abff08f4813c

But I’d add - if someone could draft this up and show me a working prototype, I might be easier to convince. It’s a lot easier to think about something when you can play with an idea.

I mean sure…but essentially you’re using the facts as they stand as justification that it will never work

More or less.

when my whole point is that these facts as they stand need to change because they will never work unless we change them.

I think to make that argument you’d have to first argue that this works elsewhere. But we see warnings like this, https://web.archive.org/web/20221104001618/https://old.reddit.com/r/TaylorSwift/comments/yljj15/swifties_be_warned_that_this_is_a_fake_account/ or like this, https://www.instagram.com/czaronline/p/CvAts_9MFDf/

then I’m not at all convinced that this is the case.

You can tweet at celebrities, and you can follow celebrities on instagram, and all the other services, but you generally can’t email them.

Perhaps it’s a generational thing? Back in the day you could. Bill Gates used to be reachable at bill.gates@microsoft.com and Jeff Bozos at jeff@amazon.com

On the flip side, just because a celebrity has a handle on a particular social media service doesn’t guarantee you can reach them. Taylor Swift has a tumblr but she hasn’t publicly used it in years.

People keep using email, and domains as reasons for why it’s not an issue, but there’s a reason celebrities aren’t known for their email.

What’s the reason? Two things come to my mind: first, Bill Gates supposedly said he had an entire team whose job was just to read and respond to his public email.

Second, email is direct contact, like a DM rather than a tweet (that everyone sees). The email equivalent would be a mailing list. If you want that, you can join Taylor Swift’s mailing list over at https://www.taylorswift.com/#mailing-list

you wouldn’t want a second abff08f4813c to exist.

I wouldn’t mind that much, tbh. Though considering the username in question, it’s very unlikely.

Even if you don’t use tiktok, you would want to make sure nobody else has the name abff08f4813c on tiktok.

Much harder with a name like Taylor Swift. How many other people have the same name? Even on twitter there’s a different taylorswift - so the famous singer is taylorswift13 there.

now suddenly 300 more abff08f4813c on 300 different instances all pop up.

My username is probably the wrong one to use for this example.

But more generally - does anyone want to be taylorswift@hotmail.com and taylorswift@gmail.com and taylorswift@outlook.com and taylorswift@yahoo.com all at once? (Well, okay, yes there probably is someone who wants that, with bad intentions, but practically speaking it’s kinda obvious that these aren’t all official email accounts by the singer.)

Because if you try to sue one person on one other instance that has abff08f4813c,

But Taylor Swift may not be able to sue the other person - she’s not the only one named Taylor Swift after all.

What I’m suggesting is, no matter which instance you’re on, if you search abff08f4813c, the search should find that username, and direct you to the profile that corrilates with you. And even though that profile is only on one instance, it would make it so if I tried to make abff08f4813c, on another instance, I would be told that username is already taken.

And then someone tries to be abffo8f4813c or abff08f48i3c.

I don’t see any celebrity who values their own brand on an international scale, be willing to publically announce they are on the fediverse,

uh … https://joinfediverse.wiki/Notable_Fediverse_accounts

and their fans can migrate to the fediverse to follow them.

I mean, there’s no accounting for the fans, sure. If anything, celebs seek out platforms that have lots of people to connect them with fans, rather than them bring fans to a platform, I’d guess.

From there, you could absolutely create an old twitter style verification system.

Sure, but it’s not a required step.

Mastodon.social could implement a mimic of the old twitter style verification system for folks who join that particular instance - and those joining another instance simply wouldn’t have the guarantee.

And then threads can implement the verification system for folks joining directly through threads - and again those joined on another instance simply wouldn’t have the guarantee.

And then Bluesky can …

I don’t really see anyone but a commercial company even trying to do this - it’d be a headache - and probably expensive - in terms of the requirements to protect the data used (such as identify card verification).

I’m partial to ecosia.org myself. Search while helping to plant more trees!

