deegeese@sopuli.xyz
on 04 Mar 2024 21:29
nextcollapse
Bit of a red herring to put GDPR in the title when the article is about Lemmy missing key admin functions, and only tangentially how this runs afoul of GDPR.
TL;DR Lemmy hasn’t implemented image deletion for users or admins, so don’t upload your government ID.
woelkchen@lemmy.world
on 04 Mar 2024 21:57
nextcollapse
Bit of a red herring to put GDPR in the title when the article is about Lemmy missing key admin functions, and only tangentially how this runs afoul of GDPR.
I haven’t read the GDPR, yet, but it’s still a serious issue – GDPR or not. Imagine if Instagram did that. Everybody would seriously go bonkers and rightfully so.
System administrators often aren’t software developers. Lemmy users need to trust Lemmy admins and Lemmy admins need to trust Lemmy developers. Maybe not letting users delete any uploaded media isn’t outright illegal, maybe it is. I’m in the camp of it being definitively not cool.
Inflicting lawyers on an open source project is a great way to drive off the developers.
If I hear Lemmy has a GDPR problem I assume it’s lawyer BS only European instance admins have to worry about.
If I hear Lemmy has bugs in basic CRUD functionality, that’s a real issue.
woelkchen@lemmy.world
on 04 Mar 2024 22:15
nextcollapse
If I hear Lemmy has bugs in basic CRUD functionality, that’s a real issue.
Coincidentally I saw bug reports by that person and another person earlier that day (before the blog post was published), including one opened months ago with absolutely no reaction at all of even acknowledging that this is even an issue: github.com/LemmyNet/lemmy/issues/3973
I’ve heard from time to time that Lemmy developers can be difficult to work with (I never worked with them, so I make it clear that this is hearsay) but I have the suspicion that there is some merit to that.
kernelle@lemmy.world
on 05 Mar 2024 09:57
collapse
Yet GDPR requires if you operate anywhere but allow European citizens to register, you have to be GDPR compliant as well, or risk being blocked by an entire continent.
You can get fined by the entire continent. And you would need to pay up in that case, if living in the US for instance. The laws aren’t toothless, otherwise everyone would be abusing them, instead go to any US news site in Europe, and they’ll tell you they can’t serve content to you for legal reasons.
kernelle@lemmy.world
on 05 Mar 2024 11:35
nextcollapse
Oh for sure they will try to fine, but being another sovereignty they have no authority to force a payment.
Yeaaaah no. Look it up, you still have to pay up. It’s insanely good for EU citizens. Look at the top fines - Meta, Google, Amazon, Instagram, Facebook, with fines being tens of milions of dollars. The US works with the EU and you still get fined.
kernelle@lemmy.world
on 05 Mar 2024 12:10
collapse
Ofcourse they do, because they want to keep their business working in Europe. Which doesn’t apply to a decentralized system like the fediverse. But they do not have to pay the fine if they shut down all operations within Europe, which no company wants to do.
Most servers are in Europe. Also, yeah, that’s my point - if you shut down access for Europeans, your worries fade away. The thing is - people want to have the cake and eat it too - not comply with GDPR and still allow people in Europe to be able to reach all instances.
Right now, Lemmy is too small to be noticed by anyone. But all it takes is some a-hole reporting GDPR noncompliance, and the entire project will get hit, and it will get hit hard.
kernelle@lemmy.world
on 05 Mar 2024 16:32
collapse
“your point” was that the EU can force a fine on any foreign company operating outside the EU for not following local laws, which is ridiculous. But I agree with the rest.
It’s not ridiculous if you actually read up what GDPR is. They can place a fine on any foreign company. It probably won’t be enforced in China, Russia, Iran, etc. But GDPR isn’t a “local law”. Most countries comply with it, hence cookie notices and all that jazz
kernelle@lemmy.world
on 05 Mar 2024 23:56
collapse
You might be missing the point. Again, the EU will send them a bill and a firm letter, but they don’t have any authority to actually demand payment. That fact has nothing to do with GDPR but with the fact that it’s an entirely different sovereignty.
The EU could sue them, they could impose sanctions on other companies for dealing with said company. They have an enormous amount of power to make sure said company can never deal with anything EU related. They have tried to sue companies in the US for not complying but no outcome for that is known.
