this post was submitted on 06 Mar 2024
307 points (88.9% liked)


Highlighting the recent report of users and admins being unable to delete images, and how Trust & Safety tooling is currently lacking.

[–] [email protected] 52 points 8 months ago (4 children)

You don't understand how open source works. You are not entitled to any features. Let the devs go at their own pace. A lot of open source projects shut down because of similar reasons.

[–] [email protected] 2 points 8 months ago (1 children)

We can expect them to follow the law. And yes this means implementing required features to comply with the law.

[–] [email protected] -3 points 8 months ago (1 children)

Nothing here is breaking any laws. I don't know why OP thinks the GDPR applies here, it doesn't.

[–] [email protected] 4 points 8 months ago (1 children)

It does apply, but not to the Lemmy devs, but to the instance admins.

As it stands, you can't legally host a Lemmy server in either the EU or the US (or places they can reach) and federate with the 'verse at large without fear that the authorities will come after you.

[–] [email protected] -2 points 8 months ago (1 children)

This is not true at all, you can host an instance in the USA for free and not be subject to the GDPR. You're not selling anything, or marketing anything or doing any data collection to be sold. It 100% does not apply.

[–] [email protected] 1 points 8 months ago (1 children)

GDPR Article 3, and the EU-US Data Protection Umbrella Agreement concluded in the US in December 2016, which makes it US law, disagree.

[–] [email protected] 2 points 8 months ago (1 children)
[–] [email protected] 1 points 8 months ago* (last edited 8 months ago) (1 children)

Lemmy instances offer services to me as an in-EU data subject, and that makes it subject under the very Article 3/2 (a) you linked.

the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union

Since there is federation, a US-based instance would still be a data processor if it IP blocked me as coming from the EU.

I did in fact read it.

[–] [email protected] 1 points 8 months ago (1 children)

Read the rest of it, instead of cherry picking shit. The instance needs to be collecting your data and selling it or making some sort of money off of it.

[–] [email protected] 1 points 8 months ago (1 children)
[–] [email protected] 1 points 8 months ago (1 children)

the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or the monitoring of their behaviour as far as their behaviour takes place within the Union.

Lemmy doesn't sell anything and it doesn't monitor you or collect PII.

[–] [email protected] 2 points 8 months ago (1 children)

Anything from which someone's identity can be even indirectly inferred is PII. The GDPR explicitly defines usernames as online identifiers as PII.

The whole "irrespective of whether a payment of the data subject is required" bit is so that it applies to free services like Lemmy as well. Lemmy provides me with a free service. It even monitors me through federation, since it scrapes my username and comments from other instances without my affirmative and explicit consent. Using a service, no matter its nature, is not consent as required by the GDPR.

There is an explicit cutout for services you offer yourself or your household members. The reason it is there is that free services like Lemmy absolutely do qualify.

[–] [email protected] 0 points 8 months ago (1 children)

No it doesn't, and good luck finding a case where someone has been fined for hosting a free service that doesn't sell anything.

[–] [email protected] 1 points 8 months ago (1 children)

There are dozens of cases of fines issued to municipalities, and government offices that don't do business. France fined a parliamentary candidate. Italy has fined the Italian Archery Federation, an NGO. Germany fined a bunch of individual police officers and an employee of a Covid testing centre.

Please either start backing up your claim of some supposed nonprofit exception, or go sealioning somewhere else.

[–] [email protected] 1 points 8 months ago (1 children)

Cool, so no forum owners of foss...got it.

[–] [email protected] 1 points 8 months ago (1 children)

Nice moving the goalposts there. You said "not selling anything". I think police officers or the "Association for the prevention and study of crimes, abuses and negligence in information technology and advanced communications" don't sell stuff, they were fined nevertheless.

If I put a link to for example this case where a small social media provider got fined for nothing more than not handling data well, you could move the goalposts even further.

Or you could look at the countless cases brought against private individuals where they of course are not selling things. Austria fined a guy under GDPR for having a dashcam!

So again, you made a claim that there is an exception under GDPR for "forum owners of foss". Let's see evidence for that claim.

[–] [email protected] 1 points 8 months ago (1 children)

Summary The company has sent invitations to contacts uploaded by its users without their consent or any other legal basis.

Let's see, in the EU and was a company that sold and processed data.

All you have done is provided that companies that hold PII in the EU have been fined before.

I'll ask again, please provide an instance of a person who holds no PII operating a forum or instance that is free, sells no data and makes no profit off the instance being fined.

[–] [email protected] 1 points 8 months ago* (last edited 8 months ago)

I was going to write a long ass answer to this, but tbh I'm tired of you asking and me answering the same question over and over again while not providing any source for your claims.

