Texas SCOPE act takes effect Sunday. How does Lemmy comply?

FarFarAway@lemmy.world to Ask Lemmy@lemmy.world – 6 points –
What is the SCOPE Act? New law expected to take effect Sunday aims to add extra layer of protection to kids online
click2houston.com

"The SCOPE Act takes effect this Sunday, Sept. 1, and will require everyone to verify their age for social media."

So how does this work with Lemmy? Is anyone in Texas just banned, is there some sort of third party ID service lined up...for every instance, lol.

But seriously, how does Lemmy (or the fediverse as a whole) comply? Is there some way it just doesn't need to?


I'm tired of Texas trying to expand their sphere of influence beyond their borders with shitty laws and shitty judges.

Why should it affect LW or any other (non-Texan) instance? Any rogue country with populists at the head can implement any arbitrary legislation. That does not affect Lemmy instances hosted in countries with reasonable governments. If Texas wants to enforce their rules (or punish for non-compliance), it is on them to approach instance admins or block the site in their corner of the global internet.

This is a fair view. I'm not sure anyone has gotten that far, especially outside the country.

Here's an article about a similar bill in Utah, that hasn't gone into effect yet.

What's not clear from the Utah bill and others is how the states plan to enforce the new regulations.

I mean if the general consensus is that it doesn't apply, then, cool.

I live in Texas, and can confidently tell you the people writing these laws have no fundamental concept of what the internet is or how to implement or enforce such a law for consistent adherence.

I can also tell you with confidence this law will be wielded with impunity against specific companies/sites our corrupt, petulant AG decides to go after. Fuck Ken Paxton.

As far as users in Texas, this is nothing a VPN can't fix.

I can absolutely see Texas looking at it the other way. "Your website can be accessed by our citizens? On you to comply with our laws." They then spit out a bunch of criminal charges that make things rather inconvenient for some instance hosts. The US reach into international banking systems is uncomfortably long.

The real problem question is about federation. You can post to an instance from any federated instance. If an account is created in one instance and the user posts to a federated instance are both liable? You have to be able to create accounts AND post to be subject to the law. Can one instance not allow posts but host accounts for participation in other instances to skirt around the law?

That would require jurisdiction to charge them anyways. They do not have such power.

The answer? Block Texas

Not joking. If suddenly hundreds or thousands of sites became unavailable, it wouldn't last a week.

That didn't work with porn, so it's not a good idea for less popular websites.

Who cares about porn

Enough that there's a serious spike in VPN sales during the porn age restriction wave.

I doubt NordVPN and friends would see that if EVERY single lemmy instance got banned.

Comply?

"Is there some way it just doesn't need to" = "Is there some scenario in which Texas laws don't apply worldwide?"

Yes. There is.

To expand on this - in general you must comply with the laws of any jurisdiction where you have a business presence. For example, Meta is a USA company, but they have offices in the EU and they sell advertising in the EU from EU offices so they have to comply with EU laws for EU users. They can't just wave off and say 'we are a USA company, EU regs don't apply to us'.

Lemmy is not a corporation. There is no business presence in Texas, unless an instance admin lives there or hosts the server there. So Lemmy, both as a whole and as individual instances, can simply give Texas the middle finger and say 'we aren't subject to your laws as we have no presence or business in your state. We are in the state of California (or whatever) and are subject to the laws of our home state. It is not our job to enforce Texas laws in California on servers hosted in Virginia.'

Thus Texas trying to enforce their laws on a Cali company is like Hollywood studios sending DMCA notices to Finland.

I'm fine with Texas disappearing from the internet. Literally every site with a comment section now has to comply or just block Texas. One of those seems more feasible.

The same way lemmy works with GDPR. Lemmy completely ignores it.

That's the vibe I'm getting. No problem.

At times like this I wish we had /c/LegalAdvice - would love for someone who says "IAAL" to chime in.

Some of the biggest lemmy instances - lemmy.world, feddit.de - are based in the EU. I don't understand how EU based instances like these would be able to get away with not following GDPR.

Though, it may be more that GDPR doesn't apply, as per https://decoded.legal/blog/2022/11/notes-on-operating-fediverse-services-mastodon-pleroma-etc-from-an-english-law-point-of-view/

[The UK GDPR] does not apply to … the processing of personal data by an individual in the course of a purely personal or household activity
But for those spinning up an instance of a fediverse service for them and their friends, for a hobby, I think there’s far more scope for argument.

