YSK: Your Lemmy activities (e.g. downvotes) are far from private

Lol. kids these days would psot their bank info online if the banks didn't prevent them from doing so.

Your home instance will act as a proxy and only they have access to your email and IP address.

Your home image typically doesn't proxy image loading, those are hotlinked to the Lemmy server that the image was uploaded to. So your IP address and browser string are going to other Lemmy servers.

I whole heartedly agree with this perspective.

Additionally, and this is an unpopular opinion, but trying to maintain a Nick or online identity over many years is folly. You end up with a huge repository of personal information, increasing the risk that it can be connected to you personally.

What about post views? Are those also stored?

You know, I came in here with the mindset that the topic of discussion here isn't a bad thing; I'm largely pro information-should-be-open-and-available. But you've argued a very solid point, and I've changed my mind on the issue. I appreciate you sharing this perspective!

I think your comment clearly illustrates what might go wrong with it. If they need this data for sorting or something else absolutely, then I would be happy if they just hashed the usernames/instances or used some other form of UID.

Lmao the internet finally realizing what companies and the govt have been doing for decades on the internet

Pretty easy to make an instance that would auto vote certain things with suspicious amounts of votes

As it stands now, they have to fake the origin of some of those votes. Not much of a barrier, the fediverse generally accepts any user an instance says exists, but still, it's a barrier

And of course any instance thats blatantly manipulating votes is going to be defederated, but I'm more concerned with an instance that behaves normally until it encounters a keyword or user is been set to, and then gives their posts a -5 or whatever

The problem that Reddit realized early on is that user voting is the engine behind the content aggregation. That aggregation is one of the main selling points of Reddit. The more users vote on what they see, the more information Reddit has for how to aggregate that content. That's what keeps the front page fresh, that's what keeps content moving up and down on the site. In a very real sense, the voting is the heart pumping blood through the site.

So it behooves the site to not give any reason for users not to vote how they feel. Keeping votes private was part of that. It is one of the most basic tenets of democracy: the only way to give people the freedom to vote honestly and frequently is to give them the privacy to do it.

The potential for retaliation against users, in any number of conceivable ways, far outweighs any benefits that come from making votes public.

The voting information also makes it insanely easy to automate mass blocking of any opinion under the sun. Nobody in this thread seems to grasp all the things you can do with that data to manipulate user interactions on this site. If you think troll armies are bad, wait till those troll armies have a shared automated block list of every single person that has ever downvoted them.

Agreed, especially because I believe we’re headed for a repressive regime here in the US in about 2 years.

Places like this will need to get very careful if they want to remain bastions of free speech and places where people can come to find the information that will no longer be available in mainstream channels.

Knowing they're visible on kbin made me realize that most Lemmy users probably weren't aware, as it's non-obvious.

One thing I really like is that it makes it easy to identify users to block. If there's a post stating that "Nazis are bad" and it has ten downvotes, it's very easy to use that to block future content from trolls and people I'm not interested in hearing from.

How about both are bad.

Ah, the old Reddit Lemmy switcharoo.

You are probably seeing two very different vocal minorities, and conflating the two.

Also, there's a very clear difference in expectations between posting/commenting and upvoting. I blame the UI. We naturally expect public actions to be easily visible. The lack of universal accessibilty to the public data makes people unaware that the data is public. Lemmy UIs, including apps, need to make this information (a list of upvoting users) universally publicly accessible before people will change their expectations.

It makes sense to me that people are more worried about potentially any corporation / bad actor accessing their data rather than one

I’m going to start throwing “edit: thanks for the gold kind stranger!” on the end of my comments just to induce some nostalgic cringe.

Redditisms are cringe and always have been. Yes I agree we should leave them behind.

This.

EDIT: Thanks for the awards kind stranger!

EDIT 2: Rip my inbox

This is all examples of reddit shit that is really dumb. We don't need to bring it over here

Agreed, I am incredibly confused by what seems to be the majority reaction to this.

I've never been particularly involved with the FOSS community, though I do use a few FOSS apps and generally appreciate their view on what FOSS means. I also strongly appreciate data privacy, and it was my observation that the FOSS community was (generally) relatively the same way. So to see this reaction is very surprising. It's quite literally the same terrible argument of "Why fear it if you have nothing to hide" used against multiple data privacy concerns throughout the years.