  • Lemmy holds PII. Usernames and other online identifiers are PII according to GDPR Art 4/1 and legal practice as well. Photos people upload of themselves, people claiming to be Jews or from some country in comments are all PII. You have just said "oh but they are not" without backing up your claims. If nothing else, the fact that Reddit, the site which this is a clone of, holds PII should convince you if the relatively plain words of the law don't.

  • Lemmy processes data. According to GDPR Art 4/1 data processing does not involve sales of data, just "any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction". Again, you have not found anything to back up your claim that "it actually doesn't and selling and processing is the same".

  • GDPR applies to nonprofits, even non-commercial entities, private individuals, government institutions as evidenced by fines. You claim an exception for "forum owners for free instances" without even trying to back it up, and are asking me to prove a negative, again without providing any evidence of your own.

So the real question is, let's say you're an admin of some instance that grows to some noticeable size. Would you trust your gut feeling of "I hate EU regulations, and they shouldn't apply to me either" before some random country you probably never heard of sends you a letter that you pay them some large amount of money? Or would you implement basic delete functionalities on your website and sleep easy?

[–] [email protected] 11 points 8 months ago* (last edited 8 months ago) (1 children)

You don't know how social networks work. They only survive based on network effects, if they don't have the most basic functionality that users expect (like complying with privacy legislation), then they will fail to reach critical mass and be outcompeted and die.

If the devs don't want to provide the most basic functions that any user of a social network would expect, they're welcome to be downvoted to hell and have their project go back to being one of the millions of forgotten and unviewed personal GitHub projects.

Open source projects die because it takes both technical talent and attention to your users to make a project successful, and for-profit companies often pay different people to do those.

[–] [email protected] 14 points 8 months ago* (last edited 8 months ago) (1 children)

The entire point of the “fediverse” is to combat the network effect. Don’t like Lemmy? Move to another app and still communicate with people on Lemmy. Plus it’s all open, can’t find an app you like? Build one or wait for someone to build one you like.

[–] [email protected] 7 points 8 months ago

The entire point of the “fediverse” is to combat the network effect.

No, it's not.

The purpose of the fediverse is to decentralize control of the network, it does not eliminate network effects in any way shape or form. At the end of the day a social network is only as valuable as the users using it and contributing content to it. If they don't find lemmy pleasant to use, they're not going to say "let me jump to mastodon" they're going to go to Reddit.

Build one or wait for someone to build one you like.

You really don't understand network effects if you think you can just sit around and wait for basic functionality and expect your network not to die.

[–] [email protected] 38 points 8 months ago* (last edited 8 months ago) (1 children)

Likewise, an open source project can totally die if they refuse to engage with the needs of the users. The lack of moderation and content management tools has been a longstanding criticism of Lemmy, and instances will migrate to alternatives that address these concerns. It is a genuine legal liability for instance operators if they are unable to sufficiently delete CSAM/illegal content or comply with EU regulations.

[–] [email protected] 7 points 8 months ago* (last edited 8 months ago) (1 children)

But open source projects are more likely to get dropped by devs than losing their userbase from what I've seen. I could be wrong. Both our points are true. That's the best part of fediverse. If one doesn't like lemmy, they are free to choose an alternative. I just don't agree with demanding features from open source developers. There is a distinct line between demanding and requesting. I'm not saying lemmy is perfect. Maybe Sublinks would be better. Let's wait. But even Sublinks won't be sustainable if users do not respect developers' time and patience.

[–] [email protected] 12 points 8 months ago (1 children)

I think there is also a distinct line between demanding, for example, a new animated avatar feature and demanding a way to delete child porn.

[–] [email protected] 2 points 8 months ago
[–] [email protected] 27 points 8 months ago* (last edited 8 months ago)

While I think you're correct about it ultimately being their project, and that users are in no place to demand or expect anything, this thing takes on whole other dimensions once a project is all about building a social platform. Particularly one where volunteers host part of the network themselves.

It's one thing to look at some random demand to write everything in a P2P architecture because DNS is too centralized. When I worked on Diaspora, I literally saw people demand stuff like that, and laughed it off. I'm trying to build a platform that exists today, not some pixie dream bullshit comprised of academic circle-jerking.

But when it comes to basic table stakes for participating in a network that already exists, things change a bit. This is especially true when you're connecting to a global network that has:

  • Hate Speech
  • Targeted Harassment Campaigns
  • Child Pornography
  • Extreme Gore and Violence

Suddenly, it makes a lot of sense to say "you know what, admins are going to want to filter this shit out, maybe it's reasonable for them to have some tools and fixtures that are part of core."

Unfortunately, these devs are the kind of people who scream angrily when someone says "Hey, this thing doesn't actually respect local image deletes / GDPR stuff / content deletion on account deletion". To me, that's fucking insane.