This shouldn’t come as a huge surprise. Meta is moving forward with their plans for Theads and the Fediverse, and their adjusted terms reflect a new impending reality for Fediverse users.

  • Ottomateeverything@lemmy.world
    link
    fedilink
    arrow-up
    134
    arrow-down
    15
    ·
    edit-2
    1 year ago

    Provided that a Third Party User is followed by or following a Threads account, Meta will ingest these pieces of data specifically:

    Username

    Profile Picture

    IP Address

    Name of Third Party Service

    Posts from profile

    Post interactions (Follow, Like, Reshare, Mentions)

    So if you follow a threads user or even if a threads user just follows you, they pull all this data?

    IMO this seems like reason to defederate across the board. Someone else can leak your info to Meta.

        • Steeve@lemmy.ca
          link
          fedilink
          arrow-up
          23
          arrow-down
          11
          ·
          1 year ago

          Ok, so we’re back to defederation not because of any existing tangible evidence in this circumstance, but “because it’s Meta”. It’s fine if that’s your opinion and all, but let’s stop spreading misinformation on the dangers of collecting the data required by anyone for federation.

          And if you’re here and pretending to care about data privacy at least try to do the bare minimum in understanding how the Fediverse works.

          • Haui@discuss.tchncs.de
            link
            fedilink
            English
            arrow-up
            14
            arrow-down
            1
            ·
            1 year ago

            Hi, I agree that there needs to be discussion.

            But let’s be honest here. If meta made a lemmy/mastodon instance we would probably defederate them as well since every bit of data is for their financial gain and nothing else.

            I don’t see how the worlds master manipulator and anti trust poster child is even remotely worth discussing about. We have established time and time again that „meta bad“. Why would we now not just accept the fact?

            • imaqtpie@sh.itjust.works
              link
              fedilink
              English
              arrow-up
              7
              arrow-down
              1
              ·
              edit-2
              1 year ago

              I think there is a bit of hysteria about Threads/Meta and some people are trying to push back. There are plenty of people in this thread that don’t fully understand federation and are knee-jerk reacting because it’s Meta.

              However, I totally agree with the sentiment being expressed, which is to keep Meta and large corporations as far away from Lemmy as possible. This is a community-run space that is a haven from the corporate internet, and indeed capitalist society in general. Protecting this space should be our highest priority.

              I feel that some of our more technical users are losing the forest for the trees in this discussion. Believe it or not, some Lemmings don’t come from a 30 year tech background and don’t fully understand how the platform, or indeed the internet as a whole, actually functions.

              This group of people, which includes me, are acting rationally by opposing any interaction with Meta on grounds of principle. We don’t know exactly what we are scared of, but we do know if there is any vulnerability or weakness that Meta is trying to exploit, they already know their plan and we won’t know until it’s too late. Meta is a terrifying behemoth just waiting for a chance to consume Lemmy. I would argue that a little bit of hysteria is justified in this case.

              Edit: just to clarify, this is more of a response to the parent comment, I think we are in agreement. I didn’t want to start another reply thread so I figured I would build off your point.

              • Haui@discuss.tchncs.de
                link
                fedilink
                English
                arrow-up
                2
                ·
                1 year ago

                Thanks for pointing that out. I‘m sort of between the two. Doing IT more or less professionally for 20+ yrs but I can’t tell you the definitive workings of the fediverse either. I understand the principles and I like them.

                Have a good one. :)

            • Steeve@lemmy.ca
              link
              fedilink
              arrow-up
              3
              arrow-down
              1
              ·
              1 year ago

              Like I said, that’s a fine opinion to hold. What isn’t fine is the constant spinning of facts and narratives to suit a personal bias, regardless of how I feel about that bias.

                • Steeve@lemmy.ca
                  link
                  fedilink
                  arrow-up
                  1
                  arrow-down
                  1
                  ·
                  edit-2
                  1 year ago

                  Not that I’m aware of? Not saying you personally did, I’m discussing the context. This post and the top level comments.

          • Rikudou_Sage@lemmings.world
            link
            fedilink
            English
            arrow-up
            6
            arrow-down
            2
            ·
            edit-2
            1 year ago

            not because of any existing tangible evidence in this circumstance

            Oh, we’re defederating exactly because of tangible evidence that Meta steals every information it can about you. I personally stripped Meta almost entirely out of my life, I definitely don’t want them crawling back just because someone else wants to use Threads.

            And if you’re here and pretending to care about data privacy at least try to do the bare minimum in understanding how the Fediverse works.

            Oh, I do. I’m my own instance admin, I work as a senior architect and grasped the concept of Fediverse quite fast.

            • Steeve@lemmy.ca
              link
              fedilink
              arrow-up
              2
              arrow-down
              2
              ·
              1 year ago

              not because of any existing tangible evidence in this circumstance

              If you’re going to quote me I’d appreciate if you didn’t cut out relevant parts of it to fit your argument.

              Oh, I do. I’m my own instance admin, I work as a senior architect and grasped the concept of Fediverse quite fast.

              The “you” in my comment was a generalized “you”, not you specifically.

