Looked through the docs a bit and it’s not really clear to me: I’m posting this on lemmy.ca, does that mean only that instance knows my IP? Or does every instance it federates with get my ip alongside this post?

This seems maybe important, did I miss a privacy guide to Lemmy someplace? Cursory searching didn’t come up with much official. Are there other aspects we should be thinking about here? I’d come across some mention of deleted posts being still available everywhere they were sent but that sorta makes sense – hard to “unpublish” anything.

  • @[email protected]
    link
    fedilink
    492 years ago

    I gave a cursory look at the source code.

    So, from what I can tell, nobody can see your IP address through Lemmy. But the person who runs the server that your Lemmy instance runs on can trace IPs by looking at access logs. That doesn’t get shared with other servers, or even people who adminster your Lemmy instance but don’t have access to the underlying server.

    • @MiddleWeigh
      link
      112 years ago

      Hey thanks. I’m trying to be more mindful of how tech interacts with my life, and as a non techie, I appreciate you doing this, and I found it to be useful information even for my idiot self, even if only to understand the lemmyverse a little better.

      • @macgregor
        link
        5
        edit-2
        2 years ago

        Fyi As a (non-lemmy) backend developer, this is completely normal/standard use of IP addresses in a system not designed around harvesting your personal data. IP addresses are commonly used for efficiently and securely (security for the server more than you) handling active (inflight) requests so you generally only see it in specific network logs like those of the reverse proxy, not stored long term in a DB. Most of us who aren’t in advertising or government want to know as little about you as possible.

        Being privacy mindful is good, but it is a deep and creepy rabbit hole to go down. Stay safe out there 🙂.

        • @MiddleWeigh
          link
          12 years ago

          I enjoy deep rabbit holes for sure, that’s probably why, more than any sort of concern, it is very interesting to me, like a study in human nature.

          I guess that was sort of my point, coming from a tech ignorant perspective at least. It seems once personal gain is removed, ie money, we are just here. I’d imagine the rabbit hole is deep because of how interconnected we are, and our collective knowledge is an open book on a platform like this, and the only mining happening is learning and bettering ourselves. Once you introduce money, then greed, the waters get muddied as far as social interaon goes.

    • @[email protected]OP
      link
      fedilink
      72 years ago

      Great, thanks for this. I did glance there but saw the migrations and blithely presumed I’d have to run them to see the resulting schema.

      And ya, there’s no way I can connect to an instance without revealing my IP to whoever controls that host, I’d be on a VPN if I was that concerned. Mostly just wanted to confirm someone with a self-hosted instance and a script kiddie hobby wouldn’t be able to directly mess with the system of whichever hapless commentor says something they take umbrage at.

    • @[email protected]
      link
      fedilink
      12 years ago

      That sounds just about right. That fact that it is open source, already give me a good peace of mind.

      Thanks for the information. 😊

  • @[email protected]
    link
    fedilink
    82 years ago

    Unlike Mastodon, one of the good things is that only you’re instances system administrator has access to your IP: no mods nor site admins.

    You can then use a VPN on top of that.

    • @MiddleWeigh
      link
      32 years ago

      So privacy is sort of baked into the set up? Cool shit. Assuming the admin is a good person ofc.

    • @[email protected]OP
      link
      fedilink
      12 years ago

      Interesting! Mastodon surfaces those things? But still just within an instance and not across them as activitypub itself doesn’t include such metadata (or it’s extensible enough that’s moot?) I wonder why? You wouldn’t need to expose the IP to admins to offer them the ability to add it to a blocklist…

      • @[email protected]
        link
        fedilink
        32 years ago

        Mastodon lets every moderator, not just admins, see your last few IP addresses and and email address.

        Only for local users, though. Not remote users fortunately.

    • @[email protected]
      link
      fedilink
      12 years ago

      That’s cool. Makes me glad I went to the privacyguides instance, since I’ve trusted their recommendations for a while.

  • @[email protected]
    link
    fedilink
    8
    edit-2
    2 years ago

    While I don’t have a source for it, afaik only the instance you use knows your ip. The rest just see your post proxied through them

  • ono
    link
    fedilink
    2
    edit-2
    1 year ago

    Sorry for replying late; I just saw this question.

    It’s worth noting that images that people include in their posts are hosted on their instance, not your home instance. That means the admins of those other instances can see your IP address and (normally) page you were reading when your browser loads those images.

    Browser extensions exist that will let you block off-site images if you want to.

    • @[email protected]OP
      link
      fedilink
      11 year ago

      Good point! And ya, when I open umatrix on a comment thread I see a whole menagerie of instances serving me images as I guess that goes for the profile image too.

      But I find that somehow less concerning as they just know “someone at this IP viewed this thread containing these images” than “the user at this IP wrote this comment (or post)”.

      Hmmm, but if DMs allow images and they work like this, a user with their own instance who wants to know which IP wrote a comment could perhaps send a message to the author with a unique image…

      • ono
        link
        fedilink
        11 year ago

        Yeah, it can be abused. I don’t want to raise an alarm about it because I don’t think it’s worth scaring people who are just dipping their toes in the fediverse waters, and because it can be fixed.

        For now, I block remote images by default and allow them from a few specific instances.

        • @[email protected]
          link
          fedilink
          11 year ago

          I don’t want to raise an alarm about it because I don’t think it’s worth scaring people who are just dipping their toes in the fediverse waters, and because it can be fixed.

          Informing people is always the right move. People should be as aware of the security situation as possible & it’d be irresponsible to withhold that info.

          The warning should also come with the solution: use Tor. That solution would solve countless other problems stemming from the marginalization of the Tor community. The advice should be:

          1. install Tor
          2. get on the fedi