Drive we are so privacy focused here. What is to prevent myself or anybody out there, from starting to report individual instances of GDPR and CCPA.

No lemmy insurances are complying with national privacy laws and nobody is talking about it at all.

    • Kichae@kbin.social
      link
      fedilink
      arrow-up
      11
      ·
      1 year ago

      OP is nothing more than a corporate boot licking troll, if would seem. That makes this post concern trolling.

      Hey OP, if you actually cared about this issue, you’d be trying to help people. But you’re not helping anyone anywhere on the network.

      You clearly don’t want to be here. So, log off and just don’t come back.

    • Molecular0079@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      Yikes, you’re right. Definitely corporate troll. Either that or he’s just so deep in his own cynicism he can’t help himself.

    • redditcunts@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      16
      ·
      1 year ago

      🤷‍♂️ seems pretty buried with the current UI. In general most users seem to think this place is actually more private than a reddit or Facebook.

      • nottheengineer@feddit.de
        link
        fedilink
        English
        arrow-up
        18
        arrow-down
        1
        ·
        1 year ago

        That’s the worst strawman I’ve read in quite a while. This is literally a public forum, no one thinks it’s private in any way.

      • Norgur@discuss.tchncs.de
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        It is for the sole reason that it doesn’t prevent any form of fake profiles or multi accounting.

        There is even an argument that a rando profile with a fake mail adress that’s not used anywhere else is not traceable to you, since the other information (IPS, Session data, etc) that’s necessary to do that is not federated.

  • JanoRis@kbin.social
    link
    fedilink
    arrow-up
    8
    ·
    1 year ago

    Have been asking this myself lately.
    People always seem to get defensive about this topic, but if an instance gets challenged on a GDPR investigation it could have a huge fine associated to it.
    It is good to have this sorted out, so instance owners don’t enter a life changing financial risk.

    Currently we probably are too small and fly under the radar, but this could become a big problem as the fediverse scales.

    Issues I wonder about:

    1. How safe is the Fediverse? Is there a way for a federated instance to misuse the user data? Or can such activity be detected and cause a defedaration.
    2. How easily can all user data be deleted if a request comes in to remove all personal data? Wouldn’t that request have to be extended to all instances your instance is currently federated with?
    3. Instances probably wouldn’t be able to handle a bad actor (for example Meta, or spez) that decides to start a mass request attack.
    4. Corporations have lawyers that deal with this stuff, I don’t feel like most instance owners have the same kind of protection here.
    • trouser_mouse@lemmy.world
      link
      fedilink
      arrow-up
      3
      ·
      edit-2
      1 year ago

      Totally agree, there is really valuable discussion to be had and collectively it needs to be resolved and approached holistically and consistently across as many instances as possible. Just because you’re someone running a tiny server doesn’t mean you can’t get absolutely dragged over the coals for breach and or non-compliance.

      Even things like reporting incidents and breaches of the service for each instance - it is very unlikely tiny servers can or will comply with so many aspects of GDPR.

      I think the fact that someone could maliciously (or actually, genuinely) report instances now using a relatively straightforward process should be grounds to get the wheels moving on this really!

      For example, you can report non-compliance with cookie information in a one page form here: https://ico.org.uk/make-a-complaint/cookies/report-cookie-concerns/. The process for consumers to kick off a potentially serious enforceable action is very straightforward.

  • awderon@lemmy.world
    link
    fedilink
    English
    arrow-up
    6
    ·
    1 year ago

    Disclaimer: I have no law degree and everything in this post is speculative.

    After reading up on GDPR (https://en.wikipedia.org/wiki/General_Data_Protection_Regulation) it deals with the transfer of personal data to entities outside the EU or EEA for processing. The definition of personal data would be the main point to see if/how GDPR is applicable to lemmy instances. (https://en.wikipedia.org/wiki/Personal_data)

    Your IP address and EMail address could be classified as personal data from my point of view. But this won’t be shared or processed outside of the instance as far as I can tell. If your username and associated posts are classified as personal data I can’t say, but there seems no connection of these to your IP or Mail outside the instance. According to this TechDispatch (https://edps.europa.eu/data-protection/our-work/publications/techdispatch/2022-07-26-techdispatch-12022-federated-social-media-platforms_en) the instances still must adhere to GPDR, but as there is not much or no processing of personal data taking place this should pose no issue.