              • Rikudou_Sage@lemmings.world
                link
                fedilink
                English
                arrow-up
                5
                ·
                1 year ago

                If you’re going to quote me I’d appreciate if you didn’t cut out relevant parts of it to fit your argument.

                Sure, edited the comment to include it, it doesn’t change my argument at all.

                The “you” in my comment was a generalized “you”, not you specifically.

                Hard to distinguish.

            • rbits@lemm.ee
              link
              fedilink
              arrow-up
              1
              arrow-down
              2
              ·
              1 year ago

              It’s not tangible evidence, it’s an extrapolation based on Meta’s previous actions. I mean, it’s still pretty convincing.

              Although I do wonder if Meta would be able to get away with it legally. That might not stop Meta though.

      • russjr08@outpost.zeuslink.net
        link
        fedilink
        English
        arrow-up
        8
        ·
        1 year ago

        Yes, this is why if you upvote a post or comment from Mastodon (and friends) from Lemmy/Kbin/etc it appears as a “Like” for them, as an example.

        Sans the IP address, that would be of the server your account is on, not your personal IP.

      • El Barto@lemmy.world
        link
        fedilink
        arrow-up
        52
        arrow-down
        7
        ·
        1 year ago

        It’s Meta. This is just the beginning. Stop them right from the start. Fuck these corporations.

        • xuxebiko@kbin.social
          link
          fedilink
          arrow-up
          35
          arrow-down
          5
          ·
          1 year ago

          Story of the punk bar bartender and nazis

          based on @iamragesparkle;s tweets

          I was at a shitty crustpunk bar once getting an after-work beer. One of those shitholes where the bartenders clearly hate you. So the bartender and I were ignoring one another when someone sits next to me and he immediately says, “no. get out.”

          And the dude next to me says, “hey i’m not doing anything, i’m a paying customer.” and the bartender reaches under the counter for a bat or something and says, “out. now.” and the dude leaves, kind of yelling. And he was dressed in a punk uniform, I noticed

          Anyway, I asked what that was about and the bartender was like, “you didn’t see his vest but it was all nazi shit. Iron crosses and stuff. You get to recognize them.”

          And i was like, ohok and he continues.

          "you have to nip it in the bud immediately. These guys come in and it’s always a nice, polite one. And you serve them because you don’t want to cause a scene. And then they become a regular and after awhile they bring a friend. And that dude is cool too.

          And then THEY bring friends and the friends bring friends and they stop being cool and then you realize, oh shit, this is a Nazi bar now. And it’s too late because they’re entrenched and if you try to kick them out, they cause a PROBLEM. So you have to shut them down.

          And i was like, ‘oh damn.’ and he said “yeah, you have to ignore their reasonable arguments because their end goal is to be terrible, awful people.”

          And then he went back to ignoring me. But I haven’t forgotten that at all.

        • Klear@sh.itjust.works
          link
          fedilink
          arrow-up
          1
          arrow-down
          1
          ·
          1 year ago

          How does defederating them stop them from getting this public information if they want it?

          • El Barto@lemmy.world
            link
            fedilink
            arrow-up
            2
            ·
            1 year ago

            Good point. I guess they could just fire up a shell instance and get all the good stuff. I wouldn’t be too surprised, actually.

            • MrScottyTay@sh.itjust.works
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 year ago

              They don’t even need an instance to get they can just scrape it, like anyone can with public info. They wouldn’t even need to make an account for the scraper.

      • Ottomateeverything@lemmy.world
        link
        fedilink
        arrow-up
        17
        arrow-down
        4
        ·
        1 year ago

        Public? Idk, maybe. I wouldn’t generally consider my IP to username to be public. Comment and post stuff, sort of. But even if it’s public, I still wouldn’t want Meta consuming it.

        • Durotar@lemmy.ml
          link
          fedilink
          arrow-up
          16
          ·
          1 year ago

          I wouldn’t generally consider my IP to username to be public.

          Are they talking about your IP address or the service’s? Does ActivityPub even share the user’s IP address with other nodes in the network? That’d be crazy, so I assume that it doesn’t. Then Meta can’t find out your IP address.

          • Oliver Lowe@lemmy.sdf.org
            link
            fedilink
            arrow-up
            18
            ·
            edit-2
            1 year ago

            Does ActivityPub even share the user’s IP address with other nodes in the network?

            No this is not in the specification.

            A malicious instance could in theory distribute this information but it would be non-standard. Of the 2 systems I’ve studied - Mastodon and Lemmy - neither do this.

            Are they talking about your IP address or the service’s?

            In this scenario they would be talking about the IP address(es) of the services.

            • lolgcat@lemmy.ml
              link
              fedilink
              arrow-up
              4
              ·
              edit-2
              1 year ago

              Thanks for the clarification. That claim seemed really off.

              I’ve assumed that what you see publicly is basically what’s synced. Obv. your instance can have a few more meta details on you, like IP, device info, possibly all the exif they’ve stripped from uploaded photos, but these things aren’t in the ActivityPub outbox

          • Ottomateeverything@lemmy.world
            link
            fedilink
            arrow-up
            1
            ·
            1 year ago

            If a Threads user posts an image, and Meta hosts it, and I scroll through my feed and see it, my client will hit their server for said image. And Meta can collect my IP.

