FBI Seizure of Mastodon Server is a Wakeup Call to Fediverse Users and Hosts to Protect their Users ( www.eff.org )

EatMyDick , 11 months ago

I have been laughed at and down voted every single fucking time I point out how woefully unprepared every fucking instance is.

The free model is flawed and will be unsuccessful every fucking time there is any signs popular server. And users aren’t going to tolerate moving fucking servers every month.

You think cloudflare is going to keep on protecting lemmy.world each week on their free/professional their? Enterprise starts at 20k a year before traffic, good luck raising that kind of yearly money on a hobby server.

And then there is GDPR and CCPA all of which are ignored and clearly not being enforced just waiting for a lawsuit.

Oh and I do I need to explain to you people the child porn reporting mechanisms that need to be in place?

The only way if this bullshit is successful it’s if someone starts a no profit e.g Mozilla foundation and acts like a functioning adult running a business vs a 16 year old tinkering with Linux.

Bring on the down votes and compium.

HKayn , 11 months ago

You bring up valid points, but you are being very antagonistic towards server admins in the process. I get that you’re frustrated by being dismissed all the time

heimchen , 11 months ago

Yea, you could have served your points in a less agressiv mana

Mdotaut801 , 11 months ago

I’m out of mana…once again.

Atemu , 11 months ago

Given their username, I don’t believe that was a possibility.

nomadjoanne , 11 months ago

I think part of the problem is that laws in the developed world essentially make in extremely expensive to run one of these services if you have a lot of users per month.

Te heart of the issue is that at some point it becomes more useful for mega-corporations to have a cozy relationship with the government than with you. It used to be that if a service found that there was child porn on their service, the law simply required them to remove it and report it to the police. Very reasonable.

The thing is though, if that is all the compliance one needs to follow, then the creation of new firms and services is quite easy. Mega-corporations don’t like this. They want to slow the creation of new services and firms because this slows the appearance of new competition. Hence they become pro-regulation, and, I’d argue, attempt to shift the entire culture towards paranoia and a demand for more regulation.

Perhaps the only defense is to stay small. Obviously don’t allow any abusive or illegal content. But stay small so that you can skirt by without having to deal with compliance with the big-boy regulations.

EatMyDick , 11 months ago

Laws + costs of a server. Cloudflare is 100% in talks warning lemmy.world they aren’t going to support them for free/$20/month.

I love how you dismiss the compliance as all you need. As if it isn’t a crazy topic that requires a lawyer every other day plus hiring a team and creating a process to deal with child porn shit.

None of you know half the reality of running successful digital services.

nomadjoanne , 11 months ago

I love how you’re an asshole for no apparent reason. We both like this place and are on the same team, even if we disagree about some things.

But, in all seriousness, I really have the feeling that you are approaching this from the standpoint of a lawyer or someone on the marketing team of a large corporation. Of course a service like lemmy.world, or any of the larger instances, should consult with a lawyer at some point if they haven’t already. But this is not a mega-corporation, and I don’t think many people in Lemmy apart from you have any intention of running it like one.

Of course these services cost money to run and protect. No one is saying it’s free. To give a similar example, some of the largest Invidious instances blow though several terabytes a day. So they are very much dependent on donations. We should all try and chip in if we are able.

archomrade , 11 months ago

This person honestly just sounds frustrated with the idealism of a not-for-profit social media alternative. Their concerns have some validity, but to suggest that it can’t work without following a paid or ad-supported model is a little dogmatic in my view.

mrmanager , 11 months ago (edited 11 months ago)

I don’t think gdpr is required when it’s not a company running the instances? We have 1389 instances running now, rented or owned by individuals. Interesting point though, wonder if gdpr applies still.

And if an instance is hosted in America, does it still apply? It seems many advertising companies are avoiding Europe because there is privacy laws like gdpr.

Zetaphor , 11 months ago (edited 11 months ago)

When the regulation does not apply

Your company is service provider based outside the EU. It provides services to customers outside the EU. Its clients can use its services when they travel to other countries, including within the EU. Provided your company doesn’t specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.

