this post was submitted on 09 Jun 2023

15 points (100.0% liked)

Beehaw Support

153 readers

2 users here now

Support and meta community for Beehaw. Ask your questions about the community, technical issues, and other such things here.

A brief FAQ for lurkers and new users can be found here.

Our July 2023 financial update is here.

For a refresher on our philosophy, see also What is Beehaw?, The spirit of the rules, and Beehaw is a Community

This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

founded 2 years ago

MODERATORS

[email protected]

Lemmy, privacy and potential GDPR violations (beehaw.org)

submitted 1 year ago by [email protected] to c/[email protected]

13 comments fedilink hide all child comments

Been just linked to this post, that claims that on Lenny:

Messages are never deleted, only hidden, a GDPR violation
Deleted usernames are also not deleted, only hidden, same thing
Stuff remains on federated servers even if you delete it
There's no way to delete yourself from the network if you choose to do so

Gut feeling says none of this is true or is only half truths, but want to be sure before i invest myself heavily on this platform.

top 9 comments

sorted by: hot top controversial new old

[–] [email protected] 17 points 1 year ago* (last edited 1 year ago)

Messages are never deleted, only hidden, a GDPR violation

This is partly true. Messages are not really deleted until you delete your account.

Deleted usernames are also not deleted, only hidden, same thing

This is true

Stuff remains on federated servers even if you delete it

If everything works according to plan it should be gone, though there might be cases, where some instances don't update.

These question were also answered in this github issue.

EDIT: Imho this should be changed. At least the first two points. It does not need to be 100% foolproof on other instances, as they may be down when the deletion happens, but I think that the instance, which hosts the content should NOT have the content after deletion. Another idea would be to edit comments / posts to just say "[removed]".

[–] [email protected] 15 points 1 year ago (2 children)

Few things:

Federated Protocol essentially offers something similar to Peer-To-Peer communication like Bit Torrent, only that it's a server-to-server communication protocol. You could GDPR the Lemmy servers that are within the EU jurisdiction, but good luck enforcing that outside of EU.
Anything you post in public is PUBLIC, this should be obvious and I honestly advise not to put your real name out there if you're not going to be responsible with your posting or behavior.
Services like Internet Archive exists, so your stuff are going to be saved forever whether you like to or not.

If you're not comfortable with the non-compliance of GDPR on Lemmy Server, then I can suggest two things:

Detach your real life identity from Lemmy and assume everything you do with that service/website is public.
Find other platform that respects GDPR.

[–] [email protected] 7 points 1 year ago* (last edited 1 year ago) (1 children)

You could GDPR the Lemmy servers that are within the EU jurisdiction, but good luck enforcing that outside of EU.

Yup. In order for something like the GDPR to be effective, it requires centralization to both implement and enforce. A decentralized platform is inherently incompatible with that. I don't think any attempt should be made to integrate any semblance of GDPR compliance into Lemmy's code base if it's just for compliance's sake.

[–] [email protected] 11 points 1 year ago

Yeah GDPR compliance seems like the kind of thing that should be left down to specific instances if they want/need it, but I personally reckon that a decent chunk of the spirit behind the GDPR - namely, user privacy and the right to delete your data - is worth implementing into Lemmy at a fundamental level!

[–] [email protected] 6 points 1 year ago (2 children)

GDPR compliance is not optional for entities that interact with European citizens, you don't get to say "Oh well, that doesn't work for me". You MUST be GDPR compliant, or you WILL get fined, and the GDPR fines are no joke! Still checking and asking, but if this messages thing happens to really be a GDPR violation, every single instance admin that interacts with EU citizens (so, all of them) will be under threat of huge fines. That'd mean Lemmy would be a HUGE legal liability for instance creators, and pretty much a no-go.

The fact that this is for a feature that is also a potential huge waste of resources, as you'd keep deleted messages potentially indefinitely if the people with the accounts don't delete them, makes me feel this was not well thought out.

[–] [email protected] 5 points 1 year ago

The reason I believe that the messages don't actually delete unless you delete your account likely have to do with moderation ability. For example, If I delete your message, everyone can't see your message but me and other moderators can see it. The reason it's put in place like that is to encourage moderation accountability. With that point of view in mind, it makes sense to have this third state of deletion.

I'm also not sure that GDPR fines would have any power if the service decides to simply not offer services in that country anymore.

That said, I recognize the issues being brought forward and it would be nice to have additional options in regards to that.

[–] [email protected] 3 points 1 year ago* (last edited 1 year ago) (1 children)

As I said, it only within the CONFINE OF THE EU JURISDICTION. Your law have no power over the American citizen and we don't have to comply with GDPR and neither does Lemmy that is hosted in USA do.

Lemmy was created to support federation of servers and the inherent problem with that is that it is incompatible with GDPR legal system, because while you can enforce GDPR on one server, you can't guarantee enforcement of it on any other servers that retain your posts or threads, because they can retain a copy of your posts thereby defeating your "right to be forgotten." So in that context, even if that one server comply with your GDPR request, is your government still going to punish that one server for something outside of their control? Lemmy, PeerTube, Mastodon, and so forth all have servers to tackle the crux of the problem in social media, The Network Effect. When you set up one server, you would notice that your one server have no content when you don't have visitors or users using that server, so you have to connect to other servers to get the contents you want and so forth, the trade off is that you can't control what goes on in that other server unless they're kind enough to give you some of that measure of control which is no guarantee.

[–] [email protected] 3 points 1 year ago

It doesn't matter where the service is hosted, if it serves EU citizens it MUST comply with the GDPR, even if it's hosted in USA, that's why even the big companies like Google, Microsoft and all the others comply (or SAY they do, no one trusts FB on data deletion). So yes, they DO have power there.

Also, from what i understand you're assuming federation means that everything is everywhere. That is not true. From what i see from Lemmy's mechanisms (and from what my critical lack of caffeine allows me at the moment), if something is deleted on one instance it should get deleted on all as Lemmy sends the deletion request to other instances, and anything remaining from other places should be eventually deleted and flushed out of caches, that part shouldn't be an issue there. So, the instance admins would be responsible only for the data of the users in their servers, not the others. And yes, they WOULD be responsible and legally liable if this is in fact a violation (still not sure, might be OK and not even a problem as "restriction of processing" from article 18, i guess i'll continue searching tomorrow, it's 2AM here and i'm done).

[–] [email protected] 11 points 1 year ago* (last edited 1 year ago)

For the third and fourth points, I think the comparison to email is apt here. If you do a GDPR data request/removal service on your email provider, it's unreasonable to expect that they chase down all the people you've sent emails to and ask them to delete them.

As far as I know, Lemmy doesn't send any data to other instances unless you explicitly request them to (by either subscribing to a community or sending a message/post).

(Also, I am not a lawyer or expert in GDPR, so don't take this as legal advice!)

load more comments