            Meta basically invented this shit.

        • MrScottyTay@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          7
          arrow-down
          2
          ·
          1 year ago

          I’m wide awake, isn’t this just the information transferred when federating? But they just have to put it into a TOS because they’re an actual company with liability? I really don’t see the issue with them having this information.

          • Joël de Bruijn@lemmy.ml
            link
            fedilink
            arrow-up
            2
            ·
            1 year ago

            They correlate the content of your posts with all the other data they have about you, taken from every app (besides WhatsApp, FB etc) that has FB trackers built in. Then that aggregated profile will be used with AdTech to serve ads and make money. I personally object to Meta making money with my personal data without me using their products.

            • MrScottyTay@sh.itjust.works
              link
              fedilink
              English
              arrow-up
              2
              arrow-down
              1
              ·
              1 year ago

              That’s just how adtech works in general. Every ad company has a profile on who they think you are, well more technically a cohort of potential similar profiles. Also not all profiles can equated to a single person and a single person may have multiple. That’s how wishy washy the whole tech is. It’s good enough though. Way better than seeing those flashy “download these smiley trail mouse cursors” ads the old internet used to have. Still. I don’t see the problem here, it’s just about making ads more relevant to you. If you’re not the kind to let ads sway you anyway than what’s the big deal? And if you are the kind to be swayed at least they’ll be actually relevant to what you’re into.

              • Joël de Bruijn@lemmy.ml
                link
                fedilink
                arrow-up
                1
                ·
                edit-2
                1 year ago

                The big deal is I help others make money of me without my consent or getting something back in return. At least not usefull to me. On top of that they track the hell out of me with surveillance.

      • xuxebiko@kbin.social
        link
        fedilink
        arrow-up
        5
        arrow-down
        1
        ·
        1 year ago

        Won’t matter much in a democracy, but in a dictatorship or atcracy it means life & death.

        In India, people have been imprisoned for posts & tweets for calling out Hindu supremacist Modi govt’s anti-democratic policies & communal acts, Some of them have been violently assaulted in their homes by Hindu supremacist thugs for their posts and tweets because the dictatorial govt has stooges in both Meta & Twitter who access the ip address which is tracked down by the state.

    • jhulten@infosec.pub
      link
      fedilink
      arrow-up
      20
      arrow-down
      2
      ·
      1 year ago

      Most of this is just part of Federation. When I saw this comment my client/server didn’t have to fetch it from your server. It was pushed when you posted it so I had it locally.

      • Ottomateeverything@lemmy.world
        link
        fedilink
        arrow-up
        2
        ·
        edit-2
        1 year ago

        Yes, but if you host an image, and my client prefetches it, it’s going to exposed my IP to your image server. And if you have clauses saying you’re collecting IPs…

        Meta basically invented this shit. They’ll do it again. It’s what they do.

    • Kichae@kbin.social
      link
      fedilink
      arrow-up
      15
      ·
      1 year ago

      If a Threads user is following you, they need most of this information. It’s literally how the Fediverse works. The only thing that isn’t is your IP address, and that’s something that I’m not sure they’d even get. That might be your host’s IP address.

      Remember, the Fediverse isn’t a bunch of iframes looking at 3rd party websites. It works by mirroring remote content. A follow is literally a request to ingest posts from a user.

      • Ottomateeverything@lemmy.world
        link
        fedilink
        arrow-up
        2
        ·
        1 year ago

        Yes, but many clients are going to go look up images manually. If it’s a Threads post, it’s likely hosted by Meta servers, and they can easily see your IP when doing that. And they’re saying they might collect IPs from you even if you’re not using their service directly.

    • Steeve@lemmy.ca
      link
      fedilink
      arrow-up
      16
      arrow-down
      2
      ·
      1 year ago

      Yeah, no shit, they literally can’t federate without this data, that’s how ActivityPub works lol.

      Why do you think you can see lemmy.ca votes on lemmy.world?

    • pjhenry1216@kbin.social
      link
      fedilink
      arrow-up
      4
      arrow-down
      1
      ·
      1 year ago

      No, if you’re on the fediverse and someone from a threads instance interacts with your instance.

      The IP address is only of the instance server, not yours.

    • csm10495@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      4
      arrow-down
      2
      ·
      1 year ago

      … why? All of this is more / less public information about you? Even if you defederate, they could crawl and get all of this info (except maybe ip).

      • OscarRobin@lemmy.world
        link
        fedilink
        arrow-up
        2
        arrow-down
        3
        ·
        1 year ago

        Exactly. That fact makes the mountains of defed stuff ridiculous because it makes no difference.

    • Uranium3006@kbin.social
      link
      fedilink
      arrow-up
      2
      arrow-down
      1
      ·
      1 year ago

      if any of the big corperate socmed sites were just standard fedi instances I’d defed from them in an instant for a litany of things. just goes to show how abused we are on them.

    • rastilin@kbin.social
      link
      fedilink
      arrow-up
      2
      arrow-down
      1
      ·
      1 year ago

      I don’t get it, third party users can’t consent to your stupid license agreement anyway. You’re still stealing their data.

