• jet@hackertalks.com
    link
    fedilink
    English
    arrow-up
    44
    arrow-down
    4
    ·
    1 year ago

    You’re 100% not anonymous. On Lemmy it’s trivial to see who you are. If your activities put you in danger from your local authorities, lemmy is going to be very dangerous for you.

    Let’s suppose your documenting human rights abuses in authoritarian country A. You post that documentation to a local Lemmy instance. That instance is federated. Your post makes it across the lemme verse. All is good. But repressive government A wants to kill that post. So they Target the original Lemmy instance, and all of the users using it, that they can exert control over. They may not know a specifically you, but an authoritarian government would have no problem talking to everybody using that instance.

    If you’re in danger from local authorities, you need to use more than just Lemmy. Use tor, using anonymous VPN, follow the EFFs guide for investigative journalists.

    https://ssd.eff.org/

    • Nath@aussie.zone
      link
      fedilink
      arrow-up
      21
      arrow-down
      1
      ·
      1 year ago

      I’m sorry, what?

      We are not a big instance, but there is no way on earth we are handing any details of our users to some foreign government. It would actually be against Australian law to do that if we even wanted to.

      Hell, we don’t even know anything about our users. Most of them have provided an email. That’s literally all we know about them.

      • jet@hackertalks.com
        link
        fedilink
        English
        arrow-up
        13
        ·
        edit-2
        1 year ago

        An oppressive government doesn’t need your cooperation, they can simply monitor the traffic and see who’s connecting to your instance from their country. Especially if the user isn’t using a VPN. Some governments are in the habit of logging all internet traffic, maybe not the data itself, but the flow information. So then they just look at who from their country was connected to your instance at the time of this post. And it becomes fairly easy for them to backtrack responsibility

        If it happens to be the government of the location of the server, they can physically take it and take the logs.

        If the country of the servers location, and the oppressive government have legal agreements, it could be part of a criminal investigation which gives up the users information, or civil discovery.

        Lemmy is decentralized, which is great, but it is not anonymous.

        Not to mention the Mosaic theory of information discovery, most users are probably outing themselves through all of their posts. If they post frequently. Especially if you have domestic information sources, you can take photos find locations, take all the constraints from all their posts and find a fingerprint for the person. You could do it for me. I’ve outed enough information from my posts where you can find who I am if you have enough ancillary data.

        • Nath@aussie.zone
          link
          fedilink
          arrow-up
          9
          arrow-down
          1
          ·
          1 year ago

          Our servers sit behind cloudfront, the same as half the Internet. All that foreign government will see is cloudfront traffic. That won’t tell them much. I don’t think Amazon will give out their data to some foreign government easily either, since that’s their whole business model.

          It isn’t as trivial to identify a user from their metadata as you seem to be saying.

          • jet@hackertalks.com
            link
            fedilink
            English
            arrow-up
            8
            ·
            edit-2
            1 year ago

            I stand behind my advice.

            Especially because the OP is posting from suppo.fi and not using your setup from Aussie.zone.

            If someone is at risk, they should follow the data hygiene suggested by the EFF. Especially if they’re concerned about their safety. Which was the implication in OP’s post.

            To your point about cloud front, not all web clients use encryptid hello yet, or encrypted DNS, so people monitoring connections to cloud front can see the domain you’re trying to connect to. This is exactly why CloudFront and AWS were upset with the signal foundation for doing domain front running when connecting to their services.

      • socsa@lemmy.ml
        link
        fedilink
        arrow-up
        4
        ·
        1 year ago

        I think there’s a real fear that federation can potentially leak a significant amount of user data, down to IPs and tracking fingerprints. Even if the version in the main git doesn’t do that, it’s not inconceivable that this kind of data mining could be quietly implemented as extensions/forks at some point. The threat surface just seems so massive with all the different servers involved in the trust model.

    • hoshikarakitaridia@sh.itjust.works
      link
      fedilink
      arrow-up
      3
      ·
      1 year ago

      I wanna add to this that censoring is a bit more relaxed. Every post lies on an instance, and control is given to hosts of an instance. So to censor, an actor has to gain control of the instance or the account that made the post.

      That said, if you are in the confines of political oppression, as the commenter above me said, never take your anonymity for granted and take active steps to stay safe.