Geez, check out OP's comment history...
Fediverse
A community to talk about the Fediverse and all it's related services using ActivityPub (Mastodon, Lemmy, KBin, etc).
If you wanted to get help with moderating your own community then head over to !moderators@lemmy.world!
Rules
- Posts must be on topic.
- Be respectful of others.
- Cite the sources used for graphs and other statistics.
- Follow the general Lemmy.world rules.
Learn more at these websites: Join The Fediverse Wiki, Fediverse.info, Wikipedia Page, The Federation Info (Stats), FediDB (Stats), Sub Rehab (Reddit Migration), Search Lemmy
OP is nothing more than a corporate boot licking troll, if would seem. That makes this post concern trolling.
Hey OP, if you actually cared about this issue, you'd be trying to help people. But you're not helping anyone anywhere on the network.
You clearly don't want to be here. So, log off and just don't come back.
Yikes, you're right. Definitely corporate troll. Either that or he's just so deep in his own cynicism he can't help himself.
Have been asking this myself lately.
People always seem to get defensive about this topic, but if an instance gets challenged on a GDPR investigation it could have a huge fine associated to it.
It is good to have this sorted out, so instance owners don't enter a life changing financial risk.
Currently we probably are too small and fly under the radar, but this could become a big problem as the fediverse scales.
Issues I wonder about:
- How safe is the Fediverse? Is there a way for a federated instance to misuse the user data? Or can such activity be detected and cause a defedaration.
- How easily can all user data be deleted if a request comes in to remove all personal data? Wouldn't that request have to be extended to all instances your instance is currently federated with?
- Instances probably wouldn't be able to handle a bad actor (for example Meta, or spez) that decides to start a mass request attack.
- Corporations have lawyers that deal with this stuff, I don't feel like most instance owners have the same kind of protection here.
Totally agree, there is really valuable discussion to be had and collectively it needs to be resolved and approached holistically and consistently across as many instances as possible. Just because you're someone running a tiny server doesn't mean you can't get absolutely dragged over the coals for breach and or non-compliance.
Even things like reporting incidents and breaches of the service for each instance - it is very unlikely tiny servers can or will comply with so many aspects of GDPR.
I think the fact that someone could maliciously (or actually, genuinely) report instances now using a relatively straightforward process should be grounds to get the wheels moving on this really!
For example, you can report non-compliance with cookie information in a one page form here: https://ico.org.uk/make-a-complaint/cookies/report-cookie-concerns/. The process for consumers to kick off a potentially serious enforceable action is very straightforward.
Disclaimer: I have no law degree and everything in this post is speculative.
After reading up on GDPR (https://en.wikipedia.org/wiki/General_Data_Protection_Regulation) it deals with the transfer of personal data to entities outside the EU or EEA for processing. The definition of personal data would be the main point to see if/how GDPR is applicable to lemmy instances. (https://en.wikipedia.org/wiki/Personal_data)
Your IP address and EMail address could be classified as personal data from my point of view. But this won't be shared or processed outside of the instance as far as I can tell. If your username and associated posts are classified as personal data I can't say, but there seems no connection of these to your IP or Mail outside the instance. According to this TechDispatch (https://edps.europa.eu/data-protection/our-work/publications/techdispatch/2022-07-26-techdispatch-12022-federated-social-media-platforms_en) the instances still must adhere to GPDR, but as there is not much or no processing of personal data taking place this should pose no issue.
All of this is based on a bit of research, so please enlighten me if I made any mistakes.
In the UK a screen name is an identifier. See ICO here. I am in the UK. Therefore combined with other data being collected, e.g. IP. Lemmy and instances I interact with are handling personal data. If it is transferred between instances when I search or view content from one instance to another, there are GDPR implications.
Here is the information I have on your user ID as an operator of a remote instance.
1: Your username and home instance (and a separate link to your profile page on your home instance)
2: Your avatar
3: Your about info
4: Date/time of your last activity (but that I think will be the last time you were seen by my instance, interacting in a community I also have here), so not shared really.
I took a look at the json returned from your home instance, and again the info is profile page, username, information required for communication between instances with the only PII present being the username, the about and an icon and image.
Here's why I'm going to say this isn't likely to be a problem as such. This is the same as on reddit, if I look at a post a user makes I can click on the user and get access to this level of public information. Also under GDPR and DPA based on advice from the ICO data sharing isn't forbidden, but the minimum required to fulfil the function of that sharing should be sent. I think the above data meets that. There isn't information we don't need to work a distributed network like this.
I think the point about making a privacy policy visible is a good one. It should make it clear how the network works, and what kind of information is shared with federated instances (and also available to the public, the user query is publicly available). But the data that is federated is the same as is publicly available.
Now I do feel like there's the scope for a lot of manual work. For example, federation sometimes means that edits/deletes don't make it. It can be caused by problems on both sides of the connection. So if you want all your data deleted. Sure I could delete all posts and your user info here. And even make requests to the home instances that they delete them too. But, some might remain on remote instances, and I don't know who would be responsible for that. Some grey areas remain.
I agree, there is definitely work to be done regarding compliance.
The issue for lemmy is the same as mastodon
The Mastodon.social privacy policy covers a lot of this, https://mastodon.social/privacy-policy
This is the least every lemmy site should have