"The ActivityPub protocol, standardised by W3C and governing exchanges within the Fediverse, requires us to clearly identify you when you interact with another platform, which is normal in order to prevent falsification of exchanges.
Opening such a breach would go against our commitments and philosophy on data protection and anonymity.
If we don’t expose your likes and follows it’s not to make them public on platforms that can be hosted anywhere and by anyone thanks to decentralised applications such as Mastodon.
This would also be a problem regarding our commitments in terms of moderation and the protection of minors, since profiles moderated by other platforms, with their own rules, could interact with Veklar users.
The Fediverse is open and anyone can decide to join in the future. This is particularly the case for Meta, which has already prepared Threads for its foray into the Fediverse, and is also thinking about integrating Instagram. Google could also join the Fediverse with YouTube. In all its principles, Veklar is committed to protecting you from GAFAM and ensuring the sovereignty of your personal data and your public image."
They use Threads as an example of what could happen to the Fediverse, but who knows how many companies are out there with fake Mastodon/Lemmy servers, subscribing to as many feeds as they can, letting the Fediverse handle delivering structured, scrapable data for them so they can work on their AIs or thread intel or marketing profiles.
They also have a point with their attempts to keep likes/follows private: that’s something a lot of users want, and something a lot of users are surprised to learn doesn’t exist on the Fediverse. The Fediverse is more metadata than data and that’s not something everyone likes sharing. With monoliths like Veklar, you only need to trust one server not to datamine your every move rather than thousands of servers.
Speaking of privacy, most of the Fediverse isn’t compatible with any privacy laws I’ve seen. For a bunch of hobbyists that’s probably fine because privacy enforcement agencies have better things to do, but for a company that intends to make money and wants to actually become an alternative, that’s a problem. A GDPR-compliant Fediverse server would need to record which other servers which bits of PII have been shared, how that information is protected (does lemmy.world even encrypt their database?), and with what other servers that information was shared in turn. That’s practically impossible. The Fediverse exists in Europe because it’s unimportant and unprofessional enough not to attract lawsuits.
They also have a good point about moderation. I could trivially spam every Lemmy server full of CSAM with maybe $100 in cloud credit to the point the FBI becomes interested. The Fediverse, and in particular Lemmy, is a bit like the Old Internet, assuming everyone has good intentions and that the minority with bad intentions can be handled by human interaction. New servers don’t get vetted, new moderation environments don’t get verified, and server administrators are left to their own devices to get rid of botnets and other malicious entities if they don’t want their server to become a spam relay.
I think the upsides of the Fediverse are worth the risks. Veklar clearly thinks otherwise. They’re not necessarily wrong, they just have different priorities.
I guess that could be in regards to user profiling.
Since no fedi platform aggregates user data like “user xy always upvotes topic a, therefore I will show him more on topic a via an algorithm”, or shows algorithmic advertisements, or sells user data for advertisements etc, I don’t think it’s relevant to GDPR at the moment.
Your instance has data covered by GDPR, but the data it sends to other instances is covered by the same exceptions as the data you send in a email. Without exceptions for legimitate interests it would be illegal to send an email from, say, mailbox to Gmail or Yandex Mail.
PII includes any information that can be used to link or correlate personal information. That includes usernames and account IDs. Every like/upvote contains that information, as well as a timestamp, indicating a unique account but also behaviour. The system doesn’t just share a list of names, it shares a list of names with a lot of context. Stuff like this is also why pseudonymisation isn’t sufficient to avoid GDPR obligations.
Usernames aren’t sensitive information, so you can handle it without too much special care (although you do need to ensure basic protection of login credentials against data leaks, for instance by encrypting databases as a minimum requirement). They are PII, though, which means you’re obligated to take some level of care and ensure that the information can be corrected or redacted everywhere.
The GDPR simply wasn’t written with something like the Fediverse in mind. My server knowing when your account upvoted what posts on a third server would be ridiculous if we’re talking about Twitter and Facebook, but it’s the core of vote counting on Lemmy.
GDPR doesn’t include things you choose to make public, otherwise no social media could show your posts or username to anyone. My only doubt about Lemmy and Mastodon is about DMs where people have a reasonable expectation that they are private but they are not.
Edit: and thinking about it, even DMs probably fall into the same exception as email.
That is wrong. GDPR of course covers public information. It simply does not force platforms to hide this kind of information. But transmission of these informations without user’s consent and especially sale of these informations could possibly be prohibited by a court referencing GDPR.
But simply transmitting it for the purposes of making the protocol work, falls under legimitate purposes, like sending an email to email server in China
Their reasoning isn’t necessarily bad:
They do explain their reasoning:
Expand for alt text
"The ActivityPub protocol, standardised by W3C and governing exchanges within the Fediverse, requires us to clearly identify you when you interact with another platform, which is normal in order to prevent falsification of exchanges.
Opening such a breach would go against our commitments and philosophy on data protection and anonymity.
