I was unsure where to cross-post this. But maybe we should discuss this to make sure Lemmygrad users are staying safe? Similar to the unspoken rule that we strongly discourage people using their real names or giving away too many personal details.

cross-posted from: https://mylemmy.win/post/89871

Edit: obligatory explanation (thanks mods for squaring me away)…

What you see via the UI isn’t “all that exists”. Unlike Reddit, where everything is a black box, there are a lot more eyeballs who can see “under the hood”. Any instance admin, proper or rogue, gets a ton of information that users won’t normally see. The attached example demonstrates that while users will only see upvote/downvote tallies, admins can see who actually performed those actions.

Edit: To clarify, not just YOUR instance admin gets this info. This is ANY instance admin across the Fediverse.

  • redtea@lemmygrad.mlOP
    link
    fedilink
    English
    arrow-up
    7
    ·
    1 year ago

    This is useful to know.

    I’m fairly sure that Lemmygrad admins don’t collect any data except for knowing your country code.

    Is that right? Maybe you know, @[email protected]?

    • CriticalResist8@lemmygrad.ml
      link
      fedilink
      English
      arrow-up
      11
      ·
      1 year ago

      The only person with any access to under-the-hood stuff is muad’dibber, who I don’t think really cares about your personal info haha

      otherwise the rest of the admin team doesn’t see anything you don’t, except the names of people who took actions in the modlog.

      • redtea@lemmygrad.mlOP
        link
        fedilink
        English
        arrow-up
        7
        ·
        1 year ago

        I did think this was the case. It’s reassuring to have it confirmed, though, thanks.

    • Red Wizard 🪄@lemmygrad.ml
      link
      fedilink
      English
      arrow-up
      8
      ·
      1 year ago

      To be clear, if I’m the operator of the Linux server on which Lemmy is deployed, I can use tools like tcpspy to pull information about the TCP/IP connections to my server on a given port. Obviously, this is simply the TCP/IP packets, which is going to be a sea of bots, internet crawlers, and other automated systems attempting to access my box because it’s on the internet, which will likely dwarf the legitimate connections to the box.

      I guess it’s more likely though, you’ll be monitoring the box between the outside internet and the actual server (like an Nginx reverse proxy) but I could probably extract which IPs were going to Mylemmy.ml instead of my boxes IP address directly, but that’s outside the scope of my knowledge. I simply know that, once you own the box that someone else is connecting to, there is networking data you now have access to that can lead to identifying a person.

      • redtea@lemmygrad.mlOP
        link
        fedilink
        English
        arrow-up
        7
        ·
        1 year ago

        Do you know if this would work if I viewed information on that instance/server through Lemmygrad? I.e. could the other instance associate my IP with my LG account even if LG doesn’t collect that data?

        • Red Wizard 🪄@lemmygrad.ml
          link
          fedilink
          English
          arrow-up
          7
          ·
          edit-2
          1 year ago

          Content is effectively “Synced” to Lemmygrad. So if you are reading something from [email protected], you’re actually reading it from the Lemmygrad server located at lemmygrad.ml/c/[email protected]. So no, unless you are connecting to their domain address explicitly, those domains are not getting your TCP/IP connection.

          I’ll note, this is why you should probably use a VPN to access the internet generally if you are concerned about privacy.

          • Your home network provider knows your IP address and what domain address (but not the pages contained within) you visit.
          • Your mobile provider knows your phone’s IMEI number and its assigned IP address (though I’m not 100% sure about this exactly because you might get a new IP depending on the tower or network you connect to while moving around the world). But your IMEI number uniquely identifies your device, and some website analytic systems capture that data. It should be assumed they have a historical record not unlike the one your ISP has.

          Using a VPN means all your ISP/Mobile provider sees is you sending data to a VPN server over HTTPS, and that’s it. Services like NordVPN claim they do not keep logs on their system, and so if a government was to request your account’s history, they likely can’t provide that. They operate a Warrant Canary, here which in principle should give you faith that they have upheld that mission statement.

          I use Nord on my phone and via their browser extension, and I have them set to auto-connect so they never turn off, and use their local discovery and bypass features to allow list sites and local services that get angry about my devices being on a VPN. I’ve been doing this for maybe two years now, and I’ve never noticed any material impact on the quality and speed of my connection.

          This is not an ad for Nord 😅, I just think they’re practicing what they preach.

          • redtea@lemmygrad.mlOP
            link
            fedilink
            English
            arrow-up
            4
            ·
            1 year ago

            That’s reassuring to know.

            I would assume that security services can log everything even for VPN users. Plus, as Sakai observes, relying on technology for the security of revolutionaries is only part of the solution. The main risk comes from other people (who may appear to be comrades but are spies).

            The state isn’t the only one to be worried about, though. With reactionary politics sliding into open fascism more and more, there are ordinary members of the public who don’t have access to the same powers as the state but who could get access to similar data if we’re not careful.

            One thing I’ve always wondered is whether using a VPN puts you in a list for trying to hide your internet activity. They’re paranoid. I’m paranoid. It’s the age of paranoia!