Other people in that thread have pointed out that it isn’t showing posts being delivered to Threads despite the block. That should be testable with other instances, but not Threads since it’s not receiving any content from Mastodon at the moment. The concerning thing there is the user still being able to view content from people they’ve blocked, but that seems to be a bug if it’s reproducible.

In the EU companies can’t scrape personally identifiable information without consent, even if it’s already publicly available. IANAL, and there’s probably ways they can sneak around the GDPR, but at least it’s not a free for all. It’s unclear though how it works for federation. It’s definitely not the same legally though.

The reason for not directly federating content to Threads isn’t so nobody there can ever see my amazing posts, it’s so Meta can’t easily profile me. Scraping public posts on a different platform would probably be illegal, at least in the EU, and reposts don’t give them a lot of data about me. Federating content, however, would give them most of the same data that Mastodon has on me without even having to ask.

This post from Eugen Rochko mentions that blocking Threads at the user level “stops your posts from being delivered to or fetched by Threads”. Basically, the user-level instance block is bidirectional.

Limited federation mode is a different feature, at the admin level. It doesn’t really affect the delivery of posts in either direction, it just hides the blocked instance’s content from the global feed. Defederation on the other hand is indeed bidirectional, but again it’s on the admin level rather than users’.

Mastodon instance blocks are already bidirectional AFAIK: if you block an instance your content does not get federated with them. I was actually surprised that this does not seem to be the case for Lemmy. I don’t think this break any core abstraction of AP…

Interesting demo! Does this use the user agent string for identifying clients?

Oh I mean, sure, but I don’t think IP logging is the main privacy concern with spy pixels.

I’m assuming this trick uses the user agent string and other request metadata to identify clients. Even if it didn’t recognize Jerboa as a client, it did guess that I was on mobile. That’s not possible just by tracking IPs, unless they’re cross-referencing it with other datasets. Also, I was on VPN anyway, so the IP would have been useless.

It should be possible for clients to obfuscate/fake the metadata of image requests to make tracking with spy pixels less effective.

Can countermeasures be implemented in the clients to mitigate privacy risks, while not having to proxy images?

Awesome work folks, thanks!

What you’re trying to do is often called “domain delegation” or “well-known delegation”. Here’s an example of the documentation for the same thing in matrix-synapse. I don’t know if the Lemmy server supports this yet, my suggestion would be to join the matrix chat for the development and ask there. You should find a link to the chat room on the github page. If it does support it then most likely the process is the same as the one I linked for matrix.

Look, if you understand what a DHT is I also expect you to understand the amount of effort it would take to implement such a feature. The fact that the tech exists does not mean you can just plug it in and go. It took the devs weeks to move from websockets to HTTP, a feature like this would take months and take time away from a lot of other important work.

Sure, but this isn’t finding new instances, just new communities on known instances. Indeed, this is not difficult to implement. The reason it’s not done already is for resource economy. A lot of instances are already struggling to scale, making them process and store a lot more content with little value for most users of the instance isn’t feasible for a lot of servers right now.

Social media and torrents are pretty damn different. There’s a reason no federated platform has implemented automatic discovery, even ones with much more resources than Lemmy, like Mastodon.

I don’t know why you folks keep pointing at missing features and saying “Lemmy doesn’t have this pretty advanced network feature, so it’s not really decentralized”, or “it cannot organize”, or “it’s useless”… It’s basically two people’s passion project that only blew up in the past month because reddit fucked up. You’re not paying for it, are you? So I really don’t see how this attitude is warranted.

Sure, but now this system has a dependency on the “centralized” lemmyverse.net service. And also your instance now has to receive and store a copy of almost the entire network’s content. Lots of instances are already struggling to sustain the load, this would make the problem even worse.

If a single instance decides that it can sustain the increased load and doesn’t mind depending on lemmyverse.net sure, nothing’s stopping them. But it shouldn’t be the default behavior for all instances.

In order to avoid this restriction you would need a global instance discovery mechanism, which is extremely hard to implement without a central server that keeps a list of all instances in the network. And if you do implement instance discovery through a central server you really are losing the whole point of decentralization.

Additionally, it’s good that each instance does not federate with everyone else by default. If it did, it would have to process all activity and keep a local copy of all the content in the entire network. This would be insanely inefficient, and make it prohibitively expensive to run even a tiny instance with 1 user and no communities.

Decentralization isn’t useless if you can’t immediately see everything in the network, come on… We’re just spoiled by centralized services.