💡 This article has been updated.

As far as the Threadiverse is concerned, Lemmy seems to be in an enviable position: they have a vast base of users, supporters, and donors. Their ongoing crowdfunding efforts pull in €3,966 (about $4,304) per month from over 1,162 supporters. The project is also listed as the third largest Fediverse platform in FediDB, just behind Misskey and Mastodon.

Lemmy benefits heavily from being the first movers in their space. Which is why it’s so surprising that the most matured Threadiverse platform lacks a basic feature: users and admins can’t delete uploaded images.

Wait, what?

Recently, Michael Altfield posted an intriguing piece to his blog titled Nightmare on Lemmy Street (A GDPR Horror Story). It’s a fascinating read, and highlights a user mistake that’s all too common: fumbling around on a phone, it’s possible to hit the wrong button and upload something sensitive. Federated or not, it’s a common expectation for platforms to offer tooling to clean that out of storage.

PSA: you can't delete photos uploaded to #lemmy. So don't (accidentally) upload a nude to lemmy. That would be bad ?

https://tech.michaelaltfield.net/2024/03/04/lemmy-fediverse-gdpr/

Oh, and if you delete your account? It doesn't delete your uploaded photos. And good luck getting your instance admin to delete it; it requires a manual db query, api call, and — oh, none of this is documented? Welcome to my #fediverse #GDPR nightmare ??

— Michael Altfield ?? (@MichaelAltfield) 2024-03-04T16:08:55.929Z

Lemmy is a little bit more complicated than other platforms, architecturally speaking, because image hosting is actually handled as an auxiliary service called pict-rs, which runs alongside a given Lemmy instance. While pict-rs itself works fine for handling uploads, downloads, and modifications to pictures, the devs neglected to add anything to Lemmy’s interface to handle deletions. In fact, the platform as a whole lacks any tooling for moderating images whatsoever.

Interacting with Lemmy’s Devs

Michael wrote up a handful of reports in the project repo [1, 2, 3, 4] scoped to specific bugs and feature requests. In their initial reactions to a request concerning image deletions and GDPR compliance, the Lemmy devs offered a frosty reception.

“I dont believe that GDPR applies to Lemmy unless it is provided as a commercial service,” Nutomic wrote. When corrected on this point, he became more hostile.

“You are not a lawyer so I wont take your unqualified opinion as fact. I also have to point you to the license under which Lemmy is provided to you for free,” he said, citing the GNU AGPL, “So there is no legal nor moral responsibility to implement any features that you personally want. However you are free to implement it yourself, pay someone else to implement it, or stop using Lemmy and use one of countless alternative platforms instead.”

“Would you mind if we set some of your priorities also?” co-contributor Dessalines chimed in, “You’re asking us to do free labor for you, that you’re unwilling to do yourself. Do not put ultimatums and demands on people making FOSS, or I won’t hesitate to block you from these repos.”

Some Progress

Eventually, the two core Lemmy devs reflected on it, and switched gears.

“Unfortunately there was some miscommunication in this issue and we failed to get to the root cause,” Nutomic wrote, “In fact the Lemmy backend has an option to delete all content when an account is deleted. This used to be the default behaviour but was changed in 0.19 so you need to set a parameter delete_content. We failed to add a checkbox for this parameter to lemmy-ui.”

While this is at least some kind of improvement, the other three issues remain largely unanswered, beyond a half-hearted statement from the other dev: “Unfortunately, I can’t work on that right now, if someone else can do it, that would be helpful.” UPDATED, SEE BELOW

Why is this Important?

There are a couple of reasons as to why this is so surprising. Firstly, the Trust & Safety aspect: a few months ago, several Lemmy servers were absolutely hammered with CSAM, to the point that communities shut down and several servers were forced to defederate from one another or shut down themselves.

Simply put, the existing moderation tooling is not adequate for removing illegal content from servers. It’s bad enough to have to jump through hoops dealing with local content, but when it comes to federated data, it’s a whole other ball game.

The second, equally important aspect is one of user consent. If a user accidentally uploads a sensitive image, or wants to wipe their account off of a server, the instance should make an effort to comply with their wishes. Federated deletions fail sometimes, but an earnest attempt to remove content from a local server should be trivial, and attempting to perform a remote delete is better than nothing.

Moving Forward

The fact that Lemmy’s core team is taking a fairly laissez faire position on moderation, user safety, and tooling is problematic, and could be a serious blocker for communities currently hosted on Lemmy.

At this point, most of the solutions the ecosystem has relied on have been third-party tools, such as db0’s fantastic Fediseer and Fedi-Safety initiatives. While I’m sure many people are glad these tools exist, the fact that instances have to rely solely on third-party solutions is downright baffling.

A growing amount of Lemmy users and admins have become unhappy their relationship with the people building it, and are starting to look at other Threadiverse platforms such as Kbin, Mbin, Sublinks, and PieFed. Given that NodeBB and Discourse are also implementing ActivityPub, they might just overshadow Lemmy in the long term.

It may be that such a move is necessary, even if transitioning communities and user accounts might be painful. For now, users, admins, and developers need to think hard about raising the quality level on user and community safety.

Giving Credit Where Credit is Due

The Lemmy devs are working on a feature to deal with the crux of these problems right now. This is an incredibly welcome development, and showcases that they were motivated to solve the core issue.

In the comments section for this article on lemmy.ml, both Nutomic and Dessalines expressed that they felt this coverage was one-sided and unfair, with Nutomic going as far to describe it as “a hit piece” and declaring that I’m not doing responsible journalism because I “hate their project”. (For the record: I don’t hate it. You don’t constantly use a platform for years and years because you hate it.)

Lemmy has been doing a substantial amount of work over the course of the 0.19 release in improving admin and moderation capabilities for Lemmy. This includes:

• Instance Blocks for Users
• Auto-Resolve Reports for Deleted Comments
• Log for Image Uploads
• Overhaul of moderation / content actions
• Protections against downvote trolling
• Support for Reports from Mastodon and Kbin

These two guys basically work on Lemmy full-time, and in addition to the above improvements, do a lot of heavy lifting on infrastructure, federation, testing, feature development, and standards guidance. It’s a massive body of work, and I can imagine that carrying this out on a daily basis, while effectively surviving on donations, is probably very stressful.

The thing that really gets me with these, is that we are 2-4 devs working on software used by over 40k ppl. It is absolutely impossible to please everyone, and fix every issue, there just isn’t enough of us.

Oftentimes we ask for ppl to do the open source thing, and contribute a PR, and many of them do.

Dessalines, Lemmy Dev

The Lemmy devs are currently rallying up their fundraising efforts, with the goal being to comfortably support both of them with reasonable median salaries. If you’re inclined to donate, please do so.

 Share