As the Fediverse grows more and more, rules and regulations become more important. For example, is Lemmy GDPR compliant? If not, are admins aware of the possible consequence? What does this mean for the growth of Lemmy?

Edit: The question “is Lemmy GDPR compliant” should mean, does the software stack provide admins with means to be GDPR compliant.

Edit2: Similar discussion with many interesting opinions on lemmy.ml by /u/infamousbelgian@waste-of.space–> https://lemmy.ml/post/1409164

    • moreeni@lemm.ee
      link
      fedilink
      arrow-up
      10
      ·
      edit-2
      1 year ago

      People are struggling really hard to understand the concept of software federation

      • Drunemeton@lemmy.world
        link
        fedilink
        arrow-up
        5
        arrow-down
        1
        ·
        1 year ago

        Both ways are a wheel with a hub in the center and spokes out to the wheel. The users are the spoke/wheel location, the “corporation” is the spoke/hub connection

        The Old Way was users connecting to a corporation that provided a service. The corporation controls almost everything.

        The New Way is that users control almost everything and connect to the hub which allows them to connect with each other.

        Lemmy is the hub, instances are the users, and communities are the data shared.

    • chaorace@lemmy.sdf.org
      link
      fedilink
      English
      arrow-up
      7
      arrow-down
      1
      ·
      1 year ago

      Has this actually been court-tested? I get the feeling that this is all really quite grey until something in the Fediverse actually gets sued over this.

      For example: when you create something (a comment, a post, a community), the “true” version exists on your home-instance, but copies also get sent and saved across the entire Fediverse. Is an instance really able to be GDPR compliant if it’s constantly “backing up” data to non-compliant instances?

      On the one hand, you could make the case that these outside instances are separate entities. Like the equivalent of a webarchive. Simply being public on the internet means other people can save copies and that’s obviously all fair play under the GDPR.

      On the other hand, you could make the case that saving copies to the outside instances is a lot like using third-party cookies. It’s not technically “strictly necessary” for the instance to send your data to outside instances, even though it would seriously complicate the underlying design to allow specific users to opt-out of federating their content specifically.

      • jmcs@discuss.tchncs.de
        link
        fedilink
        English
        arrow-up
        6
        ·
        1 year ago

        There’s no reason why activitypub would be considered any different from email, nntp, or even search engines and internet archives. When an website or email server gets a GDPR request it’s not propagated in any way, and it would be a stretch to expect it to.

        • chaorace@lemmy.sdf.org
          link
          fedilink
          English
          arrow-up
          8
          ·
          1 year ago

          There’s no reason why activitypub would be considered any different from email

          Are you sure? Email only sends your message to servers which you explicitly ask it to. If you only trust protonmail, you can choose to only send emails to other protonmail addresses. If protonmail chose to share your emails with other third parties regardless, I can’t help but think maybe that breaches the GDPR.

          Lemmy, by design, propagates copies to instances based on opaque factors outside of the user’s control, even when the UI suggests that you are sending content locally. In the case of posting a comment to a community hosted on your home instance: Lemmy will send a copy to whichever servers happen to have users that are currently subscribed to that community. It’s a very opaque outcome and pretty far from the outcome you’d experience when sending an email message to someone using the same email provider.

          even search engines and internet archives

          Yes, but these are genuinely disconnected entities who come across the data as a user might. Lemmy doesn’t personally phone up Google and send them a copy of your comment as soon as you post it, but that’s basically exactly what happens when Lemmy federates a comment with other instances via ActivityPub.


          FWIW: I think Lemmy as a piece of software is actually very aligned with the interests of the EU more generally and I think it would be a bad idea for them to come down on federated social media as a GDPR issue. I nevertheless worry that it represents untested waters and can certainly imagine a reality where it receives a raw deal from regulators.

          • LoreleiSankTheShip@lemmy.ml
            link
            fedilink
            English
            arrow-up
            3
            ·
            1 year ago

            Wouldn’t this be solvable by one of those cookie banners or some sort of waiver? After all, the only personal information I can think of that is shared is your username, which anyone can see if they just go to your instance. The post and the comments are public, aren’t they?

