“The SCOPE Act takes effect this Sunday, Sept. 1, and will require everyone to verify their age for social media.”
So how does this work with Lemmy? Is anyone in Texas just banned, is there some sort of third party ID service lined up…for every instance, lol.
But seriously, how does Lemmy (or the fediverse as a whole) comply? Is there some way it just doesn’t need to?
So it’s possible for fediverse instances to comply with the GDPR. What makes one think it wouldn’t be doable?
That’s not even remotely enough, even assuming that the information is sufficient.
Mastodon is in a much better place, on account of how federation works there. It might still not be enough. Lemmy instances would have to stop all federation with instances beyond the territorial reach of the GDPR or equivalent. Federation within that territory should only happen based on a contractual agreement between the owners, probably with every user given an explicit choice to opt out.
That’s not even remotely enough, even assuming that the information is sufficient.
What’s not enough? lemmy.world’s privacy policy?
Mastodon is in a much better place, on account of how federation works there. It might still not be enough.
Hmm… what’s the difference?
Lemmy instances would have to stop all federation with instances beyond the territorial reach of the GDPR or equivalent.
Oof. This is indeed a tough one.
I recall that this isn’t universally true - in some cases a country or territory may be deemed as GDPR equivalent and after that data transfer is allowed without additional safeguards, see for example https://www.torkin.com/insights/publication/european-commission-approves-of-canada-s-data-protection-regime-(again)#::text=What%20does%20this%20mean%20for,authorizations%20to%20transfer%20the%20data.
Even so, this does impose significant limits on federation due to the risk of transferring data to non-complying terrotories.
Federation within that territory should only happen based on a contractual agreement between the owners, probably with every user given an explicit choice to opt out.
Uh - if this is right, then this is even more restrictive and seems to suggest a fundamental incompatibility between federation and the GDPR overall.
But, this has got to be an already solved problem. Usenet has been around since the 1980s at least, and NNTP was basically federating before there was ActivityPub. I’m missing something obvious here I’m sure, but what?
What’s not enough? lemmy.world’s privacy policy?
There’s way more to do than writing a privacy policy. And I don’t think the policy meets the requirements but getting that right certainly needs a specialist.
Hmm… what’s the difference?
On mastodon, you follow a person, which they can refuse. Only then the data is automatically sent to your instance. On lemmy, you subscribe to a community and everyone’s posts and comments are sent to yours. At least, that’s how I understand it.
seems to suggest a fundamental incompatibility between federation and the GDPR overall.
You could say that there is a fundamental incompatibility between the internet and the GDPR, but that’s by design. The internet is about sharing (ie processing) data. The GDPR says, you mustn’t (unless).
Take the “right to be forgotten”. Before the internet, people read their newspapers, threw them away, and forgot about it. The articles were still available in some dusty archive, but you finding them was laborious. With search engines, you could easily find any unflattering press coverage. So you get the right to make search engines remove these links and it’s like back in the good old days. The fact that the GDPR is incompatible with existing technology is a feature, not a bug.
Bear in mind, that few of the people who passed the GDPR have any technical background. Of the people who interpret it - judges and lawyers - fewer still have one. They are not aware of how challenging any of these requirements are.
The main problem for the fediverse is that compliance requires a lot of expert legal knowledge. There’s not just the GDPR but also the DSA and other regulations to follow.
Federation itself may also be problematic, since many more people get to be in control of the data than strictly necessary. The flow of data must be controlled and should be limited as much as possible. That would be much easier with a central authority in charge. But that’s not a deal-breaker.
As GDPR-fans will tell you, data protection is a fundamental human right.
And I completely agree with this. I’m one of those who is a GDPR-fan as well as a fediverse fan.
We don’t let just anyone perform surgery, so don’t expect that just anyone should be able to run a social media site.
So this is the fundamental disagreement I feel. Progress generally entails moving things into the hands of the people. We’re empowered because we can do things like program our own computers, 3-d print our own devices, and yes run our own social media site.
Deny a person that right, and you take a bit of their power away. By running my own single user instance, I make sure that I always own my own content, no one can take it away from me by suddenly shutting down their website (as has happened to e.g. elle.co for example).
As such, my goal here is to figure out how to let ma & pa joe run their own social media site on the fediverse, while staying GDPR compliant.
Of course, the same can be said of surgery but it’s still not allowed. Obviously the harm from letting anyone try it is much worse than strictly regulating it, but is running a social media site on the fediverse likewise so harmful? Is there no way at all to strike the balance?
They need legal experts on the team.
I’ve been thinking about this. You are right of course, but I’d wager that this is outside of what most folks running instances can afford. In particular new devs who want to run their own single user instance.
So what’s the way forward? I have come up with an idea for this. Basically we need to get some organization like the EU branch of the Electronic Frontier Foundation (EFF) to research this and come up with a HOWTO guide that covers most of the average cases - along with pointers on when something is not covered by the guide (so at least you know going in that you’d need to pay for that extra legal firepower).
On mastodon, you follow a person, which they can refuse. Only then the data is automatically sent to your instance. On lemmy, you subscribe to a community and everyone’s posts and comments are sent to yours. At least, that’s how I understand it.
I think you have understood correctly. This actually provided me with the epiphany that I needed. On forum-like software that speaks ActivityPub (like pyfedi or mbin), there’s no actual need to actually transfer the content. Just send me a notification - with the “user” being a bot account named something like “federation_bot_messenger” with a link to the new post or comment, then bubble it up to the user to open in their browser. No content is shared, and no identifiers like a user name get shared, so there’s no risk of a GDPR violation. It’s just a link.
One could imagine that fancier web UIs might use an iframe or something to display the content inplace instead of requiring an extra manual click - but it’s still only on the end user’s browser that the content is transferred.
We could still have traditional federation - but just as you describe, the allow list for that is only for those instances where you know the folks (have contracts you said) and thus are assured that the transfer of content complies with the GDPR. For unknown instances, just do the link sharing. It could be implemented in a way that instances running older software would still see a post by the bot account with just the link inside. (Perhaps as an enhancement, folks could designate a trusted instance as the primary - e.g. my instance trusts lemmy.world as primary, so when it sends the links out, it sends out a lemmy.world link, to take the load off of my own instance from users clicking on links.)
Or am I missing anything here?
Bear in mind, that few of the people who passed the GDPR have any technical background. Of the people who interpret it - judges and lawyers - fewer still have one. They are not aware of how challenging any of these requirements are.
I think this is a bit unfair. Clearly they had technically knowledgable advisors at the very least. After all, they came up with exceptions like this,
here are two exceptions here: “Involuntary data transfer” is generally seen as not being part of the data handling. But that mainly applies to datascrapers like the web archive and similar usage where the data is transfered through general usage of a page that the DC cannot reasonaby prevent without limiting the usage of their service massively.
That said I think I might have been a bit unfair to the lemmy devs. From https://tech.michaelaltfield.net/2024/03/04/lemmy-fediverse-gdpr/ I can see that pretty much all of the issues raised directly on lemmy itself have since been resolved - by a dev writing code to fix the problem. Even if GDPR isn’t the highest priority, the devs are clearly at work trying to address what they can when they can.