Disclaimer, This is only for Lemmy.world.
I actually read the privacy policy. There are basically 3 segments of data:
- The one time when you signed up.
- All times you log in, after you’ve signed up.
- User generated data
For part one: They store your username and the IP address used when you create the account. They store a hashed version of your password, not the actual password. They’ll store that info for as long as you have an account with lemmy.world. They store the hashed password so you can log into your account.
For part two: They keep a log of the times you sign in, the device you signed in from (iOS, Android, web) and the IP address you do it from. They delete this data on a rolling basis, every 90 days from the date the login data was created (from the time you logged in).
For part three: These are your posts, comments, upvotes, downvotes, etc. This is stored this until you delete your comment/post or undo your upvote/downvote. When you delete your account, if you haven’t deleted your data, the connection (the association) between your account and the data itself is severed. This means that the comment will remain but the
usernamevalue will benull.tl;dr: I’m no expert but I think they keep a very small amount data. They probably do this to keep their costs as low as possible (but that is just my speculation).
If you’re really worried about data mining and data logging, you can always go back to reddit /s
If you’re really worried about data mining and data logging, you can always go back to reddit /s
Or just run your own lemmy instance.
I installed Jerboa and noticed that it grayed the titles of posts that I had already viewed even though I had viewed them on the web. That told me (unless I am somehow confused) that the server side tracks what posts you have read.
From my perspective that seems like a terrible invasion. I can understand some benefit to showing the post status in the UI, but if it is stored at all, the storage should be exclusively on the client side. I mentioned this also in the “issues” thread and got no reaction, so maybe I’m missing something or in error.
Isn’t that a browser thing, not a lemmy thing? Iirc, your jerboa history shows up in your default browser
Reddit tracked posts viewed as well.
Thanks, that is good to know, but that is a type of evil where I would hope Lemmy doesn’t follow Reddit. I sometimes posted to Reddit but I more often read passively without logging in, partly to avoid some of the tracking.
Sure. I think it’s good to be aware of for sure and I agree that it would be nice if Lemmy isn’t tracking as much. I also recognize that I’ve accepted a certain amount of tracking in my life over the years at this point.
Tracking posts is understandable. Tracking up and down votes is iffy. Tracking reading is inappropriate and invasive.
I don’t disagree really… Just pointing out that as long as you’re logged in Reddit has always tracked posts viewed as far as I’m aware… Facebook similarly tracks all activities and always has.
These are obviously not models to aspire to but I think that it’s helpful to be aware of what we’ve dealt with up until this point.
All I gave them are a private relay email address. So I am assuming there isn’t much else in terms of private data.
I am sure your ip address is logged somewhere for security. But beyond that I am not sure what else is there to store.
There’s tons more data than that that can be picked up. To start with, what posts you interact with and how. I’m sure there’s loads of other data points that can be tracked.
Thankfully the code is open source so a good answer can be had. Unfortunately not familiar with the code base
Ofc instances themselves may modify the code to track certain things. However this highlights the importance of using instances you trust.
I wonder if there is a checksum or something to verify what version of code an instance is using
True, open source is always better for the sake of transparency. Worth noting, though, that doesn’t mean the server you are browsing on uses the exact build they say they are.
DB schema for user info:
Just what you’d expect really (settings, profile data, posts/comments), not even user agent (what browser you use) is stored. But keep in mind any instance you sign up to could be using a forked version that inserts Google analytics or FB pixel or any other sort of tracking tech.
deleted -> Bool,:(
this indicates the user aint gonna be deleted, just marked as “deleted” but still actually exist ?
this is common practise, at least.
im a bit too lazy to look through all the code. maybe deleted users arent show, and their comments “content” is still there?
though technically my comments could be considered personal data and thus break gdpr
Data should never be actually deleted from the database, that breaks all the best practices. It can be overwritten with garbage though. But it should always be present.
For example, if you create a new account with email, username and password and get assigned some id like 42. Then after a while you want to delete your account. The account should stay intact, id number 42 should still be occupied, but your email, username and password should be replaced by null values.