In any case it seems like asking a fediverse instance to be compliant with the GDPR is possible, see for an example at https://sciences.re/ropa/ and https://mastodon.social/@robin/109331826373808946 for a discussion.

They won't be able to the second someone reports them and a spotlight is put onto them. It does apply. Devs just don't give a shit and admins are hosting what's available.

It does apply.
admins are hosting what’s available.

After writing my comment above I realized that lemmy.world (an EU based instance) does in fact comply with the GDPR - their policy is described at https://legal.lemmy.world/privacy-policy/

So it's possible for fediverse instances to comply with the GDPR. What makes one think it wouldn't be doable?

They won’t be able to the second someone reports them and a spotlight is put onto them.

I mean, unless they give in and comply with the GDPR.

Devs just don’t give a shit

I guess you are referring to lemmy here. Considering who they are (they run lemmygrad.ml which is defederated from much of the fediverse) this isn't surprising. But lemmy isn't the only software on the fediverse - I'd check out piefed.social and mbin for starters.

The other thing is - if you think there's some software improvement needed to better comply with the GDPR, instead of asking overworked devs who are donating their free time to fix it - why not raise a pull request yourself with the fixes? (Or if you aren't much in the way of coding ability but have money burning in your pocket, hire someone to do the same and donate the result!)

So it’s possible for fediverse instances to comply with the GDPR. What makes one think it wouldn’t be doable?

That's not even remotely enough, even assuming that the information is sufficient.

Mastodon is in a much better place, on account of how federation works there. It might still not be enough. Lemmy instances would have to stop all federation with instances beyond the territorial reach of the GDPR or equivalent. Federation within that territory should only happen based on a contractual agreement between the owners, probably with every user given an explicit choice to opt out.

That’s not even remotely enough, even assuming that the information is sufficient.

What's not enough? lemmy.world's privacy policy?

Mastodon is in a much better place, on account of how federation works there. It might still not be enough.

Hmm... what's the difference?

Lemmy instances would have to stop all federation with instances beyond the territorial reach of the GDPR or equivalent.

Oof. This is indeed a tough one.

I recall that this isn't universally true - in some cases a country or territory may be deemed as GDPR equivalent and after that data transfer is allowed without additional safeguards, see for example https://www.torkin.com/insights/publication/european-commission-approves-of-canada-s-data-protection-regime-(again)#::text=What%20does%20this%20mean%20for,authorizations%20to%20transfer%20the%20data.

Even so, this does impose significant limits on federation due to the risk of transferring data to non-complying territories.

Federation within that territory should only happen based on a contractual agreement between the owners, probably with every user given an explicit choice to opt out.

Uh - if this is right, then this is even more restrictive and seems to suggest a fundamental incompatibility between federation and the GDPR overall.

But, this has got to be an already solved problem. Usenet has been around since the 1980s at least, and NNTP was basically federating before there was ActivityPub. I'm missing something obvious here I'm sure, but what?

What’s not enough? lemmy.world’s privacy policy?

There's way more to do than writing a privacy policy. And I don't think the policy meets the requirements but getting that right certainly needs a specialist.

Hmm… what’s the difference?

On mastodon, you follow a person, which they can refuse. Only then the data is automatically sent to your instance. On lemmy, you subscribe to a community and everyone's posts and comments are sent to yours. At least, that's how I understand it.

seems to suggest a fundamental incompatibility between federation and the GDPR overall.

You could say that there is a fundamental incompatibility between the internet and the GDPR, but that's by design. The internet is about sharing (ie processing) data. The GDPR says, you mustn't (unless).

Take the "right to be forgotten". Before the internet, people read their newspapers, threw them away, and forgot about it. The articles were still available in some dusty archive, but finding them was laborious. With search engines, you could easily find any unflattering press coverage. So you get the right to make search engines remove these links and it's like back in the good old days. The fact that the GDPR is incompatible with existing technology is a feature, not a bug.

Bear in mind, that few of the people who passed the GDPR have any technical background. Of the people who interpret it - judges and lawyers - fewer still have one. They are not aware of how challenging any of these requirements are.

The main problem for the fediverse is that compliance requires a lot of expert legal knowledge. There's not just the GDPR but also the DSA and other regulations to follow.

Federation itself may also be problematic, since many more people get to be in control of the data than strictly necessary. The flow of data must be controlled and should be limited as much as possible. That would be much easier with a central authority in charge. But that's not a deal-breaker.

As GDPR-fans will tell you, data protection is a fundamental human right.

And I completely agree with this. I'm one of those who is a GDPR-fan as well as a fediverse fan.

