This shouldn’t come as a huge surprise. Meta is moving forward with their plans for Theads and the Fediverse, and their adjusted terms reflect a new impending reality for Fediverse users.
I don’t know what you’re getting excited about here; this is all publicly available information which Facebook could scrape at any time they wanted (federated or not), even right this very second.
They probably already do.
Shhh, I train my AI here.
Looks like there’s a lot of FUD around this, so I decided to jump into the ActivityPub spec and see exactly what they can and can’t get with the spec as is.
First off, they cannot get a users individual IP unless the instance owner publishes it in the profile data as part of a “public” activity stream. I don’t know of any instance that does this currently (feel free to correct me if I’m wrong).
It looks like what Meta is looking to do is scrape the information in the “public” tagged activity streams:
In addition to [ActivityStreams] collections and objects, Activities may additionally be addressed to the special “public” collection, with the identifier https://www.w3.org/ns/activitystreams#Public.
Activities addressed to this special URI shall be accessible to all users, without authentication.
This is similar to what most instances do to show the posts of a user or community - they send a request to get “public” tagged data to publish to their end users. Within this data is all the activity information on that post - who upvoted what and who, and who commented. Again, this is the same way federation works now - your server has an activity stream of all your followed and followers that it can make available to view by tagging their activity as “public”. Many instances have this information tagged as “public” as a default.
Now, this system works fine if you’re dealing with small actors that don’t have nefarious designs on the network, or the resources to dominate it.
When you have a digital behemoth with grand AI designs that’s already embroiled in lawsuits where it was grabbing your medical data and regularly allows law enforcement to stroll through its records, it’s an entirely different situation. Meta has the power and capacity to not only engage in an “embrance, extend, extinguish” campaign against the Fediverse, but also to seriously threaten the privacy and well-being of Fediverse users in a way no single instance owner can.
I think the solution here will be for individual instance owners to harden their security and if not outright de=federate from Threads, ensure that posts are private by default and that their users are made well aware in the TOS that following a Threads user will result in sharing data about their profile that could (and most likely will) be matched back to their Facebook account.
Instances that don’t allow visibility control on posts, like Kbin and Lemmy, should look at adding an option to post only to the local server, or have the capacity to block threads.net outgoing publication based on user profile settings.
Instances that don’t allow follow request filtering probably should look at adding it (Mastodon has it implemented - Kbin and I think Lemmy would need to catch up) - otherwise users could be unaware that they’re sending their data to threads.net when someone from that service follows them.
I think it goes without saying that any data Meta gets will get the AI treatment - both to identify users and to sell your activity to marketers. That activity is the real goldmine for them - that’s a stream of revenue for marketing that rivals what Meta tracks on its own platform.
As such, it may be worthwhile for instance owners to look at removing voting and boosting counts from the “public” activity feed. This would mean more fragmentation for communities whose populations span instances (vote counts would be more off than they are now), but it would prevent bad actors from easily scraping that data for behavioral analysis.
All in all, though, I don’t believe it’s going to be a positive event when Threads does start federating. One of the nice things about the Fediverse is that the learning curve is high enough to keep the idiot count down, and I don’t really see our content or commentary here improving once Meta’s audience enters the space.
deleted by creator
One idea I have is that if you look at posts from their instances, they could embed images or other content that tracks you the same way the Facebook Pixel does.
deleted by creator
Pretty much wanted to say similar. Ip address isn’t known beyond your local instance (and any retention time and purposes should be stated in their privacy policy).
The rest is standard data any federation app will collect upon seeing content from a user.
It’s also worth noting that in general the user URL (which provides this user data) is generally also public. So if you know the user url you can get this too.
Having said that, I do wonder how much they can monetize third party data about people that have not agreed to their privacy policy that grants such uses. It’ll be interesting to see.
deleted by creator
We don’t know what they’ll do yet as there’s nothing in the article about what they do with the data or how the protect it.
Setting everything to private by breaks the fediverse pretty much. Imagine if everyone on Twitter was only private. It severely limits everything.
A “public” instance is just one that publishes to other instances if I understand correctly. So they would get the IP of the server instance. Which most instances actually do.
The instance owner determines what’s on their “public” tagged activity feeds. If they remove the “public” tag from a post or user account, it’s restricted from non-authenticated requests from outside servers. You’re correct that this shouldn’t grab user IP addresses, but they could if an instance owner is including that information in what they mark as “public” profile feed data. I should reiterate that I know of no instance that does this, but the capability is there in theory (and I do know that certain forum software packages outside the Fediverse collect and publish this level of information, although it’s a dying practice).
I’m not advocating instance owners turn everything private, but it’s clear they’re going to have to examine what they’re providing through their feeds to Threads if they’re serious about their users’ security and privacy. The safest bet is to defederate from Threads until it’s clear what Meta’s intentions are (aside from their rhetoric, which is always deceitful when it comes to user privacy).