    • Hazelnoot [she/her]@beehaw.org
      link
      fedilink
      English
      arrow-up
      24
      ·
      1 year ago

      I agree that this is nothing to panic over, but I want to clarify that Lemmy is not safe from this. Lemmy and Mastodon both use the same protocol (ActivityPub) and that’s also the protocol that Threads will use to federate. Just as Mastodon users can like, boost, and reply to Lemmy threads / comments, Threads users will be able to do the same. That’s why it’s important to defederate Threads on all ActivityPub-enabled instances.

        • Hazelnoot [she/her]@beehaw.org
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 year ago

          Defederating actually does stop Meta from accessing data (at least through ActivityPub) if you enable AUTHORIZED_FETCH / similar. That setting requires remote instances to authenticate themselves, which prevents blocked instances from querying anything. IIRC, Lemmy either already supports or plans to support that same feature.

          Meta could, of course, just use web scraping, but that can be prevented with DISALLOW_UNAUTHENTICATED_API_ACCESS. Although admittedly, I don’t think Lemmy has this feature yet.

      • Nougat@kbin.social
        link
        fedilink
        arrow-up
        5
        ·
        1 year ago

        kbin includes a “microblog” feature which is a mastodon-like implementation of ActivityPub.

          • Nougat@kbin.social
            link
            fedilink
            arrow-up
            2
            ·
            1 year ago

            I don’t use it, so I’m not super clear on it. It does feel like a bit of an afterthought.

            I do know that I’ve interacted with Mastodon users in fediverse comment threads via kbin in the “regular, reddit-like” interface. My understanding is that APub is APub is APub, and the client implementations define the format you see content in, and implement or do not implement different APub features based on how the developer(s) want to shape their client.

    • Zak@lemmy.world
      link
      fedilink
      arrow-up
      15
      ·
      1 year ago

      Threads is not Mastodon. Both are microblogging, while Lemmy is better described as a forum or link aggregator.

      It’s possible to interact with Lemmy from Mastodon. I do so regularly by tagging a community in myastodon post. Following a community from Mastodon is also possible, but the UX is rough.

    • Cethin
      link
      fedilink
      English
      arrow-up
      6
      arrow-down
      1
      ·
      1 year ago

      Good job on W, but I’m pretty sure it’s L.

    • paraphrand@lemmy.world
      link
      fedilink
      English
      arrow-up
      4
      ·
      edit-2
      1 year ago

      You can follow lemmy stuff via Mastodon accounts. 🤔 No? Do I not quite understand how and why that works?

      Your point about slowing the fuck down still stands though.

        • paraphrand@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 year ago

          Ok, that was my experience. I haven’t found a great context/use case for it yet.

          It does seem a client could be made that uses the functionality. Or a purpose deployed instance or community could make use of it too.

          But I agree, it’s hard to imagine a good use. And your point still stands about how panicking is unhelpful.

    • Ottomateeverything@lemmy.world
      link
      fedilink
      arrow-up
      6
      arrow-down
      3
      ·
      1 year ago

      Meta says, for Threads to federate, they access the same data any instance does when it federates.

      Okay, but like, I don’t want Meta consuming that data? At least if they wanted to scrape through reddit to put that together, they’d be going out of their way. This data is now just coming through the same API “for free”.

      If I didn’t mind Meta scraping through all this, why wouldn’t I just use Threads?

      This is exactly the kind of shit that pushed me here - I don’t want Meta sifting through all my shit. Its unlikely that some other instance host is going to start building psychological advertising profiles on me and sell it to the highest bidder. But you bet your ass Meta will try.

      • JoYo@lemmy.ml
        link
        fedilink
        English
        arrow-up
        8
        arrow-down
        2
        ·
        1 year ago

        If I didn’t mind Meta scraping through all this, why wouldn’t I just use Threads?

        I’m curious what precautions you have taken to prevent web scraping of your posts.

          • JoYo@lemmy.ml
            link
            fedilink
            English
            arrow-up
            3
            arrow-down
            1
            ·
            1 year ago

            They admitted to federating for research back around bluesky’s announcement.

            If you don’t want your data scraped you’ll need to use e2ee.

  • moreeni@lemm.ee
    link
    fedilink
    arrow-up
    79
    ·
    edit-2
    1 year ago

    If someone had any doubts about federation with Threads, they shouldn’t by now. Facebook is trying to turn Fediverse into Shittyverse and Fedizens should resist that

    • Krapulaolut@sopuli.xyz
      link
      fedilink
      arrow-up
      32
      arrow-down
      1
      ·
      1 year ago

      Lemmy needs an option for a user to block an instance.

      If your local instance is not going to defederate with meta then an average user can’t do anything about it.

      Yeah sure you can create a new user in other instance or selfhost an instance, but who would actually go through that?

      • Rikudou_Sage@lemmings.world
        link
        fedilink
        arrow-up
        22
        arrow-down
        3
        ·
        1 year ago

        Everyone should change their instance to one they agree with. If you don’t want to be federated to Meta, go to an instance that’s not federated.

        User blocks are pretty much a simple filter, Meta will still have your data if you block them individually instead of defederating.

