Does the instance owners read your DMs? Does Reddit read your DMs? You never really know.
Jokes on them. I already know what’s in my DMs. /j
Just post everything in public and never have to worry about it in the first place.
deleted by creator
I’m very curious to see how (actual) websites / ways to access this data will change how Lemmy not only deals with this as a potential security issue, but how it will change the culture of Lemmy and they way people interact on here
Obviously I’m concerned with the ramifications as well, but I’m also very intrigued how things will go
I think it would be good to have some kind of a concept of “trust levels” between federated instances where the default level isn’t full trust. Then the amount of information that gets shared depends on the trust level.
Things these days should be designed with the fact that there’s bad actors out there, some driven purely by greed, some driven to specifically cause problems either for individuals (trolls) or society in general (troll farms). And it isn’t always clear who is who.
Yeah, trust is a critical part of socializing
Removed by mod
Yeah your comments on this situation are fascinating!
Just kidding I’m not doing any of this.
Aw, I was looking forward to seeing my profile and having you save me the trouble of compiling some of that data for myself.
I’m not going to out my instance for everyone to know it as the one to defederate.
Should be fairly straightforward to figure out, if I was interested. I’d create an instance of my own and have it present slightly different information to each of the other instances that federate with me, probably creating a different fictional user to send a few votes from to each of them. Then just check to see which of those fictional users shows up in your data and your data-collection instance’s identity is revealed.
Removed by mod
I guess it’ll become a standard feature for every default installation of Lemmy or Kbin to create a random “trap user” (analogous to the fake “trap streets” in maps used to detect whether someone copied them) for each federated partner, then. You’ll have no idea which ones are actually paying attention to who’s harvesting their data, just that everyone potentially could be.
Personally, as I said, I have no particular qualm with a service like this existing. I’d find it handy and if you really think that you’ll be able to sell the data it collects I expect a dozen competitors would spin up immediately to soak up whatever profit potential it had. But I think the advantage lies with those who are trying to spot your “watcher” instances, they’re going to have to federate and subscribe with everyone so they’ll be pretty prominent in the Fediverse.
I think you’d do much better if you dropped the “muahaha, I’m so evil!” Act and just provided the service. There are plenty of Reddit analogues and nobody cares about them.
Lmao I was wondering if this will be the beginning of the new era of karmawhoring in lemmy because now you could figure out your total karma without busting out a calculator.
WefWef already displays point totals, as will many other 3rd party apps I’m sure. It’s also public in Kbin so you can just view your account from there to check your “Reputation” as they call it there.
Thanks for mentioning wefwef. I just installed it in my instance.
That YSK thread from yesterday inspired me to create a new account with an anonymous relay email, instead of my personal email. I’m not sure how much I would’ve actually had to worry about if I kept using my personal email, but I figure it’s better to be safe than sorry.
I also probably could’ve just changed the email in my first account instead of creating a brand new account, but I don’t really know how data is persisted or anything. That was another case of better to be safe than sorry.
Well nothing is stoping you from doing both. It’s not an issue to get another relay email.
This was the first time I personally used a relay email and I’m glad I did. I also made a mastodon account using the same email but I’m curious if I change my mind on that or not. Personally I think you did the right thing just making a whole new account. Chances are you didn’t use the first account long enough for it to matter.
I appreciate the illustration (and even warning) here. I predict things like this will just lead to more people having throwaway accounts. Now instead of just having throwaway accounts for posting shameful stories, you’ll also find people with their “commenting” accounts separate from their “voting” accounts.
The more I see kbin users calling people out for downvoting them, the faster I expect the votes to just become gamed instead of natural. Anything that’s used to draw attention to the way people vote will make this worse.
We’re in the early stages, but as soon as we start seeing communities that ban users based on their voting records, people will just find other ways to obscure things, which will make it even harder for instance admins to address massive misuse of the voting system.
Removed by mod
I think the biggest concern is getting all participating instances to agree on how to handle the issue.
We’ll start to see more fragmentation of the Fediverse as different instance owners have different views on what should be done. But many of the measures to fight this will only work if all participating instances do the same, whether actively, or by using a new version of the federation standard. Some instances may think the way is to be more transparent, while others may think the way is to obscure the votes more. Now you’ll have the “transparent” fediverse and the “obscure” fediverse with fundamental disagreements with each other on the way things work.
It’s interesting times ahead. Personally, I don’t think federation is the simple answer to all our social media woes like some folks around seem to think. There’s a lot that needs to be addressed, which will be uncovered as more companies like Meta try to get in on it.
Removed by mod
Nothing is stopping you. Apart from laws that regulate data collection maybe. IANAL.
Removed by mod
Indeed if it’s not a mage corp then it’s a government. There is no winning here.
Skip gpt4 and go with something else
That’s a fucking cute as hell illustration. I’d wear that
Removed by mod
Man that is so amazingly clean for AI, really scary
Capitalists gonna try and capitalise. I’ve seen lots of people try and create services like this for mastodon.
Great post BTW.
Removed by mod
Was with you until the money point. It’s extremely easy to get this data and there will be many open source versions doing this thing.
But I agree that who upvoted a post shouldn’t be federated.
But I agree that who upvoted a post shouldn’t be federated.
This also surprised me. I wonder is it necessary for technical reasons to prevent repeated upvoting of a submission by the same user?
