Lemmy's Image Problem (Updated 02-06-2024)
(wedistribute.org)
from deadsuperhero@lemmy.world to fediverse@lemmy.world on 06 Mar 2024 02:10
https://lemmy.world/post/12786469
from deadsuperhero@lemmy.world to fediverse@lemmy.world on 06 Mar 2024 02:10
https://lemmy.world/post/12786469
Highlighting the recent report of users and admins being unable to delete images, and how Trust & Safety tooling is currently lacking.
threaded - newest
This link has been posted and discussed on Reddit too.
Of course, we shouldn’t care about what people on Reddit think (and I noticed this post by chance since I log on there very rarely now), but some users in the thread genuinely ask about joining Lemmy and so I guess it’s useful to know about possible obstacles to trying it that they may perceive.
That OP has been crying everywhere about the Lemmy devs being mean to him. Saw a few threads of his here on Lemmy.
No space for muh centrism
lol
Ya, reading the GitHub issue sounds entirely like burnt out devs being abused by users. It’s a massive issue in open source.
The Late Night Linux and Linux Dev Time podcasts talked about exactly this in a recent episode. It can be extremely demoralizing to do all this work for free for a project only to be inundated by ungrateful people demanding you fix something or implement a feature they want. Many open source projects have died because of that.
while i think there are people like that i think this particular issue is a serious issue that should be handled properly. i think the conversation should have been much professional from both sides, but nonetheless this issue addresses a serious problem.
Why should it be handled professionally? I don’t necessarily disagree, but what makes you say that? This isn’t a paid job. They aren’t working for a corporation. And all of their work is voluntary for a free project.
Does them working on the project voluntairly, makes them be able to steal code from non-opensource projects, ignore licenses and do other shit like that? If the answer is no, why does working on the project voluntairly lets them break the law in other ways?
That’s a lot of incorrect assumptions there.
They didn’t steal any code. They didn’t ignore licenses either. In fact, the only reason they had a judgment ruled against them is because they were taking monetary donations. Which was interpreted as “profiting”.
They reverse engineered a process without stealing anything. They didn’t even circumvent DRM, which is actually protected by law on the grounds of creating personal backups and data/software preservation.
You’re either very ignorant on the subject or you just ate up Nintendo’s BS.
I was talking hypothetically. Are they allowed to do that? If not, then they cannot be noncompliant with GDPR, simple as.
Actually yes. The people that run afoul of the GDPR are the people who run the instance servers. The code writers are not the ones legally responsible.
Yeah, theu are just as legally responsible as admins of instances.
That’s going to vary heavily based on regional laws. You cannot make such a blanket statement like that.
Yes I can.
Ok, sure. You can. You can also just be completely wrong at the same time.
there is a lot of difference between a random internet forum and an issues forum. also that particular issue was made with good faith even though both of them might have gone overboard. people suck a lot and might even make stupid arguments or issues. people stick to your work because they like it and they hope it will continue without dying next day, even though you do it voluntarily. this gives more weight here since their work is more like an internet forum where people voice out their thoughts. given such weight, i think they should have handled it properly, if they did it would not have been made a post or an article. i have no biased opinion for any party here, but since I respect lemmy a lot and doesn’t want lemmy to have a bad name, i think their developers should not give in and be unprofessional and give lemmy a bad reputation.
We’re not talking about a user demanding you release a flatpak build targeting their personal linux distribution running in a VM’d WSL, we’re talking about a consumer facing social app that doesn’t include the functionality for a user to delete something they added.
You know what the acronym used for describing the most basic functional web app api is?
CRUD - Create, Read, Update, Delete
You seem to know what you are talking about. Have you made a pull request yet?
Have you learned how to program to fix the problem?
It doesn’t seem worth my time to learn Rust just to submit a PR to devs who behave like that, they’ll just reject it and be pithy, like they are when a user asks them to comply with EU privacy law.
Ya, this is exactly the attitude that burns out devs and kills projects. Congrats for being super entitled towards a free project.
It is not entitled to expect a published project to comply with basic privacy legislation and not be illegal to use.
If your bar for this project is that much below basic consumer expectations, then this project was always going to fail.
No it’s not. But what is entitlement is bombarding voluntary devs with garbage requests. Is this particular issue entitlement? No. But having seen the various requests made over the last year or so there’s a breaking point where a person gets overly sensitive.
Think of being pestered ALL day at work over garbage and having an all around bad day. Then on the way home you jump into a store to pick something up and someone says something annoying but ultimately innocuous to you. Some people can handle it in stride, some people’s nerves get frayed.
I’m not excusing the devs here. I don’t actually know what their thoughts are. But from personal experience in the dev world and from what I’ve seen, it looks to me like they’re getting frustrated by users.
And they might be in a region where the privacy concerns don’t apply to them. And I agree that it’s a problem, but ultimately it’s their right and prerogative to not implement.
Remember, absolutely no one here has paid a single CENT to the devs for their work (not talking about donations).
So complaining about the quality of their work while you are benefiting from it for free is literally entitlement.
I understand having frayed nerves, I even understand snapping at someone because you’re having a bad day, and I do feel sympathy for the devs, and wouldn’t hold this against them (especially since they’re at least providing a nuke everything option that will address it).
But the line between entitlement and reasonable expectation is not one of monetary compensation.
Engineering ethics does not let you off the hook just because no one paid you to build what you built. If an engineer goes to the park and unilaterally builds a playground that doesn’t meet basic legislated safety standards and kills a kid, they’re not off the hook. They will be investigated by their professional body and have their license revoked.
Hell if they just build a playground off in the woods on their own private land but don’t take reasonable steps to prevent kids from accessing or using it then they will have their license revoked.
Sure, but if you want to extend the analogy that far, then the devs are just posting free plans online on how to build a playground. It’s the instance owners who physically build the “playground” and are liable.
Again, that does not matter. If an engineer published those plans online and you built it and your kid died they would have their license revoked and face likely criminal liability.
There’s no equivalent to a licensed civil engineer in programming.The proper analogy is just anyone putting up those plans.
Why do you keep adding new parameters to these analogies? It’s such a simple concept but you are determined to prove your opinion, that the devs should acquiesce to your point of view, no matter what.
It’s literally called a software engineer in most jurisdictions that aren’t America where anyone is allowed to call themselves that. And software engineers also have to take engineering ethics, both courses in university as well as in their final professional exams if they want to call themselves engineers.
You’re the one who added the “posted online” parameter. I responded and pointed out that it doesn’t matter to the analogy.
If you put something dangerous into the world, mark it “ready to use”, and encourage people to use it, and that results in them getting hurt or hurting others, then that is a bad thing and you have an obligation to fix it or warn people.
You’re right about it being a simple concept, I don’ understand where you think I’m demanding anyone do anything. The devs have already acquiesced after the community overwhelmingly dumped on their response. My only point has been that it’s not entitled to expect a developer to put a warning on software once they’ve been alerted that it’s dangerous.
Your failure to provide a reliable source for your claims is not my problem.
If you cannot provide a reliable source of your claims, your claim will be dismissed.
Is it entitlement if it’s making using the entire thing illegal everywhere? Since there is no tooling to block traffic from the EU / not federate with instances that don’t comply with GDPR?
No. It’s the dev’s project. They can do whatever they want with it. They can delete the repo and go live in the woods if they want.
To be clear, I don’t agree with the stance they have taken. But I also see the kind of reactions there are far from what people are making it out to be. I think the people complaining about the devs being “mean” are just hypersensitive and have never been told “no” their whole lives.
Like I said, I disagree with the devs’ position to not implement this feature. It’s been highly requested, and for good reason. But this is a free project. If they say no, then it’s no. If we don’t like that decision, then maybe we need to move somewhere else.
It sucks but sometimes that’s life.
I don’t care if they are mean. The app isn’t GDPR compliant. That’s what matters.
Fine, that’s what matters. Then ask them to implement it or write it yourself.
And if they say no, then that’s your answer and Lemmy instances within the EU will need to move out of the EU or just shut down.
