Lemmy Support

Join lemmy.dbzer0.com, the admin would rather die than to share any info with any government agency.

host your own instance and use that for your account.

if you can't host, you'll have to trust somebodies instance like you do with reddit etc

The project is open source so you can see what they are logging, if you can read the code.

But simply some things that are logged:

• IPs are logged but I don't see them being associated with a user account. This looks to mainly be for rate limiting.
• What posts/comments you've looked at are logged. This is so the UI can gray out posts you've already seen or mark replies to you own comments as read.

From what I can tell neither of these data points are federated so only the instance your logged into has that information.

** Don't use this as an exhaustive list. These are just the two items you specifically asked about and what I've seen looking through the code so far. **

1st one is yes and it has to be yes in order for you to use internet.

Ok, so by visiting a server you are sharing your IP (obviously you could use VPN/Tor to prevent that). By clicking your username I can see your posts but I cannot see what you view. I'm not even sure if a server admin could see that, but they could potentially correlate your IP with the pages you request. However, I don't think a server admin with federation would be able to see what you visit since the federated content is duplicated on your home server, so i think it would still only be visible to your server's admin. Not 100% sure tho, hopefully someone will chime in that knows more

But this is a great example of why you need to find a server admin you trust, because servers could also run modified lemmy code or be tracking user data, etc

Every time you visit any website someone will know your IP address. Unless very specific measues are taken that "someone" will be whoever operates that website.

Lemmy has features (I think they are optional) that will tell you that you viewed a post and how many new comments a post has from the last time you viewed it, that necessarily requires tracking. I cannot say whether turning this feature off disables the tracking or just doesn't show you that information without digging into the code, this is only local to your instance.

There is also likely to be some level of logging at the server and any reverse proxy layers that could, with effort, be used to figure out what you looked at with reasonable accuracy. Again, this is only on your instance. Some instances may not create/store logs, but it is usually important to do so to troubleshoot if things go wrong, especially with as immature a software project Lemmy is.

Any time you visit a website you are putting a large amount of trust in the site operator, your ISP, your DNS provider, etc. if state actors are in your threat model.

Am I sharing my IP address/ location with my host instance?

You share your IP Address with ANY online service you interact with. This is how it talks back to you to send you content.

is there a log of my view history

Not by default. However, enabling verbose logging on the webserver can indeed log this information. Just- not in a pretty way.

are there general privacy concerns that I am not thinking of?

Anytime you comment, post, or vote, that data is stored in a database and sent to every other instance subscribed to the community for which you are interacting with, and then stored in their database as well.

So- tldr; lemmy isn't really a privacy-focused place. Although, its honestly not much different then reddit. Reddit logs EVERYTHING you do, and then shares that data with third parties for the purpose of advertising.

Although, there isn't anything in place in lemmy to prevent this data from doing the same thing. Silently, and without you knowing.

You need to separate what the instance owner sees vs what other federated instances see about you.

The instance owner will have access to everything, including your IP and view history. That is true for every website.

Other instance owners could potentially see what content you fetch from them. Not always, because usually it's them sending the info over to your server, but there are "signed fetch requests" that the ActivityPub protocol supports and become relevant when you try to load content your instance hasn't seen before.

Your upvotes and downvotes are currently also visible across instances.

The best way to use the fediverse is with a pseudonymous account with a username that isn't tied to your identity.