Title says it. Apparently lemmy devs are not concerned with such worldly matters as privacy, or respecting international privacy laws.
It’s been a problem for a while. Considering major social media companies have already gotten massive fines from the EU for violating the GDPR, maybe the lemmy devs will put more effort in setting up a deletion system once the EU sends them a fine for breaking the law?
The EU doesn’t have global jurisdiction, if an instance developer or admin has no EU presence then they could just ignore them.
Sure, but EU data protection laws may require EU based Lemmy instances to block instances that dont honour deletion requests.
This is why mastodon was built GDPR compliant by design.
Sure. Lemmy does have such a presence though.
“Lemmy” is a piece of software. A piece of software can’t violate the GDPR, it’s just a blob of data. You need to be running a server to do something that would break the GDPR. Those server-running admins are the ones that need to be concerned about their EU presence.
Maybe some of the people developing Lemmy are in that category and might get in trouble, but it will be because they’re running servers not because they’re developing Lemmy. If they get arrested or whatever it has no effect on Lemmy-the-software.
seems weird this expectation of privacy on public sites built for public consumption of public content posted by people publicly.
i mean, i get wanting to control your data. the software i use allows for this ( the 'bins offer a user-level purge).
but privacy? seems weird
I mean, to have a Lemmy account you already decided to put your trust in total strangers with questionable security credentials.
but… im not using lemmy
Mastadon works the same way, all ActivityPub services work the same way.
By being Federated that means data is being sent to remote servers. Sometimes that data doesn’t always make it, like a delete request. So someone on their own home-server deletes their post, but on some remote server where that post they made is cached, it’s not deleted, because the delete request never federated. For example, say you made a post on your own box, which you clearly have, and you delete a post, but it doesn’t get deleted over on say, Lemmy.world. That’s not purposeful, that’s something they’re also trying to fix.
This is literally a consequence of how federation works. It’s not a purposeful violation of GDPR.
sorry, i was just being snotty.
i know full well and am on the side of pointing out the futility of attempting privacy in a public space.
This is a lot like spray painting a message on a public wall in a neighborhood and then complaining because the community won’t paint over it (or destroy photos they took of it) when you realize how dumb it was.
You’re writing on a public space for free with no business behind it. You’re not the customer in this scenario.
Very bad indeed! This is the beginning of the end for lemmy.
Ps for those who don’t know, copying a deleted comment makes it appear in your pastbin
there’s a delete button
That’s a pretty uncharitable interpretation, especially considering Lemmy is developed in and funded in part by the EU, and it’s a consequence of Federation (and one they’re working on remedying).
If you were worried about this sort of thing, perhaps you should have done your research about the platform before making an account so you could bitch about it here. You definitely don’t sound like the voice of reason when you couldn’t be arsed to figured this out before you made an account.
Lemmy may be developed partially by EU funding, but that doesn’t mean they’re necessarily following EU laws.
For what it’s worth, complying with the GDPR and other privacy laws is on the corporate instance owners, not on the Lemmy devs. It’s up to the instance devs to make sure things like data encryption and deletion requests are set up correctly.
That said, there are exemptions for personal use. Things become a little muddy when you get to the “personal server but donations” territory, but companies and people have very different obligations when it comes to privacy.
Lemmy needs better tooling for privacy compliance, though. As an instance admin, the only way to generate full takeouts is to go through the database manually. The export button helps a lot, but doesn’t contain all user data.
“Maybe check if the website you signed up with is following the law” is a ridiculous take. They may be overestimating their privacy rights (especially when it comes to small servers run by individuals) but that’s not how the law works.
So you can’t make an account on this platform if you don’t agree with how it operates? By that logic no criticism of the platform by its users is possible, which is a great way to ensure it never gets better.
I mean, yes?
If you do not agree to the terms of a service, do not use the service. This is the case for essentially every system ever. You can go complain about it on Reddit or something if you like.
Okay, since you clearly carefully read and completely agree and support eveything in the Lemmy TOS, please tell me where it says it will keep your comments forever.
I’m not saying that the terms can’t be more transparent, because they absolutely can be.
But if you have become aware of this practice and you continue to participate, you have de facto agreed to it. You can of course agree to the terms and continue to criticize them, but you don’t get to sign up for a soccer game and then claim that the rules against using your hands don’t actually apply to you. If you don’t want to face the consequences of how distributed services like this fundamentally work, don’t use them.
It took this person 20 days to post this. They didn’t create their account to post it the same day or even the next day, ergo, they figured it out after the fact.
If they really had an issue with stuff like this, why pray-tel weren’t they already doing their due diligence to ensure that the service they were signing up for didn’t violate the GDPR in ways they didn’t like? That seems like a gross oversight by someone clearly incensed by it.
(Also, it continues to be questionable whether it’s actually breaking GDPR rules, and even in that regard, it would be individual server admins responsible for enforcing GDPR compliance.)
(Also, it continues to be questionable whether it’s actually breaking GDPR rules, and even in that regard, it would be individual server admins responsible for enforcing GDPR compliance.)
Wow I can’t believe you’re criticising the policy that you agreed to when you made your account. Sounds like you need to delete your account and take that kind of talk elsewhere.
You know, it’s clear you’re not arguing in good faith or taking what I’ve said in good faith, instead of choosing the most uncharitable interpretation you can to get a “gotcha,” so I think we’re done here.
Also, it’s not a “policy” it’s literally a byproduct of how federation works. Sorry you completely fail to understand the architecture of this service and how that influences how it works. All ActivityPub services suffer from the same issue.
