- cross-posted to:
- [email protected]
- [email protected]
- cross-posted to:
- [email protected]
- [email protected]
TLDR: While Fediverse won’t directly serve you ads, anonymous bad actors other than Meta can save, redistribute, and even dox you for any information you post here. Anything you post here can/will remain forever on some malicious instance that doesn’t honor deletion requests. So be careful!
So, the article isn’t exactly FUD, all the things they say about how posts migrate are true. Once I hit “post” here, these words get sucked into this server, and then get sucked into other Fediverse servers. If you believe in the “right to be forgotten”, then this is indeed a nightmare, since you don’t really know all the places your post goes and can never really be certain you’ve deleted it everywhere, should you want to. And they are right that there is no real “vetting” of any entity here. Anyone can make a server for any reason. In fact, there is no reason to believe that Threads is Meta’s first Fediverse service, they may have been running others to learn about the protocol, hoovering up the data, and we would never know.
But where the article misleads is that the devs understood this, and have structured federation to leak as little information as possible. Your post is public, of course, as is your username. But when your post gets copied to other federated servers, it is not tracking you at all. As I understand it, all the assets of your post get physically copied to the federation server, so key Metadata for tracking (like IP address) stay on the source server.
The insidious thing about Facebook isn’t that they let people post publically, it’s all the tracking that is built in, that sucks in information from your phone or browser that you don’t know you are leaking. The Fediverse is much more transparent about this. It is oversharing precisely the things that participants want to share, and nothing more.
I think the best we can do here is ensure this is outlined in the privacy policy on each instance. I’ve tried to outline how it works, and why it works that way in my privacy policy. But it’s still a bit work in progress.
I think the most important thing to stress here is that only data required for federation is shared. We don’t build profiles, we don’t send any other data to any third parties and all the data sent to federated servers is available via a web link to anyone publicly too.
The best we can do for users that want to be forgotten is send the delete request. We cannot force other instances to delete content.
I would argue that’s the case for “big social media” too. Say for example I say to facebook “Hey under GDPR provisions I would like you to delete all data you have from my account”. They are obliged to do this. Sure. But what about all the third party advertisers that already have my data through the sharing agreements? Do you think facebook even tries to remove it from them? Do you think they will do it if they ask?
So, I think that’s kinda synonymous with the federation situation. So long as you make clear how it works, and as long as you make good faith attempts to delete a user’s data on request. I’m not sure there’s more we can be expected to do (and it’s already more than the big companies will do for you).
Yup, you have a good point with the third party advertisers not following GDPR. And I agree that the privacy policy should be as transparent as possible.
Yep, I just wish atleast the major instances outline this clearly to the users. Fediverse definitely has its merits that outweigh these pitfalls. Everyone should still be aware of this in as transparent way as possible