As to what Meta will do, they absolutely will scrape that activity data for marketing use, if they aren’t already. It’s what their entire business model on Facebook is built around - targeted ads based on user activity. Anything they say about protecting that data is lip service at best given their past performances and lawsuits. It also very likely that they’ll merge it with their existing data hoards, and do their best to de-anonymize accounts so that they can increase their data accuracy and thus their profit margin.
Can’t speak for kbin but Lemmy doesn’t collect or store IP addresses at all.
Like tentacles of a blood sucking octopus…
For all the fucks’ sakes, people.
Yes, Meta sucks. But at least get your shit together before you all start falling over each other to say how these ToS changes mean that Zuck has now given birth to Time Travelling Baby Hitler or some shit.
Meta says, for Threads to federate, they access the same data any instance does when it federates.
And as far as LEMMY.world defederating from Threads… LEMMY. That’s like saying Twitter (or W, or whatever the hell it is now), shouldn’t put Facebook posts in its timeline. Threads is a Mastodon concern. Not Lemmy.
🤦♂️ Ya fuckin’ tinfoil hat nerds. I love you all. But God damn.
deleted by creator
If all you’re looking for is eloquence and footnotes, this person in this post’s comments already has you covered…
https://kbin.social/m/fediverse@lemmy.ml/t/410613/-/comment/2032665
deleted by creator
Threads is not Mastodon. Both are microblogging, while Lemmy is better described as a forum or link aggregator.
It’s possible to interact with Lemmy from Mastodon. I do so regularly by tagging a community in myastodon post. Following a community from Mastodon is also possible, but the UX is rough.
Good job on W, but I’m pretty sure it’s L.
You can follow lemmy stuff via Mastodon accounts. 🤔 No? Do I not quite understand how and why that works?
Your point about slowing the fuck down still stands though.
You can follow @user@instance or @community@instance on Mastodon. But you just get blasted by every post and comment, one by one, in unthreaded CHRONOLOGICAL order.
So while you can do it, the question is… should you?
Ok, that was my experience. I haven’t found a great context/use case for it yet.
It does seem a client could be made that uses the functionality. Or a purpose deployed instance or community could make use of it too.
But I agree, it’s hard to imagine a good use. And your point still stands about how panicking is unhelpful.
Mastodon users can post on lemmy
Watch this
Meta says, for Threads to federate, they access the same data any instance does when it federates.
Okay, but like, I don’t want Meta consuming that data? At least if they wanted to scrape through reddit to put that together, they’d be going out of their way. This data is now just coming through the same API “for free”.
If I didn’t mind Meta scraping through all this, why wouldn’t I just use Threads?
This is exactly the kind of shit that pushed me here - I don’t want Meta sifting through all my shit. Its unlikely that some other instance host is going to start building psychological advertising profiles on me and sell it to the highest bidder. But you bet your ass Meta will try.
If I didn’t mind Meta scraping through all this, why wouldn’t I just use Threads?
I’m curious what precautions you have taken to prevent web scraping of your posts.
Probably none. For all he knows Meta already owns a couple small instances.
They admitted to federating for research back around bluesky’s announcement.
If you don’t want your data scraped you’ll need to use e2ee.
I agree that this is nothing to panic over, but I want to clarify that Lemmy is not safe from this. Lemmy and Mastodon both use the same protocol (ActivityPub) and that’s also the protocol that Threads will use to federate. Just as Mastodon users can like, boost, and reply to Lemmy threads / comments, Threads users will be able to do the same. That’s why it’s important to defederate Threads on all ActivityPub-enabled instances.
Technically. Yes.
But doing so is onerous enough that I can’t see it as any sort of “threat”.
And again… Defederating does absolutely zero to restrict Meta from being able to access your info. Defederating means you don’t see Meta. It doesn’t block Meta from seeing you.
You don’t even need to dip your toes into ActivityPub to scrape most of the data. It’s public – aside (I think) from just user IP addresses on Mastodon. And in the case of Lemmy, I don’t think there’s anything you can’t access from outside of ActivityPub.
Defederating actually does stop Meta from accessing data (at least through ActivityPub) if you enable AUTHORIZED_FETCH / similar. That setting requires remote instances to authenticate themselves, which prevents blocked instances from querying anything. IIRC, Lemmy either already supports or plans to support that same feature.
Meta could, of course, just use web scraping, but that can be prevented with DISALLOW_UNAUTHENTICATED_API_ACCESS. Although admittedly, I don’t think Lemmy has this feature yet.
Even DISALLLOW_UNAUTHENTICATED_API_ACCESS can be easily bypassed by creating a client that logs into mastodon.social (for example), and just gobbles up the Federated feed.
