Highlighting the recent report of users and admins being unable to delete images, and how Trust & Safety tooling is currently lacking.

  • Jumuta
    link
    fedilink
    English
    arrow-up
    23
    arrow-down
    1
    ·
    9 months ago

    how are you supposed to do gdpr compliance on a federated system though?

    • maynarkh@feddit.nl
      link
      fedilink
      English
      arrow-up
      30
      ·
      9 months ago

      You are responsible for data collected by your own instance. If a deletion request comes through, you are responsible for deleting it from your account, and forwarding the deletion request and responses to other instance you federate with. You are in the clear as long as you don’t keep data you legally can’t, and have sufficiently informed other instances of your obligations.

      • RubberDuck@lemmy.world
        link
        fedilink
        English
        arrow-up
        6
        arrow-down
        3
        ·
        9 months ago

        No, if you collected the data and shared it with others, simply informing the others is not enough. This is why the platform needs tools for admins to comply.

        A proper method, that allows the users to nume their account could already be enough.

        • maynarkh@feddit.nl
          link
          fedilink
          English
          arrow-up
          4
          ·
          9 months ago

          What I mean by informing others is that you have to explicitly forward the deletion request. Not much else you can do I think.

          • RubberDuck@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            ·
            9 months ago

            I get that, but this is where it gets tricky. As “there is nothing we can do” was the number one reason used under the law predating the GDPR. So in the GDPR there is a stipulation that you stay responsible or share responsibility with the other party If you share the data. Because large companies used this to send data through clearing houses allowing them to hash their hands.

            GDPR is really the cranky brother of its predecessors, because there was so much fuckery going on.

            And while I doubt Admins will be a prime target for privacy watchdogs, it is good that they also have to think about the privacy of their users. Since privacy is a basic human right.

            • maynarkh@feddit.nl
              link
              fedilink
              English
              arrow-up
              1
              ·
              9 months ago

              Oh, that’s actually neat. But at the same time, that means every instance owner is responsible for the whole of the Fediverse.

              I can imagine that would mean non-compliant instances will get defederated at some point? Or ActivityPub will get some compliance features? It’s not like the EU is unaware of the Fediverse, they are the main monetary supporters behind Lemmy.

              • RubberDuck@lemmy.world
                link
                fedilink
                English
                arrow-up
                1
                ·
                9 months ago

                I have no clue how jurisprudence would turn out. But keep in mind, this is not about the posts people make. The framework just needs to collect/store as little information as possible that can be considered PII. And it should have a way to remove it.

                If Deleting your account results in the PII actually being removed (username, ip address, other profile info, whatever data is stored under the hood) and these removals actually get federated… there should not be an issue.

                Then admins maybe have to do something if people start posting PII as messages, but that would probably be doxing and up for removal anyway.

                So mainly the issus boil down to:

                • is there a way for people to scrub their account
                • does the scrubbing remove all the data
                • is the platform clear about what data is being collected and is all collected data actually needed
                • maynarkh@feddit.nl
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  9 months ago

                  The issue I see is that if my instance is on the hook for the fediverse at large, and I operate on an allowlist basis, malicious actors can scrape PII and ignore the GDPR, and that would make me the one on the hook for that, isn’t that right?

                  • RubberDuck@lemmy.world
                    link
                    fedilink
                    English
                    arrow-up
                    1
                    ·
                    9 months ago

                    There is plenty of jurisprudence and clarity needed, so… maybe. Hence the importance for the framework itself to be as GDPR compliant as possible and not store PII if not nessecary and remove it once no longer nessecary. (Storing someone’s IP for login, and post validation, bans etc should be limited to the period that makes sense, not infinitely.)

                    And in your example, the ‘malicious’ part of the 3rd party probably makes it different. Maybe then it is a dataleak.

