Edit: obligatory explanation (thanks mods for squaring me away)…

What you see via the UI isn’t “all that exists”. Unlike Reddit, where everything is a black box, there are a lot more eyeballs who can see “under the hood”. Any instance admin, proper or rogue, gets a ton of information that users won’t normally see. The attached example demonstrates that while users will only see upvote/downvote tallies, admins can see who actually performed those actions.

Edit: To clarify, not just YOUR instance admin gets this info. This is ANY instance admin across the Fediverse.

  • madsen@lemmy.world
    link
    fedilink
    English
    arrow-up
    40
    ·
    edit-2
    1 year ago

    Good find, albeit a bit horrifying.

    I wonder what the GDPR implications of this is. As far as I understand, even free, privately run services are required to abide by GDPR and offer data insight and deletion. They’re also required to state clearly what happens to user data.

    Edit: Apparently people have varying takes and feelings on what the GDPR does and does not say, so I urge you to please read the summary of GDPR data privacy here: https://gdpr.eu/data-privacy/ as well as the summary of what constitutes personal data here: https://gdpr.eu/eu-gdpr-personal-data/ It’s easier to have a good and fruitful discussion if we talk about what the GDPR actually says.

    • Obinice@lemmy.world
      link
      fedilink
      English
      arrow-up
      12
      ·
      1 year ago

      I’ve been wondering exactly this, Lemmy will have to be shut down in the EU if it doesn’t comply with GDPR, and considering that means each individual instance and the individual/group/company running it…

      I just don’t see how this is ever going to be secure enough to fully comply with GDPR. Not when huge security holes like this exist, where anybody with a tiny bit of knowledge and a few hours can access so much data on people anywhere…

      • madsen@lemmy.world
        link
        fedilink
        arrow-up
        7
        ·
        edit-2
        1 year ago

        if you want data deleted, you can do that, but you’ll have to send that request to every server you (or your instance on your behalf) sent it to.

        According to the GDPR an “organization” has to specify exactly who processes the user’s data (i.e. every instance in a federation — past and present), and everyone that processes that data must make it easy to make data/deletion requests, to that’s hopefully baked into Lemmy from the get-go because otherwise someone is going to find themselves in the middle of a GDPR nightmare sooner rather than later. It’s not enough to say in the privacy policy that “user data spreads to federated instances” or something to that effect.

        And given that usernames are connected to the votes, I’m pretty sure that it does not comply with the GDPR to just say that it “will place this interaction in the user’s outbox and immediately deliver it on the user’s behalf to all”.

        Edit: Added link.

          • madsen@lemmy.world
            link
            fedilink
            arrow-up
            5
            arrow-down
            2
            ·
            1 year ago

            I don’t think email is a good example because you’re in complete control of who you send an email to. However, I’m not in control of who Lemmy sends my voting data to (because I don’t control who a given instance is federated with), but GDPR grants me the right to know that.

              • madsen@lemmy.world
                link
                fedilink
                arrow-up
                3
                arrow-down
                1
                ·
                1 year ago

                Still not a good example because I’m still in control of what I choose to send and whether or not I choose to send it at all. I can’t choose whether or not Lemmy broadcasts my username in conjunction with my votes to whoever may be listening, but I can choose not to send an email to a mailing list stating who I am and how I vote on Lemmy posts.

                Organizations handling EU citizens’ data are required to abide by the GDPR and I can assure you that Gmail and others do that, they were among the first scrutinized when the GDPR went into effect. Just because I can send any data via email, doesn’t mean that email providers can do whatever they want with the data. If an email provider processes the contents of your email in order to do targeted advertising, then they have to very clearly state that in their privacy policy.

                This isn’t specifically aimed at you, @cwagner@lemmy.cwagner.me, but more of a general observation. Lots of people in this thread appear to be unfamiliar with the GDPR and how it works, and that’s completely fair — especially if you’re not from Europa and/or haven’t worked with it. I just wish they would actually check how it works instead of making assumptions. This is a good start: https://gdpr.eu/data-privacy/

                  • madsen@lemmy.world
                    link
                    fedilink
                    arrow-up
                    3
                    arrow-down
                    1
                    ·
                    1 year ago

                    It doesn’t matter if you post your +1 via lemmy or via email.

                    It absolutely does. When sending an email, you fill in the recipient and decide where your data goes, but when you press ‘upvote’ on Lemmy, you don’t have a say in who that information is broadcast to — especially not in its current form. And it’s on whoever runs the Lemmy server to comply with the GDPR and make data processors known. It really doesn’t matter how similar you think it is to email, the GDPR treats it differently and that’s the reality you have to accept.

                    Your argument could easily be extended to every piece of information floating across the internet. No one is forcing anyone to upload an image to Facebook, but Meta is still responsible for documenting who handles the image and for what purposes, they can’t just say, “you uploaded it, we let 3rd parties have their way with it”.

                    And I’ve also worked with the GDPR, both as a developer implementing systems to accommodate requests for data insight and erasure, and implementing controls to make sure data was being handled correctly and e.g. not stored for longer than allowed, and I’ve worked with it from a security perspective in order to protect the personal data of about a couple of million people, and finally I’ve worked with it in management to implement safe and GDPR compliant data handling strategies in a couple of companies.

            • sab@lemmy.world
              link
              fedilink
              arrow-up
              4
              arrow-down
              2
              ·
              1 year ago

              I don’t think email is a good example because you’re in complete control of who you send an email to.

              You can easily check which instances your server is federated with in the footer of your server. If any of those external servers have subscriptions to the community you’re posting in, they will receive an update, so it’s safe to assume it’s being sent to all of them.

              • madsen@lemmy.world
                link
                fedilink
                arrow-up
                4
                ·
                1 year ago

                Problem is that it’s not historical. If a server was defederated yesterday, it doesn’t appear in that list. And again, GDPR takes this stuff seriously, and “look at the bottom” is not sufficient. It needs to specify what data goes where.

    • kat@feddit.de
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      I wonder how deletion of user data is supposed to work in that regard. Since everything is synced to all federated instances, I guess one would have to file a request for deletion with every instance separately (?)

      • slowcurrent@vlemmy.net
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        I have extensive experience with complying with GDPR and I feel like they wouldn’t care that it is decentralized. They’d go after Lemmy as a whole and anyone involved. Having to request your data wiped from each instance is not something they are going to accept.