• deegeese@sopuli.xyz
    link
    fedilink
    English
    arrow-up
    42
    arrow-down
    3
    ·
    edit-2
    10 months ago

    Bit of a red herring to put GDPR in the title when the article is about Lemmy missing key admin functions, and only tangentially how this runs afoul of GDPR.

    TL;DR Lemmy hasn’t implemented image deletion for users or admins, so don’t upload your government ID.

    • woelkchen@lemmy.worldM
      link
      fedilink
      English
      arrow-up
      21
      ·
      10 months ago

      Bit of a red herring to put GDPR in the title when the article is about Lemmy missing key admin functions, and only tangentially how this runs afoul of GDPR.

      I haven’t read the GDPR, yet, but it’s still a serious issue – GDPR or not. Imagine if Instagram did that. Everybody would seriously go bonkers and rightfully so.

      System administrators often aren’t software developers. Lemmy users need to trust Lemmy admins and Lemmy admins need to trust Lemmy developers. Maybe not letting users delete any uploaded media isn’t outright illegal, maybe it is. I’m in the camp of it being definitively not cool.

      • deegeese@sopuli.xyz
        link
        fedilink
        English
        arrow-up
        8
        arrow-down
        7
        ·
        edit-2
        10 months ago

        Inflicting lawyers on an open source project is a great way to drive off the developers.

        If I hear Lemmy has a GDPR problem I assume it’s lawyer BS only European instance admins have to worry about.

        If I hear Lemmy has bugs in basic CRUD functionality, that’s a real issue.

          • kernelle@lemmy.world
            link
            fedilink
            English
            arrow-up
            8
            ·
            10 months ago

            Yet GDPR requires if you operate anywhere but allow European citizens to register, you have to be GDPR compliant as well, or risk being blocked by an entire continent.

            • Maalus@lemmy.world
              link
              fedilink
              English
              arrow-up
              5
              arrow-down
              2
              ·
              10 months ago

              You can get fined by the entire continent. And you would need to pay up in that case, if living in the US for instance. The laws aren’t toothless, otherwise everyone would be abusing them, instead go to any US news site in Europe, and they’ll tell you they can’t serve content to you for legal reasons.

              • kernelle@lemmy.world
                link
                fedilink
                English
                arrow-up
                2
                arrow-down
                2
                ·
                10 months ago

                Oh for sure they will try to fine, but being another sovereignty they have no authority to force a payment.

                • Maalus@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  3
                  arrow-down
                  4
                  ·
                  10 months ago

                  Yeaaaah no. Look it up, you still have to pay up. It’s insanely good for EU citizens. Look at the top fines - Meta, Google, Amazon, Instagram, Facebook, with fines being tens of milions of dollars. The US works with the EU and you still get fined.

              • lambalicious@lemmy.sdf.org
                link
                fedilink
                English
                arrow-up
                1
                arrow-down
                2
                ·
                10 months ago

                The laws aren’t toothless, otherwise everyone would be abusing them,

                Have you heard of such small indie developers such as Google, Amazon or Facebook?

                • Maalus@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  3
                  ·
                  10 months ago

                  The exact same ones who have millions in fines racked up and are paying them? Yes, I have heard of those.

        • woelkchen@lemmy.worldM
          link
          fedilink
          English
          arrow-up
          6
          arrow-down
          1
          ·
          10 months ago

          If I hear Lemmy has bugs in basic CRUD functionality, that’s a real issue.

          Coincidentally I saw bug reports by that person and another person earlier that day (before the blog post was published), including one opened months ago with absolutely no reaction at all of even acknowledging that this is even an issue: https://github.com/LemmyNet/lemmy/issues/3973

          I’ve heard from time to time that Lemmy developers can be difficult to work with (I never worked with them, so I make it clear that this is hearsay) but I have the suspicion that there is some merit to that.

      • morras@jlai.lu
        link
        fedilink
        English
        arrow-up
        11
        ·
        10 months ago

        No, Lemmy servers are not exempt from GDPR compliance. The household exemption (you are not subject to gdpr for private activities) only applies for purely personnal activities. As soon as a service is offered to someone else, the exemption is no more applicable.

        That’s one of the drawback about open-source projects, they are designed to fulfill a need (persistent storage & decentralised communication for Lemmy), and no one give a f*ck about legalities.

          • morras@jlai.lu
            link
            fedilink
            English
            arrow-up
            9
            ·
            10 months ago

            I’m not so sure about the GDPR status for the Fediverse, I don’t think there’s the law is prepared for “Jerry runs this for people, just for fun”. It’s very much “official organisation” or “money grabbing business” oriented. Someone should fund an actual lawyer to look into this and lay down the real requirements.

            I’m working in the gdpr compiance field ;) Using a personnal device to monitor public space doesn’t fall under the household exception, this solution even pre-dates the GDPR (https://curia.europa.eu/jcms/upload/docs/application/pdf/2014-12/cp140175en.pdf).

            (the case-law is about camera fixed on a private house, but the logic easily translates in a private server grabbing public data).

            but when legal compliance comes up, everybody just sticks their fingers in their ears and pretends not to hear you.

            Just as you did ^^

    • deegeese@sopuli.xyz
      link
      fedilink
      English
      arrow-up
      22
      arrow-down
      7
      ·
      10 months ago

      Just another guy who thinks he’s Gods gift to open source because he found a bug, and thinks the volunteer developers fail to show proper gratitude by not dropping everything to work on your pet bug.