They can’t be in the EU or the US. That cuts like 99% of them off. That’s exactly my point - they don’t want to implement something that makes the app illegal with 99% of the userbase being from there.
Ok, then it’s time to jump to another platform
For an instance admin? Yeah, it probably would be a good time to not get screwed over. Or at least try to implement it themselves. Traffic blocking isn’t that problematic when location based
What we’re talking about is a complete free and open source project that’s built and maintained completely through volunteer labour.
There are zero obligations towards the people actively using the software.
While I agree that the functionality should exist, the devs can literally do whatever they want. Nobody is paying them.
Edit: you’re also seeing only a single instance of a conversation. I can guarantee that the devs have been dealing with asinine and demanding users for a while now. There comes a point where your patience wears thin.
Yes, there are, and that obligation is to not publish something as production ready if it is illegal to use because of how it’s built.
I’m a software developer, I understand exactly how frustrating user demands are, that was still a completely and utterly unacceptable way to respond to a very politely worded request for software that literally just doesn’t break privacy laws to run.
As the commenter pointed out, if you don’t want to fix it, fine, but then you absolutely have a moral, ethical, and professional obligation to document that clearly in your README.md.
No, there really isn’t. Do I feel that project owners should follow good practices for maintaining clean code that also allows users to keep things legal? Absolutely I do.
But that is not the same thing as an obligation. If there was a single cent exchanged between the devs and anyone else (donations do not count) then this conversation would be entirely different.
I don’t agree with the devs’ stance. But it is 100% their prerogative to say no. It’s their project, not ours.
As am I.
I agree.
No, you absolutely do not. Although I do somewhat agree on the professional part, but it’s still not an obligation. It’s completely unprofessional, but that’s different than it being an obligation.
The word obligation is not as narrow as you’re using it:
Does he have a contractual obligation? No, no contracts were signed. Does he have a legal obligation? No, the license file in the project absolves him of legal liability.
But he absolutely has a moral, social, and professional obligation to do so.
If you want to apply such a better definition, then you have an obligation to learn Rust and submit a PR to bring the project into compliance. You have a societal obligation since you are aware of the issue and use Lemmy.
You owe it to your fellow Lemmites. Lemurs? Lemmings? Whatever the term for a Lemmy user is.
All I have an obligation to do is give back to society, and I do so through taking care of my parents and grandparents, volunteering teaching classes every weekend at the community center, volunteering to upgrade and maintain an app for a non profit, donating to charity, open source projects and news organizations, helping my elderly neighbours with their snow and leaf clearing, etc.
And if you find one of my open source github projects will cause a user to violate a local law, kindly file an issue and I’ll immediately update the README.md and take it down until the issue is fixed.
100% your prerogative.
Nope, it’s my moral, ethical, and social obligation as a person, my professional obligation as a professional software developer, and if I had bothered to file the paper work for my engineering license, would also be my legal obligation as an engineer.
Again, 100% your prerogative. No one is forced to use any of your software. The only time you must fix it is if you have a contract that outlines those conditions or you are selling licenses to customers in the EU.
Again, you are narrowing the definition of “obligation” to just legal and contractual.
If you just want to think about yourself and how you interact with the world through legal and contractual terms, good luck, it will be hard and miserable and you will be disliked. Otherwise you do have moral, ethical, and social obligations for everything you put into society.
That’s how a Minecraft server I ran died. Too many people telling me how to run it and trying to break things when I was asleep.
Ya, I know exactly what you experienced. It sucks and it’s why we can never have nice things.
What I truly don’t understand is why the negative eggs that you WILL ALWAYS HAVE NO MATTER WHAT, read it again, ALWAYS HAVE NO MATTER WHAT, gets so much mental attention than the many more people who are actively applauding you and saying their thanks and giving you their praises.
I will never understand the focusing on the negative I guess. It’d be easy as fuck for me to ignore people’s assholeishness while still taking their badly typed criticism and improving (if I reasonably can).
Shit, it makes me feel like the fucking champ when some random persons says thanks for something I did, and I laugh and ignore the ones who don’t like what I do.
But hey, if focusing on the few negatives instead of the mountains of praise is what you want to do, it’s all yours.
Imagine you get approval to build a new park and playground for your neighbourhood. You spend hundreds of hours designing the plan and layout and you spend incredible amounts of your own money to get the resources.
You get to work and things are going well. As you near the end of months upon months of work, the park finally opens for families and kids to use.
As you’re standing there proud of your work, some people come over to you. Do they say “thank you!” or “you did amazing work”? No, they come over to complain about things that are missing, tell you what you should have done better, that you didn’t accommodate their each specific needs, etc.
You would very quickly get bitter and demoralized.
Like I mentioned before: this is a massive problem in the open source development world and has killed many great projects. This has nothing to do with “mental attention” and everything to do with users abusing the devs and their time.
In your analogy, the park didn’t follow any safety guidelines and people are dying on the rides and falling into a lake with piranhas.
In my analogy it’s a park with trees, bushes, rocks, and slides. I said “park in your neighbourhood” not “mega-extreme rollercoaster park”. I also said “you got approval” which is generally from the city or other governing municipal/county/regional body. And that also requires a plan to be submitted before approval is stamped.
So no, what you did is make up a bunch of crap to strawman my argument and try to make what I said wrong in some way.
Nice try.
They by definition didn’t “get permission” if they are noncompliant with GDPR.
Are they in the EU? No? Then they don’t need that permission.
Are they in the US? Then they need that permission too.
Your comment doesn’t make sense to me.
Because you don’t know how GDPR works.
No, I meant the wording of you comment is terrible
Was going to say “another one of these?” but, wow, the article really further highlights the childish nature of the Lemmy devs… Can’t wait for Sublinks to reach feature parity and become main stream, so we can leave this dark phase behind.
Yeah same. I’ve been looking forward to sublinks for quite a while now. I’m jumping to it as soon as it’s ready
What is sublinks?
Update: there was a link in the article, thanks though!
sublinks.org
Yeah, I’m pretty excited about it. Apparently the Pangora (Lemmy fork) dev joined forces, and the new UI is starting to look great.
bytes.programming.dev/notes/9qi6rc2avj3gn9dx
I can’t wait to migrate from Lemmy to it. Looks good and all Apps should be working with it
Followed Sublinks on Mastodon for updates 😼
It’s honestly mind-blowing. At every turn, for no reason at all, they act like a bunch of dicks. It’s like they decided to run a community project based on engineering prowess alone, and nothing else.
Except the engineering isn’t all that good, either.
Not only that, but the developer Dessalines apparently denies the Tiananmen Square Massacre and praises the Uyghur Genocide. Absolutely disgusting
Edit: Wow. Tankies are mad. Lmao
Well yeah? The only countries accusing China of mishandling the ETIM in Xinjiang (an issue created by the US through Afganistan btw) are the ones committing an actual genocide in Palestine, i.e imperial core countries. The Organization of Islamic Cooperation, Global South and Muslim countries in general are against the western propaganda about it.
<img alt="" src="https://lemmy.zip/pictrs/image/61883253-d930-4fd1-b036-ed13eb5fb7c2.webp">
Yeah, because the West is also committing a genocide, that means your genocide is ok. Both are doing genocides. Torturing and raping hundreds if thousands of Uyghurs, forcing them to abandon their culture, forced birth control, forced labour, forced sterilisation and prosecution without any legal process isn’t just combating ETIM terrorists. That’s same level of BS argument Israel is using while flattening entire Gaza and saying they’re only combating Hamas terrorists.
Because they’re corrupt shitheads? They don’t give shit about human rights either, they see more profit from supporting China same way the west sees more profit supporting Israel.
Sources:
And you can’t say Amnesty International is Western propaganda because they’re very critical of Israel and it’s genocide as well.
TIL two wrongs equals a right!
And on .ml you get banned for saying otherwise. Check their modlog.
Yeah, one of the project devs threatened to ban me after I told him to get past his own ego.
Par for the course. I hope for them they don’t break the ethics clauses of their financing.
You’re being dense, the reason is devs get burned out and you’re asking them to do work for free.