We don’t let just anyone perform surgery, so don’t expect that just anyone should be able to run a social media site.

So this is the fundamental disagreement I feel. Progress generally entails moving things into the hands of the people. We're empowered because we can do things like program our own computers, 3-d print our own devices, and yes run our own social media site.

Deny a person that right, and you take a bit of their power away. By running my own single user instance, I make sure that I always own my own content, no one can take it away from me by suddenly shutting down their website (as has happened to e.g. elle.co for example).

As such, my goal here is to figure out how to let ma & pa joe run their own social media site on the fediverse, while staying GDPR compliant.

Of course, the same can be said of surgery but it's still not allowed. Obviously the harm from letting anyone try it is much worse than strictly regulating it, but is running a social media site on the fediverse likewise so harmful? Is there no way at all to strike the balance?

They need legal experts on the team.

I've been thinking about this. You are right of course, but I'd wager that this is outside of what most folks running instances can afford. In particular new devs who want to run their own single user instance.

So what's the way forward? I have come up with an idea for this. Basically we need to get some organization like the EU branch of the Electronic Frontier Foundation (EFF) to research this and come up with a HOWTO guide that covers most of the average cases - along with pointers on when something is not covered by the guide (so at least you know going in that you'd need to pay for that extra legal firepower).

On mastodon, you follow a person, which they can refuse. Only then the data is automatically sent to your instance. On lemmy, you subscribe to a community and everyone’s posts and comments are sent to yours. At least, that’s how I understand it.

I think you have understood correctly. This actually provided me with the epiphany that I needed. On forum-like software that speaks ActivityPub (like pyfedi or mbin), there's no actual need to actually transfer the content. Just send me a notification - with the "user" being a bot account named something like "federation_bot_messenger" with a link to the new post or comment, then bubble it up to the user to open in their browser. No content is shared, and no identifiers like a user name get shared, so there's no risk of a GDPR violation. It's just a link.

One could imagine that fancier web UIs might use an iframe or something to display the content in place instead of requiring an extra manual click - but it's still only on the end user's browser that the content is transferred.

We could still have traditional federation - but just as you describe, the allow list for that is only for those instances where you know the folks (have contracts you said) and thus are assured that the transfer of content complies with the GDPR. For unknown instances, just do the link sharing. It could be implemented in a way that instances running older software would still see a post by the bot account with just the link inside. (Perhaps as an enhancement, folks could designate a trusted instance as the primary - e.g. my instance trusts lemmy.world as primary, so when it sends the links out, it sends out a lemmy.world link, to take the load off of my own instance from users clicking on links.)

Or am I missing anything here?

Bear in mind, that few of the people who passed the GDPR have any technical background. Of the people who interpret it - judges and lawyers - fewer still have one. They are not aware of how challenging any of these requirements are.

I think this is a bit unfair. Clearly they had technically knowledgeable advisors at the very least. After all, they came up with exceptions like this,

here are two exceptions here: “Involuntary data transfer” is generally seen as not being part of the data handling. But that mainly applies to datascrapers like the web archive and similar usage where the data is transferred through general usage of a page that the DC cannot reasonably prevent without limiting the usage of their service massively.

That said I think I might have been a bit unfair to the lemmy devs. From https://tech.michaelaltfield.net/2024/03/04/lemmy-fediverse-gdpr/ I can see that pretty much all of the issues raised directly on lemmy itself have since been resolved - by a dev writing code to fix the problem. Even if GDPR isn't the highest priority, the devs are clearly at work trying to address what they can when they can.

Deny a person that right, and you take a bit of their power away. By running my own single user instance, I make sure that I always own my own content, no one can take it away from me by suddenly shutting down their website (as has happened to e.g. elle.co for example).

Hold on. You can't keep personal data longer than needed. Making data disappear from the web is one important demand by the GDPR.

Comments are problematic because they inherently relate to other persons beside yourself. It could be argued that you have to delete your own writings as well when you shut down your instance. Or it could be argued that other people's post may be kept (possibly anonymized) because otherwise your personal data would be incomplete. The 2nd is obviously what reddit is doing. That seems to draw more criticism than praise from the lemmy community, to put it mildly.

The GDPR gives you rights over data, like copyright does. It inherently gives you a right to control what other people do on their own with their own physical property.

Of course, the same can be said of surgery but it’s still not allowed. Obviously the harm from letting anyone try it is much worse than strictly regulating it, but is running a social media site on the fediverse likewise so harmful? Is there no way at all to strike the balance?