I’m pretty sure there is no particular reason why it’s done this way. It’s just the easiest method to coomunicate upvotes across different servers. There are already a lot of ideas for doing it differently or more efficient (e.g. vote aggregation) but that requires a more sophisticated architecture:
- Vote aggregation also makes faking votes much more efficient and requires different detection methods. Of course, a spam server can also invent users or votes but it’s a bit more complicated.
- Aggregation in any form can be hard to implement because it should be flexible enough to reduce load but not increase delay or make tracking a consistent state even harder. Finding the right configuration will be difficult and go through a lot of trial and error. Should be easier though now that more people are working on the code.
- Keep in mind that Lemmy should also be able to communicate with other services across the Fediverse like Mastodon via ActivityPub. I’m not sure if there is something in the standard for message aggregation yet. It’s definitely being discussed because Mastodon, Pixelfed and Peertube all have or went thorugh the same growth problems as Lemmy in terms of scaling, spam and security concerns. If there’s a good solution it will likely come through the AP standard.
Removed by mod
I really think Lemmy, Kbin, and Mastodon need to figure out a way to have a default terms of service that ship with their product which forbids using the API to collect data for commercial purposes.
Additionally, there should be a way for users to indicate licensing for individual posts, with a default license instance admins can set.
That way for-profit instances could be forced to filter out posts with licenses that do not allow for-profit use. Honestly, even just a simple check mark “[ ] allow for-profit republication”, and have two licenses that can be attached: one that allows for-profit use and one that does not.
Whoever’s doing this wouldn’t be using Lemmy, Kbin, or Mastodon code. They’d likely write up some custom ActivityPub service that listened in on that protocol. ActivityPub is an open protocol so trying to put some kind of “no profit” restriction on it at this point would be impossible, and having it on there from the start would have killed its adoption.
Lemmy, Kbin, and Mastodon are all currently licensed under the GPL so good luck trying to retroactively put that genie back in the bottle too. The GPL allows for-profit companies to run the code with no further restrictions.
Europe’s got the GDPR, if you really want to try some kind of legal route to counter this, but I don’t think it’s very likely to work well.
Even if this was real, I think it’s irrelevant. If you make a public post, then that’s what that means, it’s public. What happened to the saying that once uploaded to the internet, it’s there forever? I always thought this was common knowledge. To prevent these things, it shouldn’t be possible by design. That’s why in Lemmy and Mastodon, the fact I can click anyone’s username and see their entire post history is insane to me. Why there no option to make that private, and why the hell is it public by default?
The same people crying about possible data scraping are the same ones who see zero issue with all your profile data being completely public to any possible random internet query.
The problem is that it is not immediately clear to a user that their voting history is public as an average user cannot view that information.
Not even that, but that is also a huge glaring issue, but I’m referring that I can click on your username and see every comment/post you made since the beginning of your account. Why is that even possible, why is it default, and why is there no option to disable that?
I assumed on Reddit/Twitter they did it so people can be “influencers” or whatever and people can read their feed as content. I don’t want that in the fedi.
Every single thing you do here is visible to absolutely everyone. By the very nature of how the fediverse works, where everyone can set up a server and participate, there is no way around it.
What you can do to mitigate, if you really feel it is a problem, is to have multiple accounts for different communities. This will limit how much of a profile other users can build on you.
You could also rotate accounts over time, and create new ones every month, for example.
How I think it should be is that for Lemmy for example, is that when ActivityPub queries a thread, it should only find replies that way. If querying a user profile, only basic information should be returned that the user set. Their post/comment history shouldn’t be visible from their profile, only the threads they’re commenting on. Maybe let them see the profile comment/posts if they’re following you.
People are blowing my mind right now at how ridiculous they are being. The fediverse is an open system that shares information with any server that connects to it. This system cannot work if the information is not shared.
Even if it didn’t, that would be trivial for anyone to do with the API. If you’re saying things you don’t want people to know you said, don’t use your name. Posting public, discoverable content is the entire point of Lemmy. Hiding what you’re doing wouldn’t solve the problem.
Definitely not trivial, you’d have to crawl every single post and every comment to build up profile data on a person. That’s significantly more effort then just pulling an entire post history from a single API call from a user. You’d also be bound to miss data. But I also think posts should have the option to expire, like auto delete this comment or thread after X amount of time, with the option of leaving things be permanent. Who is it really benefiting by making posts stay indefinitely? Mastodon has that feature and it’d be nice to see on Lemmy.
Auto-deleting posts has the problem of destroying any future benefit. In my opinion, the greatest benefit of Reddit is the ability for the public to find answers to niche questions but sharing discussions. Every single person with a problem for looking for an opinion, doesn’t have to find relevant people to ask anew for an answer.
Again, if someone wants to have a private discussion that people can’t just look up, I question why they would Lemmy at all. Something like Matrix or Signal is far more suited to that goal.
Have you thought maybe people don’t want that? Yeah I don’t care about that, I want my privacy and stuff to auto delete, not to be publicly archived forever.
Hiding what you did would only make people think it’s private, giving a false sense of privacy, as it’s obviously visible via the API, and anyone could fetch your whole profile history anyways. Then we would have posts about: “YSK: Your posts and comment history is not private”
I’m a data nerd even though I’m still noob so this sounds amazing
Nope, it’s an absolute nightmare. The post basically outlines how you could feasibly exploit data across a majority of the Lemmy network without much effort at all.
With a bit more effort you could also link the Lemmy accounts to the users email, as becoming an admin is as simple as hosting your own instance and getting users to join.
Boom you have a business case of profiling people on Lemmy and selling those profiles to advertisers, stalkers and perverts alike.
Removed by mod