304

This is extremely concerning for me . Thoughts ? (lemmy.today)

submitted 8 months ago* (last edited 8 months ago) by THE_MASTERMIND@lemmy.today to c/casualconversation@lemmy.world

72 comments fedilink hide all child comments

https://github.com/LemmyNet/lemmy/issues/4433

Should i repost this to any other /c/'s meant for this kind of things ?

EDIT: In case anyone don't understand what this is it is an issue raised by someone on lemmy git that when an account is deleted or banned it should also delete the data the data posted by the user. And one of the main dev nutomic is blowing it of like it won't affect me and maltfield is remainding him that it is illegal under the EU law and it also affects lemmy and moreover it is not ethical or moral . And i thought that was what lemmy was built on privacy, ethics and morals now i am dissapointed.

EDIT : For everyone saying there is no way i am not really ap roggrammer or anything but couldn't this work :

They could just roll it out on a new version and i think most instances won't mod it to remove that maybe some oddball ones will but not most. I know saved copies will be there but who cares no one is saving my 1000 comments but that is not the case with this .

It is copy pasted from one of my replies.

EDIT: Also it is not my intention to point finger to lemmy devs and i can differentiate their political stance and their work my only intention was to see that if this post gained enough traction they will reply or fix the issue.

EDIT : Relevant comment from @NeatNit@discuss.tchncs.de about what if other instance don't delete your data.

So maybe those instances are breaking the law, but Lemmy by default should comply. You could say the exact same thing about any social media - scrapers can and do archive everything they can - but that doesn’t absolve the original platforms (e.g. Twitter) from having to follow the law.

EDIT : As just a person i can't do anything about it but i am certain if everybody pitch in the lemmy devs will listen and even though everyone seems to hate lemmy devs political stance i can differentiate with politics and their work and i find @Dessalines@lemmy.ml to be very responsive so i am gonna mention him and see what he thinks about it instead of trashing lemmy devs on speculation (i don't know nutomic's id) even though i don't agree wuth nutomic's response in this case i don't share the views of many people in the comments and don't associate this post with them.

EDIT : I just want an option to purge my data when deleting an account that you can enable or disable.

top 50 comments

sorted by: hot top controversial new old

[-] dessalines@lemmy.ml 140 points 8 months ago

I've been tagged here, so to answer some of the questions I saw below:

We already have a way to permanently delete / overwrite your comments when you delete your account. That's been done for a long time., and is easily visible in lemmy-UI when you go to delete your account.

We do federate that removal, but there's nothing that stops a malicious server from ignoring that request. Activitypub is ultimately like email; there is no unsend email button.

That ticket is more about image removals, which gets tricky. We recently added a table that makes sure to attach image uploads to the local user, and now what's needed is to build out an interface for handling those also, in addition to handling the removals properly. Issue for that is here.

Data privacy will always be an ongoing issue, and we have to handle new problems as they arise. That's nothing new for us.

The main issue in that ticket is that there are 2-4 of us devs working on software that is now used by over 40k ppl daily, and we're spread extremely thin. So my personal patience for people making demands, while refusing to do anything to help out themselves, is very thin. We are not a multi-million dollar corporation with hundreds of developers. If someone wants a feature that we don't have time to work on atm, they can help out by adding it.

I think maltfield is well-intentioned, but they've also shown no interest in helping out with any of these GDPR-related requests. We have no legal expertise about the GDPR, and lemmy is not european software, it's international software.

[-] Maalus@lemmy.world 19 points 8 months ago

If you have no expertise in european GDPR, then at least check the minimum. If you host EU users, you need to comply with it. If you can't or don't want to, you need to refuse them entry / access to the application. They cannot leave any data with you. And before you say "it doesn't apply to me I can do what I want" - no you can't, since in the US and many other countries you can still get fined for it.

If you don't have the resources, you need to throw a 451 response or some other general message blocking access to the EU.

[-] dessalines@lemmy.ml 39 points 8 months ago

If you're a lawyer then, you should advise ppl running servers, and also chime in on that thread.

