If you visit a popular community like /c/[email protected] with your web browser, the images shown are hotlinked from the Lemmy instance that the person posting the image utilized. This means that your browser makes a https request to that remote server, not your local instance, giving that server your IP address and web browser version string.

Assume that it is not difficult for someone to compile this data and build a profile of your browsing habits and patterns of image fetching - and is able to identify with high probability which comments and user account is being used on the remote instance (based on timestamp comparison).

For example, if you are a user on lemmy.ml browsing the local community memes, you see postings like these first two I see right now:

You can see that the 2nd one has a origin of pawb.social - and that thumbnail was loaded from a sever on that remote site:

https://pawb.social/pictrs/image/fc4389aa-bd4f-4406-bfd6-d97d41a3324e.webp?format=webp&thumbnail=256

Just browsing a list of memes you are giving out your IP address and browser string to dozens of Lemmy servers hosted by anonymous owner/operators.

  • RGB@lemmyfi.com
    link
    fedilink
    arrow-up
    2
    ·
    1 year ago

    This applies to any website. by visiting the website you give them your IP. the only way to mitigate this is to use a VPN.

    • RoundSparrow@lemmy.mlOP
      link
      fedilink
      arrow-up
      1
      ·
      edit-2
      1 year ago

      This applies to any website. by visiting the website

      Most people think ‘visit a website’ means typing it in the address bar. period.

      the only way to mitigate this

      There are a lot of conventions that can be considered to mitigate this. The “only” way isn’t just a VPN. The Lemmy server operators have a lot to do with the choice of hotlinking.