You don't need to ask me. The GDPR is a terrible mistake, but that's not what people want to hear. People don't know the law and just chose to believe a happy fantasy. I believe, there is no way - at present - that an ordinary person can maintain an internet presence while being compliant with GDPR and other regulations. Mind, you also need to comply with the Digital Services Act and other stuff. With some skill, you can probably do a webpage, even with ads, but nothing where you interact with visitors and must collect data.

Basically we need to get some organization like the EU branch of the Electronic Frontier Foundation (EFF) to research this and come up with a HOWTO guide that covers most of the average cases - along with pointers on when something is not covered by the guide (so at least you know going in that you’d need to pay for that extra legal firepower).

Yes. The DPOs issue guidances and send out newsletters. That would be a place to start. Unfortunately, the different DPOs don't agree on everything. Maybe in a few years, this will all be at a point where ordinary people can be on the safe side by simply following a manual. The problem is that this will still require extra time and effort. Well, content moderation also requires a lot of time and effort. Maybe it won't be so much extra effort that it becomes impossible for hobbyists, but - on the whole - the future of the European internet belongs to big players.

We could still have traditional federation - but just as you describe, the allow list for that is only for those instances where you know the folks (have contracts you said) and thus are assured that the transfer of content complies with the GDPR. For unknown instances, just do the link sharing. It could be implemented in a way that instances running older software would still see a post by the bot account with just the link inside. (Perhaps as an enhancement, folks could designate a trusted instance as the primary - e.g. my instance trusts lemmy.world as primary, so when it sends the links out, it sends out a lemmy.world link, to take the load off of my own instance from users clicking on links.)

Or am I missing anything here?

I was thinking the same. Ironically, that is a problem because if there is such an alternative, then it must be used. If you can reach your goal by processing less personal data, then you must do so.

You'd only be hosting the communities created on your own instance. Apart from that, you'd simply authenticate the identities of users. One question is what that would do to server load. I don't know.

Unfortunately, confirming the identities also means transferring personal data. It would also mean that the remote instance is able to connect an IP-address to a username; potentially allowing the real life identity to be uncovered. Proxying the posts/comments may be the better solution, but when and how that should be done has no clear answer.

Clearly they had technically knowledgeable advisors at the very least.

Yes. Those are commonly referred to as industry lobbyists.

“Involuntary data transfer”

I don't know what exception that is. There are rules for data breaches. I'm not at all sure how much you have to do to block crawlers.

Hold on. You can’t keep personal data longer than needed. Making data disappear from the web is one important demand by the GDPR.

Agreed, but - while it might be permissible legally to wipe out my data and content, what if I want to retrieve a copy afterwards?

I wouldn't want to keep control over other people's content, but regarding my own...

“Involuntary data transfer”
I don’t know what exception that is. There are rules for data breaches. I’m not at all sure how much you have to do to block crawlers.

Well, in that case, barring credible contradicting information from another source, I think it's reasonable to accept the note from the former worker of a DPO. Would you agree?

Comments are problematic because they inherently relate to other persons beside yourself. It could be argued that you have to delete your own writings as well when you shut down your instance.

Hmm. Will need a good think about this - perhaps I should adjust my commenting style to avoid direct quoting and such...

Ironically, that is a problem because if there is such an alternative, then it must be used. If you can reach your goal by processing less personal data, then you must do so.

All the more reason to get started on it, I suppose.

You’d only be hosting the communities created on your own instance. Apart from that, you’d simply authenticate the identities of users.

Well, and dealing with responsibility for user content from your instance's local users - but since it's just the one instance (or small handful if you trust a few others) it's still much more manageable. And it becomes zero for, e.g., single-user instances (since those would have zero other users and thus zero other content to worry about hosting).

Unfortunately, confirming the identities also means transferring personal data.

That's why I had the idea of creating and using the federation-bot account - this way there's no confirmation of identities or transfer of personal data.

One question is what that would do to server load. I don’t know.

Server admin question. Can save that for serverfault.com and the like IMVHO

Proxying the posts/comments may be the better solution, but when and how that should be done has no clear answer.

One of those things that need experimentation and research to determine, but an answer can be found.

Unfortunately, the different DPOs don’t agree on everything. Maybe in a few years, this will all be at a point where ordinary people can be on the safe side by simply following a manual.

Hmm - if different DPOs can't agree, then I don't see how we get to the point of a user friendly manual.