That is why you see the cookie notices and general compliance, but also if you’re a relatively small company it’s actually not that hard to comply. It gets exponentially more difficult the larger you get but if you’re that large than you’ll definitely be dealing with world economics, including the EU which gives a lot of incentive to comply.
if actually read up what GDPR is
I have and was a part of my curriculum. Bit arrogant innit
lambalicious@lemmy.sdf.org
on 05 Mar 2024 13:40
collapse
The laws aren’t toothless, otherwise everyone would be abusing them,
Have you heard of such small indie developers such as Google, Amazon or Facebook?
The exact same ones who have millions in fines racked up and are paying them? Yes, I have heard of those.
lambalicious@lemmy.sdf.org
on 07 Mar 2024 23:22
collapse
You said it yourself: Millions. Not Billions.
For these companies, paying such a mundane fine is just the business cost of being able to do whatever they want. The execs figuratively (and perhaps literally too) piss out a fine payment every morning before reading the newspaper company whatsapp account.
And you think that lemmy devs / admins being hit by thousands of dollars of a fine is going to go the same way facebook goes? That they’ll be able to ignore it and say it’s a cost of business? The giant corps get fined too. The US companies get fined too (for all the people saying “this EU law, me no care”.
Blaze@reddthat.com
on 04 Mar 2024 23:53
nextcollapse
Aren’t the key admin functions missing leading to GDPR non compliance?
No, Lemmy servers are not exempt from GDPR compliance.
The household exemption (you are not subject to gdpr for private activities) only applies for purely personnal activities. As soon as a service is offered to someone else, the exemption is no more applicable.
That’s one of the drawback about open-source projects, they are designed to fulfill a need (persistent storage & decentralised communication for Lemmy), and no one give a f*ck about legalities.
I’m not so sure about the GDPR status for the Fediverse, I don’t think there’s the law is prepared for “Jerry runs this for people, just for fun”. It’s very much “official organisation” or “money grabbing business” oriented. Someone should fund an actual lawyer to look into this and lay down the real requirements.
I’m working in the gdpr compiance field ;)
Using a personnal device to monitor public space doesn’t fall under the household exception, this solution even pre-dates the GDPR (curia.europa.eu/jcms/upload/…/cp140175en.pdf).
(the case-law is about camera fixed on a private house, but the logic easily translates in a private server grabbing public data).
but when legal compliance comes up, everybody just sticks their fingers in their ears and pretends not to hear you.
Article 3 GDPR is straightforward, gdpr will apply.
The real question is how any kind of authority could enforce it ?
Almost no chance that any law enforcement/regulator will bother a single-user instance purely on the ground of gdpr…
bleistift2@feddit.de
on 04 Mar 2024 21:45
nextcollapse
I found it interesting how the maintainers reacted to these issues.
Would you mind if we set some of your priorities also? You’re asking us to do free labor for you, that you’re unwilling to do yourself. Do not put ultimatums and demands on people making FOSS, or I won’t hesitate to block you from these repos.
deegeese@sopuli.xyz
on 04 Mar 2024 22:08
nextcollapse
Just another guy who thinks he’s Gods gift to open source because he found a bug, and thinks the volunteer developers fail to show proper gratitude by not dropping everything to work on your pet bug.
Darrell_Winfield@lemmy.world
on 04 Mar 2024 22:24
nextcollapse
Interestingly, he was silent for 3 weeks after being assigned to the bug, then came back to post his blog post and nothing else. I’ve seen this blog post a few times today, looks like his self promoting strategy is working.
bleistift2@feddit.de
on 05 Mar 2024 11:41
collapse
I agree commenting that post under every issue was a dick move.
bleistift2@feddit.de
on 05 Mar 2024 11:45
collapse
To be fair, this is a bug that could be the end of lemmy. As soon as one malicious actor sues even a few instance admins, other will get scared and shut down their instances. As the reporter points out, this isn’t just a shiny feature that’s missing. Instance admins lack the ability to follow data protection requirements that their users have a right to. It’s a lawsuit waiting to happen.
lambalicious@lemmy.sdf.org
on 08 Mar 2024 16:40
collapse
To be fair, this is a bug that could be the end of lemmy.