[-] THE_MASTERMIND@lemmy.today 13 points 8 months ago* (last edited 8 months ago)

I understand your frustation and i do appreciete the work you do and in no way am i demanding anything but the way that issue was handled kinda irked me and that is why i posted here so maybe that issue would get more attention and be handled more fast. But things escalated and people started to speculate and i didn't want it to get anymore uncasual (because of the sub) or weird so i thought i should mention you and you can provide the anwers we seek and thus end the speculation and it was turning a little uncasual for this sub .

[-] originalucifer@moist.catsweat.com 77 points 8 months ago* (last edited 8 months ago)

dunno. if i was all that concerned about that kinda stuff i wouldnt be using a publicly, anonymously federating communication platform like lemmy

clearly people need to stay within legal requirements, and a user wanting to delete their account should be able to do so... but youre not recalling your remotely-transmitted posts anymore than you can recall the words you shout on a street corner.

e. ahh i see, this is about a bug they dont want to fix on lemmy because they dont feel they are gdpr targets

so, its definitely a bug. its definitely already on their bug list, but they arent acting on it for 'reasons'. and now that you pointed it out, they will definitely never act on it.

[-] Turun@feddit.de 28 points 8 months ago

but youre not recalling your remotely-transmitted posts anymore than you can recall the words you shout on a street corner.

That is true, but the user must still have the ability to delete all their comments. The fact that someone could have scraped the data is irrelevant.

[-] THE_MASTERMIND@lemmy.today 6 points 8 months ago

Exactly

[-] THE_MASTERMIND@lemmy.today 27 points 8 months ago

But him blowing it off like that was spezy we should be better than reddit and let users delete their data if they want to .

[-] rdyoung@lemmy.world 34 points 8 months ago* (last edited 8 months ago)

That would be ideal but reality is that because of the way the fediverse works there is no way to control what we post to instances that aren't our home one and we definitely can't undo the thousands of copies of those comments/posts that get copied across the fediverse.

This is a concept that was understood in the early days of the internet and seemed to have gotten forgotten over the years. The basic concept of not being able to unring a bell.

Basically even if a local instance lets us delete our account and all comments/posts, it would be up to every other federated instance to honor that delete transmission, we have no way to enforce that.

[-] pixxelkick@lemmy.world 14 points 8 months ago

there is no way to control what we post to instances that aren’t our home one

This doesn't give the home instance a get out of jail free card for also failing to comply.

This is pure whataboutism.

[-] rdyoung@lemmy.world 8 points 8 months ago

First off. That's not the definition of whataboutism. Second. It's simply the reality we live in. It's clear in posts like this who actually understand code and software at their core and who wouldn't be able to name even 1 coding language aside from an oldy like cobal.

I'm not justifying anything or saying that the right to be forgotten isn't a worthwhile goal to strive for. What I am doing is attempting to explain reality and the unlikelyhood of OPs dream happening in the fediverse any time soon, if at all.

I'll close by pointing out that it's clear you nor OP read or understood what I said about someone scraping an instance and having a copy of everything posted up to that point and the undeniable fact that you can't delete anything from that data even if every single instance respected the delete command.

[-] pixxelkick@lemmy.world 7 points 8 months ago

The fact you bring up scraping at all indicates you have no idea what this is about.

Data privacy and protection isn't about that.

"Some third party could just..." is indeed trying to whataboutism it, it's completely irrelevant.

Other instance owners are completely irrelevant.

You'll need to wrap your head around the fact that legally lemmy has to support the takedown request per instance, not federation wide.

If I truly wanted my data gone I'd have to make the request to each individual server. That's fine.

Data privacy and protection compliance means that I can request specifically server A take down my data, and still be fine with server B retaining a copy.

If I wanted both to drop the data, I'd have to request it from both individually.

Scrapers aren't involved here.