Source: European Commission

This has been my primary understanding, since many of us instance admins are not specifically targeting individuals in the EU, say as opposed to a company like Facebook or Spotify, we are not subject to the GDPR.

mrmanager , 11 months ago

It also says company here. We (instance owners) don’t have companies (corporations), which also makes gdpr not apply on it’s own, correct?

Zetaphor , 11 months ago

It says “company or entity” further up in the page, that quote is just an example they provided.

I am neither a lawyer or an EU citizen, so honestly I don’t know. This is the law as I understand it from reading that source.

This is one of the many reasons I have a semi-private instance, so I’m only liable to myself and maybe a few friends.

mrmanager , 11 months ago

I asked chatgpt and it seems to apply to instance owners:

The General Data Protection Regulation (GDPR) is a data protection law that was implemented by the European Union (EU) to protect the personal data and privacy of individuals within the EU. It applies to both corporations and individuals who process personal data in the context of offering goods or services to individuals in the EU or monitoring the behavior of individuals within the EU, regardless of where the company is located.

So, the GDPR does not only apply to corporations but also to any individual or organization that handles personal data of individuals within the EU, irrespective of their size or location. This means that even small businesses, non-profit organizations, and individuals who process personal data falling within the scope of the GDPR must comply with its provisions.

Zetaphor , 11 months ago

I’m definitely not taking legal advice from ChatGPT lol

This does beg the question, what constitutes personal data? If I don’t require an email for signup, does information you publicly post count as personal data?

It seems we’d be best asking a lawyer for these kinds of things

mrmanager , 11 months ago

Chatgpt is usually accurate enough in my experience and also what it says below is what i I know myself is included:

Personal data, as defined by various data protection laws, refers to any information that relates to an identified or identifiable natural person. This means that personal data includes any data that can be used, directly or indirectly, to identify an individual. It can be a name, identification number, location data, online identifier, or factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.

Examples of personal data include:

1. Name: Full name, first name, last name, or initials.
2. Contact Information: Email address, phone number, physical address, or social media handles.
3. Identification Numbers: National ID number, passport number, social security number, or driver’s license number.
4. Location Data: GPS coordinates, IP address, or data from tracking systems.
5. Online Identifiers: Usernames, account numbers, or device-specific identifiers.
6. Biometric Data: Fingerprints, facial recognition data, or voiceprints.
7. Health Information: Medical history, health conditions, or health insurance details.
8. Financial Information: Bank account numbers, credit card details, or income information.
9. Racial or Ethnic Information: Information about race, ethnicity, or cultural background.
10. Sexual Orientation: Information regarding a person’s sexual orientation or preferences.

It’s important to note that even if a single piece of data seems innocuous or does not appear personally identifiable by itself, when combined with other data points, it might lead to the identification of an individual. Therefore, data controllers and processors are obligated to treat all such data with care and follow data protection regulations, such as the General Data Protection Regulation (GDPR) in the European Union or other relevant laws, to ensure the privacy and security of individuals’ personal data.

Atemu , 11 months ago

IANAL.

I don’t think gdpr is required when it’s not a company running the instances?

Depends on whether your thing is intended for public or private use. If it’s just a static website to share files with friends and family or a chat service for a similarly limited group, then no, the GDPR does not apply.

Most popular Fediverse instances are clearly made for public use however.

if an instance is hosted in America, does it still apply

As long as it processes data of EU citizens, the GDPR applies. Whether the EU is able to enforce it is a different question.

Atemu , 11 months ago

IANAL.

I don’t think gdpr is required when it’s not a company running the instances?

Depends on whether your thing is intended for public or private use. If it’s just a static website to share files with friends and family or a chat service for a similarly limited group, then no, the GDPR does not apply.

Most popular Fediverse instances are clearly made for public use however.

if an instance is hosted in America, does it still apply

As long as it processes data of EU citizens, the GDPR applies. Whether the EU is able to enforce it is a different question.