The reason that an open source developer might experience burnout are myriad, but can include:
As someone who has done Community Management for an open source, decentralized communication platform (Diaspora), I am familiar with all of these things. This shit is hard, and I am not denying that Lemmy devs have done a lot of good work.
The problem is actually much simpler than you’re making it out to be. For a social platform, which depends on interconnected self-hosted communities to succeed, you absolutely have to build in the tools and utilities necessary to deal with all the crazy shit that comes with the territory. Ignoring this causes a cascade of problems that gradually get worse the longer they remain unaddressed.
The devs are surviving on crowdfunding and grants, and doing the best they can with that. That’s commendable! They probably need more of both to have their needs fully covered. But don’t get it twisted: receiving proceeds for your work is not the same thing as working for free.
Why? If your argument were “users of the system need to have these type of tools ancillary utilities to be able to use the core product”, I certainly agree. What I am failing to understand why do you think that this must be the responsibility of the developers of the core product.
What is so bad about the developers delegating this away?
Developmental drift and code rot. Both parties can try their best to keep up with changes and adjustments, but an external resource is always going to lag behind of core. This isn’t necessarily bad, but having it in core at least kind of ensures that future development and updates have to take into account how those things are affected.
Couple of reasons:
It’s core. Super crucial parts of the platform should, ostensibly, be done by the core development team, who can ensure they have someone to work on it as needed. If you delegate the development of a core feature to someone who isn’t part of the core team, there is always a possibility that said person will fall off the development wagon, and the feature either languishes, or core team is stuck having to babysit a part neither of them directly worked on.
The people building the platform need to have a significant understanding / frame of reference for these parts and how they work. When doing future feature development, they need to be keenly aware of which features touch which fixtures.
Trying to delegate this kind of thing to volunteers is just such a mixed bag in terms of Quality Assurance that I cannot recommend it. You might get something great! But regardless, you’re delegating to someone who is a relative stranger, who may have done things in a hacky way that will break something else later on, or may have not even bothered with code or documentation. Worse yet: trying to reconcile a volunteer’s PR with upstream is not always a cakewalk, and this can drag on and on and on. I’ve literally seen projects with PRs open that sat in that state gradually getting adjusted, tweaked, and rebased by various volunteers who came and went, that are still open to this day.
I assume you missed all the microservices hype cycle of 2015? The whole idea was to isolate the dev teams into their core functionalities and to only let them talk through specific APIs.
Speaking as someone with 20 years of software development experience and from the work on Fediverser: all I need from the Lemmy devs is in the API that already exists. None of the functionality related to content moderation and instance administration needs to be implemented in Rust and frankly trying to tie it with the core code would make development slower.
Can you trust me on this one? This is not about the Lemmy devs being dicks or not wanting to do this work, this is me saying that they are right when they say that someone else could take care of this instead.
I’d love it if the API that exists was more reliable… It’s getting better, but the amount of basic features that didn’t work (usually without specific combinations of params or unknown ranges, but sometimes not at all) is pretty crippling. (If there’s a central place of discussion, I’d love to hear about it…I don’t speak rust or flutter, but I’ve had to muddle through source several times)
I’ve never done anything as a mod so I have no idea what kind of tools they need, but I noticed enough basic parts to build all sorts of things.
There’s definitely no reason to build it into the core though… Why put it on the machine busy serving everyone? You could do stuff so much cooler if you offload it… Like you could track mod actions against users/communities/servers, give a sample of random posts across their vote distribution, show the top few communities they get down voted… All things psychotic to even consider in the core right now, but a reasonable project for a separate system
And since you seem like you’d get it, I want to share a win I made today. I’ve got a lemmy app I want to mix feeds (including between accounts and servers) to make a unified feed algorithm on your device. I also want it to support kbin, and maybe more… I took a couple cracks at it and charted out several designs, but I was getting too deep into abstraction.
Today, I finished working on a ridiculously generic abstraction layer - it handles not only tracking pagination, buffering, and preprocessing, it also enumerates all of the options in the Lemmy sdk so I can auto magically build most of the controls when I update. It also disambiguates resources (and actors) across instances and could describe valid actions you can take on it (I think that might be too far, so I’m resisting the urge… This time)
Everything is done through the account level, everything knows where it came from and can call the API by passing itself to its account to be worked on. It’s also neatly serializable, you just have to write one function to pull the next page, and the rest is just an absurd amount of generics
Now, if I can figure out how to translate all that into a usable UI, I’ll be getting somewhere…
I just had to share that with someone who can appreciate crazy data flow, it’s been in the back of my head for months and today (after pulling my hair out for an hour and realizing I was forgetting to actually pass the posts to the UI) it worked beautifully
I like to think of it like this - many hands makes for a very stable project. Stable as in reliable, but also stable as in resistant to change.
Everyone is going to pull in a different direction, and it kind of averages out and slows things down.
Right now, lemmy is extremely immature. It’s amazing how well it’s held up really. There’s a lot to go to get to a solid baseline - just enough to keep
If everyone dogpiled it, someone could easily solve the image problem. Granted, that might block someone else working on the database, and changes to improve or extend federation would likely be set back as they step on each other’s toes.
We could still probably quickly get popular features quickly… For example, one person could get more useful mastodon and kbin federation going in a reasonable period of time. But then, when the core team goes in to overhaul the database or the API, now they need to make sure they don’t break it - and the person who did those changes won’t have the same vision as the core team, and now you have to either refactor the whole thing or work around it until it’s causing too many problems
Certain things can be spun off more easily than others - I think other people have totally taken over deployment of instances.
Some are good candidates but require more maturity - like if they handed off jerboa and the default web client, there’s one place that would need to be reinforced - the API.
Way down the road, they could build plug-in/mod interfaces so instances could choose feed algorithms, or individuals could come up with their own karma systems, or all sorts of other things.
To get to that point, you have to have a clear vision and stable growth though - that takes time, and is better done by an individual or small team keeping things heading in one direction
You know that you are riffing on the theme of “The Cathedral and The Bazaar”, right?
Anyway… For this to work well things needs to be enforced at the API level, but APIs are exactly that: a contract between two separate applications that need to interface with each other programmatically.
I for one wished that “the API” was not something ad-hoc and developed exclusively for Lemmy, but as long as “Lemmy’s API” can be used as a de-facto standard for discussion-group applications on the Fediverse, then I don’t mind working with it.
Huh, I’ve never actually come across that, I’ve only gotten it indirectly. I bet my first mentor put it on in my head, the guy built out our entire system, then a v2, with one intern while the rest of us extended the framework he built.
And that’s the sad part… The Lemmy api is not only not that, federation is an API+ that gives an amazing starting point. As far as I can tell, the lemmy API was made with the official clients in mind, and everything else was an afterthought made in a hurry during the last Reddit Exodus
I started reading through the kbin API, which starts with “here’s a link to activity pub standards, they’re surprisingly readable”. They were… It’s unwieldy in a lot of ways and maybe too all-encompassing, but they left so much on the table.
For one, uri ids. Lemmy has them for everything (which is nice), but they aren’t directly usable. You can get the local ID for the home instance, but if I’ve got a url for lemmy.world I want to see on my instance, my only option is a search. Which should kick off federation, but what if it’s there already? I want an endpoint to resolve it (or even to tell me it’s not here right now so I can fall back).
And the way they handled metadata is pretty awkward… They next objects inside of collections of activity data and object properties, which is annoying because it’s so inconsistent. Like, if you get a comment response, it gives you the comment reply, which is basically a comment without the usual metadata like vote count or the full actor object.