      • Darrell_Winfield@lemmy.world
        link
        fedilink
        English
        arrow-up
        20
        arrow-down
        3
        ·
        10 months ago

        Interestingly, he was silent for 3 weeks after being assigned to the bug, then came back to post his blog post and nothing else. I’ve seen this blog post a few times today, looks like his self promoting strategy is working.

      • bleistift2@feddit.de
        link
        fedilink
        English
        arrow-up
        10
        arrow-down
        1
        ·
        10 months ago

        To be fair, this is a bug that could be the end of lemmy. As soon as one malicious actor sues even a few instance admins, other will get scared and shut down their instances. As the reporter points out, this isn’t just a shiny feature that’s missing. Instance admins lack the ability to follow data protection requirements that their users have a right to. It’s a lawsuit waiting to happen.

        • lambalicious@lemmy.sdf.org
          link
          fedilink
          English
          arrow-up
          1
          ·
          10 months ago

          To be fair, this is a bug that could be the end of lemmy.

          Then the reporter should have acted like it was, indeed, that important. Like, putting money or a PR into it.

          Just “someone, sometime, somewhere, might sue” does not suffice to fix things. Just like with physical products in the real world, if someone, somewhere, sometime, might sue, then you designate money, time and staff into your project to pre-corect the things to minimize the chance of that happening, or to buy whatever auditing / maintenance needed to check for issues.

          And, correctly enough, the devs are not saying “we won’t fix this”. They are saying, “fix this requires people to pour $X time and $y money into it. Care to chime in?”

          Unfortunately, the world of free software users is full of “couch coaches”.

    • Maalus@lemmy.world
      link
      fedilink
      English
      arrow-up
      8
      ·
      10 months ago

      Except you don’t get to ignore GDPR by saying “don’t expect our site to be private”.

      • expr@programming.dev
        link
        fedilink
        English
        arrow-up
        3
        ·
        10 months ago

        GDPR is really designed to target software controlled by a single entity, but this isn’t that. The instances are responsible for their content, full stop. There’s no way of forcing an instance to delete content, and even if there were, since the admins are running it, there’s nothing stopping them from removing such a feature.

        There’s also nothing stopping admins from deleting content from their servers (it’s just a database, after all).

        • Maalus@lemmy.world
          link
          fedilink
          English
          arrow-up
          8
          arrow-down
          1
          ·
          10 months ago

          Well then, once the EU knows about Lemmy, it’ll be screwed. Again, you don’t get to make excuses when dealing with GDPR. The book will be thrown at you once you have EU citizen’s data, which lemmy obviously does. Saying “we made this application without it ever being possible to comply with GDPR” will only get you a bigger fine, or worse.

          • expr@programming.dev
            link
            fedilink
            English
            arrow-up
            4
            arrow-down
            3
            ·
            10 months ago

            “Lemmy” (the software) doesn’t have any data. It all resides on servers owned by people other than Lemmy’s developers. They have the user data and would absolutely be subject to GDPR.

            Again, no matter what Lemmy’s devs put in place, it doesn’t matter because the instance admins can do whatever they want.

            • Maalus@lemmy.world
              link
              fedilink
              English
              arrow-up
              6
              arrow-down
              1
              ·
              10 months ago

              Way to go being pedantic about it.

              Once they know about one server, they will know about most large instances. Since Lemmy doesn’t implement any GDPR features (i.e. cookie notices, a button for deletion, etc) every larger instance will get hit.

    • UndercoverUlrikHD@programming.dev
      link
      fedilink
      English
      arrow-up
      2
      ·
      10 months ago

      How would tracking pixels work via lemmy? I don’t see how you could gain individual ip addresses if the instance simply store the image in their cache.

    • willya@lemmyf.uk
      link
      fedilink
      English
      arrow-up
      14
      arrow-down
      1
      ·
      10 months ago

      Yikes. Played it for shits and giggles and it leads off with saying the vaccines or even being around people who took the vaccine causes you to emit a Bluetooth MAC address lmfao.

  • freamon@endlesstalk.org
    link
    fedilink
    English
    arrow-up
    21
    arrow-down
    1
    ·
    10 months ago

    I’m gonna find this guy’s image …

    https://monero.town/pictrs/image/00000000-0000-0000-0000-000000000000.jpeg … nope
    https://monero.town/pictrs/image/00000000-0000-0000-0000-000000000001.jpeg … nope
    https://monero.town/pictrs/image/00000000-0000-0000-0000-000000000002.jpeg … nope
    https://monero.town/pictrs/image/00000000-0000-0000-0000-000000000003.jpeg … nope

    Mmm, I’m sure it won’t take long. Just have to remember to do it all again for .jpg, .webp, and .png.

    Anyway, I’ll let you know when I get it.

      • freamon@endlesstalk.org
        link
        fedilink
        English
        arrow-up
        6
        arrow-down
        1
        ·
        10 months ago

        Not quite, no. I know what it isn’t at least.

        I’ll keep going - I’m sure the article’s author is someone who genuinely uploaded some confidential info and then became really involved with privacy/GDPR etc, and not someone who was always been really involved with privacy/GDPR issues and now has a story to fit.

  • dumpsterlid@lemmy.world
    link
    fedilink
    English
    arrow-up
    3
    ·
    edit-2
    10 months ago

    I would actually consider using normal reddit a nightmare, lemmy like the rest of the fediverse softwares mostly just feels like a community theater play put on by people who really passionately care about what they are making but have zero budget and so long as you go into not expecting a blockbuster movie it is awesome.