“The SCOPE Act takes effect this Sunday, Sept. 1, and will require everyone to verify their age for social media.”

So how does this work with Lemmy? Is anyone in Texas just banned, is there some sort of third party ID service lined up…for every instance, lol.

But seriously, how does Lemmy (or the fediverse as a whole) comply? Is there some way it just doesn’t need to?

  • abff08f4813c
    11 months ago

    Sorry for the late response, your last comment didn’t federate, so I just saw it.

    Agreed, but - while it might be permissible legally to wipe out my data and content, what if I want to retrieve a copy afterwards?

    You have the right to request a copy of all your personal data from whoever controls it. Apparently that feature is still missing from lemmy.

    I run my own single user instance and it’s not that hard… I’d have to make some SQL queries to the database directly to retrieve the info but it’s straightforward.

    Well, in that case, barring credible contradicting information from another source, I think it’s reasonable to accept the note from the former worker of a DPO. Would you agree?

    That quote is from here: https://lemmy.world/post/1060627

    Yep that’s the one.

    I think I agree with pretty much everything they wrote. From what I understand, the apostrophes indicate that this is not official jargon. You can’t prevent web-scraping with any reasonable effort, so you don’t have to. The internet already exists. It’s too late to stop it now; better focus on stopping future progress.

    Agreed.

    Mind that there is nothing involuntary about federation. It’s not like web-scraping in that respect. You can just turn it off. You are left with something like an old school forum or reddit. No problem.

    Yes but that also makes it less useful and viable, unfortunately. I guess it really is like email if we consider federation an essential feature. I can set up my own email server that doesn’t talk to any other, but then it’s not too useful since it’d just be me sending emails to myself.

    So, federation is a must, but the question is how to make it work.

    Hmm. Will need a good think about this - perhaps I should adjust my commenting style to avoid direct quoting and such…

    If you take the view that context is a necessary part of your personal data, then merely avoiding quotes is probably not enough.

    What more would need to be done?

    • abff08f4813c
      11 months ago

      And now I hit some kind of length limit so I had to break up the post. Moving right along,

      That’s why I had the idea of creating and using the federation-bot account - this way there’s no confirmation of identities or transfer of personal data.

      But what if someone wants to participate in a community on a different instance?

      It would still work. The different instance would fetch the link containing the requested content and pass that on to the end user, where either the web UI running on the user’s browser or the user’s app would load the content. (Akin to a web browser loading the web page). It’d be up to the piece running on the end user’s computer to match it all together.

      At least, the texts and their context, along with the username and home instance, need to be revealed.

      Yes, but the point is that, like an old-school forum, this is not revealed except by (and from) the original instance hosting the content, and only to the end user. It’s not revealed until the end user’s app/browser fetches the content from the original server. So since only a link is federated, the PII only exists on those two places. Meaning that the server admin has a much easier job to delete data, as they only have to get it deleted off their own instance.

      If the end user then does webscraping … well how can you prevent that?

      And if someone creates a malicious instance that follows the link and screenscrapes it … I assume it also falls under the “cannot prevent” bucket.

      Taking a mental step back, it’s probably premature to worry about technological implementations. Sending data around does not have to be a violation. Compliance will require partly better information, and partly different administration. The legal aspects should be worked out before the necessary tools for the administrators are implemented.

      The problem here is that means we devs have to sit back and wait. When will we get the answers we need? And how long do we have to be exposed before we can actually work on solving the problem?

      We really do need a foundation like the EFF to provide that legal advice and support, but I think coming up with technical fixes is still worthwhile even as we wait…

      There is also a lot of regulation for the backend, that instance owners have to comply with but which won’t be noticed by users. Documenting the data processing, who has access, possibly make data impact assessments, maybe notify the local data protection office, …

      It seems like a good legal guide for an admin’s and instance’s jurisdiction is a must.

      Oh, and by German law there also needs to be a (physical) address that can be served legal papers.

      Interesting. In the US you can hire a lawyer to serve that purpose, typically. In some jurisdictions, I wonder if something like https://www.alliancevirtualoffices.com/ may also work.

      There’s also more from the DSA, like releasing transparency reports on moderation twice a year, making regular backups and testing those, … I’m not quite sure what all is demanded by the DSA.

