• chagall@lemmy.world
    link
    fedilink
    English
    arrow-up
    13
    ·
    edit-2
    1 year ago

    Disclaimer, This is only for Lemmy.world.

    I actually read the privacy policy. There are basically 3 segments of data:

    1. The one time when you signed up.
    2. All times you log in, after you’ve signed up.
    3. User generated data

    For part one: They store your username and the IP address used when you create the account. They store a hashed version of your password, not the actual password. They’ll store that info for as long as you have an account with lemmy.world (although they reserve the right to keep it for up to 12 months after you’ve deleted your account). They store the hashed password so you can log into your account.

    For part two: They keep a log of the times you sign in, the device you signed in from (iOS, Android, web) and the IP address you do it from. They delete this data on a rolling basis, every 90 days from the date the login data was created (from the time you logged in).

    For part three: These are your posts, comments, upvotes, downvotes, etc. This is stored this until you delete your comment/post or undo your upvote/downvote. When you delete your account, if you haven’t deleted your data, the connection (the association) between your account and the data itself is severed. This means that the comment will remain but the username value will be null.

    tl;dr: I’m no expert but I think they keep a very small amount data. They probably do this to keep their costs as low as possible (but that is just my speculation).

    If you’re really worried about data mining and data logging, you can always go back to reddit /s

    • Bezerker03@lemmy.bezzie.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      If you’re really worried about data mining and data logging, you can always go back to reddit /s

      Or just run your own lemmy instance.

  • KhalBrogo@lemm.ee
    link
    fedilink
    English
    arrow-up
    4
    ·
    1 year ago

    All I gave them are a private relay email address. So I am assuming there isn’t much else in terms of private data.

    I am sure your ip address is logged somewhere for security. But beyond that I am not sure what else is there to store.

    • danc4498@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      There’s tons more data than that that can be picked up. To start with, what posts you interact with and how. I’m sure there’s loads of other data points that can be tracked.

      • frostphunk@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        Thankfully the code is open source so a good answer can be had. Unfortunately not familiar with the code base

        Ofc instances themselves may modify the code to track certain things. However this highlights the importance of using instances you trust.

        I wonder if there is a checksum or something to verify what version of code an instance is using

        • danc4498@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          True, open source is always better for the sake of transparency. Worth noting, though, that doesn’t mean the server you are browsing on uses the exact build they say they are.

  • key@lemmy.keychat.org
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    DB schema for user info:

    https://github.com/LemmyNet/lemmy/blob/63d3759c481ff2d7594d391ae86e881e2aeca56d/crates/db_schema/src/schema.rs#L380

    https://github.com/LemmyNet/lemmy/blob/63d3759c481ff2d7594d391ae86e881e2aeca56d/crates/db_schema/src/schema.rs#L545

    Just what you’d expect really (settings, profile data, posts/comments), not even user agent (what browser you use) is stored. But keep in mind any instance you sign up to could be using a forked version that inserts Google analytics or FB pixel or any other sort of tracking tech.

    • Nioxic@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      edit-2
      1 year ago
          deleted -> Bool,
      

      :(

      this indicates the user aint gonna be deleted, just marked as “deleted” but still actually exist ?

      this is common practise, at least.

      im a bit too lazy to look through all the code. maybe deleted users arent show, and their comments “content” is still there?

      though technically my comments could be considered personal data and thus break gdpr

      • Aux@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        Data should never be actually deleted from the database, that breaks all the best practices. It can be overwritten with garbage though. But it should always be present.

        For example, if you create a new account with email, username and password and get assigned some id like 42. Then after a while you want to delete your account. The account should stay intact, id number 42 should still be occupied, but your email, username and password should be replaced by null values.

  • sauron@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    I have yet to go through it all myself but from what I’ve seen of the Lemmy code it seems pretty straight forward. I doubt anything is being tracked other than what is required. Obviously your IP has to be taken down so they can route traffic to you. Username and all info you put on your profile or post. List of liked/disliked posts, subscribed or blocked communities and people, perhaps metadata of any photos or videos you upload, the package name for whatever mobile app you use, etc.

    All the code is available on GitHub for you to check out if you’d like, 80% of it is written in Rust. But I am looking through it myself to see what kind of privacy I can expect from Lemmy. It’s already ahead of Reddit though, where I couldn’t view the source code and just had to trust what the company said.

  • solrize@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    arrow-down
    2
    ·
    edit-2
    1 year ago

    I installed Jerboa and noticed that it grayed the titles of posts that I had already viewed even though I had viewed them on the web. That told me (unless I am somehow confused) that the server side tracks what posts you have read.

    From my perspective that seems like a terrible invasion. I can understand some benefit to showing the post status in the UI, but if it is stored at all, the storage should be exclusively on the client side. I mentioned this also in the “issues” thread and got no reaction, so maybe I’m missing something or in error.

    • Myriadblue@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      Isn’t that a browser thing, not a lemmy thing? Iirc, your jerboa history shows up in your default browser

      • solrize@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        arrow-down
        1
        ·
        1 year ago

        I browsed and posted on Lemmy for a while through a desktop browser on my laptop, then installed Jerboa on my phone and started playing with it, and immediately noticed that posts I had previously read through the browser were marked in Jerboa. The only ways Jerboa could have gotten that info are: 1) the server recorded the info from the browser and relayed it to Jerboa, or 2) I was confused somehow and had also read those posts through Jerboa.

        #2 above is something of a possibility but that leaves #1 as still not dispelled suspicion. I was hoping that someone familiar with the implementation would comment.

    • aski3252@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      I noticed previously that stuff I read in the browser does not show up as read in the mobile app. I also just tested it with different browsers and as far as I can see, read posts are marked as unread when I use another browser.

      So are you actually sure about your claim? This is very easily testable, so I hope you have actually confirmed this before you accuse lemmy of participating in a “terrible invasion” of privacy…

      • solrize@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        I have said several times that I am not completely sure. I will see if I can do some better tests. It is something that I noticed when I installed Jerboa, so I asked about it, and people seemed to confirm that there was server side tracking.

      • solrize@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        1 year ago

        Thanks, that is good to know, but that is a type of evil where I would hope Lemmy doesn’t follow Reddit. I sometimes posted to Reddit but I more often read passively without logging in, partly to avoid some of the tracking.

        • scottywh@lemmy.world
          link
          fedilink
          English
          arrow-up
          0
          ·
          1 year ago

          Sure. I think it’s good to be aware of for sure and I agree that it would be nice if Lemmy isn’t tracking as much. I also recognize that I’ve accepted a certain amount of tracking in my life over the years at this point.

          • solrize@lemmy.world
            link
            fedilink
            English
            arrow-up
            0
            arrow-down
            2
            ·
            edit-2
            1 year ago

            Tracking posts is understandable. Tracking up and down votes is iffy. Tracking reading is inappropriate and invasive.

            • scottywh@lemmy.world
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 year ago

              I don’t disagree really… Just pointing out that as long as you’re logged in Reddit has always tracked posts viewed as far as I’m aware… Facebook similarly tracks all activities and always has.

              These are obviously not models to aspire to but I think that it’s helpful to be aware of what we’ve dealt with up until this point.