Then the reporter should have acted like it was, indeed, that important. Like, putting money or a PR into it.
Just “someone, sometime, somewhere, might sue” does not suffice to fix things. Just like with physical products in the real world, if someone, somewhere, sometime, might sue, then you designate money, time and staff into your project to pre-corect the things to minimize the chance of that happening, or to buy whatever auditing / maintenance needed to check for issues.
And, correctly enough, the devs are not saying “we won’t fix this”. They are saying, “fix this requires people to pour $X time and $y money into it. Care to chime in?”
Unfortunately, the world of free software users is full of “couch coaches”.
rickyrigatoni@lemm.ee
on 06 Mar 2024 13:44
collapse
The lemmy devs are communist, isn’t doing free labor their whole thing?
freamon@endlesstalk.org
on 04 Mar 2024 22:09
nextcollapse
Mmm, I’m sure it won’t take long. Just have to remember to do it all again for .jpg, .webp, and .png.
Anyway, I’ll let you know when I get it.
johntash@eviltoast.org
on 05 Mar 2024 02:25
collapse
Its been a few hours, did you find it yet?
freamon@endlesstalk.org
on 05 Mar 2024 03:35
collapse
Not quite, no. I know what it isn’t at least.
I’ll keep going - I’m sure the article’s author is someone who genuinely uploaded some confidential info and then became really involved with privacy/GDPR etc, and not someone who was always been really involved with privacy/GDPR issues and now has a story to fit.
wahming@monyet.cc
on 05 Mar 2024 00:32
nextcollapse
Do uploaded images get federated? If they do, this is a pointless losing battle
UndercoverUlrikHD@programming.dev
on 05 Mar 2024 22:49
collapse
Yes
dumpsterlid@lemmy.world
on 05 Mar 2024 02:47
nextcollapse
I would actually consider using normal reddit a nightmare, lemmy like the rest of the fediverse softwares mostly just feels like a community theater play put on by people who really passionately care about what they are making but have zero budget and so long as you go into not expecting a blockbuster movie it is awesome.
Maalus@lemmy.world
on 05 Mar 2024 11:21
nextcollapse
Except you don’t get to ignore GDPR by saying “don’t expect our site to be private”.
expr@programming.dev
on 05 Mar 2024 14:51
collapse
GDPR is really designed to target software controlled by a single entity, but this isn’t that. The instances are responsible for their content, full stop. There’s no way of forcing an instance to delete content, and even if there were, since the admins are running it, there’s nothing stopping them from removing such a feature.
There’s also nothing stopping admins from deleting content from their servers (it’s just a database, after all).
Well then, once the EU knows about Lemmy, it’ll be screwed. Again, you don’t get to make excuses when dealing with GDPR. The book will be thrown at you once you have EU citizen’s data, which lemmy obviously does. Saying “we made this application without it ever being possible to comply with GDPR” will only get you a bigger fine, or worse.
expr@programming.dev
on 05 Mar 2024 16:33
collapse
“Lemmy” (the software) doesn’t have any data. It all resides on servers owned by people other than Lemmy’s developers. They have the user data and would absolutely be subject to GDPR.
Again, no matter what Lemmy’s devs put in place, it doesn’t matter because the instance admins can do whatever they want.
Once they know about one server, they will know about most large instances. Since Lemmy doesn’t implement any GDPR features (i.e. cookie notices, a button for deletion, etc) every larger instance will get hit.
UndercoverUlrikHD@programming.dev
on 05 Mar 2024 22:45
collapse
How would tracking pixels work via lemmy? I don’t see how you could gain individual ip addresses if the instance simply store the image in their cache.
Yikes. Played it for shits and giggles and it leads off with saying the vaccines or even being around people who took the vaccine causes you to emit a Bluetooth MAC address lmfao.
rglullis@communick.news
on 05 Mar 2024 09:46
collapse
Not that I hold the Lemmy devs in particular high regard, but unless OP is cutting them a check every month enough to pay their full time salaries, I really don’t think that he should be expecting anything just because he faced an issue that was difficult, but (a) not specific to the developers but the admins of the instance and (b) ultimately solvable.