It gives you too much, then suddenly too little - I don’t need the bio, tagline, and banner of a server every time I see a post, and I also don’t need it for the community and user
But I do need the comment votes when I get a reply - I’ll wait on the comment chain and root post, but I don’t want to have to build a post-body only component to show while I wait to replace it with the whole thing
I do really like that they autodoc everything… Even if a lot of it is indecipherable with no context offered. Like the honeypot parameter on getPosts… It’s actually intended to be a honeypot. Like if you set it to true, it’s supposed to not give you posts, or log you or something? I tracked down a one line confirmation on GitHub which left me baffled. I had to try it… It didn’t seem to do anything
/Rant
It is getting better though, the amount of completely breaking changes that pop up is very frustrating, but this time around it is significantly improved
Accepting donations is not the same as entering into a contract agreement where the person giving a few bucks per month entitles them to dictate how the work should be done. If people want to enter in a relationship where they get exactly what they want for the money they are giving, then they will be better off by going to a commercial provider, so that the nature of the transaction is explicit and mutually agreed.
About the grants: AFAIK they got the grant to make federation work, which was completed to everyone’s satisfaction. If they had received a big grant from NLNet, got the money but didn’t deliver on what they promised on the application, then you could argue that they did not hold their end of the bargain. But do you it’s fair that because they got money from one part of the work that they should be responsible for all subsequent deliveries?
I’m really trying to understand where you are coming from with this. You mentioned your work on Diaspora, and I don’t know how much you were involved on it, but I do feel that one of the things that doomed Diaspora was that the founders mistook the attention and money they got in 2010 as an indication that they were all alone responsible in “saving us from Facebook”. If Ilya had learned to say “it’s not my responsibility to build everything to win a fight against a multi-billion corporation”, perhaps he would still be around.
With respect, this is a framing issue and depends on your point of view. Does a donation mean someone contracted you to do something specifically? Not really. But, will mismanagement of expectations and hostility convince someone to stop donating to a project? You’d better believe it. If you’re working full-time on a project, donations are your lifeblood. They literally put food on your table. You literally can’t afford to disregard the needs of users and admins. But of course, you are at discretion to decide what those needs actually are, and how critical they are. Nevertheless, the relationship is more transactional than it appears to be.
Overall, I think their grant from NLNet was a good thing, and I think they did good work on that. As long as their work was in scope of the grant, I don’t see a problem with that.
Community Manager, circa 2011 to 2013. I was basically an air traffic controller for GitHub issues, acted as a developer liaison, served as a face of the project to the community, and engaged on the network every single day to get a pulse on what was going on. A lot of it involved smoothing things over with people who were upset about things, resolving conflicts, drumming up volunteer coders, and indicating to core team what varying needs were across the user and developer communities. I lived and breathed it every day.
This is somewhat inaccurate, and here’s why: Diaspora never advertised itself as an Anti-Facebook. They were building a federated network that focused on user freedom, and it was a combination of timing and insanely good luck that their Kickstarter campaign picked up as much as it did. The whole “we’re going to save you from Facebook” thing was an invention of the media to get people to click headlines. What really doomed Diaspora was that the core team wanted to be a startup, the community wanted it to be a project, and getting the company into yCombinator had the team focus on things further and further away from their original goals.
This is where we fundamentally disagree. This is only true if the developers puts the project above themselves, which is the wrong attitude on multiple levels. Developer owe nothing to those donating, they owe nothing to the project and they should never be compelled to accept anything because other people are putting a metaphorical gun to their heads.
And like I said before, even successful projects are barely getting by with donations they are getting. Instead of putting themselves on some imaginary treadmill (one more feature, and we will get people to like us!) it is healthier for everyone if we dropped the pretense that “community is enough” and established beforehand what all parties want to get in order to get something done.
So, here’s the thing: these guys are working full-time on the project. Their only source of income, grants aside, are donations via fundraising. Effectively, they are putting the project above themselves.
The common model for this nowadays is the Patreon / OpenCollective / LiberaPay, where donations are usually given continuously over an indefinite period. It’s closer in form to crowdfunding than it is traditional institutional donations.
This is going to sound shitty: just as the expectation is set that no one should make demands of work done for free, so too is the expectation that development work technically isn’t owed a single penny. Any donor can stop giving, for any reason, at any time.
If I as a donor feel my needs aren’t being met, I can stop donating. As a collective action, a bunch of dissatisfied supporters can do the same all at once.
I’m not saying either side should threaten each other. But let’s not pretend that this is some hoity-toity Utopian model where donors selflessly hand over money with no expectations, and the developer just works on whatever. If your livelihood depends on it, if you can’t put bread on your table without it, then you’ve got to keep your backers happy.
No. They are working on something according to their own terms and their own value scales. They are giving a clear indication of what they are willing to do for the miser amount of money they are getting, and are telling quite clearly what they do not value highly enough to justify spending their time on it.
They would be sacrificing themselves only if they bent over and worked on something they already said they don’t want just because other people see value in the work they already done and want them to keep pushing out the missing functionality.
It sounds shitty because it is shitty. The donation-based model is insufficient and unsustainable. What you are describing is the main reason that I’d rather shut down any of the communick instances over turning to “donation-based” access. At the same time, the reason that I have managed to keep things running (even if not profitable) is that by refusing to play this game I don’t put myself in an unsustainable situation.
The surprising thing is to see how even people who have been involved in the space for so long continue to advocate for the donation-based model. Perhaps it would help everyone if we accepted reality and started telling people that it is not okay to push people to work for free? That donations are only a way to show support for what people are doing and do not entitled them to make demands of any kind? Thay if you want something done according to your exact preference and expectations you need to enter a proper contract where both parties agree to the terms?
This is why I was a bit frustrated with your last blog post. You acknowledge that there is a problem with FOSS development, but instead of trying to elaborate on a alternative model, it went down the route of victim-blaming the FOSS developers who you think should swallow the opportunity cost and keeping cranking out code. This is not healthy at all.
You don’t understand how open source works. You are not entitled to any features. Let the devs go on their own pace. A lot of open source projects shut down because of similar reasons.
While I think you’re correct about it ultimately being their project, and that users are in no place to demand or expect anything, this thing takes on whole other dimensions once a project is all about building a social platform. Particularly one where volunteers host part of the network themselves.
It’s one thing to look at some random demand to write everything in a P2P architecture because DNS is too centralized. When I worked on Diaspora, I literally saw people demand stuff like that, and laughed it off. I’m trying to build a platform that exists today, not some pixie dream bullshit compromised of academic circle-jerking.
But when it comes to basic table stakes for participating in a network that already exists, things change a bit. This is especially true when you’re connecting to a global network that has:
Suddenly, it makes a lot of sense to say “you know what, admins are going to want to filter this shit out, maybe it’s reasonable for them to have some tools and fixtures that are part of core.”
Unfortunately, these devs are the kind of people who scream angrily when someone says “Hey, this thing doesn’t actually respect local image deletes / GDPR stuff / content deletion on account deletion”. To me, that’s fucking insane.
Likewise, an open source project can totally die if they refuse to engage with the needs of the users. The lack of moderation and content management tools have been a longstanding criticism of Lemmy, and instances will migrate to alternatives that address these concerns. It is a genuine legal liability for instance operators if they are unable to sufficiently delete CSAM/illegal content or comply with EU regulations.
But opensource projects are more likely to get dropped by devs than losing their userbase from what I’ve seen. I could be wrong. Both our points are true. That’s the best part of fediverse. If one doesn’t like lemmy, they are free to choose an alternative. I just don’t agree with demanding features from open source developers. There is a distinct line between demanding and requesting. I’m not saying lemmy is perfect. Maybe Sublinks would be better. Let’s wait. But even Sublinks won’t be sustainable if users do not respect developers time and patience.
I think there is also a distinct line between demanding, for example, a new animated avatar feature and demanding a way to delete child porn.
Reasonable.
You don’t know how social networks work. They only survive based on network effects, if they don’t have the most basic functionality that users expect (like complying with privacy legislation), then they will fail to reach critical mass and be outcompeted and die.
If the devs don’t want to provide the most basic functions that any user of a social network would expect, they’re welcome to be downvoted to hell and have their project go back to being one of the millions of forgotten and unviewed personal github projects.
Open source projects die because it takes both technical talent and attention to your users to make a project successful, and for-profit companies often pay different people to do those.
The entire point of the “fediverse” is to combat the network effect. Don’t like Lemmy? Move to another app and still communicate with people on Lemmy. Plus it’s all open, can’t find an app you like? Build one or wait for someone to build one you like.