SpookySnek , 11 months ago

The history of piratebay proves that you can host a website (or instance in this case) and have it be incredibly resilient, out of reach for US/EU law enforcement as long as you have the knowledge and energy to do so. How many millions of hollywood-dollars have been spent on taking it down, vs how many days has it actually been down since it’s creation?

deafboy , 11 months ago

The history of piratebay also proves that you have to be ready to face the consequences, and run to Cambodia if needed. Not many operators would do that for their users.

SpookySnek , 11 months ago (edited 11 months ago)

You’re right, but I highly doubt that anyone will throw enough money on influencing a foreign country enough to prosecute a Lemmy admin under US law with a Hollywood chosen judge that has ties to MGM, Warner Bros, and Sony, as Hollywood did with Gottfrid (co-creator of piratebay) in Sweden, leading him to seek shelter in Cambodia.

Edit: Spelling

GONADS125 , 11 months ago

You have great points, I agree, and it’s why I donate to support lemmy.world. I’m hoping that enough people will donate small funds that it will cumulatively enable the server admins to better protect the instance. Basically like Wikipedia’s funding model.

Maybe it’s not realistic, but I’m hoping that the fact that we all gave enough of a shit to start anew on lemmy, a decent percentage of the userbase may be more likely to donate than typically the case in online platforms.

I guess time will tell the future of lemmy and the main instances.

Edit: Here are the donation pages:

• opencollective.com/mastodonworld
• patreon.com/mastodonworld

EatMyDick , 11 months ago

Wikipedia is run by a central NGO which is something I’ve advocated for. What we have now, and what folks are conversing about isn’t a sane model like you propose. People really believe this place isn’t going to have serious child porn, disinformation, and censorship issues without someone competent taking over the main policing and privacy concerns.

Auli , 11 months ago

Naw it doesn’t cost money to run anything. You don’t understand it all just there in the cloud /s.

Rawdogthatexe , 11 months ago

The admins just write it off!

EatMyDick , 11 months ago

The funny thing is I manage the NIST/ISO/GDPR for our company. I would have been coding slinging yaml and terraform just a few years ago. I literally have experience managing 75M of resources in such systems and have in depth discussions with my lawyer about this fascinating time bomb.

At some point a while back I just gave up having educated conversations over SM. For every one you’ll have 10 jackasses who have been widely unsuccessful in their career bitching in anti work how you doing know Jack shit. I stated my first two responses responses to incorrect or uneducated information and was immediately attacked as usual. It’s a race to the bottom that everyone is getting tired of.

iByteABit , 11 months ago

I’m not disagreeing with your points on running an online service, I just have to point out that you seem like an asshole of a person.

Take a damn chill pill

Blackmist , 11 months ago

I like the idea of it, but you’re right. It’s not going to scale because at some point, somebody has to pay for it. And most users, myself included, seem unwilling to dip into our own pockets to satisfy our crippling addiction to cat pictures and world weary cynicism.

In the old days we had Usenet newsgroups, hosted by ISPs, just like most of them still do with email. It’s the ideal place for hosting a fediverse, maybe not necessarily this one. They already scale their stuff with the number of users. We already pay them. And it decentralises power away from a handful of tech billionaires.

Would they do it? Who knows. They’re certainly best placed for it, but would they want the unenviable job of identifying and blocking kiddy porn and cartel torture videos? I know I wouldn’t want to be looking at that shit all day. The big networks obviously have a solution for that, but automated AI image recognition stuff only goes so far. At some point there’s a poor minimum wage worker looking at it in a third world country.

nomadjoanne , 11 months ago

I’m a bit unconvinced that we would want to scale. Why is growth necessarily good? We’d end up looking much like mainstream social media by that point. A lot of regulatory compliance, a lot of normie BS on the platform, etc. There is still probably some room to grow before that becomes a reality though.

I think it’s a fine line to walk, but being and staying a bit niche isn’t such a bad thing.

astral_avocado , 11 months ago

Because otherwise Lemmy will die from lack of interest, it’s too small at the moment.

