this post was submitted on 31 Aug 2023
328 points (91.8% liked)

This shouldn't come as a huge surprise. Meta is moving forward with their plans for Threads and the Fediverse, and their adjusted terms reflect a new impending reality for Fediverse users.

[–] Ottomateeverything@lemmy.world 117 points 1 year ago* (last edited 1 year ago) (11 children)

Provided that a Third Party User is followed by or following a Threads account, Meta will ingest these pieces of data specifically:

Username

Profile Picture

IP Address

Name of Third Party Service

Posts from profile

Post interactions (Follow, Like, Reshare, Mentions)

So if you follow a threads user or even if a threads user just follows you, they pull all this data?

IMO this seems like reason to defederate across the board. Someone else can leak your info to Meta.

[–] candyman337@sh.itjust.works 73 points 1 year ago (2 children)

Question, is this not how every activitypub server works?

[–] rikudou@lemmings.world 50 points 1 year ago (1 children)

Yes, but not every server is owned by Meta.

[–] Steeve@lemmy.ca 12 points 1 year ago (5 children)

Ok, so we're back to defederation not because of any existing tangible evidence in this circumstance, but "because it's Meta". It's fine if that's your opinion and all, but let's stop spreading misinformation on the dangers of collecting the data required by anyone for federation.

And if you're here and pretending to care about data privacy at least try to do the bare minimum in understanding how the Fediverse works.

[–] Haui@discuss.tchncs.de 13 points 1 year ago (6 children)

Hi, I agree that there needs to be discussion.

But let’s be honest here. If meta made a lemmy/mastodon instance we would probably defederate them as well since every bit of data is for their financial gain and nothing else.

I don’t see how the world’s master manipulator and antitrust poster child is even remotely worth discussing about. We have established time and time again that „meta bad“. Why would we now not just accept the fact?

[–] MrScottyTay@sh.itjust.works 31 points 1 year ago (14 children)

Isn't this just public information anyway, what's the problem with them taking it?

[–] elbarto777@lemmy.world 45 points 1 year ago (4 children)

It's Meta. This is just the beginning. Stop them right from the start. Fuck these corporations.

[–] xuxebiko@kbin.social 29 points 1 year ago

Story of the punk bar bartender and nazis

based on @iamragesparkle's tweets

I was at a shitty crustpunk bar once getting an after-work beer. One of those shitholes where the bartenders clearly hate you. So the bartender and I were ignoring one another when someone sits next to me and he immediately says, “no. get out.”

And the dude next to me says, “hey i’m not doing anything, i’m a paying customer.” and the bartender reaches under the counter for a bat or something and says, “out. now.” and the dude leaves, kind of yelling. And he was dressed in a punk uniform, I noticed

Anyway, I asked what that was about and the bartender was like, “you didn’t see his vest but it was all nazi shit. Iron crosses and stuff. You get to recognize them.”

And i was like, oh ok and he continues.

"you have to nip it in the bud immediately. These guys come in and it’s always a nice, polite one. And you serve them because you don’t want to cause a scene. And then they become a regular and after awhile they bring a friend. And that dude is cool too.

And then THEY bring friends and the friends bring friends and they stop being cool and then you realize, oh shit, this is a Nazi bar now. And it’s too late because they’re entrenched and if you try to kick them out, they cause a PROBLEM. So you have to shut them down.

And i was like, ‘oh damn.’ and he said “yeah, you have to ignore their reasonable arguments because their end goal is to be terrible, awful people.”

And then he went back to ignoring me. But I haven’t forgotten that at all.

[–] otl@lemmy.sdf.org 38 points 1 year ago* (last edited 1 year ago) (1 children)

Yes, by design: https://docs.joinmastodon.org/methods/accounts/

IMO, the problem is not them taking the information per se, but in abusing that info to further the massive surveillance apparatus that harms society.

[–] Ottomateeverything@lemmy.world 13 points 1 year ago (1 children)

Public? Idk, maybe. I wouldn't generally consider my IP to username to be public. Comment and post stuff, sort of. But even if it's public, I still wouldn't want Meta consuming it.

[–] Durotar@lemmy.ml 16 points 1 year ago (2 children)

I wouldn’t generally consider my IP to username to be public.

Are they talking about your IP address or the service's? Does ActivityPub even share the user's IP address with other nodes in the network? That'd be crazy, so I assume that it doesn't. Then Meta can't find out your IP address.

[–] otl@lemmy.sdf.org 18 points 1 year ago* (last edited 1 year ago) (1 children)

Does ActivityPub even share the user's IP address with other nodes in the network?

No this is not in the specification.

A malicious instance could in theory distribute this information but it would be non-standard. Of the 2 systems I've studied - Mastodon and Lemmy - neither do this.

Are they talking about your IP address or the service's?

In this scenario they would be talking about the IP address(es) of the services.

[–] jhulten@infosec.pub 18 points 1 year ago (2 children)

Most of this is just part of Federation. When I saw this comment my client/server didn't have to fetch it from your server. It was pushed when you posted it so I had it locally.

[–] 7heo@lemmy.ml 15 points 1 year ago* (last edited 1 year ago)
[–] Kichae@kbin.social 15 points 1 year ago (1 children)

If a Threads user is following you, they need most of this information. It's literally how the Fediverse works. The only thing that isn't is your IP address, and that's something that I'm not sure they'd even get. That might be your host's IP address.

Remember, the Fediverse isn't a bunch of iframes looking at 3rd party websites. It works by mirroring remote content. A follow is literally a request to ingest posts from a user.

[–] Steeve@lemmy.ca 14 points 1 year ago

Yeah, no shit, they literally can't federate without this data, that's how ActivityPub works lol.

Why do you think you can see lemmy.ca votes on lemmy.world?

[–] moreeni@lemm.ee 66 points 1 year ago* (last edited 1 year ago) (2 children)

If someone had any doubts about federation with Threads, they shouldn't by now. Facebook is trying to turn Fediverse into Shittyverse and Fedizens should resist that

[–] Krapulaolut@sopuli.xyz 31 points 1 year ago (6 children)

Lemmy needs an option for a user to block an instance.

If your local instance is not going to defederate with meta then an average user can't do anything about it.

Yeah sure you can create a new user in other instance or selfhost an instance, but who would actually go through that?

[–] rikudou@lemmings.world 19 points 1 year ago (4 children)

Everyone should change their instance to one they agree with. If you don't want to be federated to Meta, go to an instance that's not federated.

User blocks are pretty much a simple filter, Meta will still have your data if you block them individually instead of defederating.

[–] pjhenry1216@kbin.social 64 points 1 year ago (2 children)

Everybody, please understand what defederating means. It will not stop the defederated instance from getting the data. It just means you don't pull theirs.

If you want to actually control who gets data, you'd have to switch to a service like Streams. ActivityPub cannot prevent anyone from pulling data. It only allows an instance to decide not to pull from a specific location.

[–] be_excellent_to_each_other@kbin.social 18 points 1 year ago (1 children)

Everybody, please understand what defederating means. It will not stop the defederated instance from getting the data. It just means you don't pull theirs.

I'm OK with that. If I wanted to talk to facebook users I'd be on facebook.

[–] pjhenry1216@kbin.social 28 points 1 year ago* (last edited 1 year ago) (1 children)

Ok, but the number of people that think defederation is in any way going to prevent this is fairly high.

[–] be_excellent_to_each_other@kbin.social 20 points 1 year ago (3 children)

I see it less about preventing than about sending a clear "DO NOT WANT" message.

I've been around since the prevailing attitude across all common internet services was anti-corporate, anti-commercialism. You sound like maybe you have too. We lost that battle. It'd be nice to win this one, even if in a way that matters only to Fediverse users. I know at the end of the day Meta won't care, and it won't stop them from slurping up our data.

I still think there is value to the DO NOT WANT message, and when Musk or MS try the same thing, I hope we send the same message to them. Let there be one tiny corner of the internet that isn't monetized and enshittified to death. Let the users who are happy to use those companies' platforms use those companies' platforms.

I get that this is tangential to your complaint here, and I get it. I don't care what people's reasons are though. Every instance should support the fedipact, and when Meta finally starts federating I'll leave my comfy kbin.social home 30 minutes later if it doesn't.

I hope each new revelation convinces more instance owners to do so, and more users to ask their instance owners to do so.

[–] fsxylo@sh.itjust.works 59 points 1 year ago (2 children)

Mother fuckers are moving to take ownership of the fediverse by calling us "third party users".

[–] deadsuperhero@lemmy.ml 38 points 1 year ago

I'm pretty sure they mean respective to themselves and their own walled garden, but it definitely doesn't scan well.

[–] Arotrios@kbin.social 54 points 1 year ago (8 children)

Looks like there's a lot of FUD around this, so I decided to jump into the ActivityPub spec and see exactly what they can and can't get with the spec as is.

First off, they cannot get a user's individual IP unless the instance owner publishes it in the profile data as part of a "public" activity stream. I don't know of any instance that does this currently (feel free to correct me if I'm wrong).

It looks like what Meta is looking to do is scrape the information in the "public" tagged activity streams:

In addition to [ActivityStreams] collections and objects, Activities may additionally be addressed to the special "public" collection, with the identifier https://www.w3.org/ns/activitystreams#Public.

Activities addressed to this special URI shall be accessible to all users, without authentication.

This is similar to what most instances do to show the posts of a user or community - they send a request to get "public" tagged data to publish to their end users. Within this data is all the activity information on that post - who upvoted what and who, and who commented. Again, this is the same way federation works now - your server has an activity stream of all your followed and followers that it can make available to view by tagging their activity as "public". Many instances have this information tagged as "public" as a default.

Now, this system works fine if you're dealing with small actors that don't have nefarious designs on the network, or the resources to dominate it.

When you have a digital behemoth with grand AI designs that's already embroiled in lawsuits where it was grabbing your medical data and regularly allows law enforcement to stroll through its records, it's an entirely different situation. Meta has the power and capacity to not only engage in an "embrace, extend, extinguish" campaign against the Fediverse, but also to seriously threaten the privacy and well-being of Fediverse users in a way no single instance owner can.

I think the solution here will be for individual instance owners to harden their security and if not outright defederate from Threads, ensure that posts are private by default and that their users are made well aware in the TOS that following a Threads user will result in sharing data about their profile that could (and most likely will) be matched back to their Facebook account.

Instances that don't allow visibility control on posts, like Kbin and Lemmy, should look at adding an option to post only to the local server, or have the capacity to block threads.net outgoing publication based on user profile settings.

Instances that don't allow follow request filtering probably should look at adding it (Mastodon has it implemented - Kbin and I think Lemmy would need to catch up) - otherwise users could be unaware that they're sending their data to threads.net when someone from that service follows them.

I think it goes without saying that any data Meta gets will get the AI treatment - both to identify users and to sell your activity to marketers. That activity is the real goldmine for them - that's a stream of revenue for marketing that rivals what Meta tracks on its own platform.

As such, it may be worthwhile for instance owners to look at removing voting and boosting counts from the "public" activity feed. This would mean more fragmentation for communities whose populations span instances (vote counts would be more off than they are now), but it would prevent bad actors from easily scraping that data for behavioral analysis.

All in all, though, I don't believe it's going to be a positive event when Threads does start federating. One of the nice things about the Fediverse is that the learning curve is high enough to keep the idiot count down, and I don't really see our content or commentary here improving once Meta's audience enters the space.

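Added example, not part of any comment in this thread and not code from Mastodon, Lemmy or Kbin: a sketch of the per-domain outbound block suggested above, which also reports whether the activity is addressed to the Public collection and so stays readable without authentication even when the push is withheld. Function names, sample hosts and inbox paths are hypothetical, and addressing values are assumed to be plain strings.

```python
from urllib.parse import urlsplit

# The three spellings of the Public collection that the ActivityPub
# spec says plain-JSON implementations should accept.
PUBLIC = {"https://www.w3.org/ns/activitystreams#Public", "as:Public", "Public"}
ADDRESSING = ("to", "bto", "cc", "bcc", "audience")


def addressed_to(activity):
    """Collect every IRI in the addressing fields (string or list values)."""
    out = set()
    for field in ADDRESSING:
        value = activity.get(field, [])
        out.update([value] if isinstance(value, str) else value)
    return out


def is_public(activity):
    return bool(addressed_to(activity) & PUBLIC)


def host_blocked(url, blocked_domains):
    """True if the URL's host is a blocked domain or one of its subdomains."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in blocked_domains)


def plan_delivery(activity, inboxes, blocked_domains):
    """Split follower inboxes into push targets and withheld ones."""
    deliver = [i for i in inboxes if not host_blocked(i, blocked_domains)]
    withheld = [i for i in inboxes if host_blocked(i, blocked_domains)]
    return {
        "deliver": deliver,
        "withheld": withheld,
        # Public activities stay readable without authentication, so
        # withholding the push does not make the post private.
        "still_fetchable_by_anyone": is_public(activity),
    }


# Constructed sample data (hosts and inbox paths are illustrative only).
PUBLIC_NOTE = {
    "type": "Create",
    "actor": "https://social.example/users/alice",
    "to": "https://www.w3.org/ns/activitystreams#Public",
    "cc": ["https://social.example/users/alice/followers"],
}
FOLLOWERS_ONLY = {**PUBLIC_NOTE, "to": ["https://social.example/users/alice/followers"], "cc": []}
INBOXES = [
    "https://other.example/inbox",
    "https://threads.net/inbox",
    "https://www.threads.net/inbox",
]

if __name__ == "__main__":
    for name, act in (("public", PUBLIC_NOTE), ("followers-only", FOLLOWERS_ONLY)):
        print(name, plan_delivery(act, INBOXES, {"threads.net"}))
```
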
[–] Atemu@lemmy.ml 33 points 1 year ago (2 children)

I don't know what you're getting excited about here; this is all publicly available information which Facebook could scrape at any time they wanted (federated or not), even right this very second.

[–] iHUNTcriminals@lemm.ee 28 points 1 year ago (1 children)

Wtf. Can't they just be defederated. Get that shit outta here.

[–] Zak@lemmy.world 14 points 1 year ago

A server admin can block any other server, including Threads.

[–] victron@programming.dev 24 points 1 year ago

No, they don't. Please leave the click-baity bullshit out of here.

[–] maynarkh@feddit.nl 22 points 1 year ago (1 children)

Stupid question, couldn't instances just say they don't allow scraping specifically from Facebook in their ToS and then report them for GDPR violations if they do?

As in, have the ToS say that "we'll give your data to other instances because that's how the Fediverse works, we won't give your data to Facebook" and also "Facebook is not allowed to federate, and is not allowed to pull data".

Then just say that your data subjects don't consent to any data pulling by Facebook, and Facebook scraping your system even through ActivityPub is a violation of GDPR.

[–] Razp@lemm.ee 17 points 1 year ago (3 children)

But GDPR is the European thing, and Threads isn't even available in Europe.

[–] Squizzy@lemmy.world 19 points 1 year ago

If their service is affecting a service in the EU then they will have to abide by GDPR. Fact is if your server is in the EU and they scrape it they are active in the EU.

[–] Ctri@beehaw.org 15 points 1 year ago

GDPR is a protection that applies to European citizens, regardless of where they're situated. companies don't get a pass because they blocked IP addresses coming from Europe.

now, enforcement outside the EU is a challenge, but the law is written in such a way that it covers the personal info of every EU citizen regardless of location.

[–] Steeve@lemmy.ca 20 points 1 year ago (6 children)

They're literally just taking data they need to federate, like all the other instances. Eventually people around here are going to get sick of this paranoid "fuck Meta because it's Meta" attitude because people keep posting lame misinformation like this. I know I'm getting sick of it.

[–] NightAuthor@lemmy.world 13 points 1 year ago (1 children)

It’s not just because it’s meta, it’s because they are going to scrape up all the data they can get (even if it’s just normal fediverse stuff) and pipe it into their data mining operation. They could probably easily do it without us noticing, but if we know they’re doing it… then it’s worth talking about. And reasonable for people to dislike.

[–] Blackmist@feddit.uk 13 points 1 year ago (4 children)

Do they get my IP if I reply to somebody or a post on Threads?

I was under the impression that I submit to my instance and then that passes the message along.

I had a quick look at the posts and comments bits of the schema and it doesn't appear to list an IP address field, unless I'm blind. Which is always possible.