Maybe it won’t be so much extra effort that it becomes impossible for hobbyists, but - on the whole - the future of the European internet belongs to big players.

This is what's inherently disturbing to me. I am one of those hoping that the GDPR would be a tool for the opposite (a way to rein in the big players, so to speak).

People don’t know the law and just chose to believe a happy fantasy.

It was a surprise to read from the former DPO worker that email as a system is not compliant with the GDPR.

I believe, there is no way - at present - that an ordinary person can maintain an internet presence while being compliant with GDPR and other regulations.

Hmm. I am starting to see why you take this view. Not saying I agree, but I can understand the frustration. That said, PIPEDA in Canada came to pass in 2000 - it's considered to have GDPR-equivalency and we've not had the sort of issues that you are raising with PIPEDA, which makes me optimistic that the GDPR can likewise be something that folks can live with.

The GDPR is a terrible mistake, but that’s not what people want to hear.

Even if it is flawed it's still a step in the right direction IMVHO. I'm in Canada, which had PIPEDA back in 2000 - 18 years before the GDPR took effect in the EU. Hence I believe a solution is workable and a balance can be struck - even if in the worst case that means additional legislation to tweak the existing law. (Though I'd not even go that far - for example, from the former DPO, it seems that if EU courts all agreed that the API behind federation was covered by the "involuntary data transfer" exception then Lemmy would already be GDPR compliant (or mostly so) as-is of the time that I write this.)

It doesn't exactly ignore it, but in a sense GDPR doesn't apply to Lemmy.

Long story short, GDPR is made to protect private information, and EVERYTHING in Lemmy is public so there is no private information to protect. It's similar to things like pastebin or even public feed in Facebook, companies cannot be penalized for people willingly exposing their information publicly, but private information that is made public is a problem.

That is entirely incorrect. It is general data protection regulation, not privacy regulation.

You are given certain rights over data relating to you. For example: you may have it deleted. Have you googled the name of a person? At the bottom, you will find a notice that "some results may have been removed". Under the GDPR, you can make search engines delete links relating to you; for example, links to unflattering news stories (once you are out of the public eye).

Sorry, forgot about answering here. Although the name is General data it is about personal data. I was going to reply with point by point why it either doesn't apply to Lemmy or it follows GDPR, but I think it might be easier to answer directly your point about right to be forgotten.

First of all, Lemmy allows you to delete your posts and user, so it complies with it, but even if it didn't, GDPR has this to say:

Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

Paragraphs 1 and 2 are the right to be forgotten

for exercising the right of freedom of expression and information;

Which one could argue is public forum primary use

for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing;

Which again one could argue is part of the purpose of Lemmy as well.

I was going to reply with point by point why it either doesn’t apply to Lemmy or it follows GDPR

It does apply to lemmy and lemmy is not compliant. That is simply a fact as far as the courts have ruled so far.

Which one could argue is public forum primary use

One can argue a lot. But if such hand-wavy arguments work, then why do you think anyone ever has to pay fines or damages?

For this argument to work, you have to argue that erasing the precise personal data in question would infringe on someone else's right to freedom of expression and information.

The original "right to be forgotten" was about links to media reports. The media reports themselves did not have to be deleted because of freedom of information, but google had to delete the links to them to make them harder to find. This is a narrow exception. Under EU law, data protection and these freedoms are both fundamental rights. They must be balanced. The GDPR dictates how. These exceptions will only apply where these freedoms are infringed in a big way.

At least, you have to do like reddit and anonymize the comments and posts. It could be argued that you actually may not even do more. Removing comments that someone else has replied to arguably makes their personal data incomplete. Reddit's approach meets a lot of outspoken criticism on lemmy.

The problem is that the data is duplicated all over the federated instances. So, someone on your instance deletes their data, Other instances also delete their copies. What do you do if someone in the US refuses to delete and maybe gives you that argument about freedom of expression? That's right. You pay damages to your user because you screwed it up.

Lemmy isn’t social media. Ignoring that though, the law actually says:

According to the Texas Office of the Attorney General, this new law will primarily “apply to digital services that provide an online platform for social interaction between users that: (1) allow users to create a public or semi-public profile to use the service, and (2) allow users to create or post content that can be viewed by other users of the service. This includes digital services such as message boards, chat rooms, video channels, or a main feed that presents users content created and posted by other users.”

Which literally applies to every single site on the entire planet that has a comment section. This law is incredibly unenforceable.

Yep. This is another dumbass politician trying to solve a problem that doesn't exist with a solution that doesn't work.

