Title says it. Apparently lemmy devs are not concerned with such worldly matters as privacy, or respecting international privacy laws.

  • Zak@lemmy.world · English · ↑39 ↓4 · 11 months ago

    It gets worse: everything you post to Lemmy is sent to multiple other servers automatically. Those servers may be in jurisdictions that have very different privacy laws than the server you post from, or that hosts the community you’re posting to. You have no legal agreement with those servers.

    We’re not done though. The ActivityPub standard makes delete optional, and other servers could be running anything, not just Lemmy. Some of them are probably running somebody’s janky pet project that implements half of ActivityPub, poorly, on a jailbroken smart light bulb or something.

    Lemmy should implement proper post deletion, possibly with a delay to allow moderators and admins to inspect deleted posts, but expect anything you share via ActivityPub to follow the once on the internet, always on the internet rule even more than in the past.

    • roofuskit@lemmy.world · English · ↑61 · 11 months ago

      Delete buttons are just a placebo on the Internet anyway. At least activitypub is honest about that.

    • Scrubbles@poptalk.scrubbles.tech · English · ↑24 · 11 months ago

      Almost like the entire platform is based on the idea that one server/owner can’t be in charge of the data.

      Don’t get me wrong, not picking a fight, just what op said is kind of obvious to me. You’re picking a social media that is democratized and is federated with everyone. The natural tradeoff is that your data is not housed on one server… Which obviously means it’s not private.

      Idk, the fediverse is a great place, but I would never post anything here I ever wanted to be private. It’s not an accident, it’s literally by design.

    • Russ@bitforged.space · English · ↑2 · 11 months ago

      > Lemmy should implement proper post deletion, possibly with a delay to allow moderators and admins to inspect deleted posts, but expect anything you share via ActivityPub to follow the once on the internet, always on the internet rule even more than in the past.

      How would this be done? Like you mentioned, anyone can run a modified instance of Lemmy that does not honor delete requests. I suppose you could put something that retrieves content from other servers as a pull operation instead of a push, but that’s going to break Lemmy’s ability to work with other ActivityPub applications (at the very least).

      • Zak@lemmy.world · English · ↑2 · 11 months ago

        > How would this be done? Like you mentioned, anyone can run a modified instance of Lemmy that does not honor delete requests.

        Delete currently renders posts invisible to most users. Delete should actually delete the post from the server.

        It’s impossible to ensure that the post is deleted from federated servers, web caches, clients that cache things, etc…

  • thefactremains@lemmy.world · English · ↑34 ↓1 · edited · 11 months ago

    This is a lot like spray painting a message on a public wall in a neighborhood and then complaining because the community won’t paint over it (or destroy photos they took of it) when you realize how dumb it was.

    You’re writing on a public space for free with no business behind it. You’re not the customer in this scenario.

    • KISSmyOS@lemmy.world · English · ↑8 · 11 months ago

      That’s the beauty of the fediverse. There are no customers, there is no product, this is no business.

    • Scrubbles@poptalk.scrubbles.tech · English · ↑4 ↓1 · 11 months ago

      From their history, maybe their comment is this one they wanted deleted:

      > “software engineer” is such a stupid, shallow and arrogant description. I’m not an engineer and neither are you. I’m a software developer, developer for short. All these fake “engineers” and “scientists” tend to be arrogant stuck up pricks.

      Idk OP, maybe step one is to be less of a jerk to people. If you do that you won’t have to worry as much about if things are deleted

  • kglitch@kglitch.social · ↑23 ↓2 · edited · 11 months ago

    OP is simply incorrect.

    I’m coding a Lemmy alternative right now and have been testing this functionality out extensively. Deletes of posts and comments certainly federate, I’ve seen the AP traffic to make it happen. Also, the docs: https://join-lemmy.org/docs/contributors/05-federation.html#delete-post-or-comment

    I haven’t tested what happens when the ‘delete account’ button is clicked… Mastodon solves this by sending a ‘delete this user’ Activity to every fediverse instance so there’s nothing about ActivityPub that makes removing an account and all its posts in one go impossible.
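
Added example, not part of the thread and not Lemmy's code: the difference between hiding a post and purging it when a federated Delete activity arrives, the two behaviours discussed in Zak's and kglitch's comments above. The in-memory store, the function names and the `example` URLs are assumptions, and the HTTP signature on the incoming request is assumed to have been verified already.

```python
# Added example: applying an ActivityPub Delete on the receiving server.
# Store layout, names and URLs are assumptions; this is not Lemmy's code.
from datetime import datetime, timezone
from urllib.parse import urlsplit

NOTE_ID = "https://home.example/comment/42"   # constructed sample object id
AUTHOR = "https://home.example/u/alice"       # constructed sample actor id


def sample_store():
    """Constructed cache holding one federated comment, keyed by object id."""
    return {NOTE_ID: {"id": NOTE_ID, "type": "Note", "attributedTo": AUTHOR,
                      "content": "something I regret posting"}}


def sample_delete(actor=AUTHOR, embedded=False):
    """Constructed Delete; `object` is either a bare id or an embedded object."""
    obj = {"id": NOTE_ID, "type": "Tombstone"} if embedded else NOTE_ID
    return {"type": "Delete", "actor": actor, "object": obj}


def origin(url):
    """Return (host, port) for an https id, or None if it is not usable."""
    try:
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return None
        return (parts.hostname, parts.port)
    except ValueError:
        return None


def soft_delete(store, target):
    """Weak variant: flag the row as hidden but keep the body in storage."""
    store[target]["deleted"] = True


def retained_text(store, target):
    """What an admin, a backup or a database dump can still read for this id."""
    return store.get(target, {}).get("content")


def handle_delete(store, activity, deleted_at=None):
    """Hard-delete variant.

    Returns 'rejected', 'unknown', 'already-deleted' or 'purged'.
    """
    if not isinstance(activity, dict) or activity.get("type") != "Delete":
        return "rejected"
    actor = activity.get("actor")
    obj = activity.get("object")
    target = obj.get("id") if isinstance(obj, dict) else obj
    if not isinstance(actor, str) or not isinstance(target, str):
        return "rejected"
    # Only honour a Delete sent from the server that hosts the object,
    # otherwise any instance could erase content it does not own.
    if origin(actor) is None or origin(actor) != origin(target):
        return "rejected"
    cached = store.get(target)
    if cached is None:
        return "unknown"            # never cached here, nothing to remove
    if cached.get("type") == "Tombstone":
        return "already-deleted"    # idempotent: redelivery is harmless
    # Assumption for this example: only the author may delete
    # (moderator removals would need a separate rule).
    if cached.get("attributedTo") != actor:
        return "rejected"
    stamp = deleted_at or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    # Replace the whole record: the body is gone, only a marker remains.
    store[target] = {"id": target, "type": "Tombstone",
                     "formerType": cached["type"], "deleted": stamp}
    return "purged"


if __name__ == "__main__":
    hidden = sample_store()
    soft_delete(hidden, NOTE_ID)
    print("soft delete still stores:", retained_text(hidden, NOTE_ID))

    purged = sample_store()
    print("foreign sender:", handle_delete(
        purged, sample_delete(actor="https://other.example/u/carol")))
    print("author:", handle_delete(purged, sample_delete()))
    print("hard delete still stores:", retained_text(purged, NOTE_ID))
```

A handler like this only governs the server that runs it; it gives the sender no proof that a remote cache actually purged anything.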

    • ttmrichter@lemmy.world · English · ↑7 ↓2 · 11 months ago

      Deletion of entities is optional in ActivityPub. That, by definition, makes known-removal of an account and all its posts in one go impossible, because a server can just ignore the deletion activity.

      • kglitch@kglitch.social · ↑9 · edited · 11 months ago

        Yes, although the server will not ignore the deletion activity if that server is running Lemmy. We’re talking about Lemmy here, not the fediverse as a whole. OP singled out Lemmy in the post title and said “lemmy devs are not concerned with…”

        I’m sure there is more to be done in this area. It’d be great to know for sure which software treats deletion activities properly (I’m really unsure about Kbin, I think it does not) and which does not so instance admins can make informed decisions about who they federate with. Perhaps this information could be made available right within the UI that Lemmy admins use to control their instance, rather than an obscure documentation page somewhere…

        IMO having deletes federate should be part of a minimum standard all fediverse software has to meet (plus mod tools, spam control, csam filters, etc) before it is allowed to federate but obviously we’re nowhere near having that sort of social organisation.

        • ttmrichter@lemmy.world · English · ↑2 · edited · 11 months ago

          How would you even know if deletes federate?

          “Does your server respect delete activities?”

          “Yeah. Yeah. Delete activities. Definitely. We totally respect them. Scout’s honour.”

          Tell me: how much closer are you to knowing if the server is caching or not?

          This is likely why deletion is optional. The people making the protocol know there’s no way to enforce it.

          • kglitch@kglitch.social · ↑2 · 11 months ago

            As long as a deleted post is no longer visible in the publicly-accessible parts of the site, that would be enough verification for me.

            I don’t know how the GDPR authorities verify compliance with mainstream proprietary closed source apps, do you?

            • r00ty@kbin.life · ↑3 · 11 months ago

              I think in terms of gdpr, if you notify a site that is providing service (allows users to register from I guess) to EU countries you want something deleted, they need to comply.

              But I think in terms of federated content, you cannot be expected to do more than send information about the deletion out. If other instances don’t respect it, it’s not the originating instance’s job to police it.

              Now the user could go to these other instances and chase it up. But I wonder if a third party instance doesn’t allow users from EU countries, if they’d be required to comply? Federated content opens up an interesting set of scenarios that will surely test privacy laws.

              I also wonder what the EU powers are to sites in non EU countries that allow EU users but don’t respect GDPR. what can they even do? Companies like twitter, Facebook, reddit etc have presences in EU countries that can be pursued, but John Smith running a lemmy instance on a $5 vps might be out of reach.

              • Kayn@dormi.zone · English · ↑1 · 11 months ago

                > But I think in terms of federated content, you cannot be expected to do more than send information about the deletion out. If other instances don’t respect it, it’s not the originating instance’s job to police it.

                It actually is.

                When delegating the processing of PII to someone else (like another instance), you’re supposed to initiate a data processing agreement with them: https://gdpr.eu/what-is-data-processing-agreement/

                Unless Mastodon has somehow automated this process in inter-instance communication, they are just as liable as Lemmy is.

                • r00ty@kbin.life · ↑3 · 11 months ago

                  But pii isn’t being sent. A user’s nickname and the domain of their instance plus any content they create is. If they choose to put their pii in public posts or user info, that’s their choice but is not pii solicited in order to operate the service, it was volunteered.

                  It’s a crucial difference. I considered this when writing the terms and data retention information for my own instance. Federation is very frugal about the information shared.

            • ttmrichter@lemmy.world · ↑2 · 11 months ago

              Short of having someone inspect the databases, they can’t. The GDPR is a threat, basically, that says “if (or, rather, when) the truth outs, we can nail you later”. Which is why it’s really only effective on big players anyway.

              • FaceDeer@kbin.social · ↑2 ↓1 · 11 months ago

                And it’s only effective on players that have some kind of EU presence, otherwise there’s nothing the EU can put that nail into.

    • A_A@lemmy.world · English · ↑2 · 11 months ago

      Exactly, this is not specific to Lemmy as it applies to the whole internet.
      Also, Lemmy is not a website: it would be somewhat like saying the language Python doesn’t obey GDPR!

  • maegul (he/they)@lemmy.ml · English · ↑15 · 11 months ago

    All your posts on the fediverse are effectively a public blog of your thoughts that will be scraped and stored in servers you have no control over.

    If you care about privacy, which I understand, you probably want to leave quickly.

    Here’s a rundown from someone who got fed up with the fediverse and kinda rage quit: https://blog.bloonface.com/2023/07/04/the-fediverse-is-a-privacy-nightmare/

    Another example of this is that it’s not just about lemmy. One way in which lemmy actually federated well with microblogs like mastodon is that users can be followed from mastodon etc.

    So any number of servers running a number of open source easy to run platforms could be taking up everything you specifically post.

    • donio@lemmy.world · English · ↑25 ↓2 · edited · 11 months ago

      > If you care about privacy, which I understand, you probably want to leave quickly.

      Just because you care about privacy it doesn’t mean that you have to stay indoors all the time. You can still hang around on the town square you just have to be conscious about what you do where.

      A big part of caring about privacy is understanding how the platforms you use work and using them accordingly. With proprietary platforms this is often opaque and the rules can change. Open platforms are transparent and you can actually understand them - if you make the effort.

      • FaceDeer@kbin.social · ↑13 · 11 months ago

        It’s not like deleting your comments or posts off of Reddit would magically remove them from all the various Reddit archives that exist around the Internet, either. Reddit only controls what happens on Reddit, and that problem is now generalized across the whole Fediverse.

        • Skull giver@popplesburger.hilciferous.nl · English · ↑4 · 11 months ago

          The difference is that Reddit doesn’t actively push those comments out to those archives, they’re scraped. ActivityPub, on the other hand, is push based; unless the server chooses to push your activity objects, other ActivityPub servers wouldn’t know about what you’re saying.

          Someone could scrape the Fediverse the same way they do Reddit (although by design Mastodon is a lot harder to scrape than Lemmy so there are differences in what content would be archived), but for basic Fediverse operation, servers must make an active decision to send information out to other servers.

          The fact most communities are off-server should help (because the user is actively deciding to publish information on another server that’s not in the home server’s jurisdiction) but when it comes to letting foreign servers subscribe to communities, I’m not sure if Lemmy servers can use the same defence. After all, ActivityPub is designed to have the ability to deny subscriptions.

          • FaceDeer@kbin.social · ↑3 ↓2 · 11 months ago

            That difference doesn’t make a difference to the point I was explaining. It doesn’t matter how or why those public posts are being replicated into archives from which deletion will be difficult or impossible. All that matters is that it is getting replicated.

        • AlteredStateBlob@kbin.social · ↑2 · 11 months ago

          Reddit still has to ensure what is deleted on their end, is actually deleted (which they don’t, as we saw during the whole protest thing with deleted comments being restored)

          The fact that archive websites exist doesn’t change that. A request under gdpr to such a site would have to result in deletion as well.

          Sure someone who doesn’t host or specifically target EU citizens can ignore it at their leisure, but I doubt every Lemmy instance is hosted somewhere in non EU areas.

          • FaceDeer@kbin.social · ↑2 ↓1 · 11 months ago

            You’re misunderstanding my point, I think. A Lemmy instance within the EU can theoretically be fully compliant with EU laws and delete whatever they’re told to delete, but it’s not going to make a difference because non-EU Lemmy instances can retain that data. Likewise, Reddit can delete whatever the EU tells it to delete, but that won’t make a difference either because of those archives outside of Reddit’s control.

            I’m not saying anything about what’s legal, just about what happens. When you post something in public, be it on Lemmy or on Reddit, that public post is not going to easily “go away” when you try to delete it regardless of whether your instance is following EU law. Arguing “but it should go away” isn’t going to make a difference, it isn’t going to go away. It’s important to understand this when making use of a forum like the Fediverse or Reddit.

            • AlteredStateBlob@kbin.social · ↑2 · 11 months ago

              Yes, and my point is, that the person running an instance has to comply with the gdpr if they are within the EU.

              It doesn’t matter if data has already been propagated somewhere else. On that instance, data needs to be able to be fully deleted. For the matter of deletion, it is irrelevant where the data might have been pushed or mirrored to, that is a separate issue, which still needs to be dealt with. But one cannot argue that deleting is pointless or needn’t be implemented, just because “public” data is already mirrored elsewhere. The people running “elsewhere” have their own compliance to deal with.

              • FaceDeer@kbin.social · ↑1 ↓1 · 11 months ago

                > that is a separate issue, which still needs to be dealt with.

                And my point is that expecting this to be “dealt with” is unrealistic. It’s going to continue existing on servers that are outside of your control and outside of the EU’s reach. No matter how hard the EU legislates or how hard you believe it should be possible to delete that data, it’s just not going to happen. Not without turning the world into a police state dystopia in the process, at any rate.

                I’m not saying “don’t implement post deletion.” Go ahead and do that if it makes you feel better. But making you feel better is all that it’s really going to accomplish, in the grand scheme of things. If you’re concerned about stuff you post “sticking around” even after you want it gone, nothing is going to actually solve that. The only option is to not post that stuff in the first place.

                • AlteredStateBlob@kbin.social · ↑1 · 11 months ago

                  There already is federation of deletion. It’s not even something that needs to be implemented.

                  I have less of a defeatist attitude about privacy. Same way I don’t think abstinence is the only true way of contraception. Privacy, yes, even in public spaces is possible. It’s not easy, it won’t just happen, but it is achievable. Needs a lot of work from a lot of people, but it is doable.

                  I don’t expect you to change your mind on that.

    • YarrMatey@lemmy.dbzer0.com · English · ↑5 · 11 months ago

      Thank you for posting that link. I’m not fed up (completely?) yet I suppose but it was eye-opening. I’ll have to be a lot more careful about posting, possibly not post again.

  • originalucifer@moist.catsweat.com · ↑22 ↓9 · 11 months ago

    seems weird this expectation of privacy on public sites built for public consumption of public content posted by people publicly.

    i mean, i get wanting to control your data. the software i use allows for this (the 'bins offer a user-level purge).

    but privacy? seems weird

    • Snot Flickerman@lemmy.blahaj.zone · English · ↑9 ↓1 · 11 months ago

      I mean, to have a Lemmy account you already decided to put your trust in total strangers with questionable security credentials.

        • Snot Flickerman@lemmy.blahaj.zone · English · ↑12 · edited · 11 months ago

          Mastodon works the same way, all ActivityPub services work the same way.

          By being Federated that means data is being sent to remote servers. Sometimes that data doesn’t always make it, like a delete request. So someone on their own home-server deletes their post, but on some remote server where that post they made is cached, it’s not deleted, because the delete request never federated. For example, say you made a post on your own box, which you clearly have, and you delete a post, but it doesn’t get deleted over on say, Lemmy.world. That’s not purposeful, that’s something the developers are also trying to fix, so I think it’s disingenuous to say they don’t care.

          This is literally a consequence of how federation works. It’s not a purposeful violation of GDPR.

        • ttmrichter@lemmy.world · English · ↑8 · 11 months ago

          You may not be directly using it, but this is part and parcel of the entire point of federated social media. Other software will be accessing the pool.

  • YarrMatey@lemmy.dbzer0.com · English · ↑9 · edited · 11 months ago

    This is definitely a con of Lemmy for me. I like to be more privacy focused but Lemmy gives you 0 privacy on whatever you do on the website. Anyone who wants more privacy on Lemmy is told you have no right to privacy, don’t expect any privacy, everything you do is public on the internet, etc. A massive boner killer for me. I think basic things like deleting your own post or comments should actually get removed from all servers, PMs should not be viewable by anyone except the recipients, and what you vote on or subscribe to should be private. Lemmy doesn’t sell your data but that’s because anyone can take the data for free. I thought this stuff was because Lemmy is still new and will get to it eventually but the push back seems to say this was a choice or is not broken. I ended up exploring different social media alternatives but I like the style of Lemmy better since it is more reddit-like with an active user base plus has different android clients. I don’t like kbin because it shows who upvoted or downvoted something to everyone - it’s not accountability when it erodes your privacy.

    I used to comment on Lemmy more but then I ran into this problem when juggling multiple accounts, Liftoff sucks ass at letting you know which account you are logged into (I use Summit now and it is better at it) so I ended up getting my accounts’ wires crossed when I thought using the drop down on your accounts changed your account but no you have to go to manage instances to switch which was not intuitive. I ended up abandoning the accounts when I couldn’t figure out how to actually delete the post from the server.

    Edit: man I wish I saw this sooner, might be time for me to either stop posting again or look somewhere else.

    • Zak@lemmy.world · English · ↑7 · 11 months ago

      While I didn’t find any factual issues in a quick skim of that article, I really don’t agree with its tone.

      The Fediverse is radically public. That’s the nature of a protocol like ActivityPub, not a bug to be fixed. Using it for anything you’re not comfortable with being public forever is a mistake.

    • BloodSlut@lemmy.world · English · ↑7 · 11 months ago

      always remember to throw in false information to throw others off your tail

      completely unrelated, but I am a 45lb chihuahua with alopecia from Reno, Nevada.

  • 0xtero@kbin.social · ↑7 · 11 months ago

    Effect of ActivityPub, not Lemmy. All federating systems function similarly, because it’s a feature of the protocol.
    If instances want, they can ignore delete requests and your content stays in their cache forever (remember Pleroma nazis from a couple of years ago?) - now, that is an instance problem that might be a GDPR issue, but good luck reporting it to anyone who cares. At best you can block and defederate, but that doesn’t mean your posts are removed.

    The fediverse has no privacy, it’s “public Internet”. Probably a good idea to treat it as such.

  • ttmrichter@lemmy.world · English · ↑10 ↓4 · 11 months ago

    GDPR is international now? Do I need to break out Nelson Muntz when some Euro type thinks European law is extraterritorial?

    Don’t make me break out Nelson Muntz, please.

    • 🐑🇸 🇭 🇪 🇪 🇵 🇱 🇪🐑@lemmy.world · English · ↑4 · edited · 11 months ago

      It’s mostly important for when you wanna do business in the European markets.

      The alternative is to be blocked by most of Europe entirely. Happens usually to tabloid news sites as they are often in violation of anti misinformation and hate speech laws. It’s also why they could sue Facebook so easily as otherwise Facebook would be non-GDPR compliant and be blocked there.

      Lemmy however isn’t exactly for profit, so sees much less scrutiny. This is primarily for business after all. Lemmy doesn’t have ads, doesn’t take users money, nor does it sell products. It also does not actively distribute illegal media either.

      (it should be noted that it’s usually not the EU doing the blocking but rather websites choosing to block viewership from the EU because they’d rather do that than get sued to hell)

      • ttmrichter@lemmy.world · English · ↑6 ↓3 · 11 months ago

        “Lemmy” doesn’t do ANYTHING. Lemmy is server software. It has no agency whatsoever.

        Individual Lemmy sites might be beholden to the GDPR (or not, if individually run). But any site hosted outside of the EU can wave its ass in the faces of EU officials trying to enforce the GDPR.

    • Skull giver@popplesburger.hilciferous.nl · English · ↑5 ↓1 · edited · 11 months ago

      The GDPR is a directive implemented by 27 countries, so I guess you could call it “international law”?

      With treaties such as the Safe Harbour Privacy Principles EU–US Privacy Shield EU–US Data Privacy Framework, GDPR restrictions may also start affecting American businesses, so the “international law” moniker would actually make sense.

      • r00ty@kbin.life · ↑2 · 11 months ago

        It’s not really as simple as that. Businesses in countries outside the EU have to follow the gdpr rules if they have or want customers from the EU because the EU can hit them financially in their EU operations.

        Normal people offering a free service that are not based in the EU probably cannot be pursued at all. I doubt the EU considered people that might not be some business wanting to profit from EU citizens.

      • ttmrichter@lemmy.world · English · ↑2 ↓1 · 11 months ago

        India? China? Japan? Vanuatu? …

        Know what? I think I’ll just link instead of list because I can’t be arsed to type out all the names.

        So it’s “international” as a technicality, but the context he was using it in implied he meant “universal”. And it barely qualifies even as international against the sheer weight of non-EU, non-US states.

        • Skull giver@popplesburger.hilciferous.nl · English · ↑3 · 11 months ago

          In theory an EU institution could fine a non-EU company, the same way the Chinese government can fine a European company. It’d be tough to do business with outstanding legal action.

          There’s another way to take the “international law” definition: many countries (China, Russia, the EEA, probably more) have laws defining where user information is stored. A Russian company can’t just store their user data in an American data centre. Most countries do have some kind of privacy law, and I’m sure ActivityPub violates more than just the GDPR.

          It’d be silly to think you could enforce the GDPR against some guy running a server from his basement in Brazil, but for the larger instances, which take donations, things can become more problematic. Servers run by the Lemmy devs could be operating safely from the communist depths of Cuba, but if they get fined, I doubt those EU sponsor funds would keep flowing towards Lemmy development.

          Also interesting to note: a LOT of big Fediverse instances operate from Europe. Mastodon.social, Lemmy.world, Lemmy.ml, Kbin.org, just to name a few. Based on the map on Fediverse.observer, most of the world’s Fediverse servers are either in Europe or in the USA (with twice as many in Europe as in the USA). When it comes to server count, Fediverse law may as well be about EU-USA relations, maybe with Japan as a third large host.

          • ttmrichter@lemmy.world · English · ↑2 ↓3 · 11 months ago

            I have a ridiculous judgement against me in Germany. (Complicated shenanigans around an inheritance where the authorities’ legal representatives did shady shit specifically to unload an estate that would have cost them.) Technically I owe the city of Frankfurt something like 50,000€ in fines.

            I’m comfortable with this.

            Why?

            Because good fucking luck enforcing a European fine on a Canadian citizen resident in China. Even if they catch me out when I visit Germany (which I have done a couple of times without incident since the judgement was levied against me), watch the judge make grumpy-faces at attorneys who sent legal documents in German to a Canadian in China whose repeated requests for translated versions were denied. Their case will vanish in a puff of legal sanctions and I’ll make fucking sure on top of it that it becomes a press circus.

            EU types are almost as bad as American types for thinking their laws are extraterritorial. I love rubbing the fact that they aren’t in their faces.

        • Silverseren@kbin.social · ↑10 ↓3 · 11 months ago

          The GDPR is a required to comply EU law for all websites in their jurisdiction. You can’t get away with claiming “but people choose to join the website”.

          Many other websites and even major social media sites have gotten fined and other sanctions put against them already for violating it.

          • ttmrichter@lemmy.world · English · ↑7 · 11 months ago

            I … think you have a deep failure to comprehend even the basics of how the software you’re on works.

            “Lemmy” is not a fucking web site. Lemmy is a piece of software. It can be running on a site in the EU, in which case the GDPR applies absolutely; those running it on sites outside the EU … not so much.

            • Silverseren@kbin.social
              arrow-up
              2
              arrow-down
              3
              ·
              11 months ago

              No, it has jurisdiction in the EU. And Lemmy is a part of the EU jurisdiction.

              Unless the devs want to block everyone in the EU from accessing the site.

              • FaceDeer@kbin.social
                arrow-up
                7
                arrow-down
                1
                ·
                11 months ago

                Lemmy instances are hosted all over the world, by people in a wide variety of jurisdictions. A particular instance of Lemmy might be risking trouble, but Lemmy as a whole (and the Fediverse as a whole) is not.

                If I were to write up a simple forum server and post the code, and it happens to lack the ability to delete comments, I’ve done nothing wrong. Someone running that software in the EU might run into some trouble, but I’m not on the hook for that.

            • ttmrichter@lemmy.world
              English
              arrow-up
              6
              arrow-down
              1
              ·
              11 months ago

              Whose law?

              The GDPR applies to servers running in Europe.

              It does not apply to servers running in, say, Canada¹. Or China¹. Or South Africa¹. (If you try to claim European law is extraterritorial to non-European citizens, be prepared for the Nelson Muntz meme.)²

              The very nature of the protocol in use makes any content anywhere on the Fediverse, no matter what the software, distributed. (It’s almost like that’s the very point of it! Almost…) And it could well be distributed into a jurisdiction where the GDPR is best used as toilet paper¹. If this bothers you, fuck off back to sites hosted entirely in Europe where the GDPR holds sway.²

              Only wait! That’s not true either! Because that other protocol you’re likely to be using—HTTP(S)—also allows anybody who has access to the site from anywhere in the world to store it without being beholden to the GDPR!¹ Oopsie! Better make sure that site blocks any kind of access from outside of the EU as well!²

              Only wait! That won’t work either because VPNs are a thing as well! I can be sitting here in China with my IP address coming at you from, say, the Netherlands. (It doesn’t. It comes at you from the USA 'cause that’s where my Great Firewall-crossing back door is hosted.) And again, any post you make, were I to go to your web site in Europe through my (currently-hypothetical) European VPN endpoint, could be stored and held permanently with the GDPR being able to do precisely a) Fuck and b) All about it.¹ Because European laws are not, in fact, extraterritorial to non-EU citizens, no matter how much wanking the EU parliament does about it.²

              So it sounds like you should just shut off your Internet access. Or, you know, you could post knowing the reality of the world and moderate your content accordingly.


              ¹ Note: I am emphatically not saying that the GDPR is a bad thing. I think the GDPR’s goals are laudable. It’s just that the GDPR is ludicrous in the face of how literally every piece of technology used in web sites of any kind actually works. It is a regulation that is a nice idea but that has absolutely no meaningful way to get enforced. As the EU will find out over the years. Hopefully not the really hard way.

              ² Any claim of EU legal extraterritoriality is risible and needs to be rebuffed in the strongest possible way up to and including punching EU politicians who claim it in the face with a spiked gauntlet.

              • FaceDeer@kbin.social
                arrow-up
                2
                ·
                11 months ago

                If it’s a Walmart that’s surrounded by dumpsters filled with corpses missing their livers, and the occasional bloody survivor comes running out screaming “they’re after your liver! Don’t go inside!” before being dragged back in by Walmart greeters wielding meathooks, then even if what Walmart is doing is illegal I’d still be very unsympathetic if you walked in that door anyway.

    • crystenn@lemmy.ml
      English
      arrow-up
      8
      arrow-down
      8
      ·
      11 months ago

      if it was any other social media like reddit doing this, everyone would be up in arms about it. no one is forced to be on reddit either. we’re on lemmy bc we value our privacy (no ads, tracking, etc.) so it should be held to the same standard too and not given a free pass.

      • FaceDeer@kbin.social
        arrow-up
        7
        ·
        11 months ago

        “We” aren’t on Lemmy for any one uniform reason. We aren’t even all on Lemmy, I’m on a kbin instance for example.

        I, personally, understand how federation and ActivityPub operate and so I’m not surprised by this. I expected it, I accept it, it’s just the way the world works. When I say something in public I lose control over who will hear it or how long it will last, and any laws that mandate I should have that control are just a placebo or illusion in the grand scheme of things.

        • crystenn@lemmy.ml
          English
          arrow-up
          1
          ·
          11 months ago

          fair enough. allow me to rephrase, whatever reason we’re on the fediverse, it should be held to the same standard. for context, the initial commenter said something along the lines of “you don’t have to be here”

        • Ender2k@kbin.social
          arrow-up
          1
          ·
          11 months ago

          I’m also not on Lemmy—I’m reading this on Kbin—and just to make sure, I also looked this thread up on Mastodon as well.

          Pixelfed found OP—but they don’t have any photo posts yet.

          So…

  • YoBuckStopsHere@lemmy.world
    English
    arrow-up
    6
    arrow-down
    1
    ·
    edit-2
    11 months ago

    Mods and admins can remove posts and they don’t stay on the server. If you delete it yourself, then it stays. Comments stay deleted, though, and are replaced with a ‘deleted by creator’ message.

  • jet@hackertalks.com
    English
    arrow-up
    5
    ·
    11 months ago

    Lemmy’s lack of central control is a feature. But it can still be GDPR compliant. GDPR did not make Usenet illegal. GDPR does not make peer-to-peer illegal.

    As an EU citizen you can still write letters to the editor of newspapers, and those letters can be published in those newspapers of record. Sending a message to Lemmy is akin to publicly publishing an opinion piece in a newspaper.

    Certainly you can use GDPR to talk to a Lemmy admin to remove your data on the instance you registered an account on. But due to the nature of Lemmy, its architecture, you can’t go out and retract all of the newspapers that have been published. That’s a physical impossibility.

    Even if you could somehow talk to every administrator of every instance, you can’t prove you were that user who posted that data.