No, it’s not.
The purpose of the fediverse is to decentralize control of the network, it does not eliminate network effects in any way shape or form. At the end of the day a social network is only as valuable as the users using it and contributing content to it. If they don’t find lemmy pleasant to use, they’re not going to say “let me jump to mastodon” they’re going to go to Reddit.
You really don’t understand network effects if you think you can just sit around and wait for basic functionality and expect your network not to die.
We can expect them to follow the law. And yes this means implementing required features to comply with the law.
Nothing here is breaking any laws. I don’t know why OP thinks the GDPR applies here, it doesn’t.
It does apply, but not to the Lemmy devs, but to the instance admins.
As it stands, you can’t legally host a Lemmy server in either the EU or the US (or places they can reach) and federate with the 'verse at large without fear that the authorities will come after you.
This is not true at all, you can host a instance in the USA for free and not be subjective to the GDPR. You’re not selling anything, or marketing anything or doing any data collection to be sold. It %100 does not apply.
GDPR article 3, and the EU-US Data Protection Umbrella Agreement concluded in the US in December 2016 which makes it US law disagree.
Yeah no it doesn’t.
gdpr-info.eu/art-3-gdpr/
Go read it ffs.
Lemmy instances offer services to me as an in-EU data subject, and that makes it subject under the very Article 3/2 (a) you linked.
Since there is federation, a US-based instance would still be a data processor if it IP blocked be as coming from the EU.
I did in fact read it.
Read the rest of it, instead of cherry picking shit. The instance needs to be collecting your data and selling it or making some sort of money off of it.
Where does it say that?
Lemmy doesn’t sell anything and it doesn’t monitor you or collect pii.
Anything that someone’s identity can be even indirectly inferred is PII. The GDPR explicitly defines usernames as online identifiers as PII.
The whole “irrespective of whether a payment of the data subject is required” bit is so that it applies to free services like Lemmy as well. Lemmy provides me with a free service. It even monitors me through federation, since it scrapes my username and comments from other instances without my affirmative and explicit consent. Using a service, no matter its nature, is not consent as required by the GDPR.
There is an explicit cutout for services you offer yourself or your household members. The reason it is there is that free services like Lemmy absolutely do qualify.
No it doesn’t, and good luck finding a case where someone has been fined for hosting a free service that doesn’t sell anything.
There are dozens of cases of fines issued to municipalities, and government offices that don’t do business. France fined a parliamentary candidate. Italy has fined the Italian Archery Federation, an NGO. Germany fined a bunch of individual police officers and an employee of a Covid testing centre.
Please either start backing up your claim of some supposed nonprofit exception, or go sealioning somewhere else.
Cool, so no forum owners of foss…got it.
Nice moving the goalposts there. You said “not selling anything”. I think police officers or the “Association for the prevention and study of crimes, abuses and negligence in information technology and advanced communications” don’t sell stuff, they were fined nevertheless.
If I put a link to for example this case where a small social media provider got fined for nothing more than not handling data well, you could move the goalposts even further.
Or you could look at the countless cases brought against private individuals where they of course are not selling things. Austria fined a guy under GDPR for having a dashcam!
So again, you made a claim that there is an exception under GDPR for “forum owners of foss”. Let’s see evidence for that claim.
Let’s see, in the EU and was a company that sold and processed data.
All you have done is provided that companies that hold pii in the EU have been fined before.
I’ll ask again, please provide a instance of a person who holds no pii operating a forum or instance that is free, sells no data and makes no profit off the instance being fined.
I was going to write a long ass answer to this, but tbh I’m tired of you asking and me answering the same question over and over again while not providing any source for your claims.
Lemmy holds PII. Usernames and other online identifiers are PII according to GDPR Art 4/1 and legal practice as well. Photos people upload of themselves, people claiming to be Jews or from some country in comments are all PII. You have just said “oh but they are not” without backing up your claims. If nothing else, the fact that Reddit, the site which this is a clone of, holds PII should convince you if the relatively plain words of the law don’t.
Lemmy processes data. According to GDPR Art 4/1 data processing does not involve sales of data, just “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”. Again, you have not found anything to back up your claim that “it actually doesn’t and selling and processing is the same”.
GDPR applies to nonprofits, even non-commercial entities, private individuals, government institutions as evidenced by fines. You claim an exception for “forum owners for free instances” without even trying to back it up, and are asking me to prove a negative, again without providing any evidence of your own.
So the real question is, let’s say you’re an admin of some instance that grows to some noticeable size. Would you trust your gut feeling of “I hate EU regulations, and they shouldn’t apply to me either” before some random country you probably never heard of sends you a letter that you pay them some large amount of money? Or would you implement basic delete functionalities on your website and sleep easy?
I disagree strongly that they are childish. They are 100% correct in what they are saying here. Also this article doesn’t “highlight” their behavior, it’s actually “cherry-picking” behavior that puts them in a bad light. Similar to tabloids read by the lowest iq crowds.
You don’t demand anything from open source devs. You feel gratitude for what you have.
.
It’s my only account and it’s my honest opinion about this. Take that as you may.
.
You are free to build your own platform without the “harm caused here”.
Java is horrible. And Lemmy is open source. We could just fork it and have the best of both worlds.
The core issue here is that there are too many things to do, and too few developers to do them. By the way, for a huge number of these things that need to be done, there is most likely at least one person who thinks it’s the absolute highest priority for Lemmy. Forking would not help fix this issue, it would only make it worse.
In other words: if you’re a Rust dev, you can just fix it in Lemmy anyway, so there is no benefit from forking. If you’re not a Rust dev, then after forking, you will have a new repo to create issues on, except you’ll have 0 devs to actually fix them.
Honestly, what? Why would be baffling to have third party tools in this ecosystem? It would be baffling if that was the case for Facebook. Also the devs did work on some moderation features, but they probably have tons of other stuff to work on, all for an amount of money which is a low salary for one developer.
That’s not the argument being made. What’s baffling is to pretty much only rely on the efforts of third party devs to fill in the missing gaps. It’s a profoundly bad strategy.
It’s like with Bethesda releases a shitty half-finished game, and leans on the modding community to actually put in half the things that would actually make it in any way fun to play. Except Bethesda actually makes money, and the community works for peanuts. Here, Lemmy makes some money, but a huge chunk of the user community shoulders the cost out of pocket. A big chunk of the Fediverse is actually unpaid labor that brings in negative dollars month over month.
The devs have a vested interest in ensuring their project continues to grow, they continue to get funded for their work, and features on their own roadmap get planned and developed. They can’t do that if the tooling is too brittle, shitty, or threadbare to actually handle the deeply fucking intense problem of managing and maintaining a server and community on the open Internet, where literally anything and everything goes. Factor in a myriad of local jurisdictions and laws about data and content, and a lot of these things end up becoming severe liabilities.
Look at it this way: with federation, a handful of volunteers themselves are doing labor for free, for the devs, by propping up their platform, client ecosystem, and reputation in the space. If this gets bad enough, people will literally say “fuck it” and walk away.
I literally quoted the article:
I mean, there are some moderation features in Lemmy, for sure with gaps, but there are many gaps on other aspects as well, and if people can’t run the instances due to other technical issues, there is also nothing to moderate, so obviously prioritization is complex when resources available (dev) are so limited.
That said, I really don’t see the problem of third parties. We rely on third parties for one of the most fundamental features, which is community discovery (lemmyverse.net), for example. What’s the problem with that? I think that’s literally one of the benefits of making an open platform, where other people can build other tools in the ecosystem. We are not purchasing a service, we are not talking about an organization who has a substantial revenue and tons of people and can’t deal with basic functionalities. We are talking about a project with a team that is smaller than the team that in Facebook deals with which colors to make buttons, and it’s “paid” 1/20th of that. So I still don’t understand, what is “baffling”? Because from where I stand, all things considered, it’s totally normal that a project with these resources and that gained popularity less than a year ago has still tons of gaps and a long roadmap, and that tools in the ecosystem address some of these gaps.