Rodeo , 11 months ago

In the old days we had Usenet newsgroups, hosted by ISPs … it decentralises power away from a handful of tech billionaires.

And into the hands of the ISPs, which are also owned by billionaires.

Blackmist , 11 months ago

Depends where you are. In the US, probably. You don’t even get a choice of ISP in some places, although there’s probably more choice if you use a mobile. In the UK, there are a few dozen. Small ones all over most other countries. It’s still an improvement over Facebook and Twitter.

And you wouldn’t have to use your ISP’s one. You could use any. But you will have to accept that it costs money. You’ll be having to pay at some point, either with adverts, a subscription, or some Discord style nonsense waved in your face every day.

marmo7ade , 11 months ago

[Thread, post or comment was deleted by the author]

loudWaterEnjoyer , 11 months ago

No you can get fucked, I want basic data privacy rights and GDPR is a good start

deafboy , 11 months ago

If we want the ecosystem to be resilient, we need to migrate to a model where:

1. The data is redundant, in a way it matters. Yes, I know the posts are currently replicated, but if the primary replica is gone, the usefulness of the copies is limited.
2. The identities are not tied to a provider

NOSTR does this, AND provides an incentive for keeping the content online - you simply pay one, or even multiple relay operators, for keeping your data online. However:

1. NOSTR client UX currently sucks even more than lemmy/mastodon
2. There is no useful content whatsoever. They’re in the “only political extremists use this” phase at the moment.

astral_avocado , 11 months ago

The type of people that inhabit these instances will never ever agree to a no-moderation type of setup. That’s what true decentralization means, right?

epicspongee , 11 months ago

Enterprise starts at 20k a year before traffic

My Mastodon server has just under 1.5k MAUs and has raised $4k so far this year. We’ve only been open for six months. This is not hard money to raise.

UFO64 , 11 months ago

People are willing to contribute to well run services. Make the contributions manageable for users and they will happy chip in a few dollars here and there.

marmo7ade , 11 months ago

The GDPR and the CCPA are irrelevant. Your physical location is irrelevant. State and country lines are irrelevant. The internet is not a physical place. The EU and California do not own the internet. Don’t put your data online if you are concerned.

You are using Lemmy right now. Who is coping?

teaism , 11 months ago

You’re getting my downvote because you and whoever upvoted you, are greatly missing the point of the GDPR. The whole point of it IS end-user personal data protection and transparency on the ways that a company will gather data from you.

If anything, we need more of it in other non-EU countries. Let me give you a short example: in the EU you have the right to be “forgotten” by a company in terms of the data they have on you. As in, you contact that company, request they delete all the data they have on you which they have to legally comply to. That’s all thanks to the GDPR.

astral_avocado , 11 months ago

Cloud flare’s business is protecting small websites as well as large across the world from DDOS attacks. You don’t think there’s a tier somewhere between “free” and “enterprise 20k base”? DDOS mitigation techniques have gotten pretty advanced and are no longer the sole domain of large companies.

Redtitwhore , 11 months ago

Automated tools (AI baaed or not) should be able to handle CP reporting.

valveman , 11 months ago

You have good points, and yeah, I too want data privacy and everything, but the Fediverse in general always was a niche place. I mean, people only got to know this because the mainstream social media fucked up badly this time (and keeps doing it very well). Now we have thousands of new instances, users and everything, but no one was prepared for it.

My point is: your proposals are totally valid, but there was no need for this level of security until yesterday, since this was just a niche place with a couple hundreds of users. Give it a few months and we might get some updates on instance infrastructure and the ActivityPub protocol itself to make it safer.

drdabbles , 11 months ago

You seem to be collecting downvotes because you generally have bad takes. Why be here if you’re angry at the existence of servers run as a hobby? Which instance are you on?

Yeah, there’s a ton more work that needs to be done, and the first professionally operated instance is likely to become extremely successful. But literally zero of the other web properties started with any of the controls or funding you’re angry about. Shit, Twitter has disbanded most of the departments responsible for compliance.

Be less angry about it. It’s not life or death, it’s bullshitting with strangers online.