I think the worst are the bad faith "But Reddit...!" arguments. For one, we're not on Reddit anymore, this is about Lemmy's issues that can be corrected. And for two, whilst Reddit potentially outsourcing that data to the highest bidder is far from ideal, at the very least the data wasn't outright PUBLIC to anyone who wishes to set up a simple server.

I don't think it's possible to encrypt the data.

Say we have a rogue user that sends to the server multiple upvote requests for the same comment, how can the server reject the subsequent requests? After all, we can't let a user upvote a post or comment multiple times.

If that data is encrypted, the server cannot tell whether the user has upvoted a comment before.

I think you make a valid point about Lemmy, but "hidden from public"? Big tech literally sells your data for profit.

I don’t think you’re been harsh lol, the right to secrete ballot is literally in the universal declaration of human rights.

Open ballot is a well known method for intimidating and blackmailing participants, it’s absolutely crazy that Fedivese operates this way. But even worse, seeing so many people here supports it.

Here's an upvote to add to the database.

Not post, upvote. I find it interesting that you like Asian Babes (obviously you don't, it's just some information you wouldn't expect to be public or shared).

Probably safer to assume your password is public to

It is only shocking if the expectation was set that your votes are private. If you wanted to avoid linking an identifiable account with their votes then you could use a de-identified user account to track a user's votes.

You could to perform deterministic hashing prior to persisting a vote to ensure that those looking at the database can't go backwards to find the specific users who voted on a post. But any service that knows the salt and hashing algorithm can start with a user account and determine that user's voting history.

This allows you to track up/down votes per user without allowing over-priviledged DBAs or malicious actors from poking around voting histories of identifiable users.

I could say something about how great Nazis are right now, and have a bot programmed to read every single person that downvoted me, add those names to a shared blocklist, and viola, I’ve made myself and all my alts invisible to the people that would challenge me on a massive scale.

Damn

Posts and comments is one thing... It's inherently public. But I think being able to see up and down vote publically is a tough pill. If you don't realize your votes can be seen you risk your vote being held against you. If you do know it disincentivizes you to use the vote system to protect yourself from something that should be rather benign.

Still unexpected. And that's the problem.

Comments are obviously public because I can read them. But there is no "upvoted by xx people (and downvoted by xx)" link I can click to see the list of people who interacted this way with the post. It's only with API calls or similar that I can access the information.

Don't think people should be expected to be developers to consider their right to privacy on websites where contents meant to be private. Like online banking, instant messaging. Let's not strip devs of these services of their responsibility.

There are a number of things you can do, depending on how serious you want to get about it (think about who and what you want to protect against - harassment from other users? Admins?).

Create an account using an email alias or an email account not linked with something you can trace back to your real identity.

If you're concerned about retaliation/harassment from downvoting something, you could create 2 accounts - one for normal use and the other you only use for downvoting, or one for participating in discussions on controversial topics.

You could retire an account and start using a new one after a period of time, so your entire history isn't linked to a single account.

The above might be able to shield you from other users but not from admins.

If you want to stay anonymous from admins:

An admin would be able to see the IP address the account uses to connect to the service. If 2 accounts connect with the same IP address and the IP is consistently the same, they'd be able to conclude it's likely the same person (or someone else in their household) is connecting to the service with both accounts.

If you use a VPN or Tor when connecting to the site, that won't be as easy to see because many people would connect to the service from the same IP address and the account would likely frequently connect using different IP addresses.

Be aware that if you access the site on a mobile device app with a VPN, it's possible that the app could contact the server when the VPN is down (for example, if the VPN connection is closed when the device is locked). To avoid that, you could try using using something like OpenVPN with its "Kill Switch" enabled).

Note that the admin of the VPN service would be able to see your connections to Lemmy's servers (but not specially what you're doing on Lemmy), so you aren't fully anonymous. Lemmy's admins would see part of the picture, the VPN's admins would see another part, and you're counting on the 2 not talking to each other (and a good VPN service shouldn't, unless they're legally required to).

I use a VPN in general for all connections to the Internet but don't always care to keep my IP address hidden from some services (banking, primary email addresses, etc - services that will have my personal info anyway). It can be very challenging to keep your IP address hidden over the long haul with a frequently used service - you could end up connecting with the VPN down due to a technical reason or carelessness.

With some services I might have multiple accounts - on one I might not really care if my real IP is revealed, but another on the same service that I'm very careful with to keep hidden.

You could use a browser with protections against fingerprinting like Tor or Mullvad Browser.

To those of use who understand how it works, yes. Five minutes in Lemmy support makes it obvious that there are many people who DON'T understand how it works. Hence, YSK.

