Title says it. Apparently lemmy devs are not concerned with such worldly matters as privacy, or respecting international privacy laws.

  • kglitch@kglitch.social
    7 upvotes · 11 months ago

    OP is simply incorrect.

    I’m coding a Lemmy alternative right now and have been testing this functionality out extensively. Deletes of posts and comments certainly federate, I’ve seen the AP traffic to make it happen. Also, the docs: https://join-lemmy.org/docs/contributors/05-federation.html#delete-post-or-comment

    I haven’t tested what happens when the ‘delete account’ button is clicked… Mastodon solves this by sending a ‘delete this user’ Activity to every fediverse instance so there’s nothing about ActivityPub that makes removing an account and all its posts in one go impossible.
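Added example, not part of the comment above and not Lemmy's own code: a sketch of how a receiving instance could apply a federated `Delete` to its cached copy, and what happens on an instance the activity never reaches. It assumes the activity's HTTP signature was already verified for `actor` and covers author-initiated deletes only; `handle_delete`, the dict-based cache and the `*.example` IRIs are hypothetical, and the sample activities are constructed.

```python
from urllib.parse import urlparse

PUBLIC = "https://www.w3.org/ns/activitystreams#Public"

def origin(iri):
    """Scheme and host of an IRI, used for the same-origin check."""
    u = urlparse(iri)
    return (u.scheme, u.netloc.lower())

def handle_delete(activity, cache):
    """Apply an incoming Delete to a local cache (dict keyed by object id)."""
    if activity.get("type") != "Delete":
        return "ignored: not a Delete"
    actor, obj = activity.get("actor"), activity.get("object")
    # The object may be a bare IRI or an embedded object carrying an id.
    obj_id = obj.get("id") if isinstance(obj, dict) else obj
    if not isinstance(actor, str) or not isinstance(obj_id, str):
        return "rejected: malformed"
    # An actor on one server must not be able to delete another server's object.
    if origin(actor) != origin(obj_id):
        return "rejected: cross-origin delete"
    entry = cache.get(obj_id)
    if entry is None:
        return "ignored: not cached"
    if entry.get("attributedTo") != actor:
        return "rejected: actor is not the author"
    # Keep a Tombstone so a late re-delivery of the post is not re-created.
    cache[obj_id] = {"type": "Tombstone", "id": obj_id,
                     "formerType": entry["type"]}
    return "deleted"

# Constructed sample data (hypothetical instances and users).
NOTE = {"type": "Note", "id": "https://home.example/comment/42",
        "attributedTo": "https://home.example/u/alice", "content": "hello"}
DELETE = {"id": "https://home.example/activities/delete/1", "type": "Delete",
          "actor": "https://home.example/u/alice", "to": [PUBLIC],
          "object": "https://home.example/comment/42"}
FORGED = dict(DELETE, actor="https://other.example/u/mallory")

def demo():
    reached = {NOTE["id"]: dict(NOTE)}  # instance that received the Delete
    missed = {NOTE["id"]: dict(NOTE)}   # instance the Delete never reached
    results = [handle_delete(FORGED, reached), handle_delete(DELETE, reached)]
    return results, reached[NOTE["id"]]["type"], missed[NOTE["id"]]["type"]

if __name__ == "__main__":
    print(demo())
```

The instance that never receives the activity still holds the original `Note`, which is the gap the rest of the thread argues about.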

  • 0xtero@kbin.social
    2 upvotes · 11 months ago

    Effect of ActivityPub, not Lemmy. All federating systems function similarly, because it’s a feature of the protocol.
    If instances want, they can ignore delete requests and your content stays in their cache forever (remember Pleroma nazis from a couple of years ago?) - now, that is an instance problem that might be a GDPR issue, but good luck reporting it to anyone who cares. At best you can block and defederate, but that doesn’t mean your posts are removed.

    The fediverse has no privacy, it’s “public Internet”. Probably a good idea to treat it as such.

  • lily33@lemm.ee
    English · 1 upvote · edited · 11 months ago

    I don’t know where this myth came from, but you don’t have a right to erase your public posts from the internet under GDPR. See, for example, https://law.stackexchange.com/questions/32361/does-a-user-have-the-right-to-request-their-forum-posts-deleted

    If anything, you might have such rights under copyright law, if your posts cover the threshold for copyright. In that case, you can ask server admins to delete them, and they will have to comply. But the request has to reach them (if they’re defederated, the delete button won’t reach them, and you’ll have to contact them separately).

  • XYZinferno@lemmy.basedcount.com
    English · 1 upvote · 11 months ago

    To my knowledge, these privacy laws prevent corporations from holding onto your data after you have requested to delete it. Lemmy is not a corporation, and there is no single entity that holds onto all of your data. That’s just a tradeoff of being decentralized.

  • Jears@social.jears.at
    English · 1 upvote · 11 months ago

    Well it is pretty much impossible to delete anything on any federated service. It is technically just not possible without opening a whole other world of problems.

    I always like to think of the fediverse in some way like emails. If you send an E-Mail, the moment it leaves your mail providers server it is pretty much impossible to stop.

    Basically think before you post. The internet never forgets, the fediverse especially so.

  • originalucifer@moist.catsweat.com
    3 upvotes, 2 downvotes · 11 months ago

    seems weird this expectation of privacy on public sites built for public consumption of public content posted by people publicly.

    i mean, i get wanting to control your data. the software i use allows for this ( the 'bins offer a user-level purge).

    but privacy? seems weird

    • Snot Flickerman@lemmy.blahaj.zone
      English · 1 upvote, 1 downvote · 11 months ago

      I mean, to have a Lemmy account you already decided to put your trust in total strangers with questionable security credentials.

        • Snot Flickerman@lemmy.blahaj.zone
          English · 1 upvote · edited · 11 months ago

          Mastodon works the same way, all ActivityPub services work the same way.

          By being Federated that means data is being sent to remote servers. Sometimes that data doesn’t always make it, like a delete request. So someone on their own home-server deletes their post, but on some remote server where that post they made is cached, it’s not deleted, because the delete request never federated. For example, say you made a post on your own box, which you clearly have, and you delete a post, but it doesn’t get deleted over on say, Lemmy.world. That’s not purposeful, that’s something the developers are also trying to fix, so I think it’s disingenuous to say they don’t care.

          This is literally a consequence of how federation works. It’s not a purposeful violation of GDPR.

  • burgersc12@sh.itjust.works
    English · 0 upvotes · 11 months ago

    Oh no, that’s not even the half of it. The admin for your instance has access to literally anything on their server, including passwords afaik. If you want privacy, this ain’t it chief.

    • Snot Flickerman@lemmy.blahaj.zone
      English · 0 upvotes · 11 months ago

      including passwords afaik

      Nobody has access to passwords. They have access to password hashes, which are not the same thing. It would be the absolute most half baked of solutions to still be saving passwords in cleartext.

      • acausal_masochist@awful.systems
        English · 1 upvote · 11 months ago

        Which isn’t to say it doesn’t happen. I still occasionally get my password emailed back to me from small handbuilt websites. Which is part of why you should at the very least never use the same password twice.

  • Skull giver@popplesburger.hilciferous.nl
    English · 1 upvote, 1 downvote · 11 months ago

    Yeah, the Fediverse is terrible for privacy. By design, I should add.

    I’m pretty sure running a Lemmy server (or Mastodon server) in Europe in blacklist federation mode is illegal, as you’re exchanging data with external processors without any kind of validation about privacy arrangements. No DPAs, no competency decisions taken into account, data shared all over the world.

    Lemmy lacks proper delete functionality (you can edit to replace the contents with an empty string, though). In theory you could exercise your rights and demand that the administrator deletes all your PII, and instructs any data processors that PII was shared with to do the same. If they do not or cannot comply, that should be grounds for a complaint with your local DPA.

    I’m not aware of any international privacy law, but this is going to be A Thing now that Meta and Tumblr and Foursquare are joining the Fediverse. My guess is that they’ll consult at least one DPA (probably the Irish one, they’re usually located there for tax reasons) for guidelines. I wouldn’t be surprised if they severely restrict Fediverse activity within EU/EEA borders because of privacy laws.

    Even more interesting will be what would happen if a user sued the instance admins of a European server that’s more than just a person. Several Fediverse instances are backed by organisations, which means they need to comply with the terms of the GDPR if they operate within Europe, and the way the open Fediverse operates just isn’t compatible.

    This is one of the reasons I don’t see the Fediverse lasting long. Unless you add some kind of validation system to verify that you’re exchanging data within certain borders, the entire system as it stands simply cannot be run legally by anything bigger than private individuals.

    However, it’s important to note that privacy law generally only applies to PII. Your works (blog posts, comments, etc.) are probably not covered by privacy laws. Your username probably is, though.

    I think the fact there’s a privacy oriented community on Lemmy is pretty hilarious. Of course, privacy is irrelevant if you choose to share information willingly, but the entire protocol is a giant privacy violation.

    As an added bonus: this applies to most other federated protocols as well (Bluesky, Matrix, XMPP, you name it) unless those servers are configured to only communicate with known-compliant servers.

  • JustMy2c@lemm.ee
    English · 1 upvote, 1 downvote · 11 months ago

    Very bad indeed! This is the beginning of the end for lemmy.

    Ps for those who don’t know, copying a deleted comment makes it appear in your pastbin

  • Snot Flickerman@lemmy.blahaj.zone
    English · 0 upvotes, 1 downvote · edited · 11 months ago

    That’s a pretty uncharitable interpretation, especially considering Lemmy is developed in and funded in part by the EU, and the “staying online forever” thing is a consequence of Federation (and one they’re working on remedying).

    If you were worried about this sort of thing, perhaps you should have done your research about the platform before making an account so you could bitch about it here. You definitely don’t sound like the voice of reason when you couldn’t be arsed to figure this out before you made an account.

    • Excrubulent@slrpnk.net
      English · 0 upvotes · edited · 11 months ago

      So you can’t make an account on this platform if you don’t agree with how it operates? By that logic no criticism of the platform by its users is possible, which is a great way to ensure it never gets better.

      Edit: Let me make this clearer:

      Saying in effect “yet you participate in lemmy” to dismiss the OP’s concerns is ridiculous. If this logic were taken to its endpoint, there would be no valid criticism of anything lemmy ever did.

      Maybe that’s your goal, but I would rather not blindly defend lemmy because I like it. I’d rather make it better, and that starts with criticism.

      • BraveSirZaphod@kbin.social
        0 upvotes, 1 downvote · 11 months ago

        I mean, yes?

        If you do not agree to the terms of a service, do not use the service. This is the case for essentially every system ever. You can go complain about it on Reddit or something if you like.

        • Excrubulent@slrpnk.net
          English · 0 upvotes · 11 months ago

          Okay, since you clearly carefully read and completely agree and support everything in the Lemmy TOS, please tell me where it says it will keep your comments forever.

          • BraveSirZaphod@kbin.social
            0 upvotes, 1 downvote · 11 months ago

            I’m not saying that the terms can’t be more transparent, because they absolutely can be.

            But if you have become aware of this practice and you continue to participate, you have de facto agreed to it. You can of course agree to the terms and continue to criticize them, but you don’t get to sign up for a soccer game and then claim that the rules against using your hands don’t actually apply to you. If you don’t want to face the consequences of how distributed services like this fundamentally work, don’t use them.

  • Silverseren@kbin.social
    0 upvotes, 1 downvote · 11 months ago

    It’s been a problem for a while. Considering major social media companies have already gotten massive fines from the EU for violating the GDPR, maybe the lemmy devs will put more effort in setting up a deletion system once the EU sends them a fine for breaking the law?

    • FaceDeer@kbin.social
      0 upvotes · 11 months ago

      The EU doesn’t have global jurisdiction, if an instance developer or admin has no EU presence then they could just ignore them.

        • FaceDeer@kbin.social
          0 upvotes, 1 downvote · 11 months ago

          “Lemmy” is a piece of software. A piece of software can’t violate the GDPR, it’s just a blob of data. You need to be running a server to do something that would break the GDPR. Those server-running admins are the ones that need to be concerned about their EU presence.

          Maybe some of the people developing Lemmy are in that category and might get in trouble, but it will be because they’re running servers not because they’re developing Lemmy. If they get arrested or whatever it has no effect on Lemmy-the-software.