• tal@lemmy.today
    8 months ago

    I’d wager that it’s probably not that hard to obtain a lemmy user’s IP address, whether the admin hands it over or not.

    Lemmy permits – arguably not the greatest design decision from a privacy standpoint – inline remote images in comments. E.g.:

    ![](https://www.google.com/images/branding/googlelogo/2x/googlelogo_color_272x92dp.png)
    

    Yields:

    As soon as that image is loaded, the remote HTTP server knows the IP address of the client viewing the image.

    I bet that it does in private messages too, though I haven’t tested it. Send a private message to a user, referencing an image on a server you control – maybe even a one-pixel, transparent image, a tactic that has been used in Web tracking in the past – and the server knows their IP when the image is viewed. Even if it doesn’t, you could probably just respond to a few comments by a user in regular threads, and they’re probably going to be the first to view the image (and probably the only one to view all of them).
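
One mitigation for the leak described in the comment above, as an added example that is not part of the original comment and is not Lemmy's own code: rewrite remote inline images in a comment body so the viewer's browser fetches them through the instance rather than from the third-party host. The instance host `lemmy.example` and the `/image_proxy?url=` endpoint are assumed placeholders.

```javascript
// Added example: rewrite remote inline images in a Markdown comment so the
// viewer's browser fetches them from the instance, not the third-party host.
// INSTANCE_HOST and PROXY_PATH are assumed names, not Lemmy's real API.
const INSTANCE_HOST = "lemmy.example";      // hypothetical instance
const PROXY_PATH = "/image_proxy?url=";     // hypothetical proxy endpoint

// Matches inline images: ![alt](url) or ![alt](url "title").
// Reference-style images and raw <img> tags are out of scope here.
const INLINE_IMAGE = /!\[([^\]]*)\]\(\s*<?([^\s)>]+)>?(\s+"[^"]*")?\s*\)/g;

function classify(rawUrl) {
  let url;
  try {
    // Resolve relative and protocol-relative URLs against the instance.
    url = new URL(rawUrl, `https://${INSTANCE_HOST}/`);
  } catch {
    return { remote: false, host: null };   // unparsable: leave untouched
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { remote: false, host: null };   // e.g. data: URLs contact no server
  }
  const host = url.hostname.toLowerCase();
  return { remote: host !== INSTANCE_HOST, host, absolute: url.href };
}

function rewriteRemoteImages(markdown) {
  const remoteHosts = new Set();
  const rewritten = markdown.replace(INLINE_IMAGE, (match, alt, rawUrl, title = "") => {
    const info = classify(rawUrl);
    if (!info.remote) return match;         // image on the instance: unchanged
    remoteHosts.add(info.host);
    const proxied = PROXY_PATH + encodeURIComponent(info.absolute);
    return `![${alt}](${proxied}${title})`;
  });
  return { markdown: rewritten, remoteHosts: [...remoteHosts].sort() };
}

// Constructed sample comment body (not taken from a real post).
const SAMPLE = [
  "Local: ![logo](/pictrs/image/abc.png)",
  "Remote: ![](https://tracker.example/pixel.png)",
  "Proto-relative: ![x](//cdn.example/a.gif \"t\")",
].join("\n");

console.log(rewriteRemoteImages(SAMPLE));
```

With this in place the remote server sees only the instance's address; the returned `remoteHosts` list can also be logged to spot accounts that repeatedly embed images from the same external host.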