If anything we want to encourage this.

I like the example of SAG AFTRA hosting their own instance to be official, for example. Celebs typically have their own domains and websites, so easy enough to hire a team to create and manage their own instance that supports the celeb but federates. And you know it’s legit just because it’s on the celeb’s own domain. Ditto for gov’t agencies having their own instances.

Even without federation and such it’s an issue. Old twitter actually did a really good job of this, but other social networks have had problems in the past,

https://www.dailydot.com/debug/katie-hopkins-impersonated-parler/

https://www.politico.com/news/2020/07/02/republicans-parler-trolls-347737

We don’t have to guess if trolls will try to impersonate celebs and be successful at it, because it’s already happened elsewhere.

That said, there are two nice things about the fediverse. First, verification is explicitly not offered, so folks have to do the digging themselves to see if an account is official or not. (Which is as easy as checking a person’s web site). Or perhaps confusing a regular person’s account with a celeb of the same name.

Second, you can host your own instance. Celebs might not bother, but official gov’t agencies set up their own domains and websites - and in particular under domains like .gov which aren’t open to regular folks. So seeing if a gov’t agency is really authentic is potentially as simple as checking the domain that the instance is using.

A difference between kbin (and mbin?) vs lemmy (and pyfedi) - the former would show the entire name, including instance. If instance was not included, it was because it was local (so you could assume ‘@kbin.social’)

On lemmy/pyfedi the name shows up alone - though you can hover over and see the instance name. But at a glance I can see how someone could get confused. Not the best UX IMHO.

I can’t ask, because years ago I watched a video on twitter. It was funny. I tweeted “That killed me”. I was banned
youtube doesn’t seem to have a direct messaging system.

Does this person have a patreon or something similar? Could sign up and then ask there. Or leave a youtube comment on a recent video sharing your email address.

Heck, I might risk creating a new youtube account over VPN just to ask in a public youtube comment for peertube (so if YT bans the account for mentioning peertube, it’s no loss to me, and the creator has still gotten the message).

They’ve never heard of mastodon.

Makes sense if this was years ago, back when it was younger and less wide spread… I also imagine you just heard and saw this, but didn’t directly ask because, well yeah.

What surprises me is that these seem to be all on other instances - including a few big ones like just.works - rather than someone spinning up their own instance to create unlimited accounts to downvote/spam/etc.

Being alive in the time fire was invented - well it’s hard to say since it was Homo Erectus who did so, some millions of years ago. Modern humans are very different from good ole’ Erectus, and we think differently, so… the tale of Prometheus is a good one for sure, but it’s also much younger than the actual history of human control over fire.

Source: https://study.com/academy/lesson/how-did-stone-age-man-make-fire-discovery-importance-facts.html

Can you explain further? I don’t recall that Prometheus was mentioned at all by that particular religious group.

The author (who isn’t OP) is using federated wordpress blogs, so expect to see this pop up if you are subscribing to them.

That being the case, and also considering the rough edges around the fediverse right now, I think the link sharing is reasonable. I’ll add that this isn’t the first time I’ve seen it shared.

Surprised that no one has mentioned Vegemorphs from PBS’s Arthur yet.

Piefed? It does, at least somewhat. IIRC the main thing is that you can’t follow specific Mastodon users.

• From a satisfied pyfedi user.

Agreed. It’s quite telling that despite all the asking, no one has been yet able to pinpoint a single issue on the mbin devs.

The most generous interpretation is that it’s just a half-remembered thing of discontent from folks who didn’t want kbin to get replaced (before it was known that kbin was dead).

I think not entirely - the experiment did not seem to rule out the case where traveling backwards in time is possible, but only up to the point when the time machine was built.

I.e. in 3012 Dwayne George successfully creates the first functional time machine, and moments later is slain at the hand of a time traveller who went back to prevent the invention of the time machine.

For me it’s zero. In addition to reusing existing hardware, I have a subsidized internet connection that I reuse to connect my instance, and even the domain name is free.

