A couple of users on the genzedong matrix chat expressed concern over Lemmygrad’s lack of privacy policy. Lemmy already supports setting legal information in the site admin settings (although it’s hard to find the legal page if you don’t already know about it since there are no links to there).

It could also be worth letting admins on other instances know about this feature, as I’m sure many of them would want to add privacy policies to their instances as well.

  • Red Wizard 🪄English
    12·
    1 year ago

    Things that are stored and federated:

    • Your publicly visible profile information (user name, display name, etc)
    • Your posts, comments, upvotes, and down votes (for posts and comments)

    Things that are stored only on your instances database:

    • Your email (optional)
    • Your encrypted password

    Things that are shard between instances but not federated:

    • Your direct messages

    I believe things like the modlog are also federated. So any comment or post that is removed by moderators or admins will be federated via the mod log.

    Lemmy does not collect network information, geolocation data, device identification numbers, or any other demographic information.

    This is what I understand after my own personal audit of the Lemmy code (Lemmy and Lemmy-UI). Others are welcome to perform their own audits of the code and confirm or clarify my understandings.

    • Muad'DibberAEnglish
      9·
      1 year ago

      One correction: private messages (if from one server to another) are also stored and federated, and the server admins of both servers can see them if they look in the database. That’s why matrix should always be preferred for private messages.

      All federated systems (email, matrix, the fediverse, etc) have these issues, to the point that you could consider them database replication systems (unless they have federation turned off).

      The best security practice online is username / content anonymity: don’t post any personally identifying information, and don’t use a username that could identify you. The NSA could start an instance and start collecting content, but if all they have is a username and no identifying information, its useless.

      • Red Wizard 🪄English
        6·
        1 year ago

        That’s fair, I guess I was thinking about federation in terms of communities when I wrote that. Federated in the grander context just means “these severs communicate with each other.”

        I didn’t want someone to misconstrue what DM federation means, because I could see someone thinking it means their DMs are “synced” to other instances outside of the two instances communicating.

        Regardless! Your last point is the most important. Treat systems you communicate with as suspect, even if they seem trustworthy.