If we don’t expose your likes and follows it’s not to make them public on platforms that can be hosted anywhere and by anyone thanks to decentralised applications such as Mastodon.
This would also be a problem regarding our commitments in terms of moderation and the protection of minors, since profiles moderated by other platforms, with their own rules, could interact with Veklar users.
The Fediverse is open and anyone can decide to join in the future. This is particularly the case for Meta, which has already prepared Threads for its foray into the Fediverse, and is also thinking about integrating Instagram. Google could also join the Fediverse with YouTube. In all its principles, Veklar is committed to protecting you from GAFAM and ensuring the sovereignty of your personal data and your public image."
They use Threads as an example of what could happen to the Fediverse, but who knows how many companies are out there with fake Mastodon/Lemmy servers, subscribing to as many feeds as they can, letting the Fediverse handle delivering structured, scrapable data for them so they can work on their AIs or thread intel or marketing profiles.
They also have a point with their attempts to keep likes/follows private: that’s something a lot of users want, and something a lot of users are surprised to learn doesn’t exist on the Fediverse. The Fediverse is more metadata than data and that’s not something everyone likes sharing. With monoliths like Veklar, you only need to trust one server not to datamine your every move rather than thousands of servers.
Speaking of privacy, most of the Fediverse isn’t compatible with any privacy laws I’ve seen. For a bunch of hobbyists that’s probably fine because privacy enforcement agencies have better things to do, but for a company that intends to make money and wants to actually become an alternative, that’s a problem. A GDPR-compliant Fediverse server would need to record which other servers which bits of PII have been shared, how that information is protected (does lemmy.world even encrypt their database?), and with what other servers that information was shared in turn. That’s practically impossible. The Fediverse exists in Europe because it’s unimportant and unprofessional enough not to attract lawsuits.
They also have a good point about moderation. I could trivially spam every Lemmy server full of CSAM with maybe $100 in cloud credit to the point the FBI becomes interested. The Fediverse, and in particular Lemmy, is a bit like the Old Internet, assuming everyone has good intentions and that the minority with bad intentions can be handled by human interaction. New servers don’t get vetted, new moderation environments don’t get verified, and server administrators are left to their own devices to get rid of botnets and other malicious entities if they don’t want their server to become a spam relay.
I think the upsides of the Fediverse are worth the risks. Veklar clearly thinks otherwise. They’re not necessarily wrong, they just have different priorities.
Mastodon and Lemmy don’t actually share any data actually protected by GDPR, unless the users actively make it public (like using their real name).
Am I right in my understanding that if you run a federated Lemmy instance, you can see who has upvoted what, even on other instances?
Is that not something protected by GDPR?
I guess that could be in regards to user profiling.
Since no fedi platform aggregates user data like “user xy always upvotes topic a, therefore I will show him more on topic a via an algorithm”, or shows algorithmic advertisements, or sells user data for advertisements etc, I don’t think it’s relevant to GDPR at the moment.
No, things like your home address, your IP address, birth date, health conditions, religion, etc are PII.
Upvotes almost certainly falls into “legitimate purposes” since the data is required for moderation.
So, are you saying that Facebook holds basically no data covered by GDPR?
How’d you get that from that???
Well, ok, of that list they have my ip address, but nothing else.
Your instance has data covered by GDPR, but the data it sends to other instances is covered by the same exceptions as the data you send in a email. Without exceptions for legimitate interests it would be illegal to send an email from, say, mailbox to Gmail or Yandex Mail.
PII includes any information that can be used to link or correlate personal information. That includes usernames and account IDs. Every like/upvote contains that information, as well as a timestamp, indicating a unique account but also behaviour. The system doesn’t just share a list of names, it shares a list of names with a lot of context. Stuff like this is also why pseudonymisation isn’t sufficient to avoid GDPR obligations.
Usernames aren’t sensitive information, so you can handle it without too much special care (although you do need to ensure basic protection of login credentials against data leaks, for instance by encrypting databases as a minimum requirement). They are PII, though, which means you’re obligated to take some level of care and ensure that the information can be corrected or redacted everywhere.
The GDPR simply wasn’t written with something like the Fediverse in mind. My server knowing when your account upvoted what posts on a third server would be ridiculous if we’re talking about Twitter and Facebook, but it’s the core of vote counting on Lemmy.
GDPR doesn’t include things you choose to make public, otherwise no social media could show your posts or username to anyone. My only doubt about Lemmy and Mastodon is about DMs where people have a reasonable expectation that they are private but they are not.
Edit: and thinking about it, even DMs probably fall into the same exception as email.
That is wrong. GDPR of course covers public information. It simply does not force platforms to hide this kind of information. But transmission of these informations without user’s consent and especially sale of these informations could possibly be prohibited by a court referencing GDPR.
But simply transmitting it for the purposes of making the protocol work, falls under legimitate purposes, like sending an email to email server in China
Absolutely.
But if a fedi software/instance decided to do something else with this public data, it could get legally problematic. That is the point I’m making.