          • LoreleiSankTheShip@lemmy.ml
            link
            fedilink
            English
            arrow-up
            2
            arrow-down
            1
            ·
            1 year ago

            Wouldn’t this be solvable by one of those cookie banners or some sort of waiver? After all, the only personal information I can think of that is shared is your username, which anyone can see if they just go to your instance. The post and the comments are public, aren’t they?

          • LoreleiSankTheShip@lemmy.ml
            link
            fedilink
            English
            arrow-up
            2
            arrow-down
            1
            ·
            1 year ago

            Wouldn’t this be solvable by one of those cookie banners or some sort of waiver? After all, the only personal information I can think of that is shared is your username, which anyone can see if they just go to your instance. The post and the comments are public, aren’t they?

          • LoreleiSankTheShip@lemmy.ml
            link
            fedilink
            English
            arrow-up
            2
            arrow-down
            2
            ·
            1 year ago

            Wouldn’t this be solvable by one of those cookie banners or some sort of waiver? After all, the only personal information I can think of that is shared is your username, which anyone can see if they just go to your instance. The post and the comments are public, aren’t they?

          • LoreleiSankTheShip@lemmy.ml
            link
            fedilink
            English
            arrow-up
            2
            arrow-down
            2
            ·
            1 year ago

            Wouldn’t this be solvable by one of those cookie banners or some sort of waiver? After all, the only personal information I can think of that is shared is your username, which anyone can see if they just go to your instance. The post and the comments are public, aren’t they?

      • HobbitFoot @thelemmy.club
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        I would imagine that the caching that Lemmy does has been tested in court, since the intent of the cache isn’t to create a permanent copy of the data. It would likely only become a problem with GDPR if that data would stay across the instances.

        • chaorace@lemmy.sdf.org
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          As far as the federated server is concerned, the copy it has is canonical and kept forever until such a time that it receives an edit/delete signal from the original instance. I’m not really sure if you could plausibly call that caching, but I’m not a GDPR lawyer (or any variety of legal professional, for that matter) 🤷

          • HobbitFoot @thelemmy.club
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            the copy it has is canonical and kept forever until such a time that it receives an edit/delete signal from the original instance.

            I don’t see this staying in Lemmy as the federation grows. I can’t see admins being able to sustain these costs.

            • chaorace@lemmy.sdf.org
              link
              fedilink
              English
              arrow-up
              3
              ·
              edit-2
              1 year ago

              Well… that’s just kind of how it has to work. Storage is cheaper than bandwidth and it’s not a close contest. Historically, storage costs have fallen faster than networks have grown and it is probably safe to assume that this trend will continue indefinitely.

              FWIW: The stuff that gets federated is all text. Image uploads aren’t federated at all – those are just shared as URLs which point to the instance wherein they were originally uploaded. This is actually why things like avatars are currently so unreliable on Lemmy – they can’t scale well without there being local copies.

    • Kafanzi Max. Praetor@lemmy.ml
      link
      fedilink
      arrow-up
      2
      ·
      1 year ago

      I think to this might be a reductive view.

      the fediverse uses activypub.

      ActivityPub is. a W3C raccomandation and this organisation cares about privacy.

      it’s likely that the protocol will, if it already doesn’t, take care of it.

      even if it’s up to single imstamcesy is true, there are two further questions here (beyond how much it’s enforceable)

      should fediverse help admin in the task?

      should fediverse help users to protect their privacy?

      and to me the answer to both is yes.

      • HobbitFoot @thelemmy.club
        link
        fedilink
        arrow-up
        3
        ·
        1 year ago

        You need the protocol to implement crosshonoring of deletion requests, which is the default now. However, that deletion request could be ignored.

        As others noted, it gets complicated if two instances defederate from each other, as the communication link which would process these requests have been severed.

    • Kafanzi Max. Praetor@lemmy.ml
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      I think to this might be a reductive view.

      the fediverse uses activypub.

      ActivityPub is. a W3C raccomandation and this organisation cares about privacy.

      it’s likely that the protocol will, if it already doesn’t, take care of it.

      even if it’s up to single imstamcesy is true, there are two further questions here (beyond how much it’s enforceable)

      should fediverse help admin in the task?

      should fediverse help users to protect their privacy?

      and to me the answer to both is yes.