This is an opportunity for any users, server admins, or interested third parties to ask anything they’d like to @nutomic@lemmy.ml and I about Lemmy. This includes its development and future, as well as wider issues relevant to the social media landscape today.

Note: This will be the thread tmrw, so you can use this thread to ask and vote on questions beforehand.

Original Announcement thread

  • 1984@lemmy.today
    link
    fedilink
    English
    arrow-up
    189
    arrow-down
    4
    ·
    1 year ago

    I asked in the other thread about GDPR.

    Nobody thinks it’s very interesting but if instances don’t follow gdpr, the entire network is at risk of legal consequences.

    So please bring this up, even though it’s not very fun.

    • Dessalines@lemmy.mlOPM
      link
      fedilink
      English
      arrow-up
      97
      ·
      1 year ago

      Neither @nutomic@lemmy.ml or I are too familiar with the GDPR, so we don’t know everything that it requires. Lemmy doesn’t do any logging of IPs or other sensitive info, but of course instance runners could be doing their own logging / metrics via their webservers.

      We have a Legal section under admin settings, that’s an optional markdown field, that can probably be used for it. We’d need someone with GDPR expertise though to help put things together. Lemmy is international software, not european-specific, so we have to keep that in mind when supporting GDPR.

      • DerinA
        link
        fedilink
        English
        arrow-up
        54
        ·
        edit-2
        1 year ago

        As a person who oversaw the implementation of GDPR in a large software house (which wasn’t EU specific, but had to in order to operate legally in the EU), the requirements were:

        1. Allow users to request data deletion or a copy of their data.
        2. If the former, delete all data of their data on the server, send it to them, and then (this was the important part) forward the data deletion request to every single partner we were working with.

        For us, this was multiple ad companies. We had to e-mail each one, ask them about their GDPR implementation (most of them were somewhere between “we’re thinking about it” and “we have an e-mail address you can send something automated to and we’ll get to it sometime within the next month”), and then build an automated back-end system to either query their APIs for automated deletion, or craft/send e-mails for the more primitive companies.

        As far as the data being deleted, it was anonymized IDs that were tied to their advertising IDs from their mobile phones. I used to try and argue that “no, it’s anonymous” - but we also had some player data (these were games) associated with that, so we ended up just clearing house and deleting everything on request.

        So, legally, this means every instance - in order to be GDPR compliant - would have to inform every instance it federates with that a user wants their data deleted. If you’re not doing that, you’re not fully compliant.

        Kind of shitty, but that’s how it went for me. (this was back when GDPR was first being released)

        Edit: Also, the one month thing was relevant: you have 30 days to delete GDPR stuff after receiving a data clear request. I don’t recall what the time was for a “see my data” request. Presumably, though, on Lemmy the latter is superfluous as all your data is already present on your profile page. An account export option would be enough to satisfy that.

        • oce 🐆@jlai.lu
          link
          fedilink
          English
          arrow-up
          10
          arrow-down
          1
          ·
          1 year ago

          There a different levels of personal data but a unique identifier for a user is one of them because it allows linking information together about a single person, and from there you can try to identify the real person. So an option would be to overwrite all the occurrences of this identifier with random data so you can’t link data together anymore, as long as it’s not also personal data.

          • DerinA
            link
            fedilink
            English
            arrow-up
            4
            ·
            1 year ago

            Sure, but you’d still have to delete all their written posts - which is really what all this is about.

            • Atemu@lemmy.ml
              link
              fedilink
              English
              arrow-up
              5
              ·
              1 year ago

              You actually would not. The content of the post can stay but the username/identifier has to be removed. Written text is not PII to my knowledge and every social platforms I’ve actively used only delete the identifier (Reddit, GitHub).

              • Umbrias@beehaw.org
                link
                fedilink
                English
                arrow-up
                4
                ·
                1 year ago

                Written content can contain pii, but it’s rarer. Written content isn’t, by default, pii, but if someone tells anything reasonably pii the entire text can be consisted pii even when anonymized.

                • interolivary@beehaw.org
                  link
                  fedilink
                  English
                  arrow-up
                  3
                  ·
                  1 year ago

                  Yeah as someone who had to deal with GDPR in a professional capacity, it’s probably better to just assume that content written by users contains PII since you really have no way of telling whether it does or doesn’t.

                  Naturally you can just ignore that and leave the content as-is, but then you run the risk of some data protection authority ruining your day.

        • danc4498@lemmy.world
          link
          fedilink
          English
          arrow-up
          3
          ·
          1 year ago

          So, I wonder if Lemmy instances would be responsible for the instances that federate with them. It’s my understanding that the Lemmy instance doesn’t send the user’s data to other instances, rather it is just posted, and the other instances copy it onto their local instance.

          It’s almost like those reddit services that would show deleted content. A user can delete their profile on Reddit, but Reddit isn’t required (that I know of) to go to these services and make sure the user’s data is being wiped out.