        • zaphod@feddit.de
          link
          fedilink
          arrow-up
          5
          ·
          1 year ago

          Sounds great, but in the end it just means everyone has to host their own instance. That could be interesting, but I doubt everyone would want to do that.

        • whiskers@lemmings.world
          link
          fedilink
          arrow-up
          1
          ·
          1 year ago

          They are still getting the data even if we defederate them, right? It’s only us who don’t get their data. This was my understanding on how federation works

      • MBM@lemmings.world
        link
        fedilink
        arrow-up
        12
        arrow-down
        3
        ·
        1 year ago

        Moving instances is easy, I don’t see why you wouldn’t do it. If you as a user block Threads then it’ll probably only hide their stuff from you, while still sharing your posts and comments.

    • Eufalconimorph@discuss.tchncs.de
      link
      fedilink
      arrow-up
      3
      ·
      1 year ago

      Defederation means you don’t see their posts. It does NOT mean they can’t see your posts.

      I still don’t think federating with them is a good idea, but defederating won’t preserve privacy. It’ll just cut down on the “influencer” BS Meta promotes.

  • pjhenry1216@kbin.social
    link
    fedilink
    arrow-up
    66
    arrow-down
    1
    ·
    1 year ago

    Everybody, please understand what defederating means. It will not stop the defederated instance from getting the data. It just means you don’t pull theirs.

    If you want to actually control who gets data, you’d have to switch to a service like Streams. ActivityPub cannot prevent anyone from pulling data. It only allows an instance to decide not to pull from a specific location.

    • be_excellent_to_each_other@kbin.social
      link
      fedilink
      arrow-up
      20
      arrow-down
      1
      ·
      1 year ago

      Everybody, please understand what defederating means. It will not stop the defederated instance from getting the data. It just means you don’t pull theirs.

      I’m OK with that. If I wanted to talk to facebook users I’d be on facebook.

      • pjhenry1216@kbin.social
        link
        fedilink
        arrow-up
        29
        arrow-down
        1
        ·
        edit-2
        1 year ago

        Ok, but the number of people that think defederation is in anyway going to prevent this is fairly high.

        • be_excellent_to_each_other@kbin.social
          link
          fedilink
          arrow-up
          20
          ·
          1 year ago

          I see it less about preventing than about sending a clear “DO NOT WANT” message.

          I’ve been around since the prevailing attitude across all common internet services was anti-corporate, anti-commercialism. You sound like maybe you have too. We lost that battle. It’d be nice to win this one, even if in a way that matters only to Fediverse users. I know at the end of the day Meta won’t care, and it won’t stop them from slurping up our data.

          I still think there is value to the DO NOT WANT message, and when Musk or MS try the same thing, I hope we send the same message to them. Let there be one tiny corner of the internet that isn’t monetized and enshittified to death. Let the users who are happy to use those companies’ platforms use those companies platforms.

          I get that this is tangential to your complaint here, and I get it. I don’t care what peoples’ reasons are though. Every instance should support the fedipact, and when Meta finally starts federating I’ll leave my comfy kbin.social home 30 minutes later if it doesn’t.

          I hope each new revelation convinces more instance owners to do so, and more users to ask their instance owners to do so.

          • Klear@sh.itjust.works
            link
            fedilink
            arrow-up
            1
            ·
            1 year ago

            Yeah, I can get behind this “DO NOT WANT” plan. Sounds sensible. Most of the other comments here sound like a knee-jerk reaction without any understanding of the way fediverse works, just panicking mob mentality.

            But then again I don’t understand shit about the fediverse myself, so I’m not putting too much stock into my own impression. We’ll see how things shake out.

    • ag_roberston_author@beehaw.org
      link
      fedilink
      English
      arrow-up
      5
      arrow-down
      1
      ·
      1 year ago

      There’s nothing stopping them from scraping the data or getting it from the API already.

      If you put something on the internet, it is public.

  • fsxylo@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    61
    arrow-down
    3
    ·
    1 year ago

    Mother fuckers are moving to take ownership of the fediverse by calling us “third party users”.

    • Sean Tilley@lemmy.mlOPM
      link
      fedilink
      English
      arrow-up
      41
      arrow-down
      2
      ·
      1 year ago

      I’m pretty sure they mean respective to themselves and their own walled garden, but it definitely doesn’t scan well.

    • BraveSirZaphod@kbin.social
      link
      fedilink
      arrow-up
      4
      arrow-down
      7
      ·
      1 year ago

      You’ll be able to call them third party users as well, if that’s something that you’re really super sensitive to.

  • Arotrios@kbin.social
    link
    fedilink
    arrow-up
    58
    arrow-down
    3
    ·
    1 year ago

    Looks like there’s a lot of FUD around this, so I decided to jump into the ActivityPub spec and see exactly what they can and can’t get with the spec as is.

    First off, they cannot get a users individual IP unless the instance owner publishes it in the profile data as part of a “public” activity stream. I don’t know of any instance that does this currently (feel free to correct me if I’m wrong).

    It looks like what Meta is looking to do is scrape the information in the “public” tagged activity streams:

    In addition to [ActivityStreams] collections and objects, Activities may additionally be addressed to the special “public” collection, with the identifier https://www.w3.org/ns/activitystreams#Public.

