This shouldn't come as a huge surprise. Meta is moving forward with their plans for Theads and the Fediverse, and their adjusted terms reflect a new impending reality for Fediverse users.
Public? Idk, maybe. I wouldn't generally consider my IP to username to be public. Comment and post stuff, sort of. But even if it's public, I still wouldn't want Meta consuming it.
Won't matter much in a democracy, but in a dictatorship or atcracy it means life & death.
In India, people have been imprisoned for posts & tweets for calling out Hindu supremacist Modi govt's anti-democratic policies & communal acts, Some of them have been violently assaulted in their homes by Hindu supremacist thugs for their posts and tweets because the dictatorial govt has stooges in both Meta & Twitter who access the ip address which is tracked down by the state.
Most of this is just part of Federation. When I saw this comment my client/server didn't have to fetch it from your server. It was pushed when you posted it so I had it locally.
Yes, but if you host an image, and my client prefetches it, it's going to exposed my IP to your image server. And if you have clauses saying you're collecting IPs...
Meta basically invented this shit. They'll do it again. It's what they do.
If a Threads user is following you, they need most of this information. It's literally how the Fediverse works. The only thing that isn't is your IP address, and that's something that I'm not sure they'd even get. That might be your host's IP address.
Remember, the Fediverse isn't a bunch of iframes looking at 3rd party websites. It works by mirroring remote content. A follow is literally a request to ingest posts from a user.
Yes, but many clients are going to go look up images manually. If it's a Threads post, it's likely hosted by Meta servers, and they can easily see your IP when doing that. And they're saying they might collect IPs from you even if you're not using their service directly.
if any of the big corperate socmed sites were just standard fedi instances I'd defed from them in an instant for a litany of things. just goes to show how abused we are on them.
Everybody, please understand what defederating means. It will not stop the defederated instance from getting the data. It just means you don't pull theirs.
If you want to actually control who gets data, you'd have to switch to a service like Streams. ActivityPub cannot prevent anyone from pulling data. It only allows an instance to decide not to pull from a specific location.
Everybody, please understand what defederating means. It will not stop the defederated instance from getting the data. It just means you don't pull theirs.
I'm OK with that. If I wanted to talk to facebook users I'd be on facebook.
Looks like there's a lot of FUD around this, so I decided to jump into the ActivityPub spec and see exactly what they can and can't get with the spec as is.
First off, they cannot get a users individual IP unless the instance owner publishes it in the profile data as part of a "public" activity stream. I don't know of any instance that does this currently (feel free to correct me if I'm wrong).
It looks like what Meta is looking to do is scrape the information in the "public" tagged activity streams:
In addition to [ActivityStreams] collections and objects, Activities may additionally be addressed to the special "public" collection, with the identifier https://www.w3.org/ns/activitystreams#Public.
Activities addressed to this special URI shall be accessible to all users, without authentication.
This is similar to what most instances do to show the posts of a user or community - they send a request to get "public" tagged data to publish to their end users. Within this data is all the activity information on that post - who upvoted what and who, and who commented. Again, this is the same way federation works now - your server has an activity stream of all your followed and followers that it can make available to view by tagging their activity as "public". Many instances have this information tagged as "public" as a default.
Now, this system works fine if you're dealing with small actors that don't have nefarious designs on the network, or the resources to dominate it.
When you have a digital behemoth with grand AI designs that's already embroiled in lawsuits where it was grabbing your medical data and regularly allows law enforcement to stroll through its records, it's an entirely different situation. Meta has the power and capacity to not only engage in an "embrance, extend, extinguish" campaign against the Fediverse, but also to seriously threaten the privacy and well-being of Fediverse users in a way no single instance owner can.
I think the solution here will be for individual instance owners to harden their security and if not outright de=federate from Threads, ensure that posts are private by default and that their users are made well aware in the TOS that following a Threads user will result in sharing data about their profile that could (and most likely will) be matched back to their Facebook account.
Instances that don't allow visibility control on posts, like Kbin and Lemmy, should look at adding an option to post only to the local server, or have the capacity to block threads.net outgoing publication based on user profile settings.
Instances that don't allow follow request filtering probably should look at adding it (Mastodon has it implemented - Kbin and I think Lemmy would need to catch up) - otherwise users could be unaware that they're sending their data to threads.net when someone from that service follows them.
I think it goes without saying that any data Meta gets will get the AI treatment - both to identify users and to sell your activity to marketers. That activity is the real goldmine for them - that's a stream of revenue for marketing that rivals what Meta tracks on its own platform.
As such, it may be worthwhile for instance owners to look at removing voting and boosting counts from the "public" activity feed. This would mean more fragmentation for communities whose populations span instances (vote counts would be more off than they are now), but it would prevent bad actors from easily scraping that data for behavioral analysis.
All in all, though, I don't believe it's going to be a positive event when Threads does start federating. One of the nice things about the Fediverse is that the learning curve is high enough to keep the idiot count down, and I don't really see our content or commentary here improving once Meta's audience enters the space.
We don't know what they'll do yet as there's nothing in the article about what they do with the data or how the protect it.
Setting everything to private by breaks the fediverse pretty much. Imagine if everyone on Twitter was only private. It severely limits everything.
A "public" instance is just one that publishes to other instances if I understand correctly. So they would get the IP of the server instance. Which most instances actually do.
The instance owner determines what's on their "public" tagged activity feeds. If they remove the "public" tag from a post or user account, it's restricted from non-authenticated requests from outside servers. You're correct that this shouldn't grab user IP addresses, but they could if an instance owner is including that information in what they mark as "public" profile feed data. I should reiterate that I know of no instance that does this, but the capability is there in theory (and I do know that certain forum software packages outside the Fediverse collect and publish this level of information, although it's a dying practice).
I'm not advocating instance owners turn everything private, but it's clear they're going to have to examine what they're providing through their feeds to Threads if they're serious about their users' security and privacy. The safest bet is to defederate from Threads until it's clear what Meta's intentions are (aside from their rhetoric, which is always deceitful when it comes to user privacy).
As to what Meta will do, they absolutely will scrape that activity data for marketing use, if they aren't already. It's what their entire business model on Facebook is built around - targeted ads based on user activity. Anything they say about protecting that data is lip service at best given their past performances and lawsuits. It also very likely that they'll merge it with their existing data hoards, and do their best to de-anonymize accounts so that they can increase their data accuracy and thus their profit margin.
Pretty much wanted to say similar. Ip address isn't known beyond your local instance (and any retention time and purposes should be stated in their privacy policy).
The rest is standard data any federation app will collect upon seeing content from a user.
It's also worth noting that in general the user URL (which provides this user data) is generally also public. So if you know the user url you can get this too.
Having said that, I do wonder how much they can monetize third party data about people that have not agreed to their privacy policy that grants such uses. It'll be interesting to see.
I don't know what you're getting excited about here; this is all publicly available information which Facebook could scrape at any time they wanted (federated or not), even right this very second.
Stupid question, couldn't instances just say they don't allow scraping specifically from Facebook in their ToS and then report them for GDPR violations if they do?
As in say that have the ToS says that "we'll give your data to other instances because that's how the Fediverse works, we won't give your data to Facebook" and also "Facebook is not allowed to federate, and is not allowed to pull data".
Then just say that your data subjects don't consent to any data pulling by Facebook, and Facebook scraping your system even through ActivityPub is a violation of GDPR.
If there service is affecting a service in the EU then they will have to abide by Gdpr. Fact is if your server is in the EU and they scrape it they are active in the EU.
They're literally just taking data they need to federate, like all the other instances. Eventually people around here are going to get sick of this paranoid "fuck Meta because it's Meta" attitude because people keep posting lame misinformation like this. I know I'm getting sick of it.
It’s not just because it’s meta, it’s because they are going to scrape up all the data they can get (even if it’s just normal fediverse stuff) and pipe it into their data mining operation. They could probably easily do it without us noticing, but if we know they’re doing it… then it’s worth talking about. And reasonable for people to dislike.
Do they get my IP if I reply to somebody or a post on Threads?
I was under the impression that I submit to my instance and then that passes the message along.
I had a quick look at the posts and comments bits of the schema and it doesn't appear to list an IP address field, unless I'm blind. Which is always possible.
Normally not, but depending on how your Fediverse instance handles images they might get it that way. For example on Lemmy (since there is only limited image caching) they would probably get your IP, because your browser would load images from the threadsnet server.
This wouldn't matter. Defederating means you don't pull their data, not the other way around.
The article is just describing how ActivityPub works. What would be more important is how they claim to use that data. But that they collect that data is inherent to how the protocol works. They'd have to mention they collect it legally.
Ostensibly, yes. However, as a company whose business model is primarily predicated on sale of personal data and analytics, this does create something of a conflict of interest, especially because of Meta's extensive involvement in surveillance capitalism.
Per the article, I really like Mike Macgirvin's stance of "I'll give you the bare minimum of data to make basic interactions work, but not one thing more."
Can someone please explain why this matters. Almost all madtadon instances are public and can be data mined by any company. Why is it such a large concern if threads is able to see a portion of the posts on the fediverse like any other mastadon instance. To me the only thing threads federation changes is allowing me to view posts on threads without the amount of MS my cursor is over the podt being data mined to know what food Ill be craving in a week.
There seems to be a general consesnus that feddiverse users don't want anything to do with meta and that instances will defederate with threads. I'm curious if the majority will follow this trend to avoid yet another EEE, or if there will be some exceptions. I bet meta will be open to pay good money to instance admins for "colaboration" if the instance is big enough.
I think the policy has more to do with your server's IP address. The language on the page is a bit vague, since they absolutely collect the IP addresses of their own users.
That's not how I read it, but I'm not going to claim to be a fediverse expert. That post specifically says:
Provided that a Third Party User is followed by or following a Threads account, Meta will ingest these pieces of data specifically:
To me, this reads as, even if a Threads user follows you, your info gets chewed up by Meta.
In other words, if you post somewhere on the Fediverse, and some Threads user bumps into it, they can follow you, and that will send all that data to Meta. And it looks to include data well beyond the post the Threads user saw.
To me, this is a "sound the alarm" moment. If you came here to avoid Meta's data harvesting, this sounds like you at least need to be on an instance defederated from threads, but I'm not sure even that's enough.
if you post somewhere on the Fediverse, and some Threads user bumps into it, they can follow you, and that will send all that data to Meta. And it looks to include data well beyond the post the Threads user saw.
exactly
and that is why #hubzilla and #streams have a permission system to avoid that... you can set up rules and decide who can see your posts and what they can to with it...