I also think that this is not a reason to justify a whole fork or even a fully adversarial position. Yeah, tooling for moderation and instance management is lacking, but these can be built on top of the existing codebase. If my fediverser tool does that for user authentication and account management, it could also be extended for content moderation and provide granular access for staff.
Maalus@lemmy.world
on 05 Mar 2024 11:20
nextcollapse
Well, the bare minimum you need to do, is refuse traffic from the EU then. The devs don’t want to do that, but they also don’t want to implement the changes which is illegal and carried huge fines (yes, they can fine you in the US too)
rglullis@communick.news
on 05 Mar 2024 11:23
collapse
The “huge fines” are proportional to the revenue of the company and there are plenty of legal steps that need to be taken before someone with a big stick gets involved.
Also, this is not an issue for the developers, but for the admins.
bleistift2@feddit.de
on 05 Mar 2024 12:01
nextcollapse
The fines are only proportional for big corporations. Organizations without revenue can still be fined:
Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
(a) the basic principles for processing, […] pursuant to Articles […] 7 […];
In this case, the processing of data hinges upon the data subject’s consent, which is detailed in article 7.
Also, this is not an issue for the developers, but for the admins.
Imagine a car manufacturer building cars without brakes and then saying ‘This isn’t a problem for the engineers, but for the retailers’. Of course the developers can’t be sued for this. But that’s not the point! The point is that this bug or missing feature or whatever you want to call it jeopardizes the admins upon which this whole ecosystem hinges. I can’t believe that that’s in the devs’ best interests.
They are also proportional to the size of the leak. Small businesses get some leeway, but the approach that devs have had so far is “we don’t care” when it was brought up.
It’s an issue for both. If a software you run can get you fined in both the US and the EU, then devs need to adapt or nobody will be using it. Right now, lemmy is too small for big wigs to notice. It takes one disgruntled user to report the breaches though, and everything can change veeeery quickly.
rglullis@communick.news
on 05 Mar 2024 12:11
collapse
then devs need to adapt or nobody will be using it.
Or the people that want to use it can hire other developers to add the missing functionality, or develop themselves, or implement some tedious-but-functional process that satisfies the legal requirements, etc, etc.
My point is:
No developer from an open source project should feel responsible for how the software is being used by others
No open source developer should feel pressured into working on something just because someone needs it.
If people don’t like the Lemmy devs and want to use something else that fulfills their needs, fine. But this “I opened a bunch of issues on Github and I demand the developers to work on them ASAP” is really not the way to go.
Your point is “don’t make our devs do things that are essential for using it in Europe”
I wasn’t talking about some issues on github, I was talking about GDPR. If lemmy is to be used in any way, it can’t behave like some student project thrown together from random bits. Legal is part of that. And there is a lot of it to go through. I get it, it’s not fun at all to code that and they’d rather do some cool new feature instead. But it needs to be done, even if nobody wants to do it. Or, at least people could simply accept the risk of it going really bad.
rglullis@communick.news
on 05 Mar 2024 18:23
collapse
But it needs to be done, even if nobody wants to do it.
Nobody wants to do it for free. Show some actual support to the developers, let’s help them find a way to let work on something without worrying about how they will keep a roof over their heads, and I can bet that things will start being prioritized accordingly.
If you want any open source project to be more than “a student project thrown together”, then we need to treat the people working on it as professionals. And how well are these professionals being treated by this “community”, if is not able to collectively pay for one FT developer and where the “CTO” of Mastodon GmbH makes less than what an intern can get at Facebook?
And since I’m feeling like a rant is brewing inside me, allow me to vent a little: when I mean “developers”, it doesn’t need to be the Lemmy team exactly. As I said in the top comment, my fediverser project already added an “admin” backend that could be used by staff and moderation. it wouldn’t be difficult at all to turn it into a center dashboard for moderation, and it could even be made to have a granular permission system. From the reasonable amount of people that expressed interest, how many do you think actually opened up their wallets to help? Zero
Back in July when Reddit revealed its true colors, I thought people finally understood the importance of paying for the products they use, so I took the opportunity to pledge 20% of Communick’s profits to the Fediverse projects that I offer. I thought it would be a win-win-win situation: I could acquire customers, users would have expert help to figure out their issues and hopefully even help steering the direction of the project, and developers would have some form of income while not having to deal with a barrage of requests from the non-technical mob. How well do you think that went? Let me tell you: The handful of paying customers that I have are amazing, but they are simply not enough for me to even the server bills.
