Federated services have always had privacy issues but I expected Lemmy would have the fewest, but it’s visibly worse for privacy than even Reddit.

  • Deleted comments remain on the server but hidden to non-admins, the username remains visible
  • Deleted account usernames remain visible too
  • Anything remains visible on federated servers!
  • When you delete your account, media does not get deleted on any server
  • aard@kyu.de
    link
    fedilink
    arrow-up
    7
    ·
    1 year ago

    Lemmy also seems to federate your matrix_user_id, that is clear personal data.

    Just like specifying an email address when signing up adding a matrix identifier is your personal choice. Lemmy is perfectly usable without either.

    It does not matter how the data gets to the federated server, this is still user data within the scope of the GDPR. It does not matter that that server does not have an agreement with the user, the instance that would ignore a GPDR related deletion request would be in direct violation of the GDPR.

    Not a lawyer, but I’d say the instance outside of EU, not targetting EU users would not be in violation - though EU instances transmitting data there might.

    Instances should actually delete data when that is requested, or instance hosts can get fined.

    With that part I agree - but it should be made clear when deleting something that this is a local deletion, which may or may not propagate to other instances, and will almost certainly not remove the data from the internet.

    • dan@upvote.au
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      EU instances transmitting data there might.

      This is an interesting thought, as data transfer between the US and EU has been an issue with other social networks. Federation between an EU instance and a US instance could be seen as the same thing - data for EU users is being transferred to non-EU servers.

      • lovesyouandhugsyou@beehaw.org
        link
        fedilink
        arrow-up
        3
        ·
        1 year ago

        It’s very possible that an EU instance that comes under regulatory scrutiny for whatever reason will have to start requiring Data Processing Agreements (DPAs) from every instance it federates with.

        Ultimately that would likely result in a few paid, professionally run instances, which only federate with each other and maybe a few similar instances in other regions with the capacity to provide DPAs.

        And next to that, a forest of independent, non-conforming instances flying under the regulatory radar; an entirely separate fediverse from the centralized one where instances disappearing is a regular occurence.