    • RubberDuck@lemmy.world
      link
      fedilink
      English
      arrow-up
      12
      ·
      edit-2
      9 months ago
      • By defining all information that is processed and why.
      • By not processing and storing any personal identifiable information (an IP address is PII for example) without a clearly defined need.
      • When stored ONLY using data for the defined purposes. This also means shielding data that should be shielded.
      • By implementing the mechanics for someone to be forgotten (delete my account, should delete all info, especially PII).
      • Making sure the mechanics to federate these changes/deletions exist.
    • SupraMario@lemmy.world
      link
      fedilink
      English
      arrow-up
      9
      arrow-down
      19
      ·
      edit-2
      9 months ago

      You can’t and this is a shit article…the GDPR doesn’t apply to instance outside of the EU…

      The GDPR even applies if no financial transaction occurs if the US company sells or markets products via the Internet to EU residents and accepts the currency of an EU country, has a domain suffix for an EU country, offers shipping services to an EU country, provides translation in the language of an EU country, markets in the language of an EU country, etc.

      https://www.dickinson-wright.com/news-alerts/what-usbased-companies-need-to-know#:~:text=The GDPR even applies if,language of an EU country%2C

      Literally people using the GDPR like it’s some gotcha thing for admins. If nothing is sold or offered to be sold and their is no financial gain it’s not going to apply. On top of that good luck suing a FOSS dev.

      Edit: that downvote button does jack shit on Lemmy people. If you think I’m wrong why not prove that I’m wrong…and why a bunch of law firms are wrong as well.

      • maynarkh@feddit.nl
        link
        fedilink
        English
        arrow-up
        22
        ·
        9 months ago

        You can’t and this is a shit article…the GDPR doesn’t apply to instance outside of the EU…

        It absolutely does, if the company processes data of EU residents. The US enforces GDPR themselves, as they have signed an agreement to do so. To be clear, this means that according to US law, if you are a US web host, you can abuse US customer data and the FBI will not come after you, but if you do so with EU customer data, US authorities will come after you on behalf of the EU.

        Literally people using the GDPR like it’s some gotcha thing for admins. If nothing is sold or offered to be sold and their is no financial gain it’s not going to apply.

        Yeah it does, as soon as you are providing a service, if you have a user from the EU that’s not you, it applies. And while GDPR fines are defined in a revenue percentage, there is a minimum of “up to 10 million EUR” for a violation.

        On top of that good luck suing a FOSS dev.

        Nobody is getting sued. EU data protection agencies don’t “sue” people and companies. They fine them. The difference is that a lawsuit is a process where at the end you might need to pay money, but you mostly settle. A GDPR fine looks like you get a letter saying you need to pay an amount, if you want to appeal, you can do so after paying.

        And it’s not the devs that will be getting these fines, it’s instance admins.

        • yamanii@lemmy.world
          link
          fedilink
          English
          arrow-up
          10
          ·
          9 months ago

          And this is why misskey is a mastodon instance that just blocked access if the person is from the EU, it’s too much to ask for devs in a single digit that survive by donations or their own pocket money, this is a hobby for them.

          • RubberDuck@lemmy.world
            link
            fedilink
            English
            arrow-up
            6
            arrow-down
            1
            ·
            9 months ago

            Yeah, their main income is from a Dutch based EU fund to help Foss projects. So maybe, just maybe they can then fix issues in following dutch/eu law.

          • maynarkh@feddit.nl
            link
            fedilink
            English
            arrow-up
            5
            arrow-down
            1
            ·
            9 months ago

            Did they defederate from all instances allowing access to EU citizens? If not, they are still liable, as they are scraping EU citizen’s data for federation. Even usernames are personal data according to the GDPR.

        • SupraMario@lemmy.world
          link
          fedilink
          English
          arrow-up
          3
          arrow-down
          6
          ·
          9 months ago

          It absolutely does, if the company processes data of EU residents. The US enforces GDPR themselves, as they have signed an agreement to do so. To be clear, this means that according to US law, if you are a US web host, you can abuse US customer data and the FBI will not come after you, but if you do so with EU customer data, US authorities will come after you on behalf of the EU.

          No it does not, the instances are free, no one is making money off user data or selling anything to the user. It does not apply period.

          Yeah it does, as soon as you are providing a service, if you have a user from the EU that’s not you, it applies. And while GDPR fines are defined in a revenue percentage, there is a minimum of “up to 10 million EUR” for a violation.

