• 0 Posts
  • 16 Comments
Joined 1 month ago
Cake day: August 17th, 2024






  • Hold on. You can’t keep personal data longer than needed. Making data disappear from the web is one important demand by the GDPR.

    Agreed, but - while it might be permissible legally to wipe out my data and content, what if I want to retrieve a copy afterwards?

    I wouldn’t want to keep control over other people’s content, but regarding my own…

    “Involuntary data transfer”
    I don’t know what exception that is. There are rules for data breaches. I’m not at all sure how much you have to do to block crawlers.

    Well, in that case, barring credible contradicting information from another source, I think it’s reasonable to accept the note from the former worker of a DPO. Would you agree?

    Comments are problematic because they inherently relate to other persons beside yourself. It could be argued that you have to delete your own writings as well when you shut down your instance.

    Hmm. Will need a good think about this - perhaps I should adjust my commenting style to avoid direct quoting and such…

    Ironically, that is a problem because if there is such an alternative, then it must be used. If you can reach your goal by processing less personal data, then you must do so.

    All the more reason to get started on it, I suppose.

    You’d only be hosting the communities created on your own instance. Apart from that, you’d simply authenticate the identities of users.

    Well, and dealing with responsibility for user content from your instance’s local users - but since it’s just the one instance (or small handful if you trust a few others) it’s still much more manageable. And it becomes zero for, e.g., single-user instances (since those would have zero other users and thus zero other content to worry about hosting).

    Unfortunately, confirming the identities also means transferring personal data.

    That’s why I had the idea of creating and using the federation-bot account - this way there’s no confirmation of identities or transfer of personal data.

    One question is what that would do to server load. I don’t know.

    Server admin question. Can save that for serverfault.com and the like IMVHO

    Proxying the posts/comments may be the better solution, but when and how that should be done has no clear answer.

    One of those things that need experimentation and research to determine, but an answer can be found.

    Unfortunately, the different DPOs don’t agree on everything. Maybe in a few years, this will all be at a point where ordinary people can be on the safe side by simply following a manual.

    Hmm - if different DPOs can’t agree, then I don’t see how we get to the point of a user friendly manual.

    Maybe it won’t be so much extra effort that it becomes impossible for hobbyists, but - on the whole - the future of the European internet belongs to big players.

    This is what’s inherently disturbing to me. I am one of those hoping that the GDPR would be a tool for the opposite (a way to rein in the big players, so to speak).

    People don’t know the law and just chose to believe a happy fantasy.

    It was a surprise to read from the former DPO worker that email as a system is not compliant with the GDPR.

    I believe, there is no way - at present - that an ordinary person can maintain an internet presence while being compliant with GDPR and other regulations.

    Hmm. I am starting to see why you take this view. Not saying I agree, but I can understand the frustration. That said, PIPEDA in Canada came to pass in 2000 - it’s considered to have GDPR-equivalency and we’ve not had the sort of issues that you are raising with PIPEDA, which makes me optimistic that the GDPR can likewise be something that folks can live with.

    The GDPR is a terrible mistake, but that’s not what people want to hear.

    Even if it is flawed it’s still a step in the right direction IMVHO. I’m in Canada, which had PIPEDA back in 2000 - 18 years before the GDPR took effect in the EU. Hence I believe a solution is workable and a balance can be struck - even if in the worst case that means additional legislation to tweak the existing law. (Though I’d not even go that far - for example, from the former DPO, it seems that if EU courts all agreed that the API behind federation was covered by the “involuntary data transfer” exception then Lemmy would already be GDPR compliant (or mostly so) as-is of the time that I write this.)


  • As GDPR-fans will tell you, data protection is a fundamental human right.

    And I completely agree with this. I’m one of those who is a GDPR-fan as well as a fediverse fan.

    We don’t let just anyone perform surgery, so don’t expect that just anyone should be able to run a social media site.

    So this is the fundamental disagreement I feel. Progress generally entails moving things into the hands of the people. We’re empowered because we can do things like program our own computers, 3-d print our own devices, and yes run our own social media site.

    Deny a person that right, and you take a bit of their power away. By running my own single user instance, I make sure that I always own my own content, no one can take it away from me by suddenly shutting down their website (as has happened to e.g. elle.co for example).

    As such, my goal here is to figure out how to let ma & pa joe run their own social media site on the fediverse, while staying GDPR compliant.

    Of course, the same can be said of surgery but it’s still not allowed. Obviously the harm from letting anyone try it is much worse than strictly regulating it, but is running a social media site on the fediverse likewise so harmful? Is there no way at all to strike the balance?

    They need legal experts on the team.

    I’ve been thinking about this. You are right of course, but I’d wager that this is outside of what most folks running instances can afford. In particular new devs who want to run their own single user instance.

    So what’s the way forward? I have come up with an idea for this. Basically we need to get some organization like the EU branch of the Electronic Frontier Foundation (EFF) to research this and come up with a HOWTO guide that covers most of the average cases - along with pointers on when something is not covered by the guide (so at least you know going in that you’d need to pay for that extra legal firepower).

    On mastodon, you follow a person, which they can refuse. Only then the data is automatically sent to your instance. On lemmy, you subscribe to a community and everyone’s posts and comments are sent to yours. At least, that’s how I understand it.

    I think you have understood correctly. This actually provided me with the epiphany that I needed. On forum-like software that speaks ActivityPub (like pyfedi or mbin), there’s no actual need to actually transfer the content. Just send me a notification - with the “user” being a bot account named something like “federation_bot_messenger” with a link to the new post or comment, then bubble it up to the user to open in their browser. No content is shared, and no identifiers like a user name get shared, so there’s no risk of a GDPR violation. It’s just a link.

    One could imagine that fancier web UIs might use an iframe or something to display the content in place instead of requiring an extra manual click - but it’s still only on the end user’s browser that the content is transferred.

    We could still have traditional federation - but just as you describe, the allow list for that is only for those instances where you know the folks (have contracts you said) and thus are assured that the transfer of content complies with the GDPR. For unknown instances, just do the link sharing. It could be implemented in a way that instances running older software would still see a post by the bot account with just the link inside. (Perhaps as an enhancement, folks could designate a trusted instance as the primary - e.g. my instance trusts lemmy.world as primary, so when it sends the links out, it sends out a lemmy.world link, to take the load off of my own instance from users clicking on links.)

    Or am I missing anything here?

    Bear in mind, that few of the people who passed the GDPR have any technical background. Of the people who interpret it - judges and lawyers - fewer still have one. They are not aware of how challenging any of these requirements are.

    I think this is a bit unfair. Clearly they had technically knowledgeable advisors at the very least. After all, they came up with exceptions like this,

    There are two exceptions here: “Involuntary data transfer” is generally seen as not being part of the data handling. But that mainly applies to datascrapers like the web archive and similar usage where the data is transferred through general usage of a page that the DC cannot reasonably prevent without limiting the usage of their service massively.

    That said I think I might have been a bit unfair to the lemmy devs. From https://tech.michaelaltfield.net/2024/03/04/lemmy-fediverse-gdpr/ I can see that pretty much all of the issues raised directly on lemmy itself have since been resolved - by a dev writing code to fix the problem. Even if GDPR isn’t the highest priority, the devs are clearly at work trying to address what they can when they can.
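
The link-only federation idea described in the comment above, sketched as an added example (not part of the original comment and not code from Lemmy, pyfedi or mbin). It assumes ActivityStreams `Create`/`Note` objects; the host names, the allow list and the bot actor URL are constructed placeholders.

```python
import hashlib
import html
import json

AS_CONTEXT = "https://www.w3.org/ns/activitystreams"
PUBLIC = "https://www.w3.org/ns/activitystreams#Public"

# Assumptions (constructed values): the allow list of instances with which an
# agreement exists, and the actor URL of the hypothetical bot account.
TRUSTED_INSTANCES = {"trusted.example"}
BOT_ACTOR = "https://home.example/u/federation_bot_messenger"


def build_activity(post, target_host, trusted=TRUSTED_INSTANCES):
    """Build the Create activity delivered to target_host for a local post."""
    if target_host in trusted:
        # Traditional federation: author and content are transferred.
        actor = post["author"]
        obj = {"id": post["url"], "type": "Note", "attributedTo": actor,
               "content": post["content"], "url": post["url"]}
    else:
        # Link-only notice: the bot is the actor, the body is just the link.
        actor = BOT_ACTOR
        digest = hashlib.sha256(post["url"].encode()).hexdigest()[:16]
        link = html.escape(post["url"], quote=True)
        obj = {"id": f"{BOT_ACTOR}/notice/{digest}", "type": "Note",
               "attributedTo": actor,
               "content": f'<a href="{link}">{link}</a>',
               "url": post["url"]}
    return {"@context": AS_CONTEXT, "id": obj["id"] + "#create",
            "type": "Create", "actor": actor, "to": [PUBLIC], "object": obj}


def leaked_fields(activity, post):
    """Return which of the post's author/content values appear on the wire."""
    wire = json.dumps(activity)
    return [k for k in ("author", "content") if post[k] in wire]


# Constructed sample post.
SAMPLE_POST = {
    "url": "https://home.example/post/42",
    "author": "https://home.example/u/alice",
    "content": "<p>My thoughts on the GDPR and federation.</p>",
}

if __name__ == "__main__":
    for host in ("trusted.example", "unknown.example"):
        act = build_activity(SAMPLE_POST, host)
        print(host, act["actor"], leaked_fields(act, SAMPLE_POST))
```

The check only covers the author URL and the body text; it assumes post URLs do not embed a user name, and the link still names the originating instance.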


  • a purely personal or household activity
    No chance. This is what makes it legal to share data within a family and, to a degree, among friends. Running an open social media platform is neither a personal nor a household activity.

    Hmm.

    So running a single user instance for my own personal use (and keeping in mind the nature of federation meaning the only stuff my instance sends out is the stuff that I write) is absolutely not covered by the above?

    The UK is not part of the EU. They kept the GDPR when they left, but it should not be assumed that the UK interpretation is always the same.

    That is a very good point indeed.

    The GDPR is not very thoroughly enforced; much to the chagrin of some people. This may or may not change in the future. It would be politically quite unpopular, a bit like thoroughly enforcing no-parking zones.

    Seems risky to rely on low enforcement though. For those of us who love federation and privacy and want to federate while complying with the GDPR - what must be done?



  • It does apply.
    admins are hosting what’s available.

    After writing my comment above I realized that lemmy.world (an EU based instance) does in fact comply with the GDPR - their policy is described at https://legal.lemmy.world/privacy-policy/

    So it’s possible for fediverse instances to comply with the GDPR. What makes one think it wouldn’t be doable?

    They won’t be able to the second someone reports them and a spotlight is put onto them.

    I mean, unless they give in and comply with the GDPR.

    Devs just don’t give a shit

    I guess you are referring to lemmy here. Considering who they are (they run lemmygrad.ml which is defederated from much of the fediverse) this isn’t surprising. But lemmy isn’t the only software on the fediverse - I’d check out piefed.social and mbin for starters.

    The other thing is - if you think there’s some software improvement needed to better comply with the GDPR, instead of asking overworked devs who are donating their free time to fix it - why not raise a pull request yourself with the fixes? (Or if you aren’t much in the way of coding ability but have money burning in your pocket, hire someone to do the same and donate the result!)


  • I think semi public would be like setting your facebook profile to private. It shows your name, and basic details, but doesn’t show all your posts or interactions.

    Seems reasonable. It’s good to figure these things out now btw, as courts will adopt the “common definition” if the law doesn’t explicitly define things (including referencing dictionaries for the meanings of words).

    I find this interesting. Does one just install software and buy a domain?

    You don’t even need to buy a domain necessarily, just have a place to install the software and use one of the free services.

    I run my own self-hosted single-user pyfedi instance, and I more-or-less do so for free (I mean I pay for internet and I bought the old laptop that I’m running pyfedi on ages ago, but that’s it).

    After looking at a lot of different options, I decided to go with srv dot us since srv dot us guarantees you a permanent domain name without having to pay (albeit you can’t pick the name). srv dot us actually doesn’t require any signup either - you just follow the instructions, connect, and go - and they only keep records like your ip address for one day, so if you stop using it for longer then poof you’re suddenly that much harder to trace.

    ngrok dot com also offers a free domain name (but you can’t pick - if you want to choose your own then you have to pay). You sign up with your email and all that though (you can also sign up using your github account). I almost went with this (the author of pyfedi, Rimu@piefed.social, mentions (recommends?) using ngrok for this purpose) but at the time I had some other issues and misdiagnosed it as ngrok blocking federation with their silly popup (see https://stackoverflow.com/questions/73017353/how-to-bypass-ngrok-browser-warning for more details)

    You can learn more about pyfedi by visiting the flagship instance at piefed.social

    I would assume there’s somewhere you have to register with in order to federate.

    Nope, nothing like that. Verification is done mostly just by making sure you own or otherwise legitimately have access to the domain that you are using (specifically that you have SSL certs that are certified for the given domain for use in HTTPS if you wanna get a little bit technical).

    I mean, if there’s no one to go after, this would be a nice work around. At least, until there’s a site for every Texan that figures it out.

    So fly-by-night instances it is! It wouldn’t necessarily work for large instances with many users though - pretty much all of these do buy their own domain, for which you have to provide your legal name and address and such (even if it’s not public thanks to domain privacy, it would be available to law enforcement)

    And federation does not play nice with someone’s domain name changing. Meanwhile if one is caught registering for a domain with a fake name etc then the domain registrar is entitled to cancel the ownership of that domain and take it back.

    That said, one might luck out and find a good domain with a registrar that’s in a jurisdiction that is particularly unfriendly to Texas’s ability to enforce SCOPE.

    Edit: haha, you kinda answered this somewhere else as I was typing

    Thought I could enhance my previous answers by adding a little more detail here.



  • the ISP didn’t block the site,

    And from the article you posted at the beginning, perhaps the ISP can’t be required to do that. At least it’s not listed as an explicit remedy. Others are suggesting that Texas might block the site from being accessible from within Texas, but there’s nothing in the law itself that suggests Texas would legally do this.

    Basically it reads like that they’re restricted to whatever the existing office of the AG of Texas could have already done in terms of enforcement powers, which is largely fines.

    It seems it’s up to whomever is registering the account. If the person is under 18 they see a scrubbed version, if the person is over 18 they have full access.

    Or, like, not allow registration for under 18s at all, I suppose.

    I’m not sure an ISP has control like that. I could be wrong.

    No, you are right. The site itself must comply.


  • Aha,

    Exemptions Small businesses as defined by the Small Business Administration (SBA);

    Not sure how this’d work overseas, but basically lemmy.world and friends just need to apply to SBA to get recognized as a small business, and they’re all good. (Or perhaps they could try to apply thru a US Embassy; or apply at a local authority and argue for legal equivalence between the SBA’s recognition and their own country’s).

    As for enforcement, well,

    If someone were to violate the act, the AG’s office may seek … civil penalties of up to $10,000 per violation, and attorneys’ fees

    So yeah basically it comes down to trying to grab money. So as they say about sucking blood from a turnip…


  • My guess is that the law is basically extra-territorial - meaning that in theory it applies no matter where you are based.

    For a for-profit service this is more enforceable - just gotta find a way to seize the stream of money flowing out of Texas for violation of the law.

    For a service based in the US this is more enforceable - just gotta get the federal system and other states to cooperate, and enforce Texas’s court judgement, and then Texas can find a way to seize the stream of money flowing around and out of the US (or perhaps seize the US assets of the company).

    For a non-commercial entity based in the territory of the European Union that has no funds flowing at all from the US (think lemmy.world or feddit.de here) then it’s probably quite a bit harder to do anything at all in terms of effective enforcement.