Nightmare on Lemmy Street (A Fediverse GDPR Horror Story) - Michael Altfield's Tech Blog - eviltoast
  • deegeese@sopuli.xyz
    link
    fedilink
    English
    arrow-up
    42
    arrow-down
    3
    ·
    edit-2
    9 months ago

    Bit of a red herring to put GDPR in the title when the article is about Lemmy missing key admin functions, and only tangentially how this runs afoul of GDPR.

    TL;DR Lemmy hasn’t implemented image deletion for users or admins, so don’t upload your government ID.

    • woelkchen@lemmy.worldM
      link
      fedilink
      English
      arrow-up
      21
      ·
      9 months ago

      Bit of a red herring to put GDPR in the title when the article is about Lemmy missing key admin functions, and only tangentially how this runs afoul of GDPR.

      I haven’t read the GDPR, yet, but it’s still a serious issue – GDPR or not. Imagine if Instagram did that. Everybody would seriously go bonkers and rightfully so.

      System administrators often aren’t software developers. Lemmy users need to trust Lemmy admins and Lemmy admins need to trust Lemmy developers. Maybe not letting users delete any uploaded media isn’t outright illegal, maybe it is. I’m in the camp of it being definitively not cool.

      • deegeese@sopuli.xyz
        link
        fedilink
        English
        arrow-up
        9
        arrow-down
        7
        ·
        edit-2
        9 months ago

        Inflicting lawyers on an open source project is a great way to drive off the developers.

        If I hear Lemmy has a GDPR problem I assume it’s lawyer BS only European instance admins have to worry about.

        If I hear Lemmy has bugs in basic CRUD functionality, that’s a real issue.

          • kernelle@lemmy.world
            link
            fedilink
            English
            arrow-up
            8
            ·
            9 months ago

            Yet GDPR requires if you operate anywhere but allow European citizens to register, you have to be GDPR compliant as well, or risk being blocked by an entire continent.

            • Maalus@lemmy.world
              link
              fedilink
              English
              arrow-up
              5
              arrow-down
              2
              ·
              9 months ago

              You can get fined by the entire continent. And you would need to pay up in that case, if living in the US for instance. The laws aren’t toothless, otherwise everyone would be abusing them, instead go to any US news site in Europe, and they’ll tell you they can’t serve content to you for legal reasons.

              • kernelle@lemmy.world
                link
                fedilink
                English
                arrow-up
                3
                arrow-down
                2
                ·
                9 months ago

                Oh for sure they will try to fine, but being another sovereignty they have no authority to force a payment.

                • Maalus@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  3
                  arrow-down
                  6
                  ·
                  9 months ago

                  Yeaaaah no. Look it up, you still have to pay up. It’s insanely good for EU citizens. Look at the top fines - Meta, Google, Amazon, Instagram, Facebook, with fines being tens of milions of dollars. The US works with the EU and you still get fined.

                  • kernelle@lemmy.world
                    link
                    fedilink
                    English
                    arrow-up
                    6
                    arrow-down
                    1
                    ·
                    9 months ago

                    Ofcourse they do, because they want to keep their business working in Europe. Which doesn’t apply to a decentralized system like the fediverse. But they do not have to pay the fine if they shut down all operations within Europe, which no company wants to do.

              • lambalicious@lemmy.sdf.org
                link
                fedilink
                English
                arrow-up
                1
                arrow-down
                2
                ·
                9 months ago

                The laws aren’t toothless, otherwise everyone would be abusing them,

                Have you heard of such small indie developers such as Google, Amazon or Facebook?

                • Maalus@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  3
                  ·
                  9 months ago

                  The exact same ones who have millions in fines racked up and are paying them? Yes, I have heard of those.

                  • lambalicious@lemmy.sdf.org
                    link
                    fedilink
                    English
                    arrow-up
                    1
                    arrow-down
                    1
                    ·
                    9 months ago

                    You said it yourself: Millions. Not Billions.

                    For these companies, paying such a mundane fine is just the business cost of being able to do whatever they want. The execs figuratively (and perhaps literally too) piss out a fine payment every morning before reading the newspaper company whatsapp account.

        • woelkchen@lemmy.worldM
          link
          fedilink
          English
          arrow-up
          6
          arrow-down
          1
          ·
          9 months ago

          If I hear Lemmy has bugs in basic CRUD functionality, that’s a real issue.

          Coincidentally I saw bug reports by that person and another person earlier that day (before the blog post was published), including one opened months ago with absolutely no reaction at all of even acknowledging that this is even an issue: https://github.com/LemmyNet/lemmy/issues/3973

          I’ve heard from time to time that Lemmy developers can be difficult to work with (I never worked with them, so I make it clear that this is hearsay) but I have the suspicion that there is some merit to that.

      • morras@jlai.lu
        link
        fedilink
        English
        arrow-up
        12
        ·
        9 months ago

        No, Lemmy servers are not exempt from GDPR compliance. The household exemption (you are not subject to gdpr for private activities) only applies for purely personnal activities. As soon as a service is offered to someone else, the exemption is no more applicable.

        That’s one of the drawback about open-source projects, they are designed to fulfill a need (persistent storage & decentralised communication for Lemmy), and no one give a f*ck about legalities.

          • morras@jlai.lu
            link
            fedilink
            English
            arrow-up
            9
            ·
            9 months ago

            I’m not so sure about the GDPR status for the Fediverse, I don’t think there’s the law is prepared for “Jerry runs this for people, just for fun”. It’s very much “official organisation” or “money grabbing business” oriented. Someone should fund an actual lawyer to look into this and lay down the real requirements.

            I’m working in the gdpr compiance field ;) Using a personnal device to monitor public space doesn’t fall under the household exception, this solution even pre-dates the GDPR (https://curia.europa.eu/jcms/upload/docs/application/pdf/2014-12/cp140175en.pdf).

            (the case-law is about camera fixed on a private house, but the logic easily translates in a private server grabbing public data).

            but when legal compliance comes up, everybody just sticks their fingers in their ears and pretends not to hear you.

            Just as you did ^^