At some point the Fediverse is going to have to protect itself from Europe.
Comment on Telegram CEO Pavel Durov Arrested in France
tal@lemmy.today 2 months ago
TF1 and BFM both said the investigation was focused on a lack of moderators on Telegram
I would vaguely imagine that they aren’t going to be very happy about the Threadiverse when they discover us. There’s no global moderator team to moderate things.
Deceptichum@quokk.au 2 months ago
Kusimulkku@lemm.ee 2 months ago
Would be horrible if they went after our child porn
Deceptichum@quokk.au 2 months ago
Kusimulkku@lemm.ee 2 months ago
I don’t mind when they genuinely do go after child porn. But I suppose I’m not as principled about freedom of speech as some others
General_Effort@lemmy.world 2 months ago
It certainly is against the GDPR to federate with US instances. US law enforcement could get their hands on our data!
tal@lemmy.today 2 months ago
It certainly is against the GDPR to federate with US instances.
considers
I don’t think that it is, even for EU instances, in that the GDPR regulates businesses, so it’s out-of-scope for the GDPR.
In theory, I suppose that GDPR implications might come up if someone starts selling commercial Threadiverse access at some point, though.
There might be some interesting questions around providing Usenet or maybe XMPP, though, as there are commercial providers of those services, and they are federated and transfer data all over the world.
kagis
Hmm. This has some people talking about it for XMPP.
mail.jabber.org/…/F5EGKYVPD42PPHOW72VBOS5E6OZTA22…
Under UK GDPR (not sure about the EU one) the only grounds for exemption is “Residential use” (other than police and national security, which are also exempt), quoting from the ICO:
“Domestic purposes – personal data processed in the course of a purely personal or household activity, with no connection to a professional or commercial activity, is outside the UK GDPR’s scope. This means that if you only use personal data for such things as writing to friends and family or taking pictures for your own enjoyment, you are not subject to the UK GDPR.” [1]
(For those who don’t know who the ICO is, they are the British data protection authority, see [2])
At first, at least in my case, this seems pretty easy. The data is stored domestically, it is used with me and my friends for communication, there shouldn’t be any more to it… right?
But there is. I regularly connect and talk in many MUCs for open source projects, such as Ignite Realtime (where this was initially discussed until Guus suggested moving it to operators, thanks Guus :) ).
IP addresses are considered identifiable information, and logs will store said information; this therefore means my server is storing identifiable information on other servers, in this case servers which could be considered for commercial purposes.
It needs to be noted that commercial purposes doesn’t necessarily mean paid services; charities and non-profits are included within the definition. Open source projects COULD be considered commercial purposes because, although contributions are provided free of charge, it is still a “donation” of sorts in the way of code.
The definition of “professional” does not seem to be clarified anywhere on the ICO page, nor in their legal definitions [3]. It doesn’t seem to be within the UK GDPR legislation [4] (I will admit I did not read all of this, I tried searching for keywords and found nothing, if someone read it all and knows where this exception is clarified, please let me know). Professional could mean a lot, but I will assume it is to do with some sort of “work”, which therefore would include open source contributions.
This therefore could break the “no connection to professional or commercial activity”; to be honest, the easiest thing to draw from this is that if it involves someone who is not family or a friend (or yourself), you are very likely to not be exempt.
For those who will suggest a zero storage solution, where the XMPP server doesn’t store any data, it still comes under GDPR due to PROCESSING of data; simply processing it, even if you don’t store it, will have GDPR requirements.
Failure to pay when you are required to results in fines.
This is really cracking open a huge can of worms, it isn’t so much of “ah £45/yr is no big deal”, once you are exempt you must follow all the legal requirements of GDPR, and for a hobby? Is it worth it?
I am 100% sure, an XMPP server which does not federate, which is used to communicate with friends would be exempt. But I have my doubts whether a federated server can still use the same exemption clause.
General_Effort@lemmy.world 2 months ago
the GDPR regulates businesses,
The GDPR regulates everything and everyone, including individuals and non-profits. See Article 2. eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=…
For example: If you keep a personal journal and write about your friends and acquaintances, that’s out of scope. But when the Jehovah’s Witnesses go door to door and make notes who opens etc, that’s in scope.
barsoap@lemm.ee 2 months ago
Unless you dox yourself what kind of personal information are instances sharing? On top of that stuff that isn’t due to the normal functioning of the site as a public message board?
What’s questionable is embedding images; lemm.ee mitigates that with proxying, but ultimately the web is the web and you can’t proxy the whole web. Clicking a link will still lead you somewhere else, and if your browser pre-loads links then that’s up to you.
General_Effort@lemmy.world 2 months ago
I’ll quote the definition from the GDPR:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Little of the information that instances share is not personal. Identifiable is also very broad. It’s enough that it would be possible for someone with the right tools and access to other information to identify you. E.g. your ISP could be subpoenaed to reveal the customer behind a dynamic IP address, making it a personal datum.
It’s an extremely broad definition. If it wasn’t, tracking cookies would not be a big deal unless you had the real name of someone connected to the cookie ID.
ultimately the web is the web and you can’t proxy the whole web. Clicking a link will still lead you somewhere else and if your browser pre-loads links then that’s up to you.
That’s exactly what my first reaction was. But the law sees it differently. No one is required to use an ad-blocker, VPN, or know anything about the internet. When you make a website or something, it is up to you to make sure that no one’s rights are violated. In fairness, if it was otherwise, tracking pixels would be fine.
We’re not at a point yet where outgoing links must come with a warning, but it would be safer. Someone is always the first to lose a court case over something. I noticed news media use rel=noreferrer. I think that’s the least one needs to do (“data minimization”).
Don’t expect me to defend the GDPR. It’s neoliberal/conservative bullshit; even an abandonment of enlightenment values. But it’s the law nevertheless and a lot of people on Lemmy positively love it.
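An added example, not part of any comment in this thread and not code from Lemmy or any instance: the two data-minimization measures mentioned above (rel=noreferrer on outgoing links, proxying remote images) applied to a post's rendered HTML. The instance host, the proxy path and the sample post are constructed assumptions.

```javascript
// Outbound-link and remote-image rewriting for a federated message board.
// Goal: the reader's browser sends no Referer to third-party sites and
// never fetches third-party images directly (their IP stays with the instance).
const INSTANCE_HOST = "example-instance.test"; // constructed for this example
const PROXY_PATH = "/image_proxy?url=";         // assumed proxy endpoint, not a real one

// True when the URL resolves to a host other than this instance.
function isExternal(rawUrl) {
  try {
    const u = new URL(rawUrl, `https://${INSTANCE_HOST}/`);
    return u.host !== INSTANCE_HOST;
  } catch {
    return false; // unparsable href: leave it untouched
  }
}

// Add noopener and noreferrer to every external <a>, keeping any existing rel tokens.
function rewriteLinks(html) {
  return html.replace(/<a\b([^>]*?)\shref="([^"]*)"([^>]*)>/gi, (m, before, href, after) => {
    if (!isExternal(href)) return m;
    let attrs = `${before} href="${href}"${after}`;
    const relMatch = /\srel="([^"]*)"/i.exec(attrs);
    const tokens = new Set(relMatch ? relMatch[1].split(/\s+/).filter(Boolean) : []);
    tokens.add("noopener");
    tokens.add("noreferrer");
    attrs = attrs.replace(/\srel="[^"]*"/i, "");
    return `<a${attrs} rel="${[...tokens].join(" ")}">`;
  });
}

// Route every external <img> through the instance's own proxy endpoint.
function rewriteImages(html) {
  return html.replace(/<img\b([^>]*?)\ssrc="([^"]*)"([^>]*)>/gi, (m, before, src, after) => {
    if (!isExternal(src)) return m;
    return `<img${before} src="${PROXY_PATH}${encodeURIComponent(src)}"${after}>`;
  });
}

function minimizeOutbound(html) {
  return rewriteImages(rewriteLinks(html));
}

// Constructed sample post body: one external and one local link and image each.
const SAMPLE_POST = '<p>See <a href="https://news.example.org/story">this</a> ' +
  'and <a href="/c/fediverse">local</a>.</p>' +
  '<img src="https://cdn.example.net/pic.png" alt="x">' +
  '<img src="/pictrs/image/local.png" alt="y">';
```

Local links and images are left exactly as they were, so only cross-origin fetches are affected.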
barsoap@lemm.ee 2 months ago
Little of the information that instances share is not personal.
The only PII contained in that post you wrote is your user name. My instance has no idea what IP address or whatnot you used, it gets sent “user posted message”, “user voted”, etc. messages by lemmy.world. It does not interact with you.
The information that your instance shares with the rest of the world is a) pseudonymous: unless you dox yourself, no connection can be made between your handle and your actual person, and b) said information transfer is part of the primary service of the platform. You wouldn’t be here if things wouldn’t get shared that way; hence, you consented.
If it wasn’t, tracking cookies would not be a big deal unless you had the real name of someone connected to the cookie ID.
Cookies are no issue. Tracking without consent is. Lemmy isn’t tracking you. You have an account with lemmy.world. You presumably have taken notice of its privacy policy. lemmy.world is run by a Dutch foundation, and yes, they have a legal department… or at least lawyers. If you’re an EU citizen the GDPR applies, otherwise other stuff might apply; they’re spelling it all out.
E.g. your ISP could be subpoenaed to reveal the customer behind a dynamic IP address, making it a personal datum.
…yes? You gave lemmy.world the right to log your IP when you signed up. They’re not retaining it longer than necessary because of the general GDPR provision of data frugality, but if a court order knocks on their door saying that they need your IP they can also be required to wait until you log in and then send that fresh IP directly to the authorities. Newsflash: The GDPR does not provide opsec against EU state actors. Off to the darknet with you if you care about that. It does provide opsec against ad networks, data brokers, etc… well at least in so far as it’s actually enforced.
Don’t expect me to defend the GDPR. It’s neoliberal/conservative bullshit; even an abandonment of enlightenment values.
The fuck are you on about.
0x0@programming.dev 2 months ago
Unless you dox yourself what kind of personal information are instances sharing?
Don’t IP addresses get associated with posts?
barsoap@lemm.ee 2 months ago
Why would they? Serves no purpose.
Blackmist@feddit.uk 2 months ago
It’s OK though because EU police can get their hands on it too. Phew!
General_Effort@lemmy.world 2 months ago
I’m not joking. It’s legally very questionable. It matters little if all the data is public.
Have you heard about that $1.3 billion fine that Meta got under the GDPR? That was for sending data to US servers where the US government can get to it. It was the highest fine ever under the GDPR and it happened because Meta complies with US law. For that matter, the option to embed images into posts is a violation, as well.
arin@lemmynsfw.com 2 months ago
Depends if it’s encrypted
wildbus8979@sh.itjust.works 2 months ago
Telegram isn’t either. Certainly not by default, and definitely not public channels.
cheddar@programming.dev 2 months ago
Telegram is encrypted, just not e2e.
Deebster@programming.dev 2 months ago
There’s moderation per community and per server. There’s no “fediverse moderator”, of course, but I think you’re vaguely worrying for nothing.
General_Effort@lemmy.world 2 months ago
I don’t think much of the fediverse is compliant with the DSA, including the rules on content moderation. I really doubt that any lemmy instance is. Can we really assume that no one will ever complain?