Federated services have always had privacy issues but I expected Lemmy would have the fewest, but it’s visibly worse for privacy than even Reddit.
- Deleted comments remain on the server but hidden to non-admins, the username remains visible
- Deleted account usernames remain visible too
- Anything remains visible on federated servers!
- When you delete your account, media does not get deleted on any server
After reading some more comments, I think I came up with a good analogy to explain this issue, and I wanted to share.
Think of websites like a bar that also has an open mic.
Now, when I go to a bar, I don’t want to have to give the bouncers and staff my full name as well as my address. I also wouldn’t want them to know that I just came, for example, from a store where I was looking for a vacuum, and then have them warn a vacuum seller about it. A vacuum seller who is then going to sit next to me, while I’m trying to have a drink, and show me a pamphlet regarding the “amazing vacuum” he has for sale.
Ideally, I can also look for a bar that will allow me to come in costumed and not show my face. Or I could ask the bar to delete footage of me at some point, and to not store my ID if I do have to show it to a bouncer at the entrance.
All of that is relatively feasible and within the realm of reason; and all of that are things that privacy advocates might advocate for.
However, what is not feasible, or within the real of reason, or what privacy advocates tend to advocate for, is the ability for me to willingly go up on stage, say something on the mic which I immediately regret, and then ask everyone present to forget it ever happened and delete any footage they might have of it. No reasonable person would ask for something like that, because it is not a reasonable request.
That is how regular websites work. With federated websites, that becomes enhanced; it’s like if the bar you’re in has a camera pointed at the microphone, and transmits both video and audio directly into several other bars. So when you go up to that mic, you better make sure you’re okay with what you are saying being made public and available to anyone.
Allow me to pick your example apart a bit.
That’s not what is demanded. No one demands that the audience (users) forget what I said (the comment), much less: immediately. No one is asking for mind-erasing power or the ability to remove screenshots from other people’s client devices.
Now, that is where the actual demands come into play: As you pointed out, it is reasonable to demand that the bar deletes any recording of what I said on stage. But the way the footage is shared with the other bars can be regulated via a protocol. In your analogy, it’s like the other bars copy tapes from the original bar and show them at their place. Now, implementing a procedure of “delete that tape, please” is not impossible. In fact, it already works on Mastodon. If a bar doesn’t comply, it simply wont get any tapes from the other bars (it gets defederated).
AFAIK, there is already such a feature planned on github. Which is great. But that is exactly the reason why these things need to be brought up and “privacy realism” is counterproductive.
Well, that why it is an analogy; the forgetting is equivalent to erasing from someone else’s storage. You have no real control over it. Other people can say they do, but you don’t know that. And that is what is being demanded - right now I can already “delete” my comments and Beehaw will indicate to other instances that it was deleted, but it can’t control whether they do it, and it has no way to know if they really deleted something or just hid it from public view.
Differentiating between a client and a provider becomes extra tricky when you remember everyone can start up their own instance and still be essentially just a client - and, I think this is also worth mentioning, people can create their own backends that also federate using ActivityPub, but which are not open-source, and you’ll have no idea what goes on in their servers. In the bar analogy, this would be people watching a stream of the mic at home, or other places, other than bars with the same set-up, streaming and recording what goes on in that bar.
Also, if no one is demanding that things be deleted from client devices, then logically nothing should stop someone from sharing it with other people/clients. And if you believe otherwise, then as example: what if someone posts a comment, I reply, and then they edit it to put me in a bad light? Is it an invasion of privacy for me to show what it said previously?
This is not a privacy issue; you cannot demand privacy for something you shared willingly and publicly.
Respectfully, I find it more counterproductive, and even harmful, to encourage and spread the idea that people should have any expectation of privacy regarding things they have shared publicly.
With all due respect: I think your analogy made a strawman of what was originally demanded.
Originally, several less-than-ideal “privacy” (or whatever you call it) issues were pointed out.
No one demanded perfect privacy like with E2EE messengers, but rather: sensible protocol implementation of deletions.
No one is demanding that people shouldn’t be able to scrape stuff from the internet.
Still: There is a possibility of doing everything in your power to delete stuff that’s supposed to be deleted when you’re a developer.
And they actually do implement this stuff. That is why it is important to point these things out! The squeaky wheel gets the grease, as they say. Or is this issue counterproductive too, because it gives people the illusion that you can delete things on the internet?
If you think that “privacy” is the wrong term: granted. But sensible deletion protocols are not too much to ask for.
Well, that is in a nutshell what I am arguing. I’m not inherently against the ability to delete things, as it can be quite useful as a quick means to say “I take this back”, or “this information I shared is wrong, so I’m removing it” (although in that case I would opt to use an edit). Even “I’m embarrassed about this, so I don’t want more people to look at it” is a good enough reason that I would respect, and for which I would delete the thing if it was in my possession. Essentially, I just don’t think it should be treated as a privacy issue, because that might give a lot of people the wrong idea.
Ok, so I guess it’s a semantics issue then.
Thank you for a more productive conversation than any of the one I’ve had on twitter. Take care.
Wholesome award 🐻
web content is different from in-person content in the same way picking a lock in person is different from hacking hundreds of thousands of websites.
it’s muuuuuch easier to save a comment forever, compared to an off-hand comment at a bar you weren’t recording to start.
privacy is something no legal system was prepared for understanding, let alone digital privacy or authorship/IP.