It’s what the FediBuzz relays are now doing in order to keep single-user instances viable and not funnel everyone to the same 3 instances.
Unfortunately, if Meta wants to be shitty, they’ll be shitty. Even stuff like robots.txt & nofollow tags are just polite requests that can be ignored by shitheads.
kbin includes a “microblog” feature which is a mastodon-like implementation of ActivityPub.
Without jumping through flaming hoops, though… does the “Threads” tab really ever talk to the “Microblog” tab? (aside from your kbin account being able to interface with both)
(I do find it funny that kbin’s “Threads” is their Lemmy/Reddit-like, and not their Mastodon/Threads/Twitter-like)
I don’t use it, so I’m not super clear on it. It does feel like a bit of an afterthought.
I do know that I’ve interacted with Mastodon users in fediverse comment threads via kbin in the “regular, reddit-like” interface. My understanding is that APub is APub is APub, and the client implementations define the format you see content in, and implement or do not implement different APub features based on how the developer(s) want to shape their client.
This will be the death knell of any instance that does no defederate/blacklist them.
All instances should start blocking them. Lemmy.world Admins should be on high alert but something tells me they won’t block meta.
Guys, everyone move to small instances so that all the power doesnt go to one instance. I joined aussie.zone just for this reason.
Any instance that federates with this garbage should be mass defederated
Defederating won’t stop this. Defederating means you don’t pull their data, not the other way around.
That would require blocking their servers/domains/IP adresses at the firewall level I guess? Preferably taken from a curated list like NextDNS does?
Partially. It’d help a little bit. But if you federate with another instance that doesn’t block it, that data will still get out.
Essentially the protocol would have to be updated to carry a blacklist that all instances would adhere to, but basically via an honor system.
The only method that could truly protect your data would be whitelisting, but that would severely hamper and fracture the fediverse.
deleted by creator
Yeah I agree. Can’t be federating with Instagram: comments section™, owned by Facebook®.
If someone had any doubts about federation with Threads, they shouldn’t by now. Facebook is trying to turn Fediverse into Shittyverse and Fedizens should resist that
Lemmy needs an option for a user to block an instance.
If your local instance is not going to defederate with meta then an average user can’t do anything about it.
Yeah sure you can create a new user in other instance or selfhost an instance, but who would actually go through that?
Yeah sure you can create a new user in other instance or selfhost an instance, but who would actually go through that?
A lot of people
https://github.com/CMahaff/lasim makes it two clicks
Moving instances is easy, I don’t see why you wouldn’t do it. If you as a user block Threads then it’ll probably only hide their stuff from you, while still sharing your posts and comments.
Yes it’s easy but you need to erase all content you made in that instance first.
There is a ticket for moving profile between instances in lemmy, but it’s still open since Dec 10 2021.
Lemmy needs an option for a user to block an instance.
Looks like they are working on it!
Agree
Everyone should change their instance to one they agree with. If you don’t want to be federated to Meta, go to an instance that’s not federated.
User blocks are pretty much a simple filter, Meta will still have your data if you block them individually instead of defederating.
Sounds great, but in the end it just means everyone has to host their own instance. That could be interesting, but I doubt everyone would want to do that.
Not really? There are plenty instances which defederate from Threads. If that’s important to you, you should join one of those.
This isn’t exlusively about Threads.
They are still getting the data even if we defederate them, right? It’s only us who don’t get their data. This was my understanding on how federation works
Defederation means you don’t see their posts. It does NOT mean they can’t see your posts.
I still don’t think federating with them is a good idea, but defederating won’t preserve privacy. It’ll just cut down on the “influencer” BS Meta promotes.
Unless I’m misunderstanding, that is simply a privacy policy that covers what is saved via federation. The same is true for any federated service, including my server, as I follow
!fediverse@lemmy.ml, I save all your likes, shares, profile pictures etc. for this community.Technically, yes, you save metadata of all of those things. However: you are not a company that profits from vast amounts of data ingestion.
But if they really wanted to profit off this information could they not set up another instance without a public announcement? It seems like you’re mad they collect information every other instance collects “because they can profit off it” without any concrete reason.
However: you are not a company that profits from vast amounts of data ingestion.
The entire current Fediverse isn’t vast data by Meta, Google, Microsoft, and Apple standards.
You aren’t making the point you think you’re making. Sure, at somewhere between 8 to 11 million accounts, the Fediverse is a small pond. Meta is a gigantic whale. Ingesting the entire graph of everyone on the network would be relatively trivial for them, storage-wise.
Yes, but do you analyse this information to sell it to advertisers? Will you start posting sponsored content based on this information? And will the money you collect benefit the community you live in, or will it buy you another politician?
But it’s still no news in any way. This article is simply saying “Threads still plans to federate, eventually”, nothing else changed.