It frustrates me to no end when I think of how “anti-capitalistic” people here claim to be, yet I can bet that if we got only the the North American users who have bought an iPhone to pay $1/month, we would probably be able to fund all of the leading fediverse projects and kill Big Tech.
Yeaaah, except I don’t care about this platform enough to invest money into it. It has huge flaws, no people, etc. The fact of the matter is though, and I keep repeating this, once it gets noticed, it will be hit by fines. And by that time, it will be a huge scandal, with both admins and devs wishing they actually coded the “uninteresting” parts of the app.
rglullis@communick.news
on 05 Mar 2024 21:54
collapse
So you are not willing to contribute, you are just here to dismiss whatever effort people make and to feel smug about it.
It’s the worst type of leech behavior. All high and mighty to talk about the law, but no fundamental sense of ethics and no willingness to put skin in the game.
And the most shameful part, you are likely in the majority.
woelkchen@lemmy.world
on 05 Mar 2024 18:28
collapse
a check every month enough to pay their full time salaries
I would usually agree because often FOSS projects are used commercially but I don’t think this standard doesn’t apply here because the Lemmy instances are also non-commercial projects.
rglullis@communick.news
on 05 Mar 2024 19:12
collapse
Lemmy instances are also non-commercial projects.
So why should they be expecting commercial-level support?
woelkchen@lemmy.world
on 05 Mar 2024 20:48
collapse
So why should they be expecting commercial-level support?
“Users should be able to delete stuff they uploaded” is only something for commercial services?
rglullis@communick.news
on 05 Mar 2024 21:45
collapse
“You get what you pay for”.
woelkchen@lemmy.world
on 07 Mar 2024 16:42
collapse
threaded - newest
Bit of a red herring to put GDPR in the title when the article is about Lemmy missing key admin functions, and only tangentially how this runs afoul of GDPR.
TL;DR Lemmy hasn’t implemented image deletion for users or admins, so don’t upload your government ID.
I haven’t read the GDPR, yet, but it’s still a serious issue – GDPR or not. Imagine if Instagram did that. Everybody would seriously go bonkers and rightfully so.
System administrators often aren’t software developers. Lemmy users need to trust Lemmy admins and Lemmy admins need to trust Lemmy developers. Maybe not letting users delete any uploaded media isn’t outright illegal, maybe it is. I’m in the camp of it being definitively not cool.
Inflicting lawyers on an open source project is a great way to drive off the developers.
If I hear Lemmy has a GDPR problem I assume it’s lawyer BS only European instance admins have to worry about.
If I hear Lemmy has bugs in basic CRUD functionality, that’s a real issue.
Coincidentally I saw bug reports by that person and another person earlier that day (before the blog post was published), including one opened months ago with absolutely no reaction at all of even acknowledging that this is even an issue: github.com/LemmyNet/lemmy/issues/3973
I’ve heard from time to time that Lemmy developers can be difficult to work with (I never worked with them, so I make it clear that this is hearsay) but I have the suspicion that there is some merit to that.
.
Yet GDPR requires if you operate anywhere but allow European citizens to register, you have to be GDPR compliant as well, or risk being blocked by an entire continent.
You can get fined by the entire continent. And you would need to pay up in that case, if living in the US for instance. The laws aren’t toothless, otherwise everyone would be abusing them, instead go to any US news site in Europe, and they’ll tell you they can’t serve content to you for legal reasons.
Oh for sure they will try to fine, but being another sovereignty they have no authority to force a payment.
Yeaaaah no. Look it up, you still have to pay up. It’s insanely good for EU citizens. Look at the top fines - Meta, Google, Amazon, Instagram, Facebook, with fines being tens of milions of dollars. The US works with the EU and you still get fined.
Ofcourse they do, because they want to keep their business working in Europe. Which doesn’t apply to a decentralized system like the fediverse. But they do not have to pay the fine if they shut down all operations within Europe, which no company wants to do.