    Activities addressed to this special URI shall be accessible to all users, without authentication.

    This is similar to what most instances do to show the posts of a user or community - they send a request to get “public” tagged data to publish to their end users. Within this data is all the activity information on that post - who upvoted what and who, and who commented. Again, this is the same way federation works now - your server has an activity stream of all your followed and followers that it can make available to view by tagging their activity as “public”. Many instances have this information tagged as “public” as a default.

    Now, this system works fine if you’re dealing with small actors that don’t have nefarious designs on the network, or the resources to dominate it.

    When you have a digital behemoth with grand AI designs that’s already embroiled in lawsuits where it was grabbing your medical data and regularly allows law enforcement to stroll through its records, it’s an entirely different situation. Meta has the power and capacity to not only engage in an “embrance, extend, extinguish” campaign against the Fediverse, but also to seriously threaten the privacy and well-being of Fediverse users in a way no single instance owner can.

    I think the solution here will be for individual instance owners to harden their security and if not outright de=federate from Threads, ensure that posts are private by default and that their users are made well aware in the TOS that following a Threads user will result in sharing data about their profile that could (and most likely will) be matched back to their Facebook account.

    Instances that don’t allow visibility control on posts, like Kbin and Lemmy, should look at adding an option to post only to the local server, or have the capacity to block threads.net outgoing publication based on user profile settings.

    Instances that don’t allow follow request filtering probably should look at adding it (Mastodon has it implemented - Kbin and I think Lemmy would need to catch up) - otherwise users could be unaware that they’re sending their data to threads.net when someone from that service follows them.

    I think it goes without saying that any data Meta gets will get the AI treatment - both to identify users and to sell your activity to marketers. That activity is the real goldmine for them - that’s a stream of revenue for marketing that rivals what Meta tracks on its own platform.

    As such, it may be worthwhile for instance owners to look at removing voting and boosting counts from the “public” activity feed. This would mean more fragmentation for communities whose populations span instances (vote counts would be more off than they are now), but it would prevent bad actors from easily scraping that data for behavioral analysis.

    All in all, though, I don’t believe it’s going to be a positive event when Threads does start federating. One of the nice things about the Fediverse is that the learning curve is high enough to keep the idiot count down, and I don’t really see our content or commentary here improving once Meta’s audience enters the space.

    • pjhenry1216@kbin.social
      link
      fedilink
      arrow-up
      9
      arrow-down
      1
      ·
      1 year ago

      We don’t know what they’ll do yet as there’s nothing in the article about what they do with the data or how the protect it.

      Setting everything to private by breaks the fediverse pretty much. Imagine if everyone on Twitter was only private. It severely limits everything.

      A “public” instance is just one that publishes to other instances if I understand correctly. So they would get the IP of the server instance. Which most instances actually do.

      • Arotrios@kbin.social
        link
        fedilink
        arrow-up
        3
        ·
        1 year ago

        The instance owner determines what’s on their “public” tagged activity feeds. If they remove the “public” tag from a post or user account, it’s restricted from non-authenticated requests from outside servers. You’re correct that this shouldn’t grab user IP addresses, but they could if an instance owner is including that information in what they mark as “public” profile feed data. I should reiterate that I know of no instance that does this, but the capability is there in theory (and I do know that certain forum software packages outside the Fediverse collect and publish this level of information, although it’s a dying practice).

        I’m not advocating instance owners turn everything private, but it’s clear they’re going to have to examine what they’re providing through their feeds to Threads if they’re serious about their users’ security and privacy. The safest bet is to defederate from Threads until it’s clear what Meta’s intentions are (aside from their rhetoric, which is always deceitful when it comes to user privacy).

        As to what Meta will do, they absolutely will scrape that activity data for marketing use, if they aren’t already. It’s what their entire business model on Facebook is built around - targeted ads based on user activity. Anything they say about protecting that data is lip service at best given their past performances and lawsuits. It also very likely that they’ll merge it with their existing data hoards, and do their best to de-anonymize accounts so that they can increase their data accuracy and thus their profit margin.

    • r00ty@kbin.life
      link
      fedilink
      arrow-up
      5
      ·
      1 year ago

      Pretty much wanted to say similar. Ip address isn’t known beyond your local instance (and any retention time and purposes should be stated in their privacy policy).

      The rest is standard data any federation app will collect upon seeing content from a user.

      It’s also worth noting that in general the user URL (which provides this user data) is generally also public. So if you know the user url you can get this too.

      Having said that, I do wonder how much they can monetize third party data about people that have not agreed to their privacy policy that grants such uses. It’ll be interesting to see.

      • maynarkh@feddit.nl
        link
        fedilink
        arrow-up
        4
        ·
        1 year ago

        One idea I have is that if you look at posts from their instances, they could embed images or other content that tracks you the same way the Facebook Pixel does.

  • Atemu@lemmy.ml
    link
    fedilink
    arrow-up
    36
    arrow-down
    1
    ·
    1 year ago

    I don’t know what you’re getting excited about here; this is all publicly available information which Facebook could scrape at any time they wanted (federated or not), even right this very second.