Of course I also have fewer users - excluding me, zero.

Instead of having it be completely random, I am thinking of a site similar to sub.rehab.

Instances that are open to public signup would register on the site, and give updated states on how many users they have along with a brief description of what they are for.

Users can decide roughly what size instance they’d like to join and view a list of matches. We could add a “I’m Feeling Lucky” button that picks a random one out from the list.

Hold on. You can’t keep personal data longer than needed. Making data disappear from the web is one important demand by the GDPR.

Agreed, but - while it might be permissible legally to wipe out my data and content, what if I want to retrieve a copy afterwards?

I wouldn’t want to keep control over other people’s content, but regarding my own…

“Involuntary data transfer”
I don’t know what exception that is. There are rules for data breaches. I’m not at all sure how much you have to do to block crawlers.

Well, in that case, baring credible contradicting information from another source, I think it’s reasonable to accept the note from the former worker of a DPO. Would you agree?

Comments are problematic because they inherently relate to other persons beside yourself. It could be argued that you have to delete your own writings as well when you shut down your instance.

Hmm. Will need a good think about this - perhaps I should adjust my commenting style to avoid direct quoting and such…

Ironically, that is a problem because if there is such an alternative, then it must be used. If you can reach your goal by processing less personal data, then you must do so.

All the more reason to get started on it, I suppose.

You’d only be hosting the communities created on your own instance. Apart from that, you’d simply authenticate the identities of users.

Well, and dealing with responsible for user content from your instance’s local users - but since it’s just the one instance (or small handful if you trust a few others) it’s still much more managable. And it becomes zero for, e.g., single-user instances (since those would have zero other users and thus zero other content to worry about hosting).

Unfortunately, confirming the identities also means transferring personal data.

That’s why I had the idea of creating and using the federation-bot account - this way there’s no confirmation of identities or transfer of personal data.

One question is what that would do to server load. I don’t know.

Server admin question. Can save that for serverfault.com and the like IMVHO

Proxying the posts/comments may be the better solution, but when and how that should be done has no clear answer.

One of those things that need experimentation and research to determine, but an answer can be found.

Unfortunately, the different DPOs don’t agree on everything. Maybe in a few years, this will all be at a point where ordinary people can be on the safe side by simply following a manual.

Hmm - if different DPOs can’t agree, then I don’t see how we get to the point of a user friendly manual.

Maybe it won’t be so much extra effort that it becomes impossible for hobbyists, but - on the whole - the future of the European internet belongs to big players.

This is what’s inherently disturbing to me. I am one of those hoping that the GDPR would be a tool for the opposite (a way to rein in the big players, so to speak).

People don’t know the law and just chose to believe a happy fantasy.

It was a surprise to read from the former DPO worker that email as a system is not compliant with the GDPR.

I believe, there is no way - at present - that an ordinary person can maintain an internet presence while being compliant with GDPR and other regulations.

Hmm. I am starting to see why you take this view. Not saying I agree, but I can understand the frustration. That said, PIPEDA in Canada came to pass in 2000 - it’s considered to have GDPR-equivalency and we’ve not had the sort of issues that you are raising with PIPEDA, which makes me optimistic that the GDPR can likewise be something that folks can live with.

The GDPR is a terrible mistake, but that’s not what people want to hear.

Even if it is flawed it’s still a step in the right direction IMVHO. I’m in Canada, which had PIPEDA back in 2000 - 18 years before the GDPR took effect in the EU. Hence I believe a solution is workable and a balance can be struck - even if in the worst case that means additional legislation to tweak the existing law. (Though I’d not even go that far - for example, from the former DPO, it seems that if EU courts all agreed that the API behind federation was covered by the “involuntary data transfer” exception then Lemmy would already be GDPR compliant (or mostly so) as-is of the time that I write this.)

As GDPR-fans will tell you, data protection is a fundamental human right.