That's not true, it's just very computationally expensive to make it secure and private. There are cryptographic solutions these problems.

So no known user will ever have a desire to join. Malicious actors will dig out their votes and expose it publicly. Could be massively damaging. You cannot do that with other social media. Obviously those companies have that information, but they do not share it.

It might also increase quality though. If people downvote out of spite and now it can be proven that they did, they might not do it and thus remove "bad" downvotes from the pool.

I still think in total it's probably better that they can not be seen, since anonymity usually gives more honest opinions.

It discourages people from voting if they’re concerned about other people seeing their activity. This could result in a lower quality of scoring for posts.

I strongly disagree with that. I think showing downvotes makes your votes more relevant. If something has 10k up votes and 10k down votes, it's probably a decent post. If it just shows 10k up votes, or 0 net total, the score doesn't reflect the nature of the post.

At the individual level, it lets you know if someone is just trolling. That's also a plus as far as reputation goes (not sure how people are scored here, or if they are).

and not interacting with anyone else.

If post views are public that’s a fairly poor implementation on the developers part. I’m sure it will change over time.

E.g. someone using your account to view illegal content in a community you are not a member of, and you being held accountable.

A lot of this needs to annonoymised imo. As you say. This is all product information meta will be looking to sell. I came here to not be a product anymore.

Unfortunately they could just spin up a lemmy instance on some anonymous server somewhere and do that anyway. I don't want them in here, but they can certainly already pull the data up. To me that necessitates some form of anonymizing protocol, or even a form of shared encryption making it so you can't simply pull data in, you need to be invited or allowed into the federation.

Thank you for considering that. There's certainly many people who left Reddit so they aren't "slurping up all their data" anymore. Missing the point that, yes, yes they are.

In fact, I'm tempted to say I WANT people to know I'm not the one downvoting them when I disagree.

People might ask you to provide context for your down vote.

Recently somebody got butthurt about being called out on it.

I think the feature is nice because you can spot shill ops, as those accounts travel in packs.

New articles for politicians are pretty obvious about it but so are generic karma farmers. Although I am not sure why farm karma on here.

listen i just don't want people to see all the furry porn i upvoted

Done. Thanks for setting me straight and the very polite manner of reminding me to RTFM.

I think its a massive improvement. Reddit did next to nothing about astro-turfing and vote manipulation. Lemmy gives people the tools needed to detect inorganic content.

People might have to stand behind their opinions if they choose to voice them. The horror!

(Although the user/account is still basically anonymous 🤷‍♂️)

I think the issue is just that having votes publicly accessible can lead to harassment. Sometimes I want to downvote bigots or idiots and not want the possibility of them engaging with me.

This^

I wouldn't say Lemmy doesn't care about your privacy, but probably they didn't have enough traffic before the death of Reddit to really prioritize it. I myself have security concerns, particularly with the storage of account data on servers that who knows where they are hosted or what the security is. But I would say Lemmy instances are much more likely to be targetted for attacks by malicious hackers than Reddit, because most instances are likely hosted on far less secure machines than Reddit servers.

I upvote my own posts too, I do try to avoid boosting my own posts. We're from kbin though, I think on Lemmy self-upvotes are automatic.

That's a point that I think a lot of people are missing. Since a lot of this data is propagated, it's not just their own instance admins they have to be concerned about, it's any instance admin across the globe. There's effectively zero cost to become an instance admin.

People are already using it for "good", e.g. correlating upvotes and downvotes to identify accounts that are related to each other for the purposes of stamping out bot activity. The same method could also be used correlate ALT-accounts, say for example, a hard-right leaning account that has an alternate that interacts regularly in support of LGBTQ+ communities.

So other instances outside the instance your user exist on, has access to this? Which means everyone, as anyone can create an instance?

If that is a solution you'd need to change the ActivityPub specification. You are more than welcome to submit your idea.

Also, there’s way too much trust in instances. Like, one person could easily make a post on lemmy.world, go on their personal instance, and just give themselves, say, 2000 upvotes.

I'd first have to create 2000 users, then I'd have to send 2000 upvotes. And then I'd get blocked by all instances.

Instances should have their own settings on what instances are allowed to keep a local copy.

This is also not compatible with the ActivityPub spec but even if it were you'd win nothing because as soon as you fetch the post it is still on the server.

And who helped. Via the database on my instance I can tell I was about the 8th person in the federation to upvote the original beans post.

