• 0 Posts
  • 24 Comments
Joined 1 year ago
cake
Cake day: October 16th, 2023

help-circle




  • Git itself is not proprietary so all the projects can survive without GitHub if the need arises. Ad

    You’re neglecting the exclusion that’s inherent in Github when the need to bounce does NOT arise.

    Also worth adding that during the war in Gaza some of us boycott Israel. Which implies boycotting Microsoft.

    Additionally, you don’t need an account to view the repository or its discussions.

    Advocating read-only access is comparable to endorsing only freedom 1 and 2, not freedom 0 or 4. Which is precisely what I’m talking about: FOSS projects that discard digital rights and partake in digital exclusion for some convenience frills.

    There is of course a walled garden for participation and it is an issue, however it doesn’t compare to discord, which is much, much worse.

    Bug trackers have more of a monopoly on bug reports than discord has on discussions. There are countless decentralized discussions about free software all over the place – threadiverse, probably facebook, ad hoc phpbb forums, IRC, usenet, mastodon, mailing lists, conferences like FOSDEM … and rightfully so. Discussions don’t need the centralization that bug trackers do. General discussions also do not have the degree of importance to QA that bug tracking does.

    Case in point, when bugs are reported outside of Github, they don’t get noticed by developers and triaged.


  • There’s not really much point in using a self hosted gitea or codeberg or sourcehut if you want the barrier of entry to be as low as possible for potential contributors.

    Of course there is.

    But GitHub has more features (like discussions), provides better hosting and ease of use.

    Bingo. Prioritizing convenience features above digital rights principles is exactly why Github’s walled garden dominates over forges that have a lower barrier of entry.

    The focus of any open source project should be on development of the software, not the software which supports its development.

    Again, people to setting aside their principles is exactly what I’m talking about.



  • from the article:

    In short, using Discord for your free software/open source (FOSS) software project is a very bad idea. Free software matters — that’s why you’re writing it, after all. Using Discord partitions your community on either side of a walled garden, with one side that’s willing to use the proprietary Discord client, and one side that isn’t. It sets up users who are passionate about free software — i.e. your most passionate contributors or potential contributors — as second-class citizens.

    Interesting to do a “s/Discord/Github/” replace on the above. Same situation yet hardly anyone gives a shit.

    So yes, Drew DeVault is right. But he overestimates people’s commitment to free world digital rights principles and consistency thereof.




  • Thanks!

    The To: address in the header would be interesting. Of course, you wouldn’t want to disclose it verbatim here but it might be useful to have a rough idea. Was it Firstname.Lastname@yadayada.com or some variation of that, or was it more like commonNickname@yadayada.com? Some people here think it doesn’t matter, that it’s inherently personal info, but the European Commission says it matters. It’s not hard and fast; there are varying shades of gray here. Maybe they kept logs of your IP address and maybe that makes a difference. You might want to read WP136 (I have yet to read that).

    I would love to see action taken against Reddit, if anything just to burden their lawyers and create some costs for them. But I doubt it will go anywhere. GDPR enforcement is such a shit-show in Europe. Even dealing with clearly blatant violations that are wholly internal to Europe which should irrefutably incur penalties, simple obvious cases are being ignored by DPAs. So I have little confidence that this cross-border case against a non-EU data controller would actually get results when the law is not really concrete. The one factor in your favor is that Reddit is somewhat high-profile which might take a DPA’s interest.

    I don’t think a “delete my account” button constitutes an Article 17 request. It removes the purpose of processing to some extent, which then relies on the data minimization principle (Art.5). Reddit can do a bit of hand-waving to make excuses like needing to retain your email address in case one of your posts sparks a legal inquiry. Your case would be stronger if you had submitted an explicit Art.17 request to Reddit.

    From the email:

    Per our lawyercats, we are not able to respond to further inquiries or questions.

    I wonder if that statement might be actionable. Art.12 and 13 require Reddit to identify a data controller with a point of contact and to tell you your GDPR rights (IIUC). And here they are outright stating in effect “we don’t want to hear from you”. I would stress that in your GDPR complaint, not just the misuse of your email which you expected to be deleted. But note they do provide an address at the bottom of that msg. Although that angle of attack might require Reddit having a way to know you have ties to a GDPR region after the supposedly “deleted” your acct.

    Also, I would look into any anti-spam laws your country has. There may be a higher degree of legal actionability there.


  • I’m trying to get to the bottom of this because a chunk of my data & activity is tied to nothing but my email address which always deliberately excludes personal identifiers and I do everything over Tor.

    GDPR recital 26 seems the most relevant. It’s complicated but note that the GDPR clearly does not apply to legal persons (aka moral persons aka companies). So a data controller must at a minimum have a way of knowing the account belongs to a natural person. Which IMO requires being linked to other data like IP address. Though even that is a fuzzy because IP databases on whether an IP address is residential boils down to guesswork.

    Tempting to read wp136 which predates the GDPR but seems quite relevant. It’s possibly the most exact answer unless there is a closely related CJEU ruling.





  • If I create an anonymous account but put what looks like a real name in the username field, and sign all posts with that real-looking name, who’s to say it’s really my name? Then suppose I lose my internet connection but want to exercise my right to be forgotten. The GDPR enables people to make an Art.17 request in writing but the GDPR also mandates that data controllers identify who the request comes from (so Mallory does not request deletion of Alice’s records). If a user ad hoc puts their name on everything then mails a request with a copy of their ID card which matches the name they put on everything, it’s a bit off because a company who does not ID users would not normally have the infrastructure in place to support GDPR requests. (and that’s a good thing… it’s good that there’s incentive to support the practice of offering anonymous accounts) But here’s the other problem: the ID mechanism itself must be minimal. A data controller cannot demand a full copy of your ID card if they can verify using something less intrusive like date of birth to verify you. Perhaps in this case a copy of the ID card would be necessary. OTOH, names are not generally unique, which would mean I could use my ID card to request deletion of all records of other people who have the same name.

    As a practical matter, we also have to figure that DPAs are extremely lazy. I’ve filed many Art.77 reports with strong irrefutable evidence and the cases just sit for years. I cannot see a DPA being motivated to work on a case that Reddit can easily defend. OP’s best move is to look at local anti-spam laws (I’m guessing it’s spam… I do not have access to the Cloudflared image the OP posted).