it was deleted, but it can’t control whether they do it, and it has no way to know if they really deleted something or just hid it from public view.
Differentiating between a client and a provider becomes extra tricky when you remember everyone can start up their own instance and still be essentially just a client - and, I think this is also worth mentioning, people can create their own backends that also federate using ActivityPub, but which are not open-source, and you’ll have no idea what goes on in their servers. In the bar analogy, this would be people watching a stream of the mic at home; or another place, other than a bar with the same set-up, streaming and recording what goes on in that bar.
Also, if no one is demanding that things be deleted from client devices, then logically nothing should stop someone from sharing it with other people/clients. And if you believe otherwise, then as example: what if someone posts a comment, I reply, and then they edit it to put me in a bad light? Is it an invasion of privacy for me to show what it said previously?
This is not a privacy issue; you cannot demand privacy for something you shared willingly and publicly.
Respectfully, I find it more counterproductive, and even harmful, to encourage and spread the idea that people should have any expectation of privacy regarding things they have shared publicly.
With all due respect: I think your analogy made a strawman of what was originally demanded.
Originally, several less-than-ideal “privacy” (or whatever you call it) issues were pointed out.
No one demanded perfect privacy like with E2EE messengers, but rather: sensible protocol implementation of deletions.
No one is demanding that people shouldn’t be able to scrape stuff from the internet.
Still: There is a possibility of doing everything in your power to delete stuff that’s supposed to be deleted when you’re a developer.
And they actually do implement this stuff. That is why it is important to point these things out! The squeaky wheel gets the grease, as they say. Or is this issue counterproductive too, because it gives people the illusion that you can delete things on the internet?
If you think that “privacy” is the wrong term: granted. But sensible deletion protocols are not too much to ask for.
If you think that “privacy” is the wrong term: granted. But sensible deletion protocols are not too much to ask for.
Well, that is in a nutshell what I am arguing. I’m not inherently against the ability to delete things, as it can be quite useful as a quick means to say “I take this back”, or “this information I shared is wrong, so I’m removing it” (although in that case I would opt to use an edit). Even “I’m embarrassed about this, so I don’t want more people to look at it” is a good enough reason that I would respect, and for which I would delete the thing if it was in my possession. Essentially, I just don’t think it should be treated as a privacy issue, because that might give a lot of people the wrong idea.
Ok, so I guess it’s a semantics issue then.
Thank you for a more productive conversation than any of the ones I’ve had on twitter. Take care.
I understand the impulse but the way some people get so hung up on trying to make a way to permanently and universally delete posts made on public facing social media and framing it as a “privacy” issue feels kinda like saying something you regret on mic at a town hall and being mad that you can’t permanently delete the memory of it from the minds of everyone present, and claiming that they violated your privacy by remembering it
That’s a strawman. No one demands mind-altering powers. Records to be deleted: that’s another story.
Being able to delete tweets doesn’t stop people from screengrabbing them. It’s still good that the option exists.
I find all the “privacy isn’t possible on the clearnet, lol” Commets quite troubling. Yes, the internet doesn’t forget and we should always behave on the internet as if our moms could read it.
But that kind of “privacy realism” fosters an additude that doesn’t care about privacy at all; no matter how it could be improved (even if it’s never perfect). Just because anyone on the street can follow me home and therefore can find my home address, I’m not carrying a sign with my address when going to a protest.
According to this comment, privacy is worse than with mastodon. And while data always can be scraped, it still isn’t too much to ask to properly federate deletions.
Yes, the internet is a public place and reddit is bad and you might not like raddle, but come on, people. Have you all given up on improving things already? And do only tech-savvy people with the knowledge and resources to run their own servers have a right to privacy on the internet?
That’s a non issue. You just cannot expect to be able to delete anything you post on the internet. Even the great reddit with the awesome deletion feature cannot help you. You might be able to delete your comment there, but there is https://www.unddit.com/ https://archive.is/ https://web.archive.org/ and many others, where your comment will still be available.
Eh. Often times I want to delete it particularly on reddit or some other place. Just so that it doesn’t hang on my profile
Well, reddit doesn’t actually allow you to delete things anymore, so tough luck.
Do you think about Reddit “undeleting” posts? The reason for this is that your posts in privated subs make them disappear from your profile. So when they go public again, they are there.
I switch accounts after some time and use other ones. It’s quiet okay this way
The same is true for raddle. They kid themselves if they think anyone can’t record anything in there forever.
Anyway it’s also inaccurate. Deleted accounts are purged from the DB, so they’re definitelly not visible anymore
Likewise you you edit your comment, it’s edited in the DB.
This is assuming your local is still federated. If your local gets defederated you currently have no control over any previously federated copies of your posts / comments / votes.
And it also assumes, no one made a screenshot or used the web archive, crawled it and stored it in their own DB or any other way of copying stuff. Of course!
If you post any thing publicly on the internet, there is no way to be 100% sure it can be ever deleted again.
That isn’t what I am speaking to, and the fact someone could make a copy or it is archived somewhere doesn’t make the statement that you can always remove your data from the platform true. And there is a difference between a potential copy and an original federated, distributed, and indexed version. There are also reasons someone might want to remove their data other than simply being worried about the actual content of it.
People need to be aware of the persistence of data, but people also have to understand the technology they are using to make their own informed decisions on how they engage.
People need to be aware of the persistence of data, but people also have to understand the technology they are using to make their own informed decisions on how they engage.
Exactly. Federation as well as the internet has restrictions in whether you can deleted your data. This should be known. Non federated data has the same problem, but the other way around. Someone running the site wants your stuff gone? It is now.
I know, what you are talking about, but there are things one has to accept, this being one of them.
the fact someone could make a copy or it is archived somewhere doesn’t make the statement that you can always remove your data from the platform true.
Why would someone think that?
And there is a difference between a potential copy and an original federated, distributed, and indexed version.
What is this difference? What do you think happens more often, screenshotting weird/compromizing stuff someone said or defederation?
But there can be a way around All that and that is deleting all Content from defederated sources. Maybe someone could make an issue or implemented it themselves…