          No it does not, if you do not sell anything to anyone or offer any services or make any money it doesn’t apply. Stop repeating bullshit.

          Nobody is getting sued. EU data protection agencies don’t “sue” people and companies. They fine them. The difference is that a lawsuit is a process where at the end you might need to pay money, but you mostly settle. A GDPR fine looks like you get a letter saying you need to pay an amount, if you want to appeal, you can do so after paying.

          Good luck fining a host admin, of a foss instance. I don’t know why you think that any admins of instances will be getting fined if they’re not selling anything. You need to read up on the GDPR.

          And it’s not the devs that will be getting these fines, it’s instance admins.

          Again, no they will not.

          • Maalus@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            ·
            9 months ago

            Why are you trying to be an authority on GDPR without even reading about what it is?

            GDPR applies to all personal data of people currently in the EU. If you have a service that uses data from a person in the EU, you need to comply with it. It’s not some “gotcha” law which goes in effect once you make money.

            • SupraMario@lemmy.world
              link
              fedilink
              English
              arrow-up
              2
              arrow-down
              2
              ·
              9 months ago

              What personal data is a Lemmy instance holding onto?

              I’m pointing out how much bullshit is being spread in this damn thread by people who don’t understand the law. You’re the same damn users who get pissy with forums and demand action be taken using a law you don’t understand.

                • SupraMario@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  2
                  arrow-down
                  2
                  ·
                  9 months ago

                  Says the guy who’s literally arguing with what lawyers in the USA say about the GDPR…good one.

                  • Maalus@lemmy.world
                    link
                    fedilink
                    English
                    arrow-up
                    2
                    arrow-down
                    2
                    ·
                    9 months ago

                    Show me a lawyer that says “if you are processing data of EU citizens you can’t get fined in the US”. You don’t know anything about GDPR. It’s not some toothless law that only works in Europe.

          • maynarkh@feddit.nl
            link
            fedilink
            English
            arrow-up
            3
            arrow-down
            1
            ·
            9 months ago

            No it does not, the instances are free, no one is making money off user data or selling anything to the user. It does not apply period.

            As per official EU communication:

            The GDPR applies to:

            • a company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed; or
            • a company established outside the EU and is offering goods/services (paid or for free) or is monitoring the behaviour of individuals in the EU.

            Lemmy instances are entities that offer free services and are arguably monitoring the behaviour of individuals in the EU through federation. From the perspective of the GDPR, there is no difference between Facebook and a Lemmy instance regarding what they can or cannot do, or whether they get fined for something.

            You need to read up on the GDPR yourself.

            • SupraMario@lemmy.world
              link
              fedilink
              English
              arrow-up
              2
              arrow-down
              1
              ·
              9 months ago

              What personal data is being processed by a Lemmy instance, what are they processing that’s being sold in the EU? The GDPR does not apply here, stop trying to wiggle it into something it’s not.

              • maynarkh@feddit.nl
                link
                fedilink
                English
                arrow-up
                2
                ·
                edit-2
                9 months ago

                Usernames at the very least, as online identifiers.

                Art. 4 GDPR Definitions

                For the purposes of this Regulation:

                ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

                And they don’t need to be sold, just retained. GDPR applies even if there is no payment anywhere, even to non-commercial entities.

                • SupraMario@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  2
                  arrow-down
                  1
                  ·
                  9 months ago

                  Usernames are not PII…the GDPR only applies if someone is making money from the service. It does not mean just because your site is free but hosts ads or sells user data it’s exempt. Lemmy instances do none of this.

                  • maynarkh@feddit.nl
                    link
                    fedilink
                    English
                    arrow-up
                    2
                    ·
                    9 months ago

                    Usernames are not PII

                    What do you think an online identifier is then? And why would the GDPR only apply if there is money made? It specifically says in multiple places free services also count.

            • SupraMario@lemmy.world
              link
              fedilink
              English
              arrow-up
              2
              arrow-down
              1
              ·
              9 months ago

              Nothing in there about the gdpr… literally 0, because it’s not part of hosting a forum that doesn’t host private user data or collect non essential cookies.