this post was submitted on 21 Oct 2024
41 points (93.6% liked)

Fediverse

28481 readers
807 users here now

A community to talk about the Fediverse and all it's related services using ActivityPub (Mastodon, Lemmy, KBin, etc).

If you wanted to get help with moderating your own community then head over to [email protected]!

Rules

Learn more at these websites: Join The Fediverse Wiki, Fediverse.info, Wikipedia Page, The Federation Info (Stats), FediDB (Stats), Sub Rehab (Reddit Migration), Search Lemmy

founded 2 years ago
MODERATORS
 

I'm looking for answers from instance admins, if you're a regular user, you can still answer but it's more helpful for me to get answers directly from admins.

If a user on [instance A] asked another instance (Instance B) to remove their federated account and federated content copies from instance B (likely also banning it so content doesn't continue to flow) would the user on Instance A be in trouble with their instance admin for asking for such a thing.

Obviously it depends on the instance's rules but that's part of why I'm asking the question, to get answers from instance admins on this.

On one hand I can see how it would since, since it hurts interoperability and can create tension between instances, but on the other hand a user has the right to be in specific places or not be in those places, that probably extends to not wanting to be federated into an instance they find objectionable (assuming it is for good reasons).

all 18 comments
sorted by: hot top controversial new old
[–] [email protected] 11 points 1 month ago

I'm more into just educating the users to not post shit they don't want out in the public in the first place. No matter how good the efforts of the server administrators are in removing the content, there's still the possibility of users, be it actual humans or bots, collecting that content and continuing to spread it elsewhere or otherwise use it.

I mean, go ahead and follow their request if they do ask, but also explain to them to maybe think a little harder about what they are posting because you cannot guarantee someone outside your sphere of influence doesn't have the same content saved somewhere.

[–] [email protected] 10 points 1 month ago

I have a Mastodon, Friendica, Peertube, and a PieFed instance. I'm an Admin.

Let me make sure I understand. You are asking whether I would care if you were using my server, and you asked a different server Admin to remove your data from their server (and probably ban you on that server)?

If this is what you are asking, I personally wouldn't give it any thought. It's your data. If you don't want it on some other server, then you certainly have that right. I frankly don't think any Admin would have a problem with this. Even the opposite would be fine. If someone asked me to remove their data that came in remotely.

I might even be impressed that you are enforcing and thinking about your rights to privacy and your right to control your own data.

[–] [email protected] 5 points 1 month ago (2 children)

Not an admin, but from a legal perspective, users in the EU have the right to request deletion of their data under the GDPR, which the consequences of violation are up to €10m or 2% of annual turnover (not profit), whichever is higher

Frankly, if a user asks a service owner to delete their personal data, the service owner should do it as promptly as possible.

[–] [email protected] 6 points 1 month ago* (last edited 1 month ago) (1 children)

Lemmy doesn't federate "personal data" to other servers. The GDPR has a strict definition what can be "personal data". The Wikipedia has a good overview of the relevant laws in various countries: https://en.wikipedia.org/wiki/Personal_data

Requesting the deletion of posts and comments that they agreed to be federated when signing up is purely voluntary but usually done as it is fairly easy to ban a user and delete their contributions.

[–] [email protected] 1 points 1 month ago (1 children)

From your link

Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person[15]

The "directly or indirectly" part is important here, a username is a constant identifier between a user's posts and comments

Given comments and posts are free text input, there's no way of knowing the entire set of a user's content doesn't contain PII, unless an admin wants to spend the time combing through and determining which posts definitely contain PII and which definitely don't, they should delete it all. The data subject does not need to make specific listings of what they want deleted, the onus is on the service owner to be able to process the deletion request completely and within a timely manner.

[–] [email protected] 3 points 1 month ago* (last edited 1 month ago) (1 children)

No, as only the instance admin that hosts the original account can indirectly associate a user handle with actual "personal data". An admin of a federated instance can not, as they do not have any "personal data" to correlate it with.

If a user themselves posts "personal data" publicly it is not covered by the GDPR (IANAL) and thus not subject to mandatory deletion requests. Of course deleting everything is often the easiest course of action, but this is not legally required.