No it’s not. Bethesda is company that sells you a proprietary product while having a revenue in the order of hundreds of millions. The relationship between Bethesda customers and Lemmy users has absolutely nothing in common.
Lemmy makes no money. Considered the opportunity cost, Lemmy loses money. A single dev with a full time job can easily double the amount that Lemmy devS earn. Not to talk about the fact that the money they make are donations, without a contract bounding them to anything and also not granting them anything (tomorrow everyone could cancel donations and the income would disappear).
Sure, but again, if those were the only problems and the devs would be sipping cocktails in Hawaii splurging on those 4k/month, I would agree with you. If they think priorities are elsewhere, or are also elsewhere, they might have their reasons. In fact, in the article there is a complaint about them answering in a “hostile” manner, but I also understand that the issue in question is probably the 100th issue in a week/month in which other people tell them what they should do. This is a regular problem in OSS (See mastodon.uno/@bagder@mastodon.social - the maintainer of curl - for plenty of examples). After they understood better what’s the problem, their stance changed as well, which is also reasonable.
I don’t look at it in this way at all. I think the devs made it extremely clear (even given the political stance of both) that despite the happiness of seeing their project flourish, they have no interest in growth as an end. In fact, I would say that nobody is doing work for the devs. But I see that we have a fundamentally different perception on the dynamics in Lemmy, so I see no reconciliation between our opinions.
Yeah it’s open source, 3rd party tools existing is kinda the point really. If these people care so much then they should be working on making tools to address the issue, or funding someone to do so.
@deadsuperhero Damn..breaking GDPR is a big problem
If an entity isn’t in Europe it shouldn’t be a problem at all.
That depends and should depend on what the instance is used for and whom it is used for.
If it’s an instance open to anyone, it’s up to Europeans to not participate if they don’t want to.
Yeah unfortunately that’s not how the law works.
Actually it is :)
Not located in the EU, not targeting the EU, and under 250 employees means no GDPR to worry about.
…europa.eu/…/who-does-data-protection-law-apply_e…
From your link:
A social networks core purpose is processing data, processing of data does pose risks to people.
I doubt that privacy watchdogs will pursue smaller instances, but pretending it never applies could lead to legal issues.
Eh i still dont think itd hold up.
But more reason to hate European arrogance. Imagine if i could go to say your blog, comment my name and address, and sue you for not going into your database and scrubbing it all. Just another way to benefit big companies at the expense of individuals who dont have the tech skills to comply but want to run their own personal sites.
Such an ignorant stance. Privacy is an individuals RIGHT. It should have been the defacto stance for everything.
You allowed the corporate fuckery to cloud your thinking it is too much to ask for. It isn’t. And GDPR compliance is usually straightforward.
If the blog platform in your example had an option to “delete my account” and it would then completely scrubbed this would be plenty compliant probably. As would the option for people to comment without storing anything but the comment.
It is, which is why you have the RIGHT not to use a public space and push your information out to millions of people. You explicitly agreed to it the second you started doing it.
And if it didn’t? If it’s just a simple piece of software made by two people? Should they drop everything to cater to European demands?
Europe invaded the world, then turns around and tells the world to respect its self imposed rule it enforces on others. We can’t even host our own space on the internet without you invading and threatening us to operate your way. The only safety we apparently have is in our small size means we might escape notice.
It’s utter arrogance.
Europe funds them. Check where they got their money.
Requiring people (yes also tankies devs) to respect human rights as outlined in many treaties is not a fringe stance.
The GDPR was implemented to require entities to respect human rights by giving privacy watchdogs some teeth. It’s not some strange law people made because they felt like it. It is apparently needed because privacy is just some silly concept to some people.
If you don’t understand all of that, maybe just sit down and be quiet.
To be precise, it’s not devs that need to worry about GDPR, it’s instance admins. I don’t disagree with you, but I think it’s an important distinction to make.
Fair point, it also requires privacy by design though.
And again, why not invest some time into actually respecting privacy. Storing all sorts of info through a framework that is not needed. And at least discuss what is needed and for how long.
It is a work in progress, but there is no need to be hostile about these requirements by people against these rules.
I am sure that for such small shops it’s trivial to explain that resources are extremely limited, I don’t see any data protection authority actually pursuing anyone based on the lack of privacy by design. The point is, nobody is forcing you to deploy the software as is, and technically anybody could write tools that bridge the gaps in the software. If the software does not offer data deletion, any instance admin could have identified this gap (a risk assessment for data collection is also needed technically) and wrote a script that would allow to satisfy data deletion requests or anything else that would have made them comply.
That said, I agree that these features are important. I do not agree that they are what the devs should work on right now, or that at least it takes some convincing to convey the fact that these are important features for instance admins to be compliant and for users (in general).
I also get the point about the “I am not taking your word for it” approach. Look how many people in this thread talk about GDPR without actually understanding who is the data controller/processor and who has to be compliant. I can only imagine the amount of uninformed people who open issues and waste time for already busy devs. We are seeing the couple of examples that the article picks, we are not seeing the rest of issues which justify this harsh approach.
The way I see it, having certain features implemented in the Lemmy software is one way to ease compliance for admins, and they should just upvote the issue and explain why it’s important for them, possibly even adding a bounty to the feature. OP’s approach doesn’t seem this and it’s much closer to demand stuff, as if the compliance responsibility was on the devs and the donation were some sort of reason to make them work on what other people want.
Or the US. The US enforces GDPR on behalf of the EU. If the US catches you with misusing EU citizens’ data, they will let the EU take 10 million off your accounts and/or close your instance.
Lemmy devs being man children when confronted with GDPR compliance.
And if Lemmy if supposed to better Reddit in basic fucking decency then GDPR is absolutely crucial.
how are you supposed to do gdpr compliance on a federated system though?
You can’t and this is a shit article…the GDPR doesn’t apply to instance outside of the EU…
dickinson-wright.com/…/what-usbased-companies-nee…
Literally people using the GDPR like it’s some gotcha thing for admins. If nothing is sold or offered to be sold and their is no financial gain it’s not going to apply. On top of that good luck suing a FOSS dev.
Edit: that downvote button does jack shit on Lemmy people. If you think I’m wrong why not prove that I’m wrong…and why a bunch of law firms are wrong as well.
It absolutely does, if the company processes data of EU residents. The US enforces GDPR themselves, as they have signed an agreement to do so. To be clear, this means that according to US law, if you are a US web host, you can abuse US customer data and the FBI will not come after you, but if you do so with EU customer data, US authorities will come after you on behalf of the EU.
Yeah it does, as soon as you are providing a service, if you have a user from the EU that’s not you, it applies. And while GDPR fines are defined in a revenue percentage, there is a minimum of “up to 10 million EUR” for a violation.
Nobody is getting sued. EU data protection agencies don’t “sue” people and companies. They fine them. The difference is that a lawsuit is a process where at the end you might need to pay money, but you mostly settle. A GDPR fine looks like you get a letter saying you need to pay an amount, if you want to appeal, you can do so after paying.
And it’s not the devs that will be getting these fines, it’s instance admins.
And this is why misskey is a mastodon instance that just blocked access if the person is from the EU, it’s too much to ask for devs in a single digit that survive by donations or their own pocket money, this is a hobby for them.
Yeah, their main income is from a Dutch based EU fund to help Foss projects. So maybe, just maybe they can then fix issues in following dutch/eu law.
Did they defederate from all instances allowing access to EU citizens? If not, they are still liable, as they are scraping EU citizen’s data for federation. Even usernames are personal data according to the GDPR.
No it does not, the instances are free, no one is making money off user data or selling anything to the user. It does not apply period.
No it does not, if you do not sell anything to anyone or offer any services or make any money it doesn’t apply. Stop repeating bullshit.
Good luck fining a host admin, of a foss instance. I don’t know why you think that any admins of instances will be getting fined if they’re not selling anything. You need to read up on the GDPR.
Again, no they will not.