Where’s the lie?
I don’t agree with that reasoning. It’s entirely possible for someone to be personally accepting of the Fediverse’s privacy issues, but make an intelligent, well informed, coherent critique of them.
Like perhaps the OP did? Seems like they had to personally accept the TOS, or at least tolerate it, but they also have a critique.
I also still don’t see how “yet you participate in lemmy” is a real answer.
Thats why I stay as anonymous as possible.
Yeah, the Fediverse is terrible for privacy. By design, I should add.
I’m pretty sure running a Lemmy server (or Mastodon server) in Europe in blacklist federation mode is illegal, as you’re exchanging data with external processors without any kind of validation about privacy arrangements. No DPAs, no competency decesions taken into account, data shared all over the world.
Lemmy lacks proper delete functionality (you can edit to replace the contents with an empty string, though). In theory you could exercise your rights and demand thst the administrator deletes all your PII, and instructs any data processors that PII was hared with to do the same. If they do not or cannot comply, that should be grounds for a complaint with your local DPA.
I’m not aware of any international privacy law, but this is going to be A Thing now that Meta and Tumblr and Foursquare are joining the Fediverse. My guess is that they’ll consult at least one DPA (probably the Irish one, they’re usually located there for tax reasons) for guidelines. I wouldn’t be surprised if data they severely restrict Fediverse activity within EU/EEA borders because of privacy laws.
Even more interesting will be what would happen if a user sued the instance admins of a European server that’s more than just a person. Several Fediverse instances are backed by organisations, which means they need to comply with the terms of the GDPR if they operate within Europe, and the way the open Fediverse operates just isn’t compatible.
This is one of the reasons I don’t see the Fediverse lasting long. Unless you add some kind of validation system to verify that you’re exchanging data within certain borders, the entire system as it stands simply cannot be run legally by anything bigger than private individuals.
However, it’s important to note that privacy law generally only applies to PII. Your works (blog posts, comments, etc.) are probably not covered by privacy laws. Your username probably is, though.
I think the fact there’s a privacy oriented community on Lemmy is pretty hilarious. Of course, privacy is irrelevant if you choose to share information willingly, but the entire protocol is a giant privacy violation.
As an added bonus: this applies to most other federated protocols as well (Bluesky, Matrix, XMPP, you name it) unless those servers are configured to only communicate with known-compliant servers.
Remind me again how things can be deleted from the internet?
OP is simply incorrect.
I’m coding a Lemmy alternative right now and have been testing this functionality out extensively. Deletes of posts and comments certainly federate, I’ve seen the AP traffic to make it happen. Also, the docs: https://join-lemmy.org/docs/contributors/05-federation.html#delete-post-or-comment
I haven’t tested what happens when the ‘delete account’ button is clicked… Mastodon solves this by sending a ‘delete this user’ Activity to every fediverse instance so there’s nothing about ActivityPub that makes removing an account and all it’s posts in one go impossible.
All your posts on the fediverse are effectively a public blog of your thoughts that will be scraped and stored in servers you have no control over.
If you care about privacy, which I understand, you probably want to leave quickly.
Here’s a rundown from someone who got fed up with the fediverse and kinda rage quit: https://blog.bloonface.com/2023/07/04/the-fediverse-is-a-privacy-nightmare/
Another example of this is that it’s not just about lemmy. One way in which lemmy actually federated well worth microblogs like mastodon is that users can be followed from mastodon etc.
So any number of servers running a number of open source easy to run platforms could be taking up everything you specifically post.
Thank you for posting that link. I’m not fed up (completely?) yet I suppose but it was eye-opening. I’ll have to be a lot more careful about posting, possibly not post again.
Effect of ActivityPub, not Lemmy. All federating systems function similarly, because it’s a feature of the protocol.
If instances want, they can ignore delete requests and your content stays in their cache forever (remember Pleroma nazis from couple of years ago?) - now, that is an instance problem that might be a GDPR issue, but good luck reporting it to anyone who cares. At best you can block and defederate, but that doesn’t mean your posts are removed.The fediverse has no privacy, it’s “public Internet”. Probably a good idea to treat it as such.
Message your admin and ask for purging of that post/comment/user.
Lemmy lack of central control is a feature. But it can still be GDPR compliant. GDPR did not make useNet illegal. GDPR does not make peer-to-peer illegal.
As an EU citizen you can still write letters to the editor of newspapers, and those letters can be published in those newspapers of record. Sending a message to Lemmy is akin to publishing publicly and opinion piece in a newspaper.
Certainly you can use GDPR to talk to an lemmy admin to remove your data on the instance you registered and account on. But due to the nature of Lemmy, it’s architecture, you can’t go out and retract all of the newspapers that have been published. That’s a physical impossibility.
Even if you could somehow talk to every administrator of every instance, you can’t prove you were that user who posted that data.
Oh no, that’s not even the half of it. The admin for your instance has access to literally anything on their server, including passwords afaik. If you want privacy, this ain’t it chief.
Every website has access to the password you use on that website. ALWAYS use unique and randomly generated passwords for every service.
They have access to your password hash, effectively the “infrastructure” admin(s) as I’ll call it (not admins of the site - they need to have access to the actual system that is running the instance) have access to the same things that infrastructure admins of another site would have.
Ah, guess i misunderstood a comment on here.
including passwords afaik
Nobody has access to passwords. They have access to password hashes, which are not the same thing. It would be the absolute most half baked of solutions to still be saving passwords in cleartext.