[–] [email protected] 3 points 1 month ago (1 children)

Also not a lawyer but I've done a lot of GDPR training since it was introduced and I believe you're incorrect—the data subject posting it publicly or not doesn't factor into the validity of a deletion request under the GDPR. There are a limited set of specific reasons a service owner can refuse a deletion request and they're pretty much down to preventing abuse and facilitating compliance with other laws.

[–] [email protected] 1 points 1 month ago

Not a lawyer, but honestly, both of these takes are probably not correct.

I'd say that most fedi-services fall more into the 'can I make someone delete an email' GDPR category (tldr: probably not, but maybe) with a dose of the 'this service is for personal/non-commercial use and includes messaging and social media' exemption.

This of course won't work if you're taking money or doing commercial activity but at that point you're a business and should consult your lawyers to ensure your compliance. (And if you can't, then maybe don't be in that business.)

I wouldn't want to be the one to spend the billion dollars to litigate that, but frankly if you're not in the EU, and not a business, then the person demanding removal would have to take you to court to force compliance (assuming you didn't just do it so you don't have to deal with a grumpy person) which is... unlikely.

The much more horrifying interpretation is that the data controller, processor, and sub-processor language comes into effect and everyone needs to sign written agreements with every other fediserver to be even remotely in compliance.

[–] [email protected] -1 points 1 month ago (1 children)

Except that only applies to federated servers that exist in the EU. If your data gets federated out to a country outside of the EU, they don’t have to listen to your whines of GDPR as it’s not enforceable. And given that you could be federated with hundreds of instances across the world, good luck.

I said the same thing with AI scraping. All someone needs is to add their own instance that federates with everyone else and they can scrape data for AI training till their heart’s content.

[–] [email protected] 5 points 1 month ago (1 children)

First, if you process the personal data of EU citizens or residents, or you offer goods or services to such people, then the GDPR applies to you even if you’re not in the EU. We talk more about this in another article.

https://gdpr.eu/companies-outside-of-europe/

https://gdpr.eu/what-is-gdpr/

[–] [email protected] -1 points 1 month ago

Cool cool, now realistically, do you have the time, resources and know how to find and contact every owner of every federated instance these comments have made to? Would you be able to deal with the legal resources of any number of jurisdictions to truly test whether that is actually enforceable?

My point basically is that it’s functionally impossible regardless of what the law says, and you should treat your comments and personal information as such that they won’t ever be able to be deleted or scrubbed.

[–] [email protected] 4 points 1 month ago

Following this thread because I think it's one of the very interesting unanswered questions about federation.

[–] [email protected] 2 points 1 month ago

I personally would if User didn't post anything to communities on my (bookwormstory.social) or similar (ani.social) instance.

I saw that link rot on lemmy is real. Missing poop post. Hijacked links in posts from over a year ago. Images deleted. I don't want to contribute to it.

[–] [email protected] 1 points 4 weeks ago

So I'm not sure where I fit in. I run my own instance, but it's a single user instance that only serves me. Also, I currently don't run any magazines (communities) of my own.

If I was the user on Instance A asking on Instance B ... well that means Instance A is my own, and I obviously wouldn't get in trouble with myself.

If I was the admin on Instance B - a user from elsewhere was asking me to remove such content on mine - I'd go ahead and do it. Not worth the potential headache or ramifications that would come with refusing.

I think in general, the admin on Instance A would not be upset with the user. If anything, in this situation the user is probably trying to delete their account and history, so the admins of Instance A would be thankful that the user went to instance B and saved the admins the headache of trying to contact other federated instances themselves to coordinate a manual deletion. (The only thing worse than dealing with a GDPR request is trying to get others to help you deal with a GDPR request - particularly without pay.)

[–] [email protected] 1 points 1 month ago (1 children)

It mostly only effects their own usage to be banned from another server, so why would an instance admin care?

[–] [email protected] 1 points 1 month ago* (last edited 1 month ago)

I don't know, I thought that maybe it could cause issues since some remote servers might feel insulted or upset by such a request being made to them, and they might get upset at my home instance for it. I don't know how likely it is, and whether or not admins might blame the user for starting such a conflict.

I'm thinking the servers I might do it for will very likely start trouble over it. I wouldn't be looking to do this if they were calm and rational servers (yes one of them is Hexbear).