Sensationalist title yes, but this is something that is partially true.
TLDR; I am not spreading FUD. This space can be more safe than many, for the privacy aspect it was actually designed to maintain, which is the complete opposite privacy principle to where most new people are coming from. A monolith platform provides a measure of control over how public your engagement is while leaving you open to being tracked; open federated protects you from being tracked with a cost of having less control over how public your engagement is (and will remain). Some people do not understand this and will change the way they engage if they understand.
There is a lot of misinformation I am seeing (or at least glossed over information) that will potentially lead the less informed to peril. I am hoping to provide clarity and maybe shift the attitude of some of the more technical among the community. Not everyone is educated in the same domains, and not everyone will grasp some of these concepts easily.
Every thread started along the lines of "Discovered X in Lemmy is not private" is followed up with a comment "Eh, not really an issue. And I reviewed the code myself, an account deletion removes everything from the db". I push my glasses up: "Ackchyually, that isn't really true in practice. If defederation happens, or otherwise disconnected, (which always will happen in some capacity) a copy will remain in Lemmiverse, forever". This is followed up with "well duh, that is how federation works, and everything you post on the internet is copied and there forever. It is no different than a scrape or a screenshot".
There are nuanced but very important distinctions to a scrape or screenshot and a federated, distributed, indexed copy. Those distinctions will change the way many engage with the platform.
Most people are not having screenshots taken of every post they make, when they make them. Most don't have to be concerned with wildly compromising material tanking their run for office. It takes a high degree of intent and effort for someone to go to external, and unauthorized sources of duplication. It may not be a complete profile history. Most archives are not going to be indexed and easily searchable on mainstream search engines. Unauthorized archives can get sued into oblivion or otherwise disappear.
Not everyone is able to grasp a platform that acts kind of like a single entity but is not a single entity, especially if they are a refugee from a monolith platform. Many just see it as a single entity initially and when they see "removed from the db" they will assume any such action means platform wide.
A federated copy is automatic and effectively instant by design. A federated copy will be a complete profile. A federated copy will show up in federated searches. A federated copy could end up readily showing up in external indexes. A federated copy may have engagement the user isn't notified of. A user on an instance where defederation has happened may easily come across an entire profile history in a frozen state. Attention can be brought to content that the user desires censored because it will say "edited" or "deleted by user X" and a SnoopyJerkison could just switch to an instance account that has a copy with two clicks in the official app.
I have made an informed decision on how I will engage by recognizing this. I've accepted the folks my local are always going to see my spelling as impecab... impeccibahh... very good, while some other local may see me as the philistine that I am before an edit. I will inevitably doxx myself in some way but it might be nice to have a stalker. It's just me and the damn dog on our private fiberglass island here and she isn't much of a conversationalist. I am in a place in life where I'm pretty comfortable with myself and have no problem walking around here with no pants on. Not sure why I recently got onto using pant idioms at every opportunity, but I have accepted that if it follows me around with folks replying, "I know you, you're that guy with no pants!", I won't be able to go back and remove the sources of the reference platform wide.
I've made comments I cringe a little at. Entirely benign and nothing I'm losing sleep over, but in haste they were not expressed in my usual voice nor really contributed to the discussion. If I had hesitated longer I would not have responded. Point being: I'm the one ringing alarm bells about this and I am still having to remind myself of the nature of federation.
Some people may not be comfortable with this, or could become less comfortable later. They should not be led to believe that it is a simple matter of "the internet doesn't forget, but you can delete it from the platform" and understand they need to be very cognizant and thoughtful in how they engage because federation is very unforgiving and really doesn't forget. This is a feature, not a bug. At its core, federation is balancing many goals. From censorship resistance, community safety, to privacy. It can actually provide an extreme level of privacy. But people will make mistakes, that will remain here, right in their face, if they aren't extra careful. It won't be in some dark archive. It won't be in a screenshot never taken and never posted. The reminder of an accidental slip up will be here to perpetually haunt them. They will leave (likely traumatized by it for years to come).
A federated copy will have the perception of being more legitimate, true or not. The common, non-technical, person won't understand if they find something you post hosted on a site you are ideologically opposed to, which it will be. Imagine my embarrassment at the next Pantless-Meeting-Pantless event when I get stopped at the door and shown the posts they believe I have actively made on "never-nude.social". "But... but... federation!". "Ok Captain Kirk. Here's your pants. Now scram!"
Some want to have assurance they can remove content platform wide for other reasons. Revoking support for a platform is one that seems to be in vogue right now. I've seen posts like "that site we hate is restoring our retracted posts!". But I've seen cases right here on Lemmy where a user has censored all their content, only to come across that same content on other widely used instances completely intact.