    All of this is based on a bit of research, so please enlighten me if I made any mistakes.

    • trouser_mouse@lemmy.world
      link
      fedilink
      English
      arrow-up
      4
      ·
      edit-2
      1 year ago

      In the UK a screen name is an identifier. See ICO here. I am in the UK. Therefore combined with other data being collected, e.g. IP. Lemmy and instances I interact with are handling personal data. If it is transferred between instances when I search or view content from one instance to another, there are GDPR implications.

      • r00ty@kbin.life
        link
        fedilink
        arrow-up
        5
        ·
        1 year ago

        Here is the information I have on your user ID as an operator of a remote instance.

        1: Your username and home instance (and a separate link to your profile page on your home instance)
        2: Your avatar
        3: Your about info
        4: Date/time of your last activity (but that I think will be the last time you were seen by my instance, interacting in a community I also have here), so not shared really.

        I took a look at the json returned from your home instance, and again the info is profile page, username, information required for communication between instances with the only PII present being the username, the about and an icon and image.

        Here’s why I’m going to say this isn’t likely to be a problem as such. This is the same as on reddit, if I look at a post a user makes I can click on the user and get access to this level of public information. Also under GDPR and DPA based on advice from the ICO data sharing isn’t forbidden, but the minimum required to fulfil the function of that sharing should be sent. I think the above data meets that. There isn’t information we don’t need to work a distributed network like this.

        I think the point about making a privacy policy visible is a good one. It should make it clear how the network works, and what kind of information is shared with federated instances (and also available to the public, the user query is publicly available). But the data that is federated is the same as is publicly available.

        Now I do feel like there’s the scope for a lot of manual work. For example, federation sometimes means that edits/deletes don’t make it. It can be caused by problems on both sides of the connection. So if you want all your data deleted. Sure I could delete all posts and your user info here. And even make requests to the home instances that they delete them too. But, some might remain on remote instances, and I don’t know who would be responsible for that. Some grey areas remain.

        • trouser_mouse@lemmy.world
          link
          fedilink
          arrow-up
          1
          ·
          1 year ago

          This is really interesting, thank you - I definitely agree there is grey areas and work to be done to ensure compliance as far as is possible!

          It will be interesting to see how it all unpacks.

      • rodhlann@kbin.social
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        If a screen name is an identifier doesn’t that make literally every social website or forum a potential breach? That seems a bit harsh

        • trouser_mouse@lemmy.world
          link
          fedilink
          arrow-up
          4
          ·
          1 year ago

          Not if they are compliant and handle the data correctly, but yes it is a minefield and pretty strict with potential huge fines for non compliance and breaches! I would not want to be in charge of trying to get it all straight for Lemmy!

        • Jajcus@kbin.social
          link
          fedilink
          arrow-up
          3
          ·
          1 year ago

          Non-federated services keep data on their servers or share it with well-defined set of partners. This can be be done in accordance to GDPR. In fediverse that data is broadcasted to anybody who wants to listen (this make the network open). That is a big difference.

        • HeartyBeast@kbin.social
          link
          fedilink
          arrow-up
          2
          ·
          1 year ago

          Just to be clear - I don’t think it is in breach but you have federated servers in various countries, some of which may be owned by entities that do business in the EU making copies of and forwarding messages that contain PII .

          • r00ty@kbin.life
            link
            fedilink
            arrow-up
            2
            arrow-down
            1
            ·
            1 year ago

            Your email address (personal identifier) is right there in the from field. And in many cases, in the header there might be your IP address.

              • r00ty@kbin.life
                link
                fedilink
                arrow-up
                2
                ·
                1 year ago

                Our point is, sharing the information required to make a network like this work is allowed provided you’re not sending information not required. If you right a post on a community that is shared the information about you (user id, avatar etc) is required to render that message on other federated instances. In the same way as when you send an email the from address is required so that people can reply to the email.

                If we were sending IP addresses and data on your browsing preferences to other instances, there would be an argument because it is not required operate the federated network (although you know the corporate players are all justifying their sharing of exactly that data and more). But we don’t do that.