Most servers are in Europe. Also, yeah, that’s my point - if you shut down access for Europeans, your worries fade away. The thing is - people want to have the cake and eat it too - not comply with GDPR and still allow people in Europe to be able to reach all instances.
Right now, Lemmy is too small to be noticed by anyone. But all it takes is some a-hole reporting GDPR noncompliance, and the entire project will get hit, and it will get hit hard.
“your point” was that the EU can force a fine on any foreign company operating outside the EU for not following local laws, which is ridiculous. But I agree with the rest.
It’s not ridiculous if you actually read up what GDPR is. They can place a fine on any foreign company. It probably won’t be enforced in China, Russia, Iran, etc. But GDPR isn’t a “local law”. Most countries comply with it, hence cookie notices and all that jazz
You might be missing the point. Again, the EU will send them a bill and a firm letter, but they don’t have any authority to actually demand payment. That fact has nothing to do with GDPR but with the fact that it’s an entirely different sovereignty.
The EU could sue them, they could impose sanctions on other companies for dealing with said company. They have an enormous amount of power to make sure said company can never deal with anything EU related. They have tried to sue companies in the US for not complying but no outcome for that is known.
That is why you see the cookie notices and general compliance, but also if you’re a relatively small company it’s actually not that hard to comply. It gets exponentially more difficult the larger you get but if you’re that large than you’ll definitely be dealing with world economics, including the EU which gives a lot of incentive to comply.
I have and was a part of my curriculum. Bit arrogant innit
Have you heard of such small indie developers such as Google, Amazon or Facebook?
The exact same ones who have millions in fines racked up and are paying them? Yes, I have heard of those.
You said it yourself: Millions. Not Billions.
For these companies, paying such a mundane fine is just the business cost of being able to do whatever they want. The execs figuratively (and perhaps literally too) piss out a fine payment every morning before reading the
newspapercompany whatsapp account.And you think that lemmy devs / admins being hit by thousands of dollars of a fine is going to go the same way facebook goes? That they’ll be able to ignore it and say it’s a cost of business? The giant corps get fined too. The US companies get fined too (for all the people saying “this EU law, me no care”.
Aren’t the key admin functions missing leading to GDPR non compliance?
Yeah, but talking about GDPR is burying the lede.
.
No, Lemmy servers are not exempt from GDPR compliance. The household exemption (you are not subject to gdpr for private activities) only applies for purely personnal activities. As soon as a service is offered to someone else, the exemption is no more applicable.
That’s one of the drawback about open-source projects, they are designed to fulfill a need (persistent storage & decentralised communication for Lemmy), and no one give a f*ck about legalities.
.
I’m working in the gdpr compiance field ;) Using a personnal device to monitor public space doesn’t fall under the household exception, this solution even pre-dates the GDPR (curia.europa.eu/jcms/upload/…/cp140175en.pdf).
(the case-law is about camera fixed on a private house, but the logic easily translates in a private server grabbing public data).
Just as you did ^^
.
Article 3 GDPR is straightforward, gdpr will apply.
The real question is how any kind of authority could enforce it ? Almost no chance that any law enforcement/regulator will bother a single-user instance purely on the ground of gdpr…
.
I found it interesting how the maintainers reacted to these issues.
github.com/LemmyNet/lemmy/issues/4433#issuecommen…
Just another guy who thinks he’s Gods gift to open source because he found a bug, and thinks the volunteer developers fail to show proper gratitude by not dropping everything to work on your pet bug.
Interestingly, he was silent for 3 weeks after being assigned to the bug, then came back to post his blog post and nothing else. I’ve seen this blog post a few times today, looks like his self promoting strategy is working.
I agree commenting that post under every issue was a dick move.
To be fair, this is a bug that could be the end of lemmy. As soon as one malicious actor sues even a few instance admins, other will get scared and shut down their instances. As the reporter points out, this isn’t just a shiny feature that’s missing. Instance admins lack the ability to follow data protection requirements that their users have a right to. It’s a lawsuit waiting to happen.
Then the reporter should have acted like it was, indeed, that important. Like, putting money or a PR into it.
