Privacy drove me off reddit, I looked around for these answers but not sure where to come across them.
- Am I sharing my IP address/ location with my host instance?
- is there a log of my view history
- are there general privacy concerns that I am not thinking of?
I do not want to be in a position where a Government creates an instance, and allows them to monitor.
I don’t know about 2 and 3, but every service and website you connect to has your IP address.
Optimally instances should have a tos or privacy statement, but out of the box you can expect a web server to collect your IP (if for nothing but know where to respond to your requests), a log of your requests, and any content you generate in using the instance (comments, votes, posts). login data (email, username, hashed password) are also stored to let you log in at all.
any other data will depend on the instance in question, how it is configured, and who is running it.
If you don’t want governments monitoring you, I really think you need to get off the public internet.
The tools are becoming too advanced, and they are legally allowed to do it by current law. In most places anyway. So, wave to the alphabet soup guys, everyone! Hiiiii~! Hope you all catch a terrorist! Have a good day!
I mean, if they’re legally allowed to monitor, then they’d just be dumb not to, you know? It’s our job to make that illegal if we don’t want it to happen, and we haven’t done that yet.
There was a thread that asks the same question (which I can’t find… somebody paste the link pls):
You can observe lemmy’s database schema on Github.
This links to current (as of me making this comment, the link links to fixed version of code, not “current latest”) version of “local_user” table.
Thank you for the answer, I cross posted my question to a couple threads. I cant read code, but I appreciate your link a bunch
I can answer question 1 confidently:
Yes, web host does know your IP, not limited to lemmy, this is how Internet works.
Partially answering question 3:
Someone said lemmy doesn’t comply with GDPR because deleted is a boolean (true/false) value
That is inaccurate, all that matters is that Personally Identifiable Information (PII) is gone. A provider has no obligation to delete any data/content if it doesn’t identify you personally. So, assuming your instance requires an email address (which some do, but not all, so clearly Lemmy allows to operate without it), or stuff like real name, phone number, etc (but I’m pretty sure no Lemmy instance requires that), all an admin would have to do to be in compliance would be to overwrite those PII fields with anonymous information, and they’d be in compliance. No records actually need to be deleted.
Source: I’m not a compliance expert, but I’m a software engineer who worked for some of the most major companies providing online services, at the time GDPR passed. They all spent many millions to align to GDPR because for some of them the liability would have been in the hundreds of millions of dollars, so they took it very seriously. Yet, of those that were soft-deleting records like that (with a Boolean), none of them stopped doing it. All of the efforts were around cleaning out the PII only.