TLDR: While Fediverse won’t directly serve you ads, anonymous bad actors other than Meta can save, redistribute, and even dox you for any information you post here. Anything you post here can/will remain forever on some malicious instance that doesn’t honor deletion requests. So be careful!
That article is pure FUD. No new discoveries and is made to garner clicks.
This is applicable to every community-based service. Twitter, Facebook, Discord, Forums, etc.
Like every other service, don’t post personal information about yourself online, and you won’t be doxxed.
Of course, you can dox yourself in other text-based sites like Twitter, Reddit.
But, ActivityPub has other applications like PixelFed. If someone doesn’t know about these privacy implications their private pictures can be exposed to even malicious accounts/instances that are not on their followers list. It’s best for everyone to be aware of what they are getting into here.
You should probably stop considering anything you put online to be private…it’s not, ever.
Yeah, I just consider my record public. My username is my actual name. I don’t say shit I wouldn’t want anyone to know about. Simple.
Yes, but there is a reasonable assumption that your pictures will only be viewed by your followers on Instagram. I can’t see myself switching to PixelFed. I’ve completely switched from Reddit and Twitter to Mastodon, Lemmy, as I don’t tend to share my personal information there anyways.
It’s not reasonable, as it’s both public and said followers can just re-up the content elsewhere out of your control. Look at any popular account on any platform, and see how often it gets copied/reuploaded elsewhere.
It is reasonable because I can have a trust basis with my followers who are my friends/family. If a malicious instance host can just use a plugin to view follower-only posts, that’s not going to be expected by an average user. That’s why I posted in YSK.
So, the article isn’t exactly FUD, all the things they say about how posts migrate are true. Once I hit “post” here, these words get sucked into this server, and then get sucked into other Fediverse servers. If you believe in the “right to be forgotten”, then this is indeed a nightmare, since you don’t really know all the places your post goes and can never really be certain you’ve deleted it everywhere, should you want to. And they are right that there is no real “vetting” of any entity here. Anyone can make a server for any reason. In fact, there is no reason to believe that Threads is Meta’s first Fediverse service, they may have been running others to learn about the protocol, hoovering up the data, and we would never know.
But where the article misleads is that the devs understood this, and have structured federation to leak as little information as possible. Your post is public, of course, as is your username. But when your post gets copied to other federated servers, it is not tracking you at all. As I understand it, all the assets of your post get physically copied to the federation server, so key metadata for tracking (like IP address) stay on the source server.
The insidious thing about Facebook isn’t that they let people post publicly, it’s all the tracking that is built in, that sucks in information from your phone or browser that you don’t know you are leaking. The Fediverse is much more transparent about this. It is oversharing precisely the things that participants want to share, and nothing more.
I think the best we can do here is ensure this is outlined in the privacy policy on each instance. I’ve tried to outline how it works, and why it works that way in my privacy policy. But it’s still a bit of a work in progress.
I think the most important thing to stress here is that only data required for federation is shared. We don’t build profiles, we don’t send any other data to any third parties and all the data sent to federated servers is available via a web link to anyone publicly too.
The best we can do for users that want to be forgotten is send the delete request. We cannot force other instances to delete content.
I would argue that’s the case for “big social media” too. Say for example I say to Facebook “Hey, under GDPR provisions I would like you to delete all data you have from my account”. They are obliged to do this. Sure. But what about all the third party advertisers that already have my data through the sharing agreements? Do you think Facebook even tries to remove it from them? Do you think they will do it if they ask?
So, I think that’s kinda synonymous with the federation situation. So long as you make clear how it works, and as long as you make good faith attempts to delete a user’s data on request. I’m not sure there’s more we can be expected to do (and it’s already more than the big companies will do for you).
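The followers-only and delete-request points raised in this thread, as an added sketch that is not part of any comment here and is not Lemmy, Mastodon or PixelFed code: it uses the ActivityStreams vocabulary to show which remote servers end up holding a full copy of a followers-only post, and which copies remain when a server does not honor the `Delete`. The actor URLs, host names and helper names are constructed for illustration.

```python
from urllib.parse import urlparse

AS_CONTEXT = "https://www.w3.org/ns/activitystreams"
PUBLIC = AS_CONTEXT + "#Public"

def make_note(actor, note_id, content, followers_only=True):
    """Build the object that is federated. It carries no client IP or
    browser data; only these fields leave the home server."""
    followers = actor + "/followers"
    return {"@context": AS_CONTEXT, "type": "Note", "id": note_id,
            "attributedTo": actor, "content": content,
            "to": [followers] if followers_only else [PUBLIC],
            "cc": [] if followers_only else [followers]}

def receiving_hosts(note, follower_actors):
    """Remote hosts that store a full copy: every server hosting at least
    one follower. Each one is trusted to enforce 'followers only'."""
    home = urlparse(note["attributedTo"]).hostname
    return sorted({urlparse(f).hostname for f in follower_actors} - {home})

def make_delete(note):
    """Delete activity sent to the same audience as the original post."""
    return {"@context": AS_CONTEXT, "type": "Delete",
            "actor": note["attributedTo"],
            "object": {"type": "Tombstone", "id": note["id"]},
            "to": note["to"], "cc": note["cc"]}

def remaining_copies(hosts, honoring_hosts):
    """Hosts still holding the post after the Delete was delivered."""
    return [h for h in hosts if h not in honoring_hosts]

# Constructed sample data (example domains, hypothetical accounts).
ACTOR = "https://home.example/users/alice"
FOLLOWERS = ["https://a.example/users/x", "https://b.example/users/y",
             "https://b.example/users/z", "https://home.example/users/w"]

if __name__ == "__main__":
    note = make_note(ACTOR, ACTOR + "/notes/1", "family photo")
    hosts = receiving_hosts(note, FOLLOWERS)
    print("copies stored on:", hosts)
    print("delete sent:", make_delete(note)["object"])
    # Assumption: only a.example processes the Delete.
    print("still stored on:", remaining_copies(hosts, {"a.example"}))
```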
Yup, you have a good point with the third party advertisers not following GDPR. And I agree that the privacy policy should be as transparent as possible.
Yep, I just wish at least the major instances outlined this clearly to the users. Fediverse definitely has its merits that outweigh these pitfalls. Everyone should still be aware of this in as transparent a way as possible.