Just “someone, sometime, somewhere, might sue” does not suffice to fix things. Just like with physical products in the real world, if someone, somewhere, sometime, might sue, then you designate money, time and staff into your project to pre-corect the things to minimize the chance of that happening, or to buy whatever auditing / maintenance needed to check for issues.
And, correctly enough, the devs are not saying “we won’t fix this”. They are saying, “fix this requires people to pour $X time and $y money into it. Care to chime in?”
Unfortunately, the world of free software users is full of “couch coaches”.
The lemmy devs are communist, isn’t doing free labor their whole thing?
I’m gonna find this guy’s image …
monero.town/…/00000000-0000-0000-0000-00000000000… … nope
monero.town/…/00000000-0000-0000-0000-00000000000… … nope
monero.town/…/00000000-0000-0000-0000-00000000000… … nope
monero.town/…/00000000-0000-0000-0000-00000000000… … nope
Mmm, I’m sure it won’t take long. Just have to remember to do it all again for .jpg, .webp, and .png.
Anyway, I’ll let you know when I get it.
Its been a few hours, did you find it yet?
Not quite, no. I know what it isn’t at least.
I’ll keep going - I’m sure the article’s author is someone who genuinely uploaded some confidential info and then became really involved with privacy/GDPR etc, and not someone who was always been really involved with privacy/GDPR issues and now has a story to fit.
.
Do uploaded images get federated? If they do, this is a pointless losing battle
Yes
I would actually consider using normal reddit a nightmare, lemmy like the rest of the fediverse softwares mostly just feels like a community theater play put on by people who really passionately care about what they are making but have zero budget and so long as you go into not expecting a blockbuster movie it is awesome.
.
Except you don’t get to ignore GDPR by saying “don’t expect our site to be private”.
GDPR is really designed to target software controlled by a single entity, but this isn’t that. The instances are responsible for their content, full stop. There’s no way of forcing an instance to delete content, and even if there were, since the admins are running it, there’s nothing stopping them from removing such a feature.
There’s also nothing stopping admins from deleting content from their servers (it’s just a database, after all).
Well then, once the EU knows about Lemmy, it’ll be screwed. Again, you don’t get to make excuses when dealing with GDPR. The book will be thrown at you once you have EU citizen’s data, which lemmy obviously does. Saying “we made this application without it ever being possible to comply with GDPR” will only get you a bigger fine, or worse.
“Lemmy” (the software) doesn’t have any data. It all resides on servers owned by people other than Lemmy’s developers. They have the user data and would absolutely be subject to GDPR.
Again, no matter what Lemmy’s devs put in place, it doesn’t matter because the instance admins can do whatever they want.
Way to go being pedantic about it.
Once they know about one server, they will know about most large instances. Since Lemmy doesn’t implement any GDPR features (i.e. cookie notices, a button for deletion, etc) every larger instance will get hit.
Only those based in the EU.
How would tracking pixels work via lemmy? I don’t see how you could gain individual ip addresses if the instance simply store the image in their cache.
.
Ah, interesting. I thought my instance cached images.
.
This post made my curious about the instance he’s on, monero.town, and the first post I see is Covid antivax shit
Yikes. Played it for shits and giggles and it leads off with saying the vaccines or even being around people who took the vaccine causes you to emit a Bluetooth MAC address lmfao.
Not that I hold the Lemmy devs in particular high regard, but unless OP is cutting them a check every month enough to pay their full time salaries, I really don’t think that he should be expecting anything just because he faced an issue that was difficult, but (a) not specific to the developers but the admins of the instance and (b) ultimately solvable.
I also think that this is not a reason to justify a whole fork or even a fully adversarial position. Yeah, tooling for moderation and instance management is lacking, but these can be built on top of the existing codebase. If my fediverser tool does that for user authentication and account management, it could also be extended for content moderation and provide granular access for staff.
Well, the bare minimum you need to do, is refuse traffic from the EU then. The devs don’t want to do that, but they also don’t want to implement the changes which is illegal and carried huge fines (yes, they can fine you in the US too)
The “huge fines” are proportional to the revenue of the company and there are plenty of legal steps that need to be taken before someone with a big stick gets involved.
Also, this is not an issue for the developers, but for the admins.
The fines are only proportional for big corporations. Organizations without revenue can still be fined:
gdpr-info.eu/art-83-gdpr/
In this case, the processing of data hinges upon the data subject’s consent, which is detailed in article 7.