    • Sean Tilley@lemmy.mlOPM
      link
      fedilink
      English
      arrow-up
      25
      arrow-down
      1
      ·
      1 year ago

      Technically, yes, you save metadata of all of those things. However: you are not a company that profits from vast amounts of data ingestion.

      • nave
        link
        fedilink
        English
        arrow-up
        2
        arrow-down
        1
        ·
        1 year ago

        deleted by creator

      • woelkchen@lemmy.world
        link
        fedilink
        arrow-up
        1
        arrow-down
        1
        ·
        1 year ago

        However: you are not a company that profits from vast amounts of data ingestion.

        The entire current Fediverse isn’t vast data by Meta, Google, Microsoft, and Apple standards.

        • Sean Tilley@lemmy.mlOPM
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 year ago

          You aren’t making the point you think you’re making. Sure, at somewhere between 8 to 11 million accounts, the Fediverse is a small pond. Meta is a gigantic whale. Ingesting the entire graph of everyone on the network would be relatively trivial for them, storage-wise.

    • El Barto@lemmy.world
      link
      fedilink
      arrow-up
      11
      arrow-down
      1
      ·
      1 year ago

      Yes, but do you analyse this information to sell it to advertisers? Will you start posting sponsored content based on this information? And will the money you collect benefit the community you live in, or will it buy you another politician?

        • Sean Tilley@lemmy.mlOPM
          link
          fedilink
          English
          arrow-up
          8
          ·
          1 year ago

          Altering the language of a service policy (or, writing a new one) is usually a good indication that something is indeed about to change at a larger level.

          • danielton@lemmy.world
            link
            fedilink
            arrow-up
            2
            arrow-down
            2
            ·
            1 year ago

            I’m gonna play Devil’s Advocate here…

            What’s to stop them from scraping the Fediverse without federating? If they really want the data, they could very well find a way. At least they’re spelling it out here and announced an attempt at proper federation.

            • JakenVeina@lemm.ee
              link
              fedilink
              arrow-up
              3
              ·
              1 year ago

              The article discusses this, a bit. One of the other platforms is considering an enhancement to require request signatures on non-ActivityPub APIs, I.E. Meta can make unsigned requests, where the server doesn’t know who they’re from, but only get minimal (or no) data back, or Meta can make signed requests, and instance owners get to decide what data (if any) they’re okay with sharing to Meta, based on Meta’s privacy policies. Beyond API’s, you’re talking about web scraping, which is something the industry has been handling for decades.

        • El Barto@lemmy.world
          link
          fedilink
          arrow-up
          5
          arrow-down
          1
          ·
          1 year ago

          It also says exactly what they’re planning to collect for starters. That was news to me.

        • sab@lemmy.world
          link
          fedilink
          arrow-up
          3
          ·
          1 year ago

          I wouldn’t put it past them to put tracking images into posts though. Either way… I wouldn’t be happy on a server that is connected to threads.

          Speaking of which… I see lemmy world see still hasn’t defederated from Threads. I guess it’s time for me to kill my account here.

  • maynarkh@feddit.nl
    link
    fedilink
    arrow-up
    26
    ·
    1 year ago

    Stupid question, couldn’t instances just say they don’t allow scraping specifically from Facebook in their ToS and then report them for GDPR violations if they do?

    As in say that have the ToS says that “we’ll give your data to other instances because that’s how the Fediverse works, we won’t give your data to Facebook” and also “Facebook is not allowed to federate, and is not allowed to pull data”.

    Then just say that your data subjects don’t consent to any data pulling by Facebook, and Facebook scraping your system even through ActivityPub is a violation of GDPR.

    • Razp@lemm.ee
      link
      fedilink
      arrow-up
      24
      ·
      1 year ago

      But GDPR is the European thing, and Threads isn’t even available in Europe.

      • Squizzy@lemmy.world
        link
        fedilink
        arrow-up
        21
        arrow-down
        1
        ·
        1 year ago

        If there service is affecting a service in the EU then they will have to abide by Gdpr. Fact is if your server is in the EU and they scrape it they are active in the EU.

      • Ctri@beehaw.org
        link
        fedilink
        English
        arrow-up
        16
        arrow-down
        1
        ·
        1 year ago

        GDPR is a protection that applies to European citizens, regardless of where they’re situated. companies don’t get a pass because they blocked IP addresses coming from Europe.

        now, enforcement outside the EU is a challenge, but the law is written in such a way that it covers the personal info of every EU citizen regardless of location.

    • pjhenry1216@kbin.social
      link
      fedilink
      arrow-up
      4
      arrow-down
      1
      ·
      1 year ago

      Defederating won’t stop this. Defederating means you don’t pull their data, not the other way around.

      • Joël de Bruijn@lemmy.ml
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        That would require blocking their servers/domains/IP adresses at the firewall level I guess? Preferably taken from a curated list like NextDNS does?

        • pjhenry1216@kbin.social
          link
          fedilink
          arrow-up
          2
          ·
          1 year ago

          Partially. It’d help a little bit. But if you federate with another instance that doesn’t block it, that data will still get out.

          Essentially the protocol would have to be updated to carry a blacklist that all instances would adhere to, but basically via an honor system.