This loss of edit access happens fast. Every user at this local will be aware of the high profile cases of defederation. This is a feature by design, and one you can expect more of I suspect. There are also simply errors in federation at times. I've lost access to copies on a popular instance the second I posted them.
Maybe this will change. It will be a monumental challenge. And it isn't the case now. Users have to fully understand this.
"So what, screw the normies. Let them find out the hard way. It's getting too crowded here anyway. Like you pantless sinnerdotbin! Git outta here if you don't like it here in the wwwild-wild-west".
Yet another aspect some are failing to recognize: many of the instances exist in places where they do take privacy very seriously. There are laws about disclosing collection, use and retention of data. One day you may visit your trusty local and you may find a blank page with a single statement: "I keep having very expensive embodied suits appear on my doorstep holding crisp manilla envelopes. I may be breaking the law. I am shuttering immediately". Hope I didn't want a reputation of wearing buttless-chaps instead of no pants 'cause I ain't got access to modify any of it now.
I've seen admins advising others to block EU in their firewall because they are aware of this liability and the lack of a privacy policy. That is a big part of the world that will have limited contribution to this movement.
Policies go a long way to establish user trust. I have gained a high level of confidence in some admins. They are competent, capable, and thoughtful about their users. People have been investigating hardening beyond what I would expect from any admin. They could showcase this level of care and intent by explaining it in their policies.
Privacy policy frameworks can also help new admins navigate responsibilities that keep their users, and the wider platform, safe.
Don't hand wave this aspect away with "don't post anything you don't want public on the internet". This is a totally different beast. Educate those not as fortunate as you to understand how this actually works. It is designed for your actual traceable information to be kept safe by the gatekeepers, the admins. Users must be highly aware: everything else you do here is public in a way you may never have experienced before.
Don't hand wave the concern about post/profile/vote/message privacy, explain how the privacy goal is different here and how one might mitigate the aspects they are not comfortable with.
I have started a project where I intend to provide basic policy frameworks that one might use as a point of reference and I would very much like further input on it.
https://github.com/BanzooIO/federated_policies_and_tos/
These policies are going to be terrifying for the uninitiated. I have drafted an optional privacy policy preface that may help admins express the clear distinctions between their responsibility, their users' responsibility, and the actual real privacy goals in this emerging space.
https://github.com/BanzooIO/federated_policies_and_tos/blob/main/optional-privacy-policy-intro.md
- End transmission, engage pantalon. Zip
That was an incredibly comprehensive, well articulated, and dare I say, exhaustive essay on some important issues you raised. On top of that, creating sample documents is next level.
Privacy
I don't think the word "privacy" is a good word for the concept. I believe "user data control" or "right to be forgotten" is more appropriate for the "deletion issue". However, there are few privacy issues such as instance admins having access to private messages and the potential for a hack to expose users' e-mail addresses and usernames.
I believe you are 100% correct that we need to do much better at communicating exactly who has access to their data and what (if any) control they have over that data once it is federated. I don't believe we will ever have a guaranteed federated delete, and we need to make that crystal clear so users can proceed accordingly.
Legal
Running a self-hosted service is one thing, but running a public service raises a myriad of legal issues. In the US, children under 13 must not be allowed to have accounts (COPPA). CSAM (child pornography) is another problem that can expose admins to serious repercussions. In the US, it is not enough to delete it, it must be reported to the NCMEC. Federation will make this especially treacherous. Other issues such as criminal investigations, subpoenas, and possibly even national security letters are not a matter of "if" but "when" they will occur.
If Lemmy continues to grow, instance admins will need to be prepared for these issues. I would suggest that the public instance admins reach out to an organization like the EFF who has experience dealing with these issues. If not, I'm afraid a high profile incident may be all it takes to kill it.
This has been debated, and is very dependent on the context. It is a very broad concept to try to address and the lines do get blurred on the definition of what is "private data". The hope here is to partition the responsibilities of the admin from the user.
The whole CSAM issue is why I'd never personally run an instance, nor any other kind of server that allows users to upload content. It's an issue I have no desire to have to deal with moderating nor the legal risks of the content even existing on a server I control.
While I'd like to hope that law enforcement would be reasonable and understand "oh, you're just some small time host, just delete that stuff and you're good", my opinion on law enforcement is in the gutter. I wouldn't trust law enforcement not to throw the book at me if someone did upload illegal content (or if I didn't handle it correctly). Safest to let someone else deal with that risk.
And even if you can win some case in court, just having to go to court can be ludicrously expensive and risk high impact negative press.
Praise your local admins! And help them out by petitioning them to study their local laws and come up with proper policy and TOS statements.