                • trouser_mouse@lemmy.world
                  link
                  fedilink
                  arrow-up
                  1
                  ·
                  1 year ago

                  Thank you! Understand - I think the issue is there there is no documented policy on some instances, I don’t know how each instance handles / shares my data and what the retention policies etc are. I seem to remember there are more controls required depending on where the data is being transferred to. Anyway, that’s getting beyond what I am familiar with!

          • Kichae@kbin.social
            link
            fedilink
            arrow-up
            1
            ·
            1 year ago

            You send the exact same kind of information when you send an email.

            Username, host, and IP.

            • Jajcus@kbin.social
              link
              fedilink
              arrow-up
              2
              ·
              1 year ago

              But e-mail is sent from one entity to another, through servers providing service for one or the other party. Most of Lemmy and Mastodon activities are publicly broadcasted and can be received and collected by any federated server.

    • redditcunts@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      3
      ·
      1 year ago

      but this won’t be shared

      How do you know that? No registered entities, no policies, no assurance what so ever.

    • Molecular0079@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      There is no taking back what you post on the internet, but with activity pub it’s almost guaranteed to not have been processed.

      This is a bug, not the intended design with federation.

      Pretty sure your deletion issues was due to the federation issues that Lemmy was experiencing before the latest round of patches. I’ve had issues where federation didn’t even publish my comment to other instances.

      I am sure once all the bugs get ironed out, these deletion issues will go away.

      • trouser_mouse@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        This is one reason I think there needs to be a public issue tracker and backlog.

        If issues deleting data is a known issue, that means it is known Lemmy / instances cannot comply with right to be forgotten requests. I think there are also rules around informing people who have made requests why you are not taking action, how they make a complaint (in UK this is to the ICO), and that they have a right to get this enforced though legal proceedings.

        It feels like it’s not just some elements not complying, it’s like a stack of things that just goes on and on!

          • trouser_mouse@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            Awesome, thank you so much! I didn’t know :)

            Hopefully there can be a mechanism so that anyone who is an admin or controlling data in instances knows about it and regularly is alerted to any issue which might impact GDPR compliance.

            • Molecular0079@lemmy.world
              link
              fedilink
              English
              arrow-up
              2
              ·
              1 year ago

              I am sure these things will get hammered out in time by the devs and the open source community in the main Lemmy source code or as a separate project. Contrary to what OP thinks, people ARE talking about it and the people building the Fediverse are aware.

              • trouser_mouse@lemmy.world
                link
                fedilink
                English
                arrow-up
                1
                ·
                1 year ago

                Absolutely, it is just surprising there has not been quicker action given the severity of the potential consequences.

                Hopefully all will be well!

                • Molecular0079@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  2
                  ·
                  1 year ago

                  It’s only been a few weeks since the redditpocalypse and the devs are busy fixing scaling bugs to handle the crazy influx of new users. Most of the deletion issues are simply due to bugs in the code creating more load than there should be, which in turn breaks or delays federation. I think getting the scaling issues out of the way first will provide a solid foundation to fix these other bugs, and given how well lemmy.world is performing with the recent 0.18.1 update, progress is definitely moving at a fast pace!

      • static@kbin.social
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        It does

        You can request and download an archive of your content, including your posts, media attachments, profile picture, and header image.

        You may irreversibly delete your account at any time.

        If this server is in the EU or the EEA: Our site, products and services are all directed to people who are at least 16 years old. If you are under the age of 16, per the requirements of the GDPR (General Data Protection Regulation) do not use this site.

      • static@kbin.social
        link
        fedilink
        arrow-up
        1
        ·
        edit-2
        1 year ago

        It does

        You can request and download an archive of your content, including your posts, media attachments, profile picture, and header image.

        You may irreversibly delete your account at any time.

        If this server is in the EU or the EEA: Our site, products and services are all directed to people who are at least 16 years old. If you are under the age of 16, per the requirements of the GDPR (General Data Protection Regulation) do not use this site.

        • redditcunts@lemmy.worldOP
          link
          fedilink
          arrow-up
          1
          arrow-down
          5
          ·
          1 year ago

          GDPR states you must have a specific GDPR policy. It’s absurd all theses comments from uneducated users. Like 1 in 10 have brought in useful pertinent information. This is stuff a privacy office would know on day one fresh out of school.