The protection isn't about "oh no people on the internet can see my posts"

It's more about "oh man it came to light Server B's owner is selling people's data and I don't want my data included in that"

This is a legal requirement, id recommend lemmy instance owners check in with their local lawyers about this, because a lack of compliance could get individual instance owners in hot water, and if multiple large instance owners realize this, it should put more pressure on the debs to fix that shit.

load more comments (1 replies)

[-] THE_MASTERMIND@lemmy.today 5 points 8 months ago

They could just roll it out on a new version and i think most instances won't mod it to remove that maybe some oddball ones will but not most. I know saved copies will be there but who cares no one is saving my 1000 comments but that is not the case with this .

[-] Nomecks@lemmy.ca 11 points 8 months ago

It's not an issue until it's an issue. Someone will need to attempt to exercise their GDPR rights to get a change made. As others have said, it's not so black and white as removing posts from something like Spezddit or Shitter, so the EU may need to weigh in if/when it becomes a legal issue.

[-] rdyoung@lemmy.world 10 points 8 months ago* (last edited 8 months ago)

A new version of what? This is open-source software, anyone can modify and compile their own version and stay federated so long as it stays compatible. Basing compatibility on the deletion of posts/comments/accounts is way more complex than you may think and would only lead to all kinds of unforeseen issues down the road.

All of this also doesn't stop anyone from scraping and storing a local copy of any public available instance. Somewhere in my collection of software I have one from a couple of decades ago that does exactly that, it pulls down an entire site just based on a url, it will basically mirror a site.

I think we would be better off focusing on 2 slightly at odds concepts.

Getting used to whatever we say is out there forever and learning to be comfortable with that and not saying anything that we would be bothered by friends and coworkers seeing.
Teaching people to be truly anonymous on the webs and being careful to not share enough info to be identified by their collective posts (which is easier than people realize).

load more comments (2 replies)

[-] surewhynotlem@lemmy.world 8 points 8 months ago

Sounds like we need a lawsuit to decide who is correct.

Anyone in the EU feeling feisty?

load more comments (15 replies)

[-] p3n@lemmy.world 65 points 8 months ago

It has been my experience working with FOSS that if you really want a bug fixed, or a feature implemented, it is best to take the following steps:

Fork the repository
Implement the feature or bug fix in your fork
Open an issue (if one does not exist already) in the upstream repository describing the feature or bug
Submit a pull request with your implemented changes as a solution to the issue

I have had a 100% success rate with these steps.

[-] tyler@programming.dev 19 points 8 months ago

Oh boy, you’re luckier than I. I’ve contributed to hundreds of oss software for over a decade and I’d say maybe 50% of PRs get merged, sometimes taking years. 50 is probably generous.

load more comments (1 replies)

[-] teft@lemmy.world 38 points 8 months ago

And i thought that was what lemmy was built on privacy, ethics and morals now i am dissapointed.

I don't think lemmy was built on that. The original software was written by tankies so i doubt they cared about privacy, ethics, or morals. It was built as an open source decentralized alternative to other news aggregation sites.

Everything you post to it proliferates out to every server you federate with so even when they implement this it would be trivial for someone to setup a catch all server that doesn't obey the delete command sent from another server and store everything everyone has posted. That might be why they haven't prioritized it. Just a guess from me though.

[-] agent_flounder@lemmy.world 15 points 8 months ago

The original software was written by tankies so i doubt they cared about privacy, ethics, or morals.

Oof lol

[-] NeatNit@discuss.tchncs.de 14 points 8 months ago

Everything you post to it proliferates out to every server you federate with so even when they implement this it would be trivial for someone to setup a catch all server that doesn’t obey the delete command sent from another server and store everything everyone has posted.

(repeating from my reply elsewhere)

So maybe those instances are breaking the law, but Lemmy by default should comply. You could say the exact same thing about any social media - scrapers can and do archive everything they can - but that doesn’t absolve the original platforms (e.g. Twitter) from having to follow the law.

load more comments (2 replies)

load more comments (1 replies)

[-] pixxelkick@lemmy.world 31 points 8 months ago

ITT: people too focused on Data Privacy with respect to other posters/internet denizens.