It's not about solving a problem, it's about exerting control.

Lemmy is absolutely social media.

Nuh uh! I'm a Sovereign Netizen and I'm not driving social engagement, I'm just a traveler on the information superhighway!

Social engagement has nothing to do with social media. If you define anything with social engagement as social media then you literally are calling the entire internet social media.

It’s absolutely not. It has none of the hallmarks of social media (personal relationship, feed of user activity, likes and shares). It’s a forum. Forums existed for decades before social media. If you define forums as social media then you are defining every comment section on every site, including news sites, help sites, things like stack overflow even, as social media which is clearly ridiculous and so broad as to be a useless definition.

Lemmy isn’t social media.

What in the heck is it then?

It's a social news aggregator. I assume the difference is, that this is to follow mainly news, whereas social media is to mainly follow people. In my 10 years of reddit and now Lemmy I never followed any account, I was just there for the niche topics and news aggregation.

You'll note that Wikipedia has that article under the "Social Media" category.

I guess I disagree with "social media is to mainly follow people". I think social media is for socializing, regardless of who it's with. Sorry for the double reply.

I don't know about you but I'm here for the comments sections, i.e. to socialize. That counts as social media IMO. Socializing with random users and not followed accounts, is still socializing.

Social News aggregator = social media.

It's a webforum.

Webforums are not social media.

I totally disagree on both counts: forums are social media, and Lemmy is not a mere forum. Lemmy is a platform where people can create forums, and many of those forums (communities) exist mainly to socialize.

I'll give you that some forums (both on Lemmy and otherwise) that have a clear defined topic - such as tech support for a particular thing - are somewhat different from "social media", but even in those there are often regulars who use the forum to socialize with each other. Any forum with an "off-topic" subforum is social media in my book, in a very real sense (not just technically).

But hey, we can disagree on this and it's fine.

Engaging with people does not make it a social media platform.

A bathroom wall covered in graffiti messages is not social media.

an email is not social media.

text messages are not social media.

a brick with "Fuck You" written on it, thrown through a window, is not social media.

A restaurant you go to with friends is not social media.

A webforum is not social media.

IMs are not social media.

Just because you socialize on/in/at something, does not magically make it social media. Because Social Media is a very specific type of thing.

Stop trying to make everything into freaking facebook.

facebook is social media, therefore friendica is social media

instagram is social media, therefore pixelfed is social media

twitter is social media, therefore mastodon is social media

at the VERY least, all the latter platforms can interact with each other via activity pub, as can lemmy. by interacting with lemmy, you’re making interactions with social media

social media isn’t just big tech - social media is a way of interacting with a system

is reddit social media? most people would say yes it definitely is… and this makes lemmy firmly social media

Getting people to agree to a mistaken, misinformed premise does not mean you are right.

Lest you also believe the world is a flat pancake and other various nuttery.

Also, you clearly know what the difference is, since your list of examples is nothing but social media.

Again. Stop trying to make everything social media. You have all the social media you need to fuel your need for attention, as is. You don't need to make non-social media into more of it.

Wikipedia: „Lemmy (social network) - Open source social media software“

Also: „Social media are interactive technologies that facilitate the creation, sharing and aggregation of content (such as ideas, interests, and other forms of expression) amongst virtual communities and networks.“ How does Lemmy not fit that description?

By your definition every single news comment section is social media, which is clearly a ridiculous suggestion. Webchat, irc, literally anywhere there’s a comment section. That’s just clearly incorrect and so broad as to be a completely useless definition.

There are degrees to social-media-ness. News comment sections have a very low amount of this. Lemmy has a lot.

To clarify why I think Lemmy is not a forum: in my eyes, forums are set up by the admins, only the admins can decide which subforums exist and what's allowed in them. Lemmy and reddit are not simple forums because they allow any user to create a subforum and make those choices and decisions, that traditionally are reserved for admins. It's an extremely important difference and makes Lemmy much more of a general social platform and not a focused forum.

Lemmy has the ability to lock down forum creation, like on programming.dev which is the 8th largest lemmy site.

Social media has always been defined as being about people, not topics. People just don’t even try to use the right words though so you get ridiculous things like people calling something coincidental or unfortunate “ironic”.

A forum?? Which have existed for literal decades before social media was a thing? If you define literally anything social as social media then you’re defining the entire internet as social media which is just a useless definition.

https://programming.dev/comment/12069336

It’s called the “Fuck Texas” response to such a garbage law. And good luck enforcing it especially with federated sites.