Not particularly useful knowledge but I find it fascinating, nonetheless.

On Reddit and Twitter most people would presume that admins aren't going to be making attempts to correlate those accounts and that those platforms would have checks in place to prevent such abuse.

No such checks exist within Lemmy. Some people are already using this data to correlate bot accounts and activities. It certainly has the potential to correlate burner accounts with mains. Being that anybody in the world can be an instance admin that's a lot more potential people who could abuse the data in such a manner.

Obviously, but this info might extend to emails and such as well.

It's important to be aware that unlike reddit employees who are liable to their company and the law, some rando with a grudge isn't, and there's very little recourse if they choose to abuse their access.

It's not that it's intrinsically bad to do this, but it's something that should be clearly explained and signposted to the users.

ETA: Apparently account details are only on your "home instance", so pick your home instance well I guess.

Displaying the internal information publicly is indeed the more honest approach. Still, people need to understand that Social Media is Public Media. Deleting and editing depends on the goodwill of the receiver. Just imagine you were sending an email when you send something here. It is about the same level of control. It is not like you had much more control on Facebook or Reddit.

While I agree with others that it is perfectly fine for everything to be irrevocable like email is (there's no real way the system could work otherwise), I do think the Lemmy web UI and popular Lemmy native clients could do a better job making sure users are aware of that. Maybe when writing a comment there could be a little info bar that says "Content posted to Lemmy cannot be permanently deleted. (Learn more)". And then when you click Delete on something, it could have a similar explanation, adding something like "Deleting this comment will remove it from the feed/thread, but it can still be retrieved from the federated database by any instance administrator. (Learn more)"

I think it is still useful to have a Delete function, or maybe rename it to "Remove" or something, because maybe you realize what you wrote isn't contributing to the discussion or for some other reason isn't useful for most people to have in their feed. There's a difference between deleting data and removing content from the canonical "discussion", and just because we can't have the former doesn't mean there's no value in the latter. Also, the delete function does have meaningful effects like making it impossible for people to reply to the deleted comment, which can still help with harassment. 99.9% of users will never see that comment again.

Which is why either

• Votes should be publicly viewable like they are in kbin. Not necessarily readily viewable to save server resources, but through a click through or something. No need to hide something that is, in essence, public info.
• Votes should not be federated at all, but that would be awful for very small instances, though this is how Mastodon has always done it.
• Votes should be federated in aggregate, but this would kind of break federation because it's a new type of Activity.

Say you have critical information that you want to delete

Then you shouldn't have uploaded it publicly.

other instances can just ignore this deletion request, than I could technically write a plugin that uses an extra instance, to always display all deleted comments to me

The same was always possible with Reddit and was even implemented. Why is this a problem now?

For other sites you’d need a crawler

Only if they don't have an API.

I don't think that's a non-issue. If you host an instance an can see everything on it, that's one thing, but if everyone with an instance can see these things from all other instances, that's a different story. That way literally everyone can see all your up and downvotes. That's not the end of the world but that's definitely an issue imo. I can already see people getting canceled not because of an old tweet but because they upvoted something controversial years ago lol.

It's not presented as an "issue that needs to be fixed," rather "an issue you need to be mindful of."

Read his edit, it's a bit weird that such a thing even exists. Total sum of up and down votes sure. But according to OP it's all of it.

I'll contribute that my intent with this post is not evangelism. I like the voting system and would be disappointed to see it disappear.

A vote in Reddit was, from a practical perspective, anonymous. While it was recorded in the database and admins had access to this information there were mitigations in place to deter abuse and the end result was that the person you up or down voted was not going to know that YOU, personally, downvoted them. It was also of limited value to external data sifters in creating social graphs.

Since Lemmy votes are non-anonymously propagated across the Fediverse and, literally, anyone can be an admin there are people who may want to reconsider whether they upvote or downvote a particular post or comment. The actual reasons may vary; they don't want to be outed as sympathetic to a political view or cause, they don't want it used a social graph for targeted advertising or even spear-phishing. In many cases there will be people who don't care at all.

Just trying to contribute to transparency. Not everyone can read code, sift data or visualize how a social network would work behind the scenes. There's plenty of opportunities for others to use our data, good and evil. I believe that efforts to bring to light non-obvious consequences of actions is good citizenship.

Yes.