      • randint@lemm.ee
        link
        fedilink
        English
        arrow-up
        13
        ·
        1 year ago

        It’s often too expensive to support GDPR for Europeans and disable it for other people. Most services just support GDPR for everyone.

    • nutomic@lemmy.mlM
      link
      fedilink
      English
      arrow-up
      44
      ·
      1 year ago

      Im not a lawyer so I dont know about GDPR. Do you know how similar platforms such as Mastodon handle it?

      • Matt@lemmy.world
        link
        fedilink
        English
        arrow-up
        27
        ·
        edit-2
        1 year ago

        Hard to say exactly what Mastodon does, but mastodon.social’s privacy policy should give you some direction in how they handle data: https://mastodon.social/privacy-policy

        As mastodon.social is based in Germany, they will know about GDPR and have to follow it to the letter.

        • nutomic@lemmy.mlM
          link
          fedilink
          English
          arrow-up
          35
          arrow-down
          3
          ·
          1 year ago

          That sounds like its something for instance admins to handle, nothing we as developers need to care about. Maybe we should add a privacy policy for lemmy.ml but thats it.

          • tatterdemalion@programming.dev
            link
            fedilink
            English
            arrow-up
            17
            arrow-down
            1
            ·
            1 year ago

            Yea it is ultimately on the admins, but Lemmy just needs to not make it hard to comply with GDPR. So it’s up to admins to raise issues when Lemmy is seen as an obstacle to compliance, and it’s up to devs to listen and implement compliance features.

          • Matt@lemmy.world
            link
            fedilink
            English
            arrow-up
            11
            ·
            1 year ago

            That’s my take on it as well - GDPR is for the individual instances to deal with, as they’re the ones who hold the data on their users and anything coming to them.

            The software, of course, can have some design which purges data automatically or whatever, but ultimately the control is whoever is hosting Lemmy so no matter what Lemmy does, people can override it (though some sane defaults are always good, of course).

          • joelghill@lemmy.ml
            link
            fedilink
            English
            arrow-up
            12
            arrow-down
            1
            ·
            1 year ago

            Wouldn’t it be prudent to build features into Lemmy that make it easy for admins to manage user data though?

      • 1984@lemmy.today
        link
        fedilink
        English
        arrow-up
        50
        arrow-down
        1
        ·
        edit-2
        1 year ago

        That’s what I thought too until I looked it up. It applies to individuals as well.

        If an individual runs a web server and processes personal data of individuals within the European Union, then they are subject to the requirements of GDPR. GDPR applies to anyone, including individuals, who processes personal data of EU residents, regardless of whether they are operating as a business or on a personal basis. It’s important for the individual running the web server to comply with GDPR’s data protection principles and obligations to safeguard the personal data they process.

        • bdonvr@thelemmy.club
          link
          fedilink
          English
          arrow-up
          10
          arrow-down
          2
          ·
          edit-2
          1 year ago

          As someone not residing in the EU, I don’t see how they could possibly enforce that. Best they could do is block my instance I suppose. Have they done that for any small site?

          I mean, I would delete/provide all data of any user who requests me to do so for themselves. But I’m likely not following every facet of the GDPR.

          • 1984@lemmy.today
            link
            fedilink
            English
            arrow-up
            10
            arrow-down
            1
            ·
            1 year ago

            They don’t work like that, they have no technical capabilites. I think it would work more like a company being ordered to pay a fine if a user on your instance finds out that his data is not deleted if he asks.

            But this is complicated so I hope someone else has good input on this topic. Someone must have run a website with registered users in Europe before without being a corporation.

            The fediverse brings a new touch to all of this also, since the posts and comments are replicated across instances. Will that matter to the EU law? Maybe, maybe not.

          • hikaru755@feddit.de
            link
            fedilink
            English
            arrow-up
            3
            ·
            1 year ago

            Basically, anything that involves the data being present somewhere in information systems that you control. Taking decisions based on it, displaying it on a webpage, make decisions based on it, even just storing it, all counts as processing under GDPR.

          • 1984@lemmy.today
            link
            fedilink
            English
            arrow-up
            5
            arrow-down
            22
            ·
            1 year ago

            Asking chat gpt, so take it with a bit of salt, but it’s usually correct about these things.

            In the context of data protection and GDPR, “processing” refers to any operation or set of operations performed on personal data. This includes collecting, recording, organizing, storing, adapting, altering, retrieving, using, disclosing, transmitting, and deleting personal data.

            Processing can be done both manually and automatically. It covers a wide range of activities related to personal data, such as capturing information through web forms, analyzing data for marketing purposes, storing customer records in a database, or even just viewing or accessing personal data.

            Under GDPR, any entity or individual involved in processing personal data is required to comply with the regulation’s principles and obligations to protect the rights and privacy of the individuals whose data is being processed.

      • gonzo0815@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        27
        arrow-down
        4
        ·
        1 year ago

        That’s not true. You might be thinking about the German network enforcement act. Every little ecommerce website, even when it’s a one-man operation, has to follow GDPR guidelines when they aim at people in the EU.