So. I thought about the potential of bad actors sniffing on lemmy data. In theory, you’ld have to trust your lemmy-instance hosted to not be a bad actor and every single server they federated with. That means, it should be really - REALLY - easy for a bad actor of even a nation state actor to set up an instance and just wait for the data of users to pour in.
Theoretically they could see all the posts you ever made, and, every post you upvoted. Which also gives clues on: When are you active, what region are you from, what you like and dislike (obviously), political views, etc.
I mean - Maybe I’m too suspicious but tbh the more I read into this, the more I get a bad feeling about this…
Yes, posts you make to public forums are public.
Yes - Indeed.
But: Not what I liked or disliked. Every federated server can see that in their logs. Normally this would at least need you to talk to reddit/meta/some other company in order to get a hold of this data, but here literally everyone with basic Linux knowledge can get everyone’s data very easy, very quick, and very reliable.
So you’re saying you can get my lemmy data easily?
You can literally go and setup your own lemmy instance in less than 10 minutes. Its so well documented that even the least tech savy person should be able to do that with a bit of research.
When you’ve done that just wait for the data to flow in. And thats it.
There’s nothing you can really do about it. Lemmy should encourage as much privacy as possible, and it’s plain to see that there is work to be done in that realm, however, you should always protect yourself from the servers you connect to and store data on, regardless of whether it’s oriented to privacy or otherwise.
Using VPN or TOR, not saying anything that could identify you, making multiple accounts, things like this.
It is better than what we have. Not ideal, but best to assume there is always the risk of people watching and knowing your activity.
I don’t think there is a way to post to public forums and be private at the same time if normal privacy practices aren’t followed.
This obviously will depend on your threat-model. I am breaking plenty of privacy focussed guidelines by posting here but I’m doing it anyway
