this post was submitted on 17 Feb 2025
368 points (95.5% liked)

Fediverse

37492 readers
138 users here now

A community to talk about the Fediverse and all it's related services using ActivityPub (Mastodon, Lemmy, KBin, etc).

If you wanted to get help with moderating your own community then head over to !moderators@lemmy.world!

Rules

Learn more at these websites: Join The Fediverse Wiki, Fediverse.info, Wikipedia Page, The Federation Info (Stats), FediDB (Stats), Sub Rehab (Reddit Migration)

founded 2 years ago
MODERATORS
 

Upvotes seem to just federate as likes and dislikes.

you are viewing a single comment's thread
view the rest of the comments
[–] flamingos@feddit.uk -5 points 8 months ago (2 children)

Lemmy likes aren't meant to be public, this is just other software failing to respect the privacy Lemmy indicates.

[–] smeg@feddit.uk 15 points 8 months ago (1 children)

Oh. If the only thing stopping the votes being public is a label saying pretty please don't make this public then it does seem very open to abuse.

[–] Natanael@infosec.pub 7 points 8 months ago

Especially in federated networks where the data isn't under access control, doubly so if the privacy extension is optional

[–] Draconic_NEO@lemmy.world 8 points 8 months ago (1 children)

That's almost as bad as using robots.txt to claim sites are private and secure and just whining that people/bots should respect it.

You should assume voter data is fully public and fully open. It otherwise is in the federated ecosystem.

[–] flamingos@feddit.uk -3 points 8 months ago* (last edited 8 months ago) (3 children)

The comparison doesn't work because both Lemmy and Mbin are implementing the same standard, while robots.txt is mostly an honour system.

You should assume voter data is fully public and fully open. It otherwise is in the federated ecosystem.

Information not being private isn't the same thing as information being public.

[–] Draconic_NEO@lemmy.world 5 points 8 months ago (1 children)

Except ActivityPub data is by in large already not private, it is handed out to any tom dick and harry who run a server and have subscribed to actors on this one, and most of the time, it doesn't even really require extra authorization. That is fundamentally how ActivityPub and federation work, but you can't have any expectation of privacy in this system when it comes to the content shared. Expecting it to be private because it's labeled is as dumb as expecting your website not to get scraped because you said so in robots.txt.

[–] flamingos@feddit.uk -2 points 8 months ago* (last edited 8 months ago) (1 children)

I didn't say it was private, I said it wasn't public, there's a difference. If you asked me what number I was thinking of I'd tell you, but that's not the same thing as the number I'm thinking of being public information. ActivityPub is, at its core, about consent. We have consented to having our data be sent to any person able to serve 200 responses on an inbox endpoint by using instances with open federation. We could, if that makes us uncomfortable, moved to a closed federation system where we only accept request from an allowlisted set of instances, with software that follows the spec's public addressing system.

[–] Draconic_NEO@lemmy.world 4 points 8 months ago

I think you're misunderstanding just like the Mastodon users who think every tool should be opt-in. The consent piece IS moving to a closed system with whitelisted federation. If you're giving data out publicly with no restrictions but trying to put stipulations on how it's used, it's the same as trying to enforce control through robots.txt, which is by the way a standard protocol.

So if you're going to whine about votes being shown, you should be using a whitelist to block those actors from seeing it, and should be using authorized fetch to limit access to those whitelisted instances specifically, otherwise this is every stupid argument about "why robots.txt should be respected".

[–] JcbAzPx@lemmy.world 3 points 8 months ago

Information not being private isn't the same thing as information being public.

I'm not sure that is a realistic expectation these days.

[–] Irelephant@lemm.ee 1 points 8 months ago (1 children)

idk, the label is also an honor system, if it can be just ignored like robots.txt.

[–] flamingos@feddit.uk 3 points 8 months ago

I didn't explain what I meant very well. To scrape a website you don't need to understand robots.txt, implementing robots.txt is something you do to be a good netizen. But to get like info from Lemmy, implementing ActivityPub is a requirement.

Now I'll admit, it's not a great system and I do wish we had something better, but I also don't think "this isn't a good way to communicate preferences" is a good reason to ignore them.