As per official EU communication:
Lemmy instances are entities that offer free services and are arguably monitoring the behaviour of individuals in the EU through federation. From the perspective of the GDPR, there is no difference between Facebook and a Lemmy instance regarding what they can or cannot do, or whether they get fined for something.
You need to read up on the GDPR yourself.
What personal data is being processed by a Lemmy instance, what are they processing that’s being sold in the EU? The GDPR does not apply here, stop trying to wiggle it into something it’s not.
Usernames at the very least, as online identifiers.
And they don’t need to be sold, just retained. GDPR applies even if there is no payment anywhere, even to non-commercial entities.
Usernames are not PII…the GDPR only applies if someone is making money from the service. It does not mean just because your site is free but hosts ads or sells user data it’s exempt. Lemmy instances do none of this.
What do you think an online identifier is then? And why would the GDPR only apply if there is money made? It specifically says in multiple places free services also count.
www.ibm.com/topics/pii#:~:text=Personally identif….
Usernames are not and never have been considered pii
The GDPR states it clearly that the company/entity has to be collecting pii or selling something to the person. Lemmy does neither of these.
How is IBM authoritative on this subject? And even so, this article doesn’t say that usernames are not PII, it even indirectly says it is indirect PII.
Here’s another random company’s page saying usernames are PII: keepersecurity.com/…/what-is-personally-identifia…
The GDPR says it clearly and explicitly that:
Usernames that are used in an internal network are, because they’re linked to pii, a public username is not pii.
And where did you read that? If anything, public usernames are easier to correlate to form identities.
Use this for starters eff.org/…/user-generated-content-and-fediverse-le…
Nothing in there about the gdpr… literally 0, because it’s not part of hosting a forum that doesn’t host private user data or collect non essential cookies.
Why are you trying to be an authority on GDPR without even reading about what it is?
GDPR applies to all personal data of people currently in the EU. If you have a service that uses data from a person in the EU, you need to comply with it. It’s not some “gotcha” law which goes in effect once you make money.
What personal data is a Lemmy instance holding onto?
I’m pointing out how much bullshit is being spread in this damn thread by people who don’t understand the law. You’re the same damn users who get pissy with forums and demand action be taken using a law you don’t understand.
You are the one who doesn’t understand the law.
Says the guy who’s literally arguing with what lawyers in the USA say about the GDPR…good one.
Show me a lawyer that says “if you are processing data of EU citizens you can’t get fined in the US”. You don’t know anything about GDPR. It’s not some toothless law that only works in Europe.
What part of personal data do you not understand? Lemmy instances are no processing any personal data
And the link I provided has already stated this, but here it is again.
dickinson-wright.com/…/what-usbased-companies-nee…
You are responsible for data collected by your own instance. If a deletion request comes through, you are responsible for deleting it from your account, and forwarding the deletion request and responses to other instance you federate with. You are in the clear as long as you don’t keep data you legally can’t, and have sufficiently informed other instances of your obligations.
No, if you collected the data and shared it with others, simply informing the others is not enough. This is why the platform needs tools for admins to comply.
A proper method, that allows the users to nume their account could already be enough.
What I mean by informing others is that you have to explicitly forward the deletion request. Not much else you can do I think.
I get that, but this is where it gets tricky. As “there is nothing we can do” was the number one reason used under the law predating the GDPR. So in the GDPR there is a stipulation that you stay responsible or share responsibility with the other party If you share the data. Because large companies used this to send data through clearing houses allowing them to hash their hands.
GDPR is really the cranky brother of its predecessors, because there was so much fuckery going on.
And while I doubt Admins will be a prime target for privacy watchdogs, it is good that they also have to think about the privacy of their users. Since privacy is a basic human right.
Oh, that’s actually neat. But at the same time, that means every instance owner is responsible for the whole of the Fediverse.
I can imagine that would mean non-compliant instances will get defederated at some point? Or ActivityPub will get some compliance features? It’s not like the EU is unaware of the Fediverse, they are the main monetary supporters behind Lemmy.
I have no clue how jurisprudence would turn out. But keep in mind, this is not about the posts people make. The framework just needs to collect/store as little information as possible that can be considered PII. And it should have a way to remove it.
If Deleting your account results in the PII actually being removed (username, ip address, other profile info, whatever data is stored under the hood) and these removals actually get federated… there should not be an issue.
Then admins maybe have to do something if people start posting PII as messages, but that would probably be doxing and up for removal anyway.
So mainly the issus boil down to:
The issue I see is that if my instance is on the hook for the fediverse at large, and I operate on an allowlist basis, malicious actors can scrape PII and ignore the GDPR, and that would make me the one on the hook for that, isn’t that right?
There is plenty of jurisprudence and clarity needed, so… maybe. Hence the importance for the framework itself to be as GDPR compliant as possible and not store PII if not nessecary and remove it once no longer nessecary. (Storing someone’s IP for login, and post validation, bans etc should be limited to the period that makes sense, not infinitely.)
And in your example, the ‘malicious’ part of the 3rd party probably makes it different. Maybe then it is a dataleak.
Hey everyone, I just wanted to thank you for the lively conversation and thought-provoking insights. We don’t have to agree on every point (or at all), but I’ve decided to synthesize a lot of thoughts and ideas from these conversations into a blog post: deadsuperhero.com/…/economic-musings-on-federated…
I know you said it is a brain dump, but your follow up still seems mostly an emotional reaction to how the devs responded rather than a reasoning synthesis process.
E.g, your “Where Fediverse Software Differs”, it seems like you want to pay off the set up you’ve placed in the previous paragraph (about the difficulty of being an open source developer), but this payoff never comes and instead you end up the argument with “The feature requests valid, and the devs responded like dicks”.
Even if we take “the feature request was valid” for granted, it does not follow that the devs must act on it right away. If the Lemmy devs acknowledged the issue and said “You are absolutely right and we strongly advise anyone hosting an instance in the EU if they are worried about GDPR”, then what? Do you think that whoever wrote the “perfectly valid feature request” should still be pushing for making it a higher priority? On what grounds?
Also:
shouldn’t ever be used as an excuse to justify free labor from developers. This is not Self-Loathing and Display of Low Self-Steem Olympics. Anyone that comes to me with a “I’m not gaining anything from my work” argument will promptly receive “The fact that you can not establish boundaries and are martyring yourself is not my problem” as a response.
The fact that developers of FOSS software project are able to tell users “If you want something done, you need to give us the resources or do it yourself” should be lauded, not criticized or be seen as “dicks”.
If instance owners are dealing with bad users “and not getting paid for it”, they can do two things: close down the instance, or put proper boundaries and tell what they are willing and not willing to do for free. Alternatively, they can do what I do and make the relationship explicitly transactional: I’m more than willing to work a lot to solve my customer’s problems, but this is only after they actually paid me for it. The fact that I only accept paying customers makes my instance noticeably easier to manage. Even if I’m charging way less than what some people would donate to their favorite instance, the fact that all the users from the instances are paying make for an excellent filter.
This “donation-based” approach needs to change. Mastodon has no problems with “optics”, and its “Founder and CEO” is reportedly making 30000€ as yearly salary. This is ridiculously low. This is less than what an intern makes at Facebook. The three Lemmy devs are sharing less than 4k€/month. You can make more money by working part-time on Uber Eats. To think that this is enough to claim “they are making some money” is frankly absurd.
If society in general is so tired of exploitative Big Tech, society needs to give a strong signal that it’s willing to pay for the alternative. If we don’t want to have the most brilliant minds of our generation working on how to optimize the amount of ads that you get to see online, then we need to show that those building better solutions can be properly rewarded. It’s not up to the developers to try to build out everything perfectly and then go around begging for people for breadcrumbs and their seal of approval.
To sum up: I’m not saying that developers need to be worshipped because they can do what others can’t. I’m also not saying that the Lemmy devs were right in how they communicate with its users, but I am saying that they are absolutely right in establishing their priorities and not let their work be dictated by someone that is not putting any Skin on The Game.
The problem sort of is capitalism right? These public good projects should have public funding. Imagine if the public funding for open source software projects was like that of the Apollo program in the 60s (2.5% of gdp).
