When you go to PM, it clearly shows a message reading "Warning: Private messages in Lemmy are not secure. Please create an account on Element.io for secure messaging."
It's a public message board, don't put anything you don't want public on it.
Everything you do on the fediverse should be considered effectively public.
It seems that the IPs are not just logged at the web server level, i.e. it goes up to the Lemmy server too. Do you know if both the admins and the mods have access to the users' IP addresses?
The first and most important thing is that platforms in the fediverse that use the ActivityPub protocol are not intended to be private communications entities, so you must be very aware that everything you post there will be publicly available on the internet.
Answering your questions: **1. What information does the instance(s) have on their users?** All the information you provide. Username, email, location, etc. plus some information about what you post (application, IP address). It could be different between platforms. You can check the privacy policy for your platform/instance. For example mastodon.social privacy policy
**2. What information can users get on other users?** Mainly the information you post in your profile and posts. Again, it could be different between different platforms.
**3. What information can the infrastructure providers get on users of the fediverse?** I think this is the hardest question to answer and, maybe, an admin could have more information. As far as I know, infrastructure providers cannot access any data from services they host. But it could depend on the provider policies.
Finally, private messages are not encrypted. You should consider them just for casual communication. There are other ways to send private and encrypted direct messages.
My advice would be to sign up with an email alias and use a VPN for Lemmy.
Better yet, sign up without an email address.
Here's a category you didn't think of. 4) What information can OTHER instances get on you. If you subscribe to them, or post to somewhere that is federated... then all your post data, up/down votes, etc.
Another thing to think of is WAF products like Cloudflare that do SSL interception.
Ultimately, ActivityPub (the standard that Lemmy operates on) is not "secure" and isn't trying to be at all. "Secure" isn't its purpose. Instances will broadcast all your comments, posts, votes, messages, profile information, etc. to other instances.
My knowledge is similarly limited, but fwiw I think you're more or less correct on what you've reasoned about your first question. Regarding the second, this is going to vary for each federated service and what's involved, e.g. on Mastodon your social graph (who you follow, who follows you) may be either public or private depending on your settings.
As to whether instances have lists of subscribed communities (or channels/followed users/etc.), I think you may be right as well, as this is how the All/Federated/Other servers feeds are produced. However on private messages, they are absolutely not end to end encrypted on any fediverse service that I'm aware of. It's much better to call these direct messages or mentioned people only (depending on context) rather than private, as many of the services that permit this form of messaging are really doing just that, simply making a public post only visible to the mentioned or directly messaged individual.
In other words, the fediverse is not really suited to private communications unless it's explicitly described as such (e.g. end to end encrypted channels/spaces on Matrix instances), so it's still better to use services like Signal or the like for private comms.
Regarding your third question, I don't know enough on this to comment.
Hope this helps, and if I'm mistaken on any of these, please correct me as I'm also interested in learning more on this subject!
Also beware that for any web/app client that auto-retrieves the image links in a post/comment/message, the other person can put a tracker that can retrieve your IP address, and possibly your browser/other info as well. VPN/Tor would prevent this.
It's like your email client not retrieving the images automatically to prevent spammers from getting any info about your interactions with the spam emails.
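The image-loading leak described in the comment above, as an added example that is not part of the original thread: a sketch of how a client could turn off-instance Markdown images into plain links before rendering, so that viewing a comment contacts no third-party host. The function name `neutralizeRemoteImages` and all hosts are hypothetical, and the sample comment is constructed.

```javascript
// Added example: hypothetical helper, not part of Lemmy or any existing client.
// Markdown image syntax: ![alt](url "optional title")
const IMG = /!\[([^\]]*)\]\(\s*<?([^\s)>]+)>?(?:\s+"[^"]*")?\s*\)/g;

// Rewrite images hosted off the reader's own instance into plain links,
// so rendering the comment triggers no request to a third-party server.
function neutralizeRemoteImages(markdown, homeHost) {
  const blocked = [];
  const text = markdown.replace(IMG, (match, alt, rawUrl) => {
    let url;
    try {
      // Relative URLs resolve against the home instance.
      url = new URL(rawUrl, `https://${homeHost}/`);
    } catch {
      return match; // unparseable: leave it for the renderer to reject
    }
    // Non-HTTP schemes such as data: cause no network request.
    if (!/^https?:$/.test(url.protocol)) return match;
    // The home instance already sees the reader's IP address.
    if (url.hostname.toLowerCase() === homeHost.toLowerCase()) return match;
    blocked.push(url.hostname);
    return `[image: ${alt || "untitled"}](${url.href})`;
  });
  return { text, blocked };
}

// Constructed sample comment; every host is a placeholder.
const sample = [
  "Nice post!",
  "![avatar](https://lemmy.example/pictrs/image/abc.png)",
  "![](https://tracker.example/pixel.gif?id=reader42)",
  "![chart](/pictrs/image/local.png)",
].join("\n");

const result = neutralizeRemoteImages(sample, "lemmy.example");
console.log(result.text);
console.log("hosts not contacted:", result.blocked);
```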
Thank you for all your answers, they were very informative. Yes, in the end, it is a social network, it is normal that all activity is public. There also seems to be some trust involved when choosing an instance on which to create an account. And eventually, as one accesses other instances, the private information propagates.
From what I understand, it's also up to the instance to allow account creation with/without email. They also need to fight bots so most seem to require it.
The PM being public is a bit of a surprise and yes there is a warning at least.