Altering the language of a service policy (or, writing a new one) is usually a good indication that something is indeed about to change at a larger level.
I’m gonna play Devil’s Advocate here…
What’s to stop them from scraping the Fediverse without federating? If they really want the data, they could very well find a way. At least they’re spelling it out here and announced an attempt at proper federation.
The article discusses this, a bit. One of the other platforms is considering an enhancement to require request signatures on non-ActivityPub APIs, I.E. Meta can make unsigned requests, where the server doesn’t know who they’re from, but only get minimal (or no) data back, or Meta can make signed requests, and instance owners get to decide what data (if any) they’re okay with sharing to Meta, based on Meta’s privacy policies. Beyond API’s, you’re talking about web scraping, which is something the industry has been handling for decades.
It’s also an indication they’re following US law. They can’t collect data without stating it.
It also says exactly what they’re planning to collect for starters. That was news to me.
Again, that’s just what federates and automatically gets saved. You could have gotten that information by checking any proper Mastodon instance privacy policy or reading about the Fediverse on a more technical level.
It still news to me.
Ip address is only sent to a users home server though.
No idea how it works for Mastodon, but for Lemmy they will have the IP of the server, nothing else is available and they can’t magically get it.
I wouldn’t put it past them to put tracking images into posts though. Either way… I wouldn’t be happy on a server that is connected to threads.
Speaking of which… I see lemmy world see still hasn’t defederated from Threads. I guess it’s time for me to kill my account here.
I’m glad I have my own instance where I only defederate from instances creating issues.
I might end up using a personal instance as well. But in that case I’ll probably end up with an instance whitelist, rather than defederating from disliked ones.
I’m currently defederated from only 2 instances. You would be unable to have this discussion with me if you went your way, unless you whitelisted all those mini-instances and regularly checked for new ones.
Ah, bummer. I thought I’d be in the clear because we’re having this conversation on Lemmy.ml. Thanks for straightening me out.
deleted by creator
Spookbook is
. Everything you say and do on there will be held against you. The company is notorious for 
fishing expeditions.So if I read this right, no big deal as long as you don’t interact with threads stuff on the fediverse?
It’s definitely creating more of a case to defederate from it if it ever tries to federate
That’s not how I read it, but I’m not going to claim to be a fediverse expert. That post specifically says:
Provided that a Third Party User is followed by or following a Threads account, Meta will ingest these pieces of data specifically:
To me, this reads as, even if a Threads user follows you, your info gets chewed up by Meta.
In other words, if you post somewhere on the Fediverse, and some Threads user bumps into it, they can follow you, and that will send all that data to Meta. And it looks to include data well beyond the post the Threads user saw.
To me, this is a “sound the alarm” moment. If you came here to avoid Meta’s data harvesting, this sounds like you at least need to be on an instance defederated from threads, but I’m not sure even that’s enough.
if you post somewhere on the Fediverse, and some Threads user bumps into it, they can follow you, and that will send all that data to Meta. And it looks to include data well beyond the post the Threads user saw.
exactly
and that is why #hubzilla and #streams have a permission system to avoid that… you can set up rules and decide who can see your posts and what they can to with it…
have a look at this FEDI projects
Correct. Though interaction also means, a Threads user following you or replying to one of your comments or posts.
I finally got a nice little piece of hardware. I wanted to spin up my own private instance and the first thing I’m doing is defederating with Meta.
Provided I can get my kBin instance up and running 😅
They’re literally just taking data they need to federate, like all the other instances. Eventually people around here are going to get sick of this paranoid “fuck Meta because it’s Meta” attitude because people keep posting lame misinformation like this. I know I’m getting sick of it.
It’s not just because it’s meta, it’s because they are going to scrape up all the data they can get (even if it’s just normal fediverse stuff) and pipe it into their data mining operation. They could probably easily do it without us noticing, but if we know they’re doing it… then it’s worth talking about. And reasonable for people to dislike.
They 100% could already be doing that far easier without threads. It’s not actually worth doing it though.
Whether they need it to federate or not, it’s still reasonable to not want an entity as large and powerful as Meta to consume this data. Fuck Meta because it’s Meta, which has a history of being particularly heinous with user data.
If that’s your opinion then great, that was always allowed. What I’m sick of is spinning facts and narratives to suit biases, regardless of whether or not I agree with those biases.
If you don’t want Meta having this data you should not post it. They vacuum up everything.
Of course, but that doesn’t mean people aren’t allowed to distain making that connection closer.
I don’t imagine Meta is bothering to scrape Lemmy instances anyway. The signs would be pretty obvious I’d imagine.
I don’t imagine Meta is bothering to scrape Lemmy
Why not? Citation needed.
Wtf. Can’t they just be defederated. Get that shit outta here.
A server admin can block any other server, including Threads.