I am not sure I’d be using any mass communication platform that is primarily developed and/or funded by any government.
But anyway, I really don’t like to use hypotheticals as an excuse to not take action. Yes, it would be better if there was more public support for open source. But it doesn’t. Should we just shrug our shoulders and do nothing on our own? Why give away our agency?
One could argue you’re using one now.
No, not really. We’ve come a long way from ARPANET. Pretty much every large data network is privatized. The foundations working on funding FOSS might even get some of their money from Governments, but they are reasonably independent.
Anyway, my point is less about radical pro- or anti- government and more about asking “Cui bono?” if I suddenly heard about increased interest from any State Government to get more involved into specific FOSS projects.
Personally I believe that yes open source should be created by governments for the global good, that open source should be created by people studying PhDs and that community commons projects should be part of schooling with students learning how to use and contribute to them.
However the main brunt of open source should be created by people who simply want it to exist because we will always outnumber and outperform government workers and students.
Personally I would love to see a world where contributing to community projects is something everyone does as part of their life, not only because it’ll create more open source but because I think it’ll be a much healthier community if we stop seeing everyone else around us as competition and start seeing them as fellow workers in the project to improve life for all.
I can’t imagine why the devs or others wouldn’t be receptive when that’s how you start off
Instead of playing the blame game, let me see if I can help with a solution: I am fairly certain that I can take the “admin” functionality that I built for fediverser and use it as the basis for a “moderation dashboard”. It’s a Python/Django application that can communicate with the Lemmy server both through the API and the database. The advantages of it being a “sidecar system” instead of being built “into” the Lemmy code itself is that I am not blocked by any of the Lemmy developers and the existing instance owners do not need to wait for some fork to show up.
I can propose a deal: at the time of writing, there are ~200 people who upvoted this article. If I get 20 people (10% of the upvoters) to either sponsor me on Github or subscribe to my Europe-based, GDPR-subject suite of fediverse services, then I will dedicate 10 hours per week to solve all GDPR-related issues.
How does that sound? To me it sounds like a win-win-win situation: Instance admins get proper tooling, Lemmy devs get this out of their list of concerns and users get a more robust application for the fediverse.
In a similar vein, I’ve seen a lot of auto moderator implementations created. If instead of creating yet another project, people started contributing to existing ones we’d have a good core set of functionality that could be shared across instances. Competing implementations are fine, but at some point the efforts get spread so thin that progress is limited.
This sounds great!
Glad you agree, and hope to see your name on the sponsors list and/or the communick signups. ;)
If someone will point me there I’m on it.
The links are on the first comment:
Ok! Amazing.
I wish you the best of luck on this and I truly hope you do this, but this is what the lead dev of Sublinks tried to do. That’s the missing piece here. He tried making an external mod tooling system. Maybe you’ll have better luck than he did. I really hope you do.
That sounds great! Be sure to get in contact if you run into any problems or limitations with the API.
Thanks that sounds great
I don’t agree with the tone of the Lemmy devs, but they are right: it’s opensource being worked on mostly in the free time of people. Do not treat the devs like they are paid to do your bidding, because they aren’t. If you donated and have expectations, you don’t understand the meaning of a donation.
Imagine if the author had a woodworking workshop on their compound where they made things out of wood; figurines, furniture, tools, sculptures, and so on. Say they opened it up to the public so that guests could have a look, play around, spend some free time there, and maybe even use the equipment there. But then guest started demanding the author buy newer equipment, make sculptures more to the guest’s liking, made the workshop more accessible to invalids, put up the national flag, play the radio, and a host of other things. All the while not footing the bill for anything, not helping clean up, not volunteering to help in any fashion.
Then the author refused and invited the guests to help. But instead, the guests went off and made a blog saying the author was selfish, cold, self-centered, egoistic, rude, and what not.
This is what the author of this article and people in that github discussion come over as. If those people came into my workshop and told me how to do things without helping out in any way, I’d rightfully tell them to fuck right off.
Articles like these that are practically demanding change will not and do not improve the dialogue. They are actually bad for opensource as a whole because they give people who don’t understand opensource the feeling that they have the right to complain, the right to demand, the right to expect, the right to be entitled to an opinion and an outcome.
That’s a thumbs down from me dawg.
CC BY-NC-SA 4.0
This is what i would’ve wrote if i had the patience
I have a better example. What if a small company made pills or medical devices. Do they get to be noncompliant with the EU law, and tell their patients “we won’t get a medical license, there is too few of us to do it”? If you aren’t okay with that, you aren’t okay with lemmy being noncompliant GDPR-wise
Beautiful example of a commercial company selling products to customers 👍 My questions to you:
CC BY-NC-SA 4.0
Are lemmy admins handling EU information? Yes. Do they offer services? Yes. It doesn’t matter if free or not. Hosting a lemmy instance that allows EU users is therefore illegal.
Ah, I see. You’re answering your own questions with the answers you like. Do you even need me to agree with yourself?
Let me guess: “no”.
If you want to read your opinion typed by somebody else, I suggest you get a secretary. I’m not here to indulge in your fantasy.
CC BY-NC-SA 4.0
Ah, so now that it is really plainly explained and you have no arguments (since you never did) you start complaining and poisoning the discussion. Good job.
Of course the Lemmy devs aren’t liable for GDPR violations; the admins are. That doesn’t eliminate the problem, though: if the Lemmy devs wish to see their software used as it is now in the long term, they need to introduce GDPR compliance tools. We should consider it gravely concerning that bad actors (e.g., a Reddit employee) can set up Lemmy admins for a massive GDPR suit at any moment.
Edit:
I know it’s a stereotype around here, but not everybody on Lemmy is a programmer with free time.
Let’s play it out. I have a commercial instance based on the EU, I have a handful of European citizens who I have processed data.
If any of them tells me they want to delete their data, I can run a script that delete all their data from the database. If they want me to tell you what data I collected from them, it’s another data query away.
Please do tell me exactly what is illegal about it.
Your instance is tiny and it is manageable. For large instances, it’s not “just a single query”. You also can’t miss anything, so photos and similar - if they have uploaded something.
Also, does your instance have a cookie prompt? If not, then that’s a paddlin.
So, you went from “all instances are liable” to “big instances won’t be able to handle it”. Not only you just moved the goalposts, you are also missing the point of the Lemmy devs: if compliance with GDPR is problematic only for instances that are so big to the point that the volume of requests can not be manually processed, then it’s not something that should be a concern for the developers of the main software and the cost to implement such a thing should be born by the admins themselves!
Cookie prompts are only required if you have tracking cookies, which I don’t have on my website or any of the instances I run. Cookies used for authentication or basic functionality (let’s say to store the user preference for dark mode) are not tracking the user across multiple sites and therefore do not fall into the requirements for disclosure.
Edit: downvoting without a response serves only to show how lost you are in your argument. You spent the best part of the last two days fueling the mob and throwing accusations at the devs and basically making them criminally irresponsible and now you can’t even support the premise that EU instances are somehow not able to comply with the law.
.
GDPR applies to any entity that processes personal data. That includes instance owners. In fact of you look up GDPR enforcements you can that it’s also enforced against private persons.
.
Maybe you should reread what you wrote? You said there’s no way GDPR would ever apply. I said it does. You said there are no enforceable actions, there are. the part you thought makes you right is the “criminal charges” part but that makes zero sense to begin with because GDPR, as an EU wide regulation, imposes only fines and no criminal charges.
.
GDPR absolutely applies to Lemmy, it’s just that nobody has looked at it / there wasn’t a complaint. When that happens, lemmy will be in trouble.
.
There will be enforcement if one asshole reports instances. Are you certain nobody will get disgruntled and report it?
.
Yeah uh huh, I sure do suck mr random person on the internet. The only thing you are saying is “these people won’t audit lemmy because they don’t want to”. You think that in some magical way, lemmy will be immune. Guess what, it won’t. The fines aren’t simply because people aren’t cooperating (and the devs themselves said that they don’t care about GDPR outright). You don’t know how it works, all you do is wishful thinking and insulting others.