Just muddling around I've built queries that: (a) list all of my post & comments, everybody who voted on them, and their votes (b) tally how many times specific users have upvoted or downvoted me. (c) identifies the most prolific voters across the Fediverse and the communities they are voting in (d) identifies users with the same username or display name across all instances and correlates the activities across those accounts.

These are all for the sake of learning and are innocuos the way I'm using them. It is plain to see that someone with skills and an agenda could make more out of it than I have.

How is this different than any other website?

YSK: Your Lemmy activities (e.g. downvotes) are far from private

False excuse. It is possible to design protocols that make it impossible to designed entities to see anything.

Agreed. I think it's fair to say that most people will consider the fact that their instance admins have access to this data.

What many probably won't consider is that ANY instance admin across the fediverse has access to much of it. It's near-zero cost to become an instance admin so the potential number of people who have access is limitless.

Transparency is the only way auditing and validation can be done. People should own their actions.

The things I upvote and downvote are in line with my personal values and I am not ashamed of that.

Sounds an awfull lot like I have nothing to hide therefore I don't need privacy. The goal of crypto etc is to design protocols that allow you not having to trust anyone. I don't want to trust anyone, and I don't.

it isn't about you, it's a security risk and a massive vulnerability leaving servers open to data collection for data they shouldn't be collecting.

Not everybody shares the same habits.

Here's a scenario... Some admins are using data to build correlations between accounts. Linking main account to alternates. So far that I've seen the purpose has been to identify bot activity. A good thing.

The same analysis could also be used to build correlation between a main account that's hard right leaning and an alt-account that may be sympathetic to left-leaning or progressive topics, such as LGBTQ+ rights. Not so much a good thing.

I think it's fair to say that many people will not consider the fact that, literally, anybody in the world can have access to much of this data. It's not limited to your two or three instance administrators.

That information is not tracked in the application itself. A "home instance" admin could correlate their web access logs with the database to draw this kind of conclusion but it's not federated info.

I think you need to clarify how they can see the password. It’s not stored in plaintext, but when the user logs in, the server administrator can see the password in the HTTP post data if they log it in the lemmy sourcecode. All apps are subject to this and it’s why to have to trust the instance owner.

How do you know that an admin has my plain text password? Typically passwords are stored hashed. Do Lemmy instances not do this?

What you are saying is somewhat misleading 😒
But did you know over 50k people can see your Facebook password 🤔

But seriously, everything you send to a website/server can, of course, also be seen by it.
This has always been the case everywhere. I am a little surprised that this is suddenly something new..

It was. You could disable the ability for people to see what you voted on.

To be fair, I don't feel comfortable with that. I believe people are so excited about ditching reddit, that they're in denial about any possible flaw or inconvenience about lemmy.

I hope future updates bring more privacy to the users.

I had to run an experiment on this one.

It appears that changing you vote causes the old vote to be completely deleted from the database and a new vote cast and propagated.

Edit: The above description is what happens in the COMMENT_LIKE or POST_LIKE table HOWEVER the ACTIVITY table reflects both actions, which makes sense since it's a complete transaction log. So, it's a slightly more complex query but the history is maintained.

Depends on the rest of the structure of those tables and the supporting procedures that modify them. I haven't checked, but I'm very interested in using this as a sample dataset.

Maybe it will encourage us to downvote only those comments that don't contribute to the conversation, and not every comment we disagree with. Like how Reddit was supposed to be until it turned into a shouting match.

honestly I don't give a damn if people know I downvoted, otherwise what's the down vote worth lol

Sometimes I just upvote downvoted things because I think it's not so bad. Not because I want to recommend it.

This is actually a very important point: Things being hidden from public view but yet not properly anonymous creates a mismatch of privacy expectation vs. reality. Votes may or may not terribly important information, but the user should be sovereign of their own data and to implement that in practice we can't rely on people reading the code, or a TOS, or something, it has to be there for everyone to see:

If things can be seen on the backend then they should be seen by the public, if they can't then they shouldn't (well, also, can't), as a general principle, not just for votes. One other big point is private messages, afaik they aren't currently end-to-end encrypted. Gets a bit more iffy because key storage but "only the instance admin of the recipient's instance can see messages" is low-hanging fruit.

Some people take unkindly to downvotes. On Reddit they’d just add and “Edit: fuck you guys and your downvotes… pussies!” And be gone.

On Lemmy they can target you personally. Maybe search your post history in an attempt to dox you. Redditors would expect this possibility if they commented and might refrain from doing so to avoid the potential harassment. Most people would never suspect that it could happen as the result of a simple upvote.