      You’ve mentioned this a bunch of times but … what’s the DSA again? I have no doubt it’s related but curious to understand exactly what it is and how it fits in.

      Could there be jurisdictions that have only DSA and no GDPR, and others with GDPR and no DSA?

      • abff08f4813c
        11 months ago

        Ok, once more, continuing,

        Hmm - if different DPOs can’t agree, then I don’t see how we get to the point of a user friendly manual.

        I’m thinking about the issue of web-scraping, in particular. Some say that it’s almost always illegal. The European Commission, for one, disagrees.

        I pulled this from google: https://www.morganlewis.com/pubs/2024/05/eu-regulator-adopts-restrictive-gdpr-position-on-data-scraping-impacting-ai-technologies

        Thank you, that’s a really good example! I understand the need to rein in AI, of course. My point stands (and it doesn’t seem like you disagree) - a user friendly manual remains difficult to achieve.

        Web-scraping is in some ways related. You could also get (almost all of) the data through scraping. If it’s not legal to scrape lemmy without permission, then it’s probably not legal to spin up your own instance and get the data that way. It depends on your purpose, of course.

        Interesting. So pyfedi is a good example - the software supports backfilling when the instance discovers a new community/magazine on another instance for the first time, but it does it via API only. This means no backfilling of comments, and sometimes you can see posts from years ago in a stale magazine but which don’t get backfilled because the API doesn’t return them.

        That’s also why I find the whole issue a little silly. Someone outside Europe could just scrape the data from the web interface and not worry about the GDPR.

        Clearview AI is a good example of exactly this kind of bad actor, see https://lemmy.world/comment/12151959

        But it seems like even then there are ways to enforce.

        You’d have to put all of Europe behind a firewall to make it make sense.

        Interestingly I’ve seen the reverse happen - websites blocking access to ip addresses that appear to be based in the EU to avoid having to deal with the GDPR and its ramifications.

        That’s a prime example of why I say the people in charge of the GDPR have no idea of the technology they are regulating.

        I disagree. The issue you’re describing is a common one in terms of extraterritoriality. How does the IRS get US citizens who are dual citizens living abroad to still pay taxes to the US? Enforcing laws extraterritorially is never easy, but as the IRS has proven, it is possible.

        I am one of those hoping that the GDPR would be a tool for the opposite (a way to rein in the big players, so to speak).

        Me too. I’d say this is point one of what I’d like the GDPR to achieve.

        Such regulation inherently favors big players. The cost of creating a compliant service/app/etc is fairly constant, regardless of the size of the user base.
        This is what’s inherently disturbing to me.

        Same here. I’m thinking one way forward may be to add funding to expand the agencies - one side does the regulation, but the other side offers free services to small business and individuals to help them comply.

        Besides, the GDPR inherently favors elites. Most people will never have … the money to hire professionals to do it right.

        No, I think that’s a plus of the GDPR. Cost is on the company to comply and relevant gov’t agency to chase up if the company doesn’t. Facebook was brought in line, so it seems like a success so far. An example of point one above working.

        Besides, the GDPR inherently favors elites. Has anyone ever … chased after you to get paparazzi pictures? Some people’s personal data is worth a lot more than that of others. Most people will never have to worry about scrubbing unflattering media stories from search engines,

        Isn’t this specifically covered by the journalism exception that the GDPR provides? https://verfassungsblog.de/the-gdprs-journalistic-exemption-and-its-side-effects/

        Has anyone ever tracked your private jet on twitter?

        I can kind of understand this though. What if I want that hidden so militants with missiles can’t shoot me down? Easily justifiable by protection of life.

        Even if it is flawed it’s still a step in the right direction IMVHO. I’m in Canada, which had PIPEDA back in 2000 - 18 years before the GDPR took effect in the EU.

        Tell me what you hope the GDPR will achieve and I’ll tell you if there is any chance.

        See where I mention point one above.

        I’d write what the fundamental problems are, but time is short.

        Seeing as it’s a couple of months later, I’d add that I’m willing to wait if you think you will ever get around to it. Though you have already brought up some good points - the most salient one being that GDPR compliance is simply too expensive and not user friendly for a small time individual, but I still feel that this is something that can be improved upon without major revisions to the GDPR itself.