If you visit a popular community like /c/[email protected] with your web browser, the images shown are hotlinked from the Lemmy instance that the person posting the image utilized. This means that your browser makes an HTTPS request to that remote server, not your local instance, giving that server your IP address and web browser version string.

Assume that it is not difficult for someone to compile this data and build a profile of your browsing habits and patterns of image fetching - and to identify with high probability which comments and user account are being used on the remote instance (based on timestamp comparison).

For example, if you are a user on lemmy.ml browsing the local community memes, you see postings like these first two I see right now:

You can see that the 2nd one has an origin of pawb.social - and that thumbnail was loaded from a server on that remote site:

https://pawb.social/pictrs/image/fc4389aa-bd4f-4406-bfd6-d97d41a3324e.webp?format=webp&thumbnail=256

Just browsing a list of memes you are giving out your IP address and browser string to dozens of Lemmy servers hosted by anonymous owner/operators.

  • @kadu
    12
    2 years ago

    deleted by creator

    • RoundSparrowOP
      5
      2 years ago

      Have a basic firewall enabled.

      This isn’t about a firewall. This is about some image hoster figuring out and keeping records of your usage times, location tracking, for your account that comments and posts.

      Lemmy is at a point where typical new-user sign-up had no terms of service, privacy policy, cookie policy - people need to understand that this is not a hardened and mature platform. There could be a lot of things that people didn’t expect - that a major corporation like Reddit or Twitter would be scrutinized more closely over.

    • @[email protected]
      1
      2 years ago

      GDPR believes an IP address is private information. This can be used to mount a legal attack on EU-hosted lemmy instances.

      • Lenins2ndCat
        2
        2 years ago

        If IP address sharing via hotlinked images, embedded content, etc. were breaking GDPR I think the entire internet is breaking it. If I visit a blog, and then click an embedded video or image on that page, then my IP has been shared to someone else while visiting that page. This occurs on the vast majority of the internet.

        EDIT: It wouldn’t just be EU-hosted lemmy instances either. GDPR applies to servers outside of EU jurisdiction whenever they’re serving residents of the EU.

      • @[email protected]
        1
        2 years ago

        I’d imagine that applies to a website sharing or selling logs of user IPs that visited. If you go hit some other server, you give them your IP so they can talk back to you. You’re basically doing this on almost every website because almost all will use third party CDNs like fonts.google.com or others for JavaScript libraries etc. If linking content from another site is the actual interpretation, the modern web basically can’t legally exist in the EU.

      • @[email protected]
        1
        2 years ago

        Most EU legislators don’t understand how the internet works, so that’s not really a surprise.

        I’m not saying that small organizations shouldn’t comply with their laws, but those laws shouldn’t be used to judge other practices.

    • finn
      1
      2 years ago

      Sharing IP on a message board is not optimal if it can be avoided. I’m curious if the solution is to serve content through the user's current instance? That would have major implications for performance.
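
The hotlinking described in the opening post, and the serve-through-the-home-instance idea raised in the last comment, as an added example that is not part of the thread and is not Lemmy's own code. The post objects are constructed sample data, the `thumbnail_url` field name and the `/image_proxy` path are assumptions, and `media.example` is a placeholder host.

```javascript
// Added illustration; not Lemmy's code. PROXY_PATH is a hypothetical endpoint
// on the home instance, and samplePosts is constructed data.
const PROXY_PATH = "/image_proxy";

const samplePosts = [
  { name: "local meme", thumbnail_url: "https://lemmy.ml/pictrs/image/aaaa.webp?format=webp&thumbnail=256" },
  { name: "remote meme", thumbnail_url: "https://pawb.social/pictrs/image/fc4389aa-bd4f-4406-bfd6-d97d41a3324e.webp?format=webp&thumbnail=256" },
  { name: "text post", thumbnail_url: null },
  { name: "remote meme 2", thumbnail_url: "https://media.example/pictrs/image/bbbb.webp" },
  { name: "remote meme 3", thumbnail_url: "https://MEDIA.example/pictrs/image/cccc.webp" },
];

// Parse a thumbnail URL; null for missing, malformed or non-HTTP(S) values.
function parseHttpUrl(value) {
  if (typeof value !== "string") return null;
  try {
    const u = new URL(value);
    return u.protocol === "https:" || u.protocol === "http:" ? u : null;
  } catch {
    return null;
  }
}

// Hosts other than `home` that the browser contacts to render the listing,
// mapped to the number of images each one serves. Every such host sees the
// visitor's IP address and User-Agent header.
function remoteImageHosts(posts, home) {
  const counts = new Map();
  for (const post of posts) {
    const u = parseHttpUrl(post.thumbnail_url);
    if (!u || u.hostname === home.toLowerCase()) continue;
    counts.set(u.hostname, (counts.get(u.hostname) || 0) + 1);
  }
  return counts;
}

// Rewrite an off-instance image URL so the browser asks the home instance,
// which would fetch the image on the user's behalf.
function viaHomeInstance(url, home) {
  const u = parseHttpUrl(url);
  if (!u || u.hostname === home.toLowerCase()) return url;
  return `https://${home}${PROXY_PATH}?url=${encodeURIComponent(u.href)}`;
}

for (const [host, n] of remoteImageHosts(samplePosts, "lemmy.ml")) {
  console.log(`${host} receives ${n} image request(s)`);
}
```

With the rewrite applied, the remote host sees only the home instance's address, at the cost of the home instance carrying the image traffic.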