I'm sure that someone will dox themselves, then somewhere else mention where they work. Post on some gonewild pages (is that a thing here) and then make a poorly worded opinion on a sensitive subject and lose their job. Of course Internet hygiene is important and you shouldn't dox yourself but after several years you'll slip up and these things will bite you .

But let’s be honest, if you’d be embarrassed by something you’re looking at, maybe you shouldn’t be looking at it. Just my 2¢.

This guy out here forgetting porn exists

If I understand it right, due to the federated nature where each server has to sync with other servers, any admin from any instance (that is not defederated) can read this data. Which may be a pretty big problem from Lemmy. One of the main selling points is that you're on instances where you are not the product, but it looks like that all an advertising company that collects and sells user data for profit needs is to just quietly set up an innocent looking Lemmy instance for quarter of a cost, and just get call the data served to them from all other servers. For free.

That's actually way worse that just giving your data to one company that sells it later, because you at least know who has it.

I don't know what's the extent of data that are shared between instances, but I think you can create a pretty good picture of someone from their upvotes

Cue tactical voting, virtue signalling and influencing. By having them anonymous you don't have to worry about those things. There's a reason voting on a political party or candidate is anonymous, and voting on opinions and posts should be so too.

I've been wondering exactly this, Lemmy will have to be shut down in the EU if it doesn't comply with GDPR, and considering that means each individual instance and the individual/group/company running it...

I just don't see how this is ever going to be secure enough to fully comply with GDPR. Not when huge security holes like this exist, where anybody with a tiny bit of knowledge and a few hours can access so much data on people anywhere...

Only your instance admin can see your IP.

There's a bit of a difference here...

Suppose I'm the President of the Democratic People's Republic of Leopards Eating People's Facia, And now, I want to post a propaganda piece on how Leopards are friendly, cuddly, and do not eat people's faces.

On Reddit, I can post this and get downvoted to oblivion, I could try to request Reddit to hand over the list of users that downvoted my post, but I'm most likely going to be told to kick rocks and I can't do anything. (Assuming I'm not the US/a five eyes country).

With Lemmy/Kbin, I don't even need to ask the owner for this information. All I need to do is spin up my own separate instance and the original server will happily send over the list of usernames that have downvoted the original post. Maybe I can use this list and send out a few friendly leopards...

It's quite literally anyone who has 30 min to set up an instance has access to this data. There's some discussions on GitHub on how to potentially fix this but right now this is the case.

Not just YOUR server admin... Anybody capable of setting up a Lemmy instance has access to this data.

While most people at discuss.tchncs.de may assume that /u/milan and /u/erAck can see this type of thing, it may not be obvious that so can /u/muddybulldog@mylemmy.win or /u/ruud@lemmy.world and every other instance admin in the world can, as well.

Your original post made it seem like anyone has access to this data.

Literally anyone can access this data. It's not private at all just by the way ActivityPub works.

Good stuff. That’s my entire motivator, transparency. KBin makes it obvious that up/down isn’t anonymous, Lemmy doesn’t. Much like Reddit, Lemmy also doesn’t delete posts, they just get tagged as deleted and not shown via the interface.

When literally anybody in the world can be an admin with no vetting process and no “internal controls” that you would expect from a commercial platform, having a clear view of how things work is critical so that people can make informed decisions on how (or even if) they use the platform.

Yes. While I see no reason that private message would exist anywhere other than the instance of the sender and receiver, the admins of those instances CAN see the contents of the message and whether or not they have been read.

My perspective is that most people are not going to realize that this visibility extends to ANY admin of ANY instance in the fediverse, not just the admin of their own servers.

There's zero cost of entry in setting up an instance. Anybody in the world can become one is a matter of minutes.

If you want privacy on the fediverse, use an alias. It's as easy as that. This is akin to the old adage "don't tell your real name on the internet" which Facebook destroyed.

The application doesn’t, which is a very good thing, in my opinion. Instance admins will still have that data but that’s limited to your local administrator. It’s not federated.

It's not that it stores data, it's what data it stores. Your votes construct a very detailed profile that doesn't mean anything to another human but an AI can read it like a very simple book. They don't necessarily need to be so strongly associated with your account thanks to simple technology like hashing.

Deleted items just get marked as 'removed', the content remains in the database. I can see the comment you deleted on https://lemmy.world/post/955546.

Overwrites appear to replace the original content. I can see when you edited this comment but can't see what the edit was.