[-] coffeeClean@infosec.pub 1 points 7 months ago* (last edited 7 months ago)

It’s not always the case though. If you look at vivaldi.net and stackexchange, the creds take a CF-free path.

[-] coffeeClean@infosec.pub -2 points 7 months ago* (last edited 7 months ago)

I think you can assume that your credentials go via Cloudflare.

That would be my natural assumption until the contrary is verified.

But the only thing you can do on lemmy is post stuff publicly, and presumably you are using randomised passwords, so what’s the cyber security risk?

I would not register on a CF site for anything AFAICT, and most certainly not a CF Lemmy site amid non-CF Lemmy sites (it would be a compromise for nothing and also help grow a walled garden that excludes people and centralizes the fedi to the detriment of undermining fedi philosophy). Lemmy.world is just a good example for my question because the code is obfuscated.

My problem is often that I register on a non-CF service then it becomes CF and it’s not always social media. Indeed I use unique unguessable passwords for each site. But that’s not what the masses do (I’m asking as well to work out how the masses could detect this - in principle their browser should tell them; what should I tell my grandma to look for?). I’m also trying to work out what diligent users do.

I’m not sure how many people will evade my question. So I'll try some examples to overcome that.

Example 1
Suppose my bank becomes Cloudflared, without announcement (thus no time to pull my money out before it happens), and they charge a high fee for paper statements. The customer may choose good unique passwords, but this does not mean that the password does not need to be protected. Most banks’ terms of service make customers liable for sharing creds with a 3rd party, and the ToS also includes an indemnity/disclaimer for that bank. So if creds are compromised via CF the ToS is written to make the customer liable.

Example 2
Suppose I am reporting a GDPR offender to a regulator. I want my report to be complete. If they are sloppily passing sensitive info like login creds through Cloudflare, I should check that and if yes smear them for it in my report.

Examples aside, I’m asking how a diligent user checks whether their creds are shared with CF.
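
An added example, not from the thread, of the check asked about here, written from the user's side: it parses the login page for the form that carries the password field, resolves where that form actually posts, and then looks for Cloudflare signals (server header, cf-* headers, published proxy IP ranges) on that host rather than on the page host, which is why a site whose creds take a separate, CF-free path comes out clean. The `observe` callback, the sample HTML and the headers are assumptions/constructed, and the IP list is only an illustrative subset of Cloudflare's published ranges.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Illustrative subset of Cloudflare's published proxy ranges (cloudflare.com/ips);
# refresh from the published list before relying on it.
CF_RANGES = [ipaddress.ip_network(n) for n in (
    "103.21.244.0/22", "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13",
    "173.245.48.0/20", "141.101.64.0/18", "108.162.192.0/18", "162.158.0.0/15",
    "188.114.96.0/20", "190.93.240.0/20", "197.234.240.0/22", "198.41.128.0/17",
)]
CF_HEADERS = {"cf-ray", "cf-cache-status"}  # response headers a CF edge adds

class _FormFinder(HTMLParser):
    """Collect the action of every <form> that contains a password field."""
    def __init__(self):
        super().__init__()
        self.actions, self._cur, self._has_pw = [], None, False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur, self._has_pw = a.get("action") or "", False
        elif tag == "input" and a.get("type") == "password":
            self._has_pw = True
    def handle_endtag(self, tag):
        if tag == "form" and self._cur is not None:
            if self._has_pw:
                self.actions.append(self._cur)
            self._cur = None

def credential_target(page_url, html):
    """Absolute URL the first password form posts to, or None if there is none."""
    p = _FormFinder()
    p.feed(html)
    return urljoin(page_url, p.actions[0]) if p.actions else None

def behind_cloudflare(headers, ip):
    """True if the responding host shows Cloudflare proxy signals."""
    h = {k.lower(): str(v).lower() for k, v in headers.items()}
    if h.get("server") == "cloudflare" or CF_HEADERS & set(h):
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CF_RANGES)

def creds_via_cloudflare(page_url, html, observe):
    """observe(host) -> (headers, ip) as seen for the host receiving the POST.
    Hypothetical callback: the caller supplies what its HTTP/DNS client observed."""
    target = credential_target(page_url, html)
    if target is None:
        return None  # no classic password form; login is probably script-driven
    headers, ip = observe(urlsplit(target).hostname)
    return behind_cloudflare(headers, ip)
```

For a script-driven login (the obfuscated-JS case mentioned above) there is no HTML form to parse, so the host to check is the one the browser's network panel shows receiving the login request.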

[-] coffeeClean@infosec.pub 1 points 7 months ago

They’re not at odds. We don’t have to choose between protecting UDHR Art.3 and Art.17. It’s foolish to disregard some portion of the UDHR needlessly and arbitrarily.

[-] coffeeClean@infosec.pub 8 points 7 months ago

The real problem with @Blaster_M@lemmy.world’s comment was to blame the victim. It may be sensible to blame the victim, but let’s not lose focus on the perp.

[-] coffeeClean@infosec.pub 1 points 7 months ago* (last edited 7 months ago)

Don’t try to strawman this. Human rights are violated when someone is deprived of their property (their data in the case at hand). If food is withheld from starving people in Gaza, your argument is like saying:

“Claims human rights are being violated because someone failed to drive a truck”

[-] coffeeClean@infosec.pub 5 points 7 months ago* (last edited 7 months ago)

beehaw.org defederated from lemmy.ml. And I don’t blame them. I actually try not to post to lemmy.ml or any of the Cloudflare-centralized nodes (lemmy.world, sh.itjust.works, lemm.ee, etc) but it slipped my mind when I posted here.

(edit) Sorry, I'm confused. I thought beehaw.org defederated from lemmy.ml, but both the post herein and the original are on lemmy.ml yet you can reach this one. So I’m missing something. I wonder if you are able to see infosec.pub-mirrored content and maybe the original community has no infosec subscribers? Hard to say.

[-] coffeeClean@infosec.pub 2 points 7 months ago* (last edited 7 months ago)

You’re very trusting of your corporate overlords. I’m sure they are grateful for your steadfast loyalty and trust.

[-] coffeeClean@infosec.pub 2 points 7 months ago* (last edited 7 months ago)

No amount of money you pay for your phone up-front will make that malicious code magically go away. You can pay cash, and you can even tip the seller. The code that reduces your control remains in that device. If you don’t control it, you don’t own it.

[-] coffeeClean@infosec.pub 1 points 7 months ago

If you fail to use rights granted to you by free software licenses, you can blame yourself.

[-] coffeeClean@infosec.pub -2 points 7 months ago* (last edited 7 months ago)

You’re not getting it. Again:

If you don’t control it, you don’t own it.

Buying something does not mean you control it. You might have bought an Amazon Ring doorbell but if Amazon does not like your behavior they can (and will) render it dysfunctional.

If you don’t control it, you don’t own it.

[-] coffeeClean@infosec.pub 1 points 7 months ago* (last edited 7 months ago)

I guess a closer analogy would be rental storage. If you don’t pay your mini storage bill, in some regions the landlord will confiscate your property, holding it hostage until you pay. And if that fails, they’ll even auction off your contents.

So in the case at hand the creditor is holding the debtor’s data hostage. One difference is that the data has no value to the creditor and is not in the creditor’s possession. It would be interesting to know if the contracts in place legally designate the data as the creditor’s property. If not, the data remains the property of the consumer.

This is covered by human rights law. Universal Declaration of Human Rights, Article 17 ¶2:

“No one shall be arbitrarily deprived of his property.”

If the phone user did not sign off on repossession of their data, and thus the data remains their property, then the above-quoted human right is violated in the OP’s scenario.

[-] coffeeClean@infosec.pub 2 points 7 months ago

I was imagining how a well-designed mail client might detect likely tracker pixels and signal the user. If MUAs were sufficiently evolved, that kind of convenience/sloppiness of transmitting tracker pixels but then putting the switch somewhere on the server wouldn’t fly. Anyway, I appreciate the insight. It certainly raises a transparency issue.


coffeeClean

joined 1 year ago