Hi all, I’m pretty new to the fediverse and have tried learning about the way it works. I have tried finding some information in vain, so I have ended up mostly reasoning about it by drawing parallels with other non-federated systems, but I feel it’s not accurate.

I am trying to understand three things:

  1. What information does the instance(s) have on their users?
  2. What information can users get on other users?
  3. What information can the infrastructure providers get on users of the fediverse?

To answer (1), I am guessing the admins of the instances have access to the typical metadata relating to the device from which a user accesses (IP address, device info, app/browser).

Regarding (2), it’s not as clear. As of yet, it seems it is only possible to look at posts and comments and creation date. It doesn’t seem possible to get a list of subscribed communities nor email address used for registration (when applicable).

Now I wonder if the instances do have all lists of subscribed communities? I’m guessing yes. What about private messages, are they end to end encrypted and inaccessible to the fediverse?

And finally, what do the internet infrastructure providers have access to? All the same information as the instance admins/mods? More? Less?

Thank you for helping me weed through this new environment and learn about the fediverse.

Also, if you have some best practices on how to mindfully navigate in the fediverse with privacy in mind, please share, I would be grateful.

1 point

Thank you for all your answers, they were very informative. Yes, in the end, it is a social network, it is normal that all activity is public. There also seems to be some trust involved when choosing an instance on which to create an account. And eventually, as one accesses other instances, the private information propagates.

From what I understand, it’s also up to the instance to allow account creation with/without email. They also need to fight bots so most seem to require it.

The PM being public is a bit of a surprise and yes there is a warning at least.

4 points

Also beware that for any web/app client that auto-retrieves the image links in a post/comment/message, the other person can put a tracker that can retrieve your IP address, and possibly your browser/other info as well. VPN/Tor would prevent this.

It’s like your email client not retrieving the images automatically to prevent the spammers from getting any info about your interactions with the spam emails.

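The defence described in the comment above (a client that does not fetch embedded images automatically), as an added example that is not part of the original thread or of any Lemmy client: it rewrites Markdown image embeds that point at hosts outside a trusted list into plain links, so no request is made until the reader clicks. The function name, the trusted-host list and the sample post are assumptions constructed for illustration.

```javascript
// Added example: neutralise auto-loading remote images in a Markdown post body.
// Hypothetical helper, not taken from any Lemmy/Mastodon client.

// Markdown image embed: ![alt](url "optional title")
const MD_IMAGE = /!\[([^\]]*)\]\(\s*<?([^\s)>]+)>?(?:\s+"[^"]*")?\s*\)/g;

// Returns { text, blocked }: the rewritten body and the hosts that would
// otherwise have seen the reader's IP address and User-Agent.
function deferRemoteImages(body, trustedHosts) {
  const trusted = new Set(trustedHosts.map((h) => h.toLowerCase()));
  const blocked = [];
  const text = body.replace(MD_IMAGE, (match, alt, rawUrl) => {
    let url;
    try {
      url = new URL(rawUrl);
    } catch {
      // Relative or malformed URL: do not fetch it, show it as text.
      return `[image: ${alt || "untitled"}]`;
    }
    if (!["http:", "https:"].includes(url.protocol)) {
      return `[image: ${alt || "untitled"}]`;
    }
    if (trusted.has(url.hostname.toLowerCase())) {
      return match; // served by a host the reader already talks to
    }
    blocked.push(url.hostname);
    // Plain link instead of an embed: no request until the reader clicks.
    return `[image: ${alt || "untitled"}](${url.href})`;
  });
  return { text, blocked };
}

// Constructed sample comment with one first-party and one third-party image.
const samplePost = [
  "Nice setup! ![screenshot](https://lemmy.example/img/abc.png)",
  "![](https://tracker.example/pixel.gif?u=reader42)",
].join("\n");

const result = deferRemoteImages(samplePost, ["lemmy.example"]);
console.log(result.text);
console.log("deferred hosts:", result.blocked);
```
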
11 points

My advice would be to sign up with an email alias and use a VPN for Lemmy.

9 points

Better yet, sign up without an email address.

12 points

The first and most important thing is that platforms in the fediverse that use the ActivityPub protocol are not intended to be private communications entities, so you must be very aware that everything you post there will be publicly available on the internet.

Answering your questions:

**1. What information does the instance(s) have on their users?** All the information you provide. Username, email, location, etc. plus some information about what you post (application, IP address). It could be different between platforms. You can check the privacy policy for your platform/instance. For example mastodon.social privacy policy

**2. What information can users get on other users?** Mainly the information you post in your profile and posts. Again, it could be different between different platforms.

**3. What information can the infrastructure providers get on users of the fediverse?** I think this is the hardest question to answer and, maybe, an admin could have more information. As far as I know, infrastructure providers cannot access any data from the services they host. But it could depend on the provider policies.

Finally, private messages are not encrypted. You should consider them just for casual communication. There are other ways to send private and encrypted direct messages.

8 points

  1. Same thing ALL webpages can store on you. IP information and whatever information you directly furnish (username, password… etc.)
  2. Profile… and every post/message they send… that’s about it. If you consider the Admins as “other users”… then effectively everything. Mods are a bit less than admins.
  3. It’s sent publicly but over https. So metadata/flow data. I would consider it MUCH less than admins.

Here’s a category you didn’t think of. 4) What information can OTHER instances get on you. If you subscribe to them, or post to somewhere that is federated… Then all your post data. up/down votes. etc…

Another thing to think of is WAF products like Cloudflare that do SSL interception.

Ultimately, ActivityPub (the standard that Lemmy operates on) is not “secure” and isn’t trying to be at all. “Secure” isn’t its purpose. Instances will broadcast all your comments, posts, votes, messages, profile information, etc. to other instances.


Privacy

!privacy@lemmy.ml