      • static@kbin.social
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        It does, and this is to comply with GDPR

        You can request and download an archive of your content, including your posts, media attachments, profile picture, and header image.

        You may irreversibly delete your account at any time.

      • Norgur@discuss.tchncs.de
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        Yes, I know Yet, can you be more specific as to which parts of those laws (or better groups of laws, GDPR is not one single law as every EU member state does things slightly differently) Lemmy instances are at odds with?

        • Molecular0079@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          I am not OP soooo…🤷‍♂️

          I am assuming he’s talking about the data deletion issues that happen with federation?

    • trouser_mouse@lemmy.world
      link
      fedilink
      English
      arrow-up
      11
      ·
      edit-2
      1 year ago

      This is just at a really high level. Take for example https://lemdro.id. I am in the UK.

      • I do not get cookie information / consent
      • How do I make a SAR request, it isn’t stated
      • What is their data retention and privacy policy, it isn’t stated
      • How do I make a data sharing request as a member of law enforcement or government
      • How is data processed if I am under 16/13
      • Is data transferred from an EU to non-EU server if I search their content from another instance? Are the correct controls and risk assessments in place
      • If I delete my .id account under right to be forgotten, how is my request propagated between other instances to ensure my data isn’t retained somewhere on another instance which has pulled the data
      • If I use an account from another instance and post an image on .id, and then delete my account, is the image I posted deleted from their server and backups etc

      GDPR is very serious and an absolute minefield. I am pretty sure Lemmy and individual instances are not compliant, and I am not sure they can be fully - it may have to be on a best-endeavours basis. Be interesting to see how that holds up under a challenge.

      • Kichae@kbin.social
        link
        fedilink
        arrow-up
        3
        ·
        1 year ago

        I actually question whether GDPR is up for the task of distributed systems like this.

        Like, if you put in a right to be forgotten request to your host server, it’s not at all clear that they’re responsible for the copies of your content that are being hosted elsewhere, any more than asking a news website to remove your personal information from an article requires them to also hunt down anyone else who has copied and spread the story to remove it, too.

        Different Lemmy websites are independently owned and operated, and your local admin holds no authority over other admins. They can request deletion on your behalf, if that’s a legal requirement, but they cannot compel action. I’m not even sure they can act as your proxy, given that there’s no formal relationship between admins.

      • WalrusDragonOnABike@kbin.social
        link
        fedilink
        arrow-up
        2
        ·
        1 year ago

        If I delete my .id account under right to be forgotten, how is my request propagated between other instances to ensure my data isn’t retained somewhere on another instance which has pulled the data

        There’s no way GDPR can tell we hosts they are responsible for other platform’s copy of data, right? Wouldn’t that mean Twitter has to remove tweets from every news article that makes copies, for example, if someone deleted their account under that right?

        • trouser_mouse@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          It’s law to comply with GDPR and the ePrivacy Directive.

          • Receive users’ consent before you use any cookies except strictly necessary cookies.
          • Provide accurate and specific information about the data each cookie tracks and its purpose in plain language before consent is received.
          • Document and store consent received from users.
          • Allow users to access your service even if they refuse to allow the use of certain cookies
          • Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place.
          • awderon@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            ·
            1 year ago

            There is only one cookie present when I inspect the Cookies with my browsers dev tools. Which seems to be the auth token for my account.

            • trouser_mouse@lemmy.world
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 year ago

              As far as I am aware, a user authentication cookie is classed as personal data and therefore subject to GDPR!

              • awderon@lemmy.world
                link
                fedilink
                English
                arrow-up
                2
                ·
                1 year ago

                Receive users’ consent before you use any cookies except strictly necessary cookies.

                Wouldn’t the auth cookie fall into the strictly necessary category?

                • trouser_mouse@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  1 year ago

                  I’m no expert so hopefully someone will be able to chip in. I know when I have dealt with GDPR stuff, there has been quite a lot of conflicting opinions!

                  Even if it is not required to get consent for that, I think there is also a requirement around explaining to the user what they do and why they are necessary.