          The only method that could truly protect your data would be whitelisting, but that would severely hamper and fracture the fediverse.

    • millionsofplayers@lemmy.one
      link
      fedilink
      English
      arrow-up
      1
      arrow-down
      1
      ·
      1 year ago

      here before some random dude who forgot to defederate from threads gets called a meta supporter and is defederated from like a billion instances

  • Steeve@lemmy.ca
    link
    fedilink
    arrow-up
    30
    arrow-down
    11
    ·
    1 year ago

    They’re literally just taking data they need to federate, like all the other instances. Eventually people around here are going to get sick of this paranoid “fuck Meta because it’s Meta” attitude because people keep posting lame misinformation like this. I know I’m getting sick of it.

    • NightAuthor@lemmy.world
      link
      fedilink
      English
      arrow-up
      15
      arrow-down
      1
      ·
      1 year ago

      It’s not just because it’s meta, it’s because they are going to scrape up all the data they can get (even if it’s just normal fediverse stuff) and pipe it into their data mining operation. They could probably easily do it without us noticing, but if we know they’re doing it… then it’s worth talking about. And reasonable for people to dislike.

      • ryathal@sh.itjust.works
        link
        fedilink
        arrow-up
        1
        arrow-down
        1
        ·
        1 year ago

        They 100% could already be doing that far easier without threads. It’s not actually worth doing it though.

    • zagaberoo@beehaw.org
      link
      fedilink
      arrow-up
      12
      arrow-down
      1
      ·
      1 year ago

      Whether they need it to federate or not, it’s still reasonable to not want an entity as large and powerful as Meta to consume this data. Fuck Meta because it’s Meta, which has a history of being particularly heinous with user data.

      • Steeve@lemmy.ca
        link
        fedilink
        arrow-up
        6
        ·
        1 year ago

        If that’s your opinion then great, that was always allowed. What I’m sick of is spinning facts and narratives to suit biases, regardless of whether or not I agree with those biases.

      • Esqplorer
        link
        fedilink
        arrow-up
        2
        arrow-down
        2
        ·
        1 year ago

        If you don’t want Meta having this data you should not post it. They vacuum up everything.

        • zagaberoo@beehaw.org
          link
          fedilink
          arrow-up
          4
          arrow-down
          1
          ·
          1 year ago

          Of course, but that doesn’t mean people aren’t allowed to distain making that connection closer.

          I don’t imagine Meta is bothering to scrape Lemmy instances anyway. The signs would be pretty obvious I’d imagine.

          • Esqplorer
            link
            fedilink
            arrow-up
            1
            ·
            1 year ago

            I don’t imagine Meta is bothering to scrape Lemmy

            Why not? Citation needed.

  • YⓄ乙 @aussie.zone
    link
    fedilink
    English
    arrow-up
    22
    arrow-down
    3
    ·
    edit-2
    1 year ago

    All instances should start blocking them. Lemmy.world Admins should be on high alert but something tells me they won’t block meta.

    Guys, everyone move to small instances so that all the power doesnt go to one instance. I joined aussie.zone just for this reason.

  • Blizzard
    link
    fedilink
    English
    arrow-up
    20
    arrow-down
    2
    ·
    1 year ago

    Petition your instance admin to defederate from Threads!

    • pjhenry1216@kbin.social
      link
      fedilink
      arrow-up
      12
      arrow-down
      1
      ·
      1 year ago

      This wouldn’t matter. Defederating means you don’t pull their data, not the other way around.

      The article is just describing how ActivityPub works. What would be more important is how they claim to use that data. But that they collect that data is inherent to how the protocol works. They’d have to mention they collect it legally.

      • Hazelnoot [she/her]@beehaw.org
        link
        fedilink
        English
        arrow-up
        5
        ·
        1 year ago

        Defederation actually does work both ways if the instance enables AUTHORIZED_FETCH. That setting requires 3rd party systems to prove their identity before they can retrieve any data, which allows an instance to block defederated domains. I don’t know if Lemmy or Kbin supports that, but practically all of the microblogging fedi software does (that being Mastodon / GlitchSoc, Pleroma / Akkoma, Misskey / FoundKey / FireFish, and GoToSocial).

        • pjhenry1216@kbin.social
          link
          fedilink
          arrow-up
          3
          arrow-down
          1
          ·
          1 year ago

          Except that means you defederate from everyone but whitelisted instances in that scenario. If I recall, it doesn’t work as a blacklist, but as a whitelist.

            • pjhenry1216@kbin.social
              link
              fedilink
              arrow-up
              1
              ·
              1 year ago

              Looking into it, aren’t both of these only Mastodon and not part of ActivityPub itself? I can’t find details on them outside of Mastodon.

              And what prevents the post from getting published to other instances from different sources?

              • Hazelnoot [she/her]@beehaw.org
                link
                fedilink
                English
                arrow-up
                2
                ·
                1 year ago

                They are mastodon-specific, but most fedi software has a similar feature. Or at least, all of the mainstream microblogging software does, as well as some of the image / video sharing platforms. I’m unsure about Lemmy and Kbin. Here are the equivalent settings for FireFish: