cross-posted from: https://lemmy.blahaj.zone/post/7193618

The “free fediverses” are regions of the fediverse that reject Meta and surveillance capitalism. This post is part of a series looking at strategies to position the free fediverses as an alternative to Threads and “Meta’s fediverses”.

  • 𝕯𝖎𝖕𝖘𝖍𝖎𝖙@lemmy.world
    link
    fedilink
    English
    arrow-up
    15
    arrow-down
    5
    ·
    10 months ago

    You do realize that federating with meta doesn’t mean that the instances which allow federation with meta will be tracked more, right? Meta users are going to be tracked as much as meta users are going to be tracked. The old tricks that facebook used to do to track everyone with a facebook account everywhere on the net don’t really work any more in modern browsers and won’t ever work on an instance that doesn’t have a facebook “share this link” or “like button” integration.

    Technically, if an instance did have those buttons and facebook users in older browsers used those instances, that would be tracked by meta, even if the instance itself didn’t federate with meta.

    • The Nexus of Privacy@lemmy.blahaj.zoneOP
      link
      fedilink
      English
      arrow-up
      9
      arrow-down
      1
      ·
      10 months ago

      You do realize that instances federating with Threads will share data with Threads, and that Meta’s supplemental privacy policy specifically says that they’ll use all activity that federates to meta for tracking and ad targeting, right?

      So for example, if you’re on an instance that federates with Threads, and somebody on Threads is following you, all of your posts – including your followers-only posts – will get tracked by Meta. Or if somebody who boosts your post and they’ve got followers on Threads, your post will be tracked by Meta. Or if you like, boost, or reply to a post that originated on Threads, it gets tracked my Meta. And these are just the most obvious cases. What about if somebody on an instance that’s not Threads replies to a Threads post, and you reply to the reply? It depends on the how the various software implements replies – ActivityPub allows different possibilities here. And there are plenty of other potential data flows to Meta as well.

      Of course they’re still just at the early stages of federation so it’s hard to know just how it’ll work out. Individually blocking Threads might well provide a lot of protection. But in general, instances which federate with Meta will almost certainly be tracked significantly more than instances that don’t.

      • 𝕯𝖎𝖕𝖘𝖍𝖎𝖙@lemmy.world
        link
        fedilink
        English
        arrow-up
        4
        arrow-down
        3
        ·
        10 months ago

        I just wrote a comment explaining in detail how tracking works and why it wouldn’t work with lemmy. I suggest you read it or skim it first https://lemmy.world/comment/6404079

        You do realize that instances federating with Threads will share data with Threads, and that Meta’s supplemental privacy policy specifically says that they’ll use all activity that federates to meta for tracking and ad targeting, right?

        If those instances choose to share data with Threads, you should not join those instances. Federating with threads shares “data” in the form of content, which is how the fediverse works. But this data is the content we are looking for - posts. The “data” you’re worried about being shared (tracking info, identifying info) won’t be shared. See the linked post for more details.

        So for example, if you’re on an instance that federates with Threads, and somebody on Threads is following you, all of your posts – including your followers-only posts – will get tracked by Meta. Or if somebody who boosts your post and they’ve got followers on Threads, your post will be tracked by Meta. Or if you like, boost, or reply to a post that originated on Threads, it gets tracked my Meta. And these are just the most obvious cases. What about if somebody on an instance that’s not Threads replies to a Threads post, and you reply to the reply? It depends on the how the various software implements replies – ActivityPub allows different possibilities here. And there are plenty of other potential data flows to Meta as well.

        I’ve got some bad news for you buddy: there’s defederating and there’s blocking. If meta or any other company wants to right now they can create a crawler for the entire fediverse, follow everyone and log everything. We have no evidence that people aren’t already doing this so I would assume that they are. Lemmy isn’t an isolated island, it’s a public internet-type software where content exists on the internet. Don’t want your content used by AI or linked to your pseudoanonymous lemmy account? Your only option is to join an instance that isn’t connected to the Internet (at least not publicly allowing access to accounts, something where all communities to community members only. Federation simply means that Threads users can’t interact with your instance and vice versa.

        Please keep in mind that there are open source developers who understand that facebook is just another silly site (i.e., isn’t the internet, isn’t the gods of the internet). The only way this tracking nightmare you’re describing comes true is if Lemmy developers decide to make instances track users and ship that private tracking data to facebook.

        As for “site A tracks users who interact with site A” yeah, that’s the internet for you.

        Of course they’re still just at the early stages of federation so it’s hard to know just how it’ll work out. Individually blocking Threads might well provide a lot of protection. But in general, instances which federate with Meta will almost certainly be tracked significantly more than instances that don’t.

        Federation isn’t complex. I explained this in the linked post. The one point I want to put across here is, if your instance decides to defederate from threads, your instance is still going to be tracked by meta and everyone else, and you probably won’t care because you haven’t in the past. It’s a different kind of tracking, not the 3rd party web-based tracking we’re used to when just visiting any site. There’s some exceptions to this which I’ve outlined in the linked post.

        • The Nexus of Privacy@lemmy.blahaj.zoneOP
          link
          fedilink
          English
          arrow-up
          2
          ·
          edit-2
          10 months ago

          𝕯𝖎𝖕𝖘𝖍𝖎𝖙: If those instances choose to share data with Threads, you should not join those instances.

          Also 𝕯𝖎𝖕𝖘𝖍𝖎𝖙: Federating with threads shares “data” in the form of content

          I appreciate all the time and energy you’re putting into the comments here, but what it comes down to is that you’re not concerned about the difference between the federation scenario – where this data is given to Threads under an agreement that explicitly consents to giving Meta the right to use the data for virtually whatever they want – and the situation today – where Meta and others can do the work to non-consensually scrape public data on sites that don’t put up barriers.

          We’re not going to convince each other, and we’ve both got enough walls of text up that at this point neither of us are going to convince people reading the thread who aren’t already convinced, so let’s save ourselves the time and energy and leave it here.

          • 𝕯𝖎𝖕𝖘𝖍𝖎𝖙@lemmy.world
            link
            fedilink
            English
            arrow-up
            3
            arrow-down
            2
            ·
            10 months ago

            I pretty clearly described the difference in “data” between the data we want and data we don’t want. Try re-reading that and if it still doesn’t make sense I’ll explain in more detail.

            I appreciate all the time and energy you’re putting into the comments here, but what it comes down to is that you’re not concerned about the difference between the federation scenario – where this data is given to Threads under an agreement that explicitly consents to giving Meta the right to use the data for virtually whatever they want – and the situation today – where Meta and others can do the work to non-consensually scrape public data on sites that don’t put up barriers.

            Buddy, that’s the internet:

            where this data is given to Threads under an agreement that explicitly consents to giving Meta the right to use the data for virtually whatever they want

            This is how data is exchanged on the internet. It’s less of an agreement and more of a protocol. If you’re trying to claim here that an artist putting up a peice of work on a fediverse site means that facebook now has full rights to that work, I think you’re mistaken. Yes, as part of how the fediverse operates, if you are federated with my server, you are giving me permission to federate the federated content with my server’s users. This is currently happening right now across all federated instances.

            We’re not going to convince each other, and we’ve both got enough walls of text up that at this point neither of us are going to convince people reading the thread who aren’t already convinced, so let’s save ourselves the time and energy and leave it here.

            It’s a shame, because we have the same goal in mind: not being tracked by facebook / meta. We aren’t on opposing sides of this issue. My point is that defederating from meta doesn’t stop meta from tracking you online. If you want to stop meta from tracking you online, you need to do the following:

            1. don’t participate in meta’s services. This means facebook, instagram, threads, the entire ecosystem that meta has created. Deactivate, delete your accounts, etc.
            2. don’t participate in the fediverse via meta’s servers (this is the same as #1 really).
            3. Use an anonymous handle on the fediverse
            4. Use a modern web browser that is up to date (which blocks 3rd party cookies by default, or configure your browser to do so)
            5. Block content from facebook domains at a router level if possible to protect your entire house.

            Defederating isn’t on the list because defederating from meta doesn’t stop meta from tracking you.

            • The Nexus of Privacy@lemmy.blahaj.zoneOP
              link
              fedilink
              English
              arrow-up
              2
              ·
              10 months ago

              Yes, you described what you see as the difference between data and “data” clearly. And I described what I see as the implications clearly. If anybody’s still reading the thread, they can make their own conclusions.

              It’s less of an agreement and more of a protocol.

              Threads Supplemental Privacy Policy begs to differ that there’s not an agreement here.

              My point is that defederating from meta doesn’t stop meta from tracking you online.

              I never claimed it did. It eliminates one path of consensually sharing data (or “data”, in your terms) with Meta.

              In terms of your list, my perspective is that a server that federates with Threads is part of Meta’s ecosystem – #1 in your list. You don’t seem to see it that way, and that’s what we’re not going to convince each other about.

              • 𝕯𝖎𝖕𝖘𝖍𝖎𝖙@lemmy.world
                link
                fedilink
                English
                arrow-up
                1
                arrow-down
                1
                ·
                10 months ago

                Threads Supplemental Privacy Policy begs to differ that there’s not an agreement here.

                Threads is a company and it needs a legal document to describe how the social media site operates. A website needs to copy and distribute content in order to show content. Federated websites need to copy and distribute content from other federated servers and their own server in order to show content. This is how lemmy.world and blajah.zone can speak as if we are on the same server. Each fediverse should also include a similar privacy policy as it describes how their content is distributed on the internet. Facebook’s privacy policy likely describes how your content may be seen on other facebook products and in facebook apps. These legal documents spell out how systems operate. You assume a similar risk with each site you operate on.

                I never claimed it did. It eliminates one path of consensually sharing data (or “data”, in your terms) with Meta.

                (data, ‘data’, data, “data”) are all the same term. Let’s use better terms:

                • posts (the content that you give to a federated site: your handle, your comments, your OC, etc…)
                • public identity (the information about who posted the content that is publicly accessible: e.g., your handle, your display name, bio, profile picture, maybe your IP address, user agent, email address, matrix handle, skype, other contact info if you’ve provided it and if that instance makes that information public)
                • private identity (the information that we assume will be kept private and not shared with others: the token that identifies you to the server via a 1st party cookie (i.e., your “token” that allows you to stay logged into the site you are currently using), any personally-identifyable-data (PII) that you may have given to a site in order to operate - not something that I’ve seen with lemmy sites but would be true if you’ve ever had to upload this information to the server, such as with setting up an account with a financial institution, basically anything that could be used to track you, specificially online and offline.

                Facebook is evil for a lot of reasons but their original sin was the 3rd party tracking which, thanks to their assets (images) being put everywhere because site owners wanted better SEO and engagement with facebook users, facebook could send a cookie with a random id that specifes some user as it travels from site to site and then link that random id with the facebook user when that user logs into facebook. This allowed facebook to track its users everywhere on the internet. However, this didn’t allow facebook to identify non-facebook users like it could with facebook users. All facebook would end up with when tracking non-facebook users is information about what a random user viewed on the web - this isn’t great (and can only be stopped if you just block facebook at the router or browser level) but at least that user stayed anonymous. The motivation for this tracking was to push more targeted advertisements to facebook users, where facebook actual stands to earn a profit. There isn’t a lot of profit in just identifying users online if those users stay anonymous… except of course of internet advertising (programmatic advertisements). This is why it’s also important to interact with sites which do not have programmatic advertisements - these are most advertisements now a days, especially if that ad feels targeted specifically to you based on a site you’ve been to. You want to worry about tracking, look into how the programmatic ad industry works - of which facebook is a part but most importantly doesn’t involve federation because that’s something totally separate and something which actually protects against tracking.

                Think of federation as a site downloading an image and reserving it to you. Tracking happens in the serving of an asset (image, video, etc), so if you are getting that content from the site you trust won’t track you, then … you won’t be tracked. A nasty site that wants to track you cannot get your information via the fediverse, since the federated site simply copies and privately redistributes the copy to its users, leaving the nasty site only knowing that “this instance with thousands of users received our content” - not very useful for tracking, advertising or for ad revenue, doesn’t provide any data that would be valueable for data sellers either.

                In terms of your list, my perspective is that a server that federates with Threads is part of Meta’s ecosystem – #1 in your list. You don’t seem to see it that way, and that’s what we’re not going to convince each other about.

                Please stop putting words in my mouth. I am capable of speaking on my own terms. Also, by your perspective, a server that receives and processes email from meta is part of meta’s ecosystem. That statement would be correct if you replace “meta” with “the internet”.

                Also, why are we discussing this with Meta when there’s a log bigger threat out there (ABC/Google, search engines and scrapers)? And by “threat” I mean “how the web has always operated”. I feel like writing an application that showed users how easily they could be tracked on the fediverse even if that instance were not federated by any other servers.

                • The Nexus of Privacy@lemmy.blahaj.zoneOP
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  10 months ago

                  Meta is a company whose business model depends on exploiting the data it gathers, and its privacy policies are carefully written to give it as much flexibility as possible. It’s true that if you’re on an instance that federates with Threads you’re assuming that risk. If you compare their language to a policy that’s written with a goal of privacy – like eu.social’s the differences are clear.

                  Please stop putting words in my mouth.

                  OK, then, speak for yourself: do you see instances that federeate with Threads as being part of Meta’s ecosystem?

                  • 𝕯𝖎𝖕𝖘𝖍𝖎𝖙@lemmy.world
                    link
                    fedilink
                    English
                    arrow-up
                    1
                    arrow-down
                    1
                    ·
                    10 months ago

                    do you see instances that federeate with Threads as being part of Meta’s ecosystem?

                    That depends on what you mean by “Meta’s ecosystem”. If we consider Meta’s ecosystem to contain only the entities which directly help Meta earn money in exchange for tracking data, then the answer is no, for reasons I have explained.

                    If you consider “Meta’s ecosystem” to be “ActivityPub federated instances which do not block ActivityPub data from going to Meta” then the answer is yes, but that’s an arbitrary definition. How does meta profit from this? By showing more and different memes to its existing userbase? You could argue that by giving meta more content, the engaged users on meta’s properties will be more engaged and more likely to see an ad served by meta’s property to the user, leading to higher time on site. It’s a weak argument if your concern is being tracked by meta, as ActivityPub doesn’t share tracking information between servers.

                    I personally define “Meta’s ecosystem” to be meta’s properties and I suppose by extension any site which helps meta do its tracking: any site which shows facebook buttons served directly from facebook, therefor allowing tracking in older browsers. I consider ActivityPub to be a protocol not that far off from RSS or even Email, although RSS is a better comparison as it also happens over HTTP[S]. I define it this way because of my work as a web developer who has also built tracking systems similar to how Facebook’s tracking works, though not as sinister (I used 1st party cookies and pixels, similar to Google Analytics, prior to GA being free years ago). I’ve also worked for some websites that relied on ad views, and learned how programmatic works (tl;dr: each ad you see is an action for your eyeballs based on the data collected by hundreds of other agencies you may not even know of). I’ve also worked for startups where a large part of generating a high valuation for the company involved simply having contact information of hundreds of users as well as some basic information about their preferences. A startup like that would then have data to sell to a broker for programmatic ads.

                    Ultimately, websites (and instances) require money to stay up. Money comes from volunteers, donations or ad revenue / subscriptions. Programmatic ads can be included inside any website or app, and most importantly, an instance owner could choose to provide tracking data to facebook and other data brokers just to show advertisements, all while choosing to defederate from Meta’s fediverse properties either knowingly or unknowingly. It’s kind of like adding high-security locks on your doors and then leaving your windows open. If the end goal is to provide an instance which respects privacy of its users, that instance needs to choose to show ethical advertising (not programmatic, databroker-based ads which require sending the user’s data with each ad visit). Federating or defederating from meta’s properties won’t send any data to meta’s properties that every instance owner doesn’t already get as a part of ActivityPub federation.

    • Valmond@lemmy.mindoki.com
      link
      fedilink
      English
      arrow-up
      2
      ·
      10 months ago

      But where will meta put its ads, and how can it filter what you see if you can’t (as a user of an instance blocking meta/threads/…) subscribe to meta instances?

      I mean it’s just a hot mess, so I’m all for blocking those predatory psycopaths even if it theoretically isn’t needed in some cases.

      • 𝕯𝖎𝖕𝖘𝖍𝖎𝖙@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        arrow-down
        3
        ·
        10 months ago

        Ask your same question about any other instance.

        For example, what’s keeping me from setting up my own instance that just spams ads across every community? Answer: nothing.

        What could owners of instances do to prevent seeing advertisements? Answer: defederate.

        How much are users of instances that don’t defederate from my spam instance tracked? Answer: the same as any other site.

        Tracking online works by communication with a client and server, ideally with identifying information. Everyone on the web has some identifying information, such as IP address and user agent. The problem is, IP addresses are shared with many people, the same as user agents. The only way to uniquely identify a user online is with cookies. Facebook used 3rd party cookies to track users who visted site A when site A has a image serve from facebook servers. Facebook gives the visitor a 3rd party cookie “You are now 93ga3490f” and logs that the cookie was served to visitor 93ga3490f on site A. That visitor then goes to site B and sees a facebook like image button, but this time when the user asks for the like button from facebook, the browser says “Hello, I am 93ga3490f requesting the facebook like button” and facebook records that 93ga3490f also visited Site B. Honestly this is still pretty useless until that user logs into their facebook account. At this point, the browser tells facebook, “Hello, I am 93ga3490f logging into facebook with email xyz@example.com” and facebook records xyz@example.com as visitor of Sites A and B (formerly user 93ga3490f.)

        How does tracking work with federation? Answer: it doesn’t. Federation you can think of as a server subscribing to another server. You’re offline, and instanceXYZ downloads a copy of new content uploaded to instanceABC, since instanceABC and instanceXYZ are federated with one another. You go online, log onto your instance (instanceXYZ) and instanceXYZ serves you the downloaded content that it previously got from instanceABC. instanceABC doesn’t know you’ve viewed this, doesn’t know you’ve downloaded this. All instanceABC knows is that instanceXYZ copied this content for all of its users. The only way you can be tracked here is:

        1. instanceXYZ decides to track what it serves to you.
        2. OR instanceXYZ decides to include a facebook like / share button for each post AND you are using an outdated web browser to use lemmy AND you have a facebook account.