And I completely agree with this. I’m one of those who is a GDPR-fan as well as a fediverse fan.

We don’t let just anyone perform surgery, so don’t expect that just anyone should be able to run a social media site.

So this is the fundamental disagreement I feel. Progress generally entails moving things into the hands of the people. We’re empowered because we can do things like program our own computers, 3-d print our own devices, and yes run our own social media site.

Deny a person that right, and you take a bit of their power away. By running my own single user instance, I make sure that I always own my own content, no one can take it away from me by suddenly shutting down their website (as has happened to e.g. elle.co for example).

As such, my goal here is to figure out how to let ma & pa joe run their own social media site on the fediverse, while staying GDPR compliant.

Of course, the same can be said of surgery but it’s still not allowed. Obviously the harm from letting anyone try it is much worse than strictly regulating it, but is running a social media site on the fediverse likewise so harmful? Is there no way at all to strike the balance?

They need legal experts on the team.

I’ve been thinking about this. You are right of course, but I’d wager that this is outside of what most folks running instances can afford. In particular new devs who want to run their own single user instance.

So what’s the way forward? I have come up with an idea for this. Basically we need to get some organization like the EU branch of the Electronic Frontier Foundation (EFF) to research this and come up with a HOWTO guide that covers most of the average cases - along with pointers on when something is not covered by the guide (so at least you know going in that you’d need to pay for that extra legal firepower).

On mastodon, you follow a person, which they can refuse. Only then the data is automatically sent to your instance. On lemmy, you subscribe to a community and everyone’s posts and comments are sent to yours. At least, that’s how I understand it.

I think you have understood correctly. This actually provided me with the epiphany that I needed. On forum-like software that speaks ActivityPub (like pyfedi or mbin), there’s no actual need to actually transfer the content. Just send me a notification - with the “user” being a bot account named something like “federation_bot_messenger” with a link to the new post or comment, then bubble it up to the user to open in their browser. No content is shared, and no identifiers like a user name get shared, so there’s no risk of a GDPR violation. It’s just a link.

One could imagine that fancier web UIs might use an iframe or something to display the content inplace instead of requiring an extra manual click - but it’s still only on the end user’s browser that the content is transferred.

We could still have traditional federation - but just as you describe, the allow list for that is only for those instances where you know the folks (have contracts you said) and thus are assured that the transfer of content complies with the GDPR. For unknown instances, just do the link sharing. It could be implemented in a way that instances running older software would still see a post by the bot account with just the link inside. (Perhaps as an enhancement, folks could designate a trusted instance as the primary - e.g. my instance trusts lemmy.world as primary, so when it sends the links out, it sends out a lemmy.world link, to take the load off of my own instance from users clicking on links.)

Or am I missing anything here?

Bear in mind, that few of the people who passed the GDPR have any technical background. Of the people who interpret it - judges and lawyers - fewer still have one. They are not aware of how challenging any of these requirements are.

I think this is a bit unfair. Clearly they had technically knowledgable advisors at the very least. After all, they came up with exceptions like this,

here are two exceptions here: “Involuntary data transfer” is generally seen as not being part of the data handling. But that mainly applies to datascrapers like the web archive and similar usage where the data is transfered through general usage of a page that the DC cannot reasonaby prevent without limiting the usage of their service massively.

That said I think I might have been a bit unfair to the lemmy devs. From https://tech.michaelaltfield.net/2024/03/04/lemmy-fediverse-gdpr/ I can see that pretty much all of the issues raised directly on lemmy itself have since been resolved - by a dev writing code to fix the problem. Even if GDPR isn’t the highest priority, the devs are clearly at work trying to address what they can when they can.

I guess some people don’t get the joke.

The sayings potato/potahto and tomato/tomahto mean they’re the same thing.

No one in their right mind would say a potato is a tomato or vice versa, just like no one would ever argue Portuguese and Spanish are the same. They’re both of a category (veggies and languages respectively) but totally different and distinct items within that category.