Imagine a car manufacturer building cars without brakes and then saying ‘This isn’t a problem for the engineers, but for the retailers’. Of course the developers can’t be sued for this. But that’s not the point! The point is that this bug or missing feature or whatever you want to call it jeopardizes the admins upon which this whole ecosystem hinges. I can’t believe that that’s in the devs’ best interests.
They are also proportional to the size of the leak. Small businesses get some leeway, but the approach that devs have had so far is “we don’t care” when it was brought up.
It’s an issue for both. If a software you run can get you fined in both the US and the EU, then devs need to adapt or nobody will be using it. Right now, lemmy is too small for big wigs to notice. It takes one disgruntled user to report the breaches though, and everything can change veeeery quickly.
Or the people that want to use it can hire other developers to add the missing functionality, or develop themselves, or implement some tedious-but-functional process that satisfies the legal requirements, etc, etc.
My point is:
If people don’t like the Lemmy devs and want to use something else that fulfills their needs, fine. But this “I opened a bunch of issues on Github and I demand the developers to work on them ASAP” is really not the way to go.
Your point is “don’t make our devs do things that are essential for using it in Europe”
I wasn’t talking about some issues on github, I was talking about GDPR. If lemmy is to be used in any way, it can’t behave like some student project thrown together from random bits. Legal is part of that. And there is a lot of it to go through. I get it, it’s not fun at all to code that and they’d rather do some cool new feature instead. But it needs to be done, even if nobody wants to do it. Or, at least people could simply accept the risk of it going really bad.
Nobody wants to do it for free. Show some actual support to the developers, let’s help them find a way to let work on something without worrying about how they will keep a roof over their heads, and I can bet that things will start being prioritized accordingly.
If you want any open source project to be more than “a student project thrown together”, then we need to treat the people working on it as professionals. And how well are these professionals being treated by this “community”, if is not able to collectively pay for one FT developer and where the “CTO” of Mastodon GmbH makes less than what an intern can get at Facebook?
And since I’m feeling like a rant is brewing inside me, allow me to vent a little: when I mean “developers”, it doesn’t need to be the Lemmy team exactly. As I said in the top comment, my fediverser project already added an “admin” backend that could be used by staff and moderation. it wouldn’t be difficult at all to turn it into a center dashboard for moderation, and it could even be made to have a granular permission system. From the reasonable amount of people that expressed interest, how many do you think actually opened up their wallets to help? Zero
Back in July when Reddit revealed its true colors, I thought people finally understood the importance of paying for the products they use, so I took the opportunity to pledge 20% of Communick’s profits to the Fediverse projects that I offer. I thought it would be a win-win-win situation: I could acquire customers, users would have expert help to figure out their issues and hopefully even help steering the direction of the project, and developers would have some form of income while not having to deal with a barrage of requests from the non-technical mob. How well do you think that went? Let me tell you: The handful of paying customers that I have are amazing, but they are simply not enough for me to even the server bills.
It frustrates me to no end when I think of how “anti-capitalistic” people here claim to be, yet I can bet that if we got only the the North American users who have bought an iPhone to pay $1/month, we would probably be able to fund all of the leading fediverse projects and kill Big Tech.
There, rant over.
Yeaaah, except I don’t care about this platform enough to invest money into it. It has huge flaws, no people, etc. The fact of the matter is though, and I keep repeating this, once it gets noticed, it will be hit by fines. And by that time, it will be a huge scandal, with both admins and devs wishing they actually coded the “uninteresting” parts of the app.
So you are not willing to contribute, you are just here to dismiss whatever effort people make and to feel smug about it.
It’s the worst type of leech behavior. All high and mighty to talk about the law, but no fundamental sense of ethics and no willingness to put skin in the game.
And the most shameful part, you are likely in the majority.
I would usually agree because often FOSS projects are used commercially but I don’t think this standard doesn’t apply here because the Lemmy instances are also non-commercial projects.
So why should they be expecting commercial-level support?
“Users should be able to delete stuff they uploaded” is only something for commercial services?
“You get what you pay for”.
“Open source respects your privacy! Lolnope, jk!”