In reality the much bigger concern typically is the literal owner of the servers

If 1 server owner announces they are now selling off all their copies of raw lemmy data to an AI company to train on, legally by EU data privacy laws users very much would have a leg to stand on to demand their data be deleted and if the server owner doesn't comply, they could be in very hot water.

This doesn't have to be a federated problem.

You can request Server A delete your records while being cool with Server B keeping them, because Server A is selling your data and B isn't.

This delete/request action doesn't have to propagate, it can be "per server"

[-] abbadon420@lemm.ee 31 points 8 months ago

The secret trick is, abbadon420 isn't my real name.

[-] THE_MASTERMIND@lemmy.today 14 points 8 months ago

Shit i should'nt have used my real one.

[-] BloodSlut@lemmy.world 11 points 8 months ago

real name does not check out

[-] alyth@lemmy.world 15 points 8 months ago* (last edited 8 months ago)

Lemmy is decentralised. The idea that Lemmy should implement European GDPR law makes no sense. Should Lemmy also implement every censorship law of every country?

[-] Maalus@lemmy.world 26 points 8 months ago

If a website hosts european users, it needs to comply with GDPR. There isn't a middleground here, whether you like it or not. If you cannot comply, you need to refuse those users by law (just as a lot of american sites do).

load more comments (2 replies)

[-] schteph@lemmy.world 24 points 8 months ago

GDPR isn't about where the site is hosted, but whether it caters to EU citizens or not. So, if a lemmy instance allows EU citizens to register and/or visit, GDPR applies to them.

load more comments (1 replies)

load more comments (3 replies)

[-] TheTetrapod@lemmy.world 13 points 8 months ago

I think it should be an option to delete post and comment history upon account deletion, but by no means the rule. I hate finding swiss cheese threads on social media. Part of commenting on a platform like this is contributing your voice to the value of an overall discussion, and revoking that contribution is frequently more obnoxious for your fellow users than it is beneficial to you.

[-] pixxelkick@lemmy.world 22 points 8 months ago* (last edited 8 months ago)

I hate finding swiss cheese threads on social media

See the thing us, EU data privacy and protection laws don't really give a shit though

You feeling unhappy that chunks of a thread are missing due to someone requesting a data privacy wipe isn't, you know, a factor that matters

I'm sure you really wanted to know what so-and-so said, but the lack of their posts existing means they didnt want you to know what they said

And, you know... they have the right to do that.

[-] THE_MASTERMIND@lemmy.today 7 points 8 months ago

I agree with you not everyone lives to serve OP

load more comments (2 replies)

[-] Micromot@feddit.de 11 points 8 months ago

IIRC GDPR Right to be forgotten only affects personal data

[-] pdnq@feddit.de 18 points 8 months ago

Yes, it does not cover anonymized data or data that does not relate to an identifiable individual. But, if your Lemmy account is associated with a real email address, your comments and account details can be considered personal data under GDPR. The GDPR defines personal data as any information related to an identifiable person who can be directly or indirectly identified, particularly by reference to an identifier such as an email address. Even if you use a pseudonym (fake name), the fact that the account can be linked back to your real identity through the email address makes the associated data (like your comments) subject to GDPR provisions.

load more comments (3 replies)

[-] freamon@endlesstalk.org 11 points 8 months ago

This issue is about the fact that if you delete your account, lemmy will delete all the text in any posts and comments you've made. It won't go through those comments, read any URLs you've uploaded pictures too, and delete them if they've been hosted/cached locally.

Putting the lemmy devs response to one side for a moment: what's the concern here? The URLs for images in picts-rs are a random hex string - if you don't know the URL, you can't find it, and even if you do, you wouldn't be able to connect it to someone unless the info was literally in the image itself.

[-] pixxelkick@lemmy.world 11 points 8 months ago

if you don’t know the URL, you can’t find it

The owner of the server sure can.

[-] eya@lemmy.dbzer0.com 9 points 8 months ago

The Lemmy devs in general are not exactly known for being great people. Luckily the project is open source, and if they want to fuck around and find out then they can.