Why just blocking Meta's Threads won't be enough to protect your privacy once they join the fediverse
Why just blocking Meta's Threads won't be enough to protect your privacy once they join the fediverse
At least, not with today's software.
To be fair I do not expect any privacy protections from lemmy/mastodon in general, or from blocking/defederation in particular.
Lemmy/Mastodon protocols are not really private, as soon you place your data in one instance your data is accessible by others in the same instance. If that instance is federated this extends to other instances too. In other words the system can be seen as mostly public data since most instances are public.
The purpose of blocking or defederation (which is blocking at instance level) is to fight spam content, not to provide privacy.
I do sort of expect the Lemmy instance to protect my IP address, email associated with my account and whatever fingerprinting can be done in the browser as well as protect any Javascript they use from injections of third party Javascript, but only when accessing the instance, not when following external links or otherwise loading external content (e.g. images hosted elsewhere).
Fair point (IP, email, browser session data). Those should not be exposed via the federation in any way. And the existence of the federated network means we could switch instances if we are concerned our instance is a bad actor about this.
I did not mean to suggest the ecosystem is not valuable for privacy. I just really don't want people to associate federation with privacy protections about data that is basically public (posts, profile data, etc). Wrong expectations about privacy are harmful.
This isn't how any of this works at all. Defederation does not increase your privacy from them. That's not how federation works. They still will see your posts. Blocked or defederated. You just won't see theirs. Blocked means you filter out their content. But they could theoretically show up in comments. Defederated means it won't populate. But it doesn't mean your content won't get populated there. They simply can't comment on content from or direct message folks on a server that defederated them.
Privacy through obscurity is as bad as security through obscurity.
Any real danger Meta presents is looming regardless of federation. I'm not against defederation. I'm just against defederating without purpose. And to be honest, what I've heard so far leads me to believe defederation will be my likely call if and when Threads goes live with ActivityPub (well, defederate with their primary instances at least, not sure of the details of how one can defederate with every Threads based instance, though it may be simple). But I don't even know if they'll federate with Lemmy/Kbin to begin with and I do not want to start some trend of instances needing to act on hypotheticals.
Tl;Dr - defederation does not increase your privacy at all. Not saying you shouldn't defederate for other reasons, but your exposure is absolutely unchanged one way or the other. This article has federation entirely wrong.
Lemmy isnt't meant to be private, it's a public forum. One should fully expect everything one posts to be seen by anyone. Assume Meta is using all your Lemmy posts to try and build a profile on you - be careful how much personal info you post.
Also periodically delete your account and start a new one with a new name. Harder to build a profile on you if the data is spread between unrelated accounts that don't reference each other.
Or has AI made this untenable?
Depends what your trying to hide and from who. Someone trying to stay anonymous from creepy dudes is fine (ops sec best practices should be used if one wants to stay anonymous). If someone with resources (say some agency) wants to figure out who you are, they can de-anonymized instantly due to all the tracking that's out there, plus any subpoena power they might have, it's a wrap. "AI" doesn't even need to come into play (not that I even know what you mean by AI)
The case with Matisse is absolutely horrifying.
Sort of reminds me of that Google thing, I think it was when they started Google Plus when they had this braindead idea of adding everyone in your phone book without your consent.
All content on Lemmy are public by design, you can collect any data by just connecting to any instance, they don't need a full on federated instance. Threads changes nothing as far as privacy is concerning. Don't post anything you don't want to be spread all over the internet, with no way to remove it.
You should read the article first
Question - If Threads become a part of Fediverse, will they be able to collect the telemetry, such as who saw a post on their server, for how long did they look at an image etc, if we are using an instance other that Threads' official server?
Short answer, probably not. Long answer, they may try, but everything needs to be within spec of ActivityPub and that at least means if they do inject something like that, itll be easier to find and developers can filter it out. So I'm hoping Meta realizes it's a draw and not try. They could try to put in recommendations to the spec, but I don't see those getting passed very easily. W3C wouldn't bow to them that easily. They do have centralized power, but their power inside is fairly spread out, so they'd need to appeal to a lot of people, many of whom are very principled.
For example, a very basic concept is the tracking pixel. Embed an image the size of a pixel and host it on a server that tracks requests to it. It's not a very advanced tracking system, but it's common in emails and the like so as to guage how many people read an email or something. Broad metrics, but metrics nonetheless. If Meta automatically injects these into posts, it's easy enough for developers to either filter out images below a certain resolution or simply disallow images from certain hosts. And it's 'easy' because there's limited places where Meta can place it so folks who watch out for this kind of stuff will be able to see any trickery Meta tries to pull.
Edit to add: also, many local methods of preventing tracking may also help. Hardening your hosts file or setting up a DNS black hole like PiHole for example. I highly suggest looking into PiHole if you haven't already and are serious about not being tracked. It may not stop all, but it can stop a lot.
W3C wouldn’t bow to them that easily.
They don't do so for Google either, but Google still does shit like this.
They could absolutely include extensions to ActivityPub to their instances, even sell it in a freemium model for companies. Host your instance on Threads instead of Mastodon and get "analytics".
Here is a major red pill that no one from this community will ever shallow:
You will never be 100% anonymous.
Come on, Lemmy.world, take a moral stand now, I stead of "wait and see"- reminds me of appeasement just before ww2, and yes, I'm going to enact Godwin's law, meta are the fucking Nazis and guess who Hitler is.
(Written only somewhat tongue in cheek)
reminds me of appeasement just before ww2
Okay you can have that thing but no more! -- and repeat.