If you visit a popular community like /c/[email protected] with your web browser, the images shown are hotlinked from the Lemmy instance that the person posting the image utilized. This means that your browser makes a https request to that remote server, not your local instance, giving that server your IP address and web browser version string.

Assume that it is not difficult for someone to compile this data and build a profile of your browsing habits and patterns of image fetching - and is able to identify with high probability which comments and user account is being used on the remote instance (based on timestamp comparison).

For example, if you are a user on lemmy.ml browsing the local community memes, you see postings like these first two I see right now:

You can see that the 2nd one has a origin of pawb.social - and that thumbnail was loaded from a sever on that remote site:

https://pawb.social/pictrs/image/fc4389aa-bd4f-4406-bfd6-d97d41a3324e.webp?format=webp&thumbnail=256

Just browsing a list of memes you are giving out your IP address and browser string to dozens of Lemmy servers hosted by anonymous owner/operators.

  • jbaber@lemmy.sdf.org
    link
    fedilink
    arrow-up
    1
    ·
    1 year ago

    A “solution” to this might be for lemmy instances/apps to have the option to “load remote images” the way e-mail providers do. So I have to actively click to load the images. Could even be done per subscription, so I could declare that I just want everything loaded when I see lemmy.ml/c/pics but not in general, where I usually want text.

  • MarionWheeler@beehaw.org
    link
    fedilink
    arrow-up
    1
    ·
    1 year ago

    IP Address isn’t extremely precise, and I always run on the latest version of whatever browser I’m on, be it Safari or Edge.

  • Dick Justice@lemmy.world
    link
    fedilink
    arrow-up
    1
    ·
    1 year ago

    Is rhere anything end users can do about it, or is it a choice between using the fediverse or not using the fediverse?

  • RGB@lemmyfi.com
    link
    fedilink
    arrow-up
    1
    ·
    1 year ago

    This applies to any website. by visiting the website you give them your IP. the only way to mitigate this is to use a VPN.

  • Kushan@beehaw.org
    link
    fedilink
    arrow-up
    1
    ·
    1 year ago

    Big instances surfing up content from smaller instances is invariably going to cripple them unless larger instances start locally caching that content.

    • liori@lemm.ee
      link
      fedilink
      arrow-up
      0
      ·
      1 year ago

      GDPR believes an IP address is a private information. This can be used to mount a legal attack on EU-hosted lemmy instances.

      • Lenins2ndCat@lemmy.ml
        link
        fedilink
        arrow-up
        0
        ·
        edit-2
        1 year ago

        If IP address sharing via hotlinked images, embedded content, etc were breaking GDPR I think the entire internet is breaking it. If I visit a blog, and then click an embedded video or image on that page, then my IP has been shared to someone else while visiting that page. This occurs on the vast majority of the internet.

        EDIT: It wouldn’t just be EU-hosted lemmy instances either. GDPR applies to servers outside of EU jurisdiction whenever they’re serving residents of the EU.

        • liori@lemm.ee
          link
          fedilink
          arrow-up
          1
          ·
          1 year ago

          Indeed. Most of the web is broken under GDPR’s privacy requirements.