Bit of a red herring to put GDPR in the title when the article is about Lemmy missing key admin functions, and only tangentially how this runs afoul of GDPR.
TL;DR Lemmy hasn’t implemented image deletion for users or admins, so don’t upload your government ID.
Bit of a red herring to put GDPR in the title when the article is about Lemmy missing key admin functions, and only tangentially how this runs afoul of GDPR.
I haven't read the GDPR, yet, but it's still a serious issue – GDPR or not. Imagine if Instagram did that. Everybody would seriously go bonkers and rightfully so.
System administrators often aren't software developers. Lemmy users need to trust Lemmy admins and Lemmy admins need to trust Lemmy developers. Maybe not letting users delete any uploaded media isn't outright illegal, maybe it is. I'm in the camp of it being definitively not cool.
No, Lemmy servers are not exempt from GDPR compliance.
The household exemption (you are not subject to GDPR for private activities) only applies to purely personal activities. As soon as a service is offered to someone else, the exemption is no longer applicable.
That's one of the drawbacks of open-source projects: they are designed to fulfill a need (persistent storage & decentralised communication for Lemmy), and no one gives a f*ck about legalities.
I found it interesting how the maintainers reacted to these issues.
Would you mind if we set some of your priorities also? You're asking us to do free labor for you, that you're unwilling to do yourself. Do not put ultimatums and demands on people making FOSS, or I won't hesitate to block you from these repos.
Just another guy who thinks he’s God's gift to open source because he found a bug, and thinks the volunteer developers fail to show proper gratitude by not dropping everything to work on your pet bug.
Interestingly, he was silent for 3 weeks after being assigned to the bug, then came back to post his blog post and nothing else. I've seen this blog post a few times today; looks like his self-promoting strategy is working.
To be fair, this is a bug that could be the end of Lemmy. As soon as one malicious actor sues even a few instance admins, others will get scared and shut down their instances. As the reporter points out, this isn’t just a shiny feature that’s missing. Instance admins lack the ability to follow data protection requirements that their users have a right to. It’s a lawsuit waiting to happen.
GDPR is really designed to target software controlled by a single entity, but this isn't that. The instances are responsible for their content, full stop. There's no way of forcing an instance to delete content, and even if there were, since the admins are running it, there's nothing stopping them from removing such a feature.
There's also nothing stopping admins from deleting content from their servers (it's just a database, after all).
How would tracking pixels work via Lemmy? I don't see how you could gain individual IP addresses if the instance simply stores the image in their cache.
Yikes. Played it for shits and giggles and it leads off with saying the vaccines or even being around people who took the vaccine causes you to emit a Bluetooth MAC address lmfao.
I'll keep going - I'm sure the article's author is someone who genuinely uploaded some confidential info and then became really involved with privacy/GDPR etc, and not someone who has always been really involved with privacy/GDPR issues and now has a story to fit.
Not that I hold the Lemmy devs in particularly high regard, but unless OP is cutting them a check every month enough to pay their full-time salaries, I really don't think that he should be expecting anything just because he faced an issue that was difficult, but (a) not specific to the developers but the admins of the instance and (b) ultimately solvable.
I also think that this is not a reason to justify a whole fork or even a fully adversarial position. Yeah, tooling for moderation and instance management is lacking, but these can be built on top of the existing codebase. If my fediverser tool does that for user authentication and account management, it could also be extended for content moderation and provide granular access for staff.
a check every month enough to pay their full time salaries
I would usually agree because often FOSS projects are used commercially but I don't think this standard doesn't apply here because the Lemmy instances are also non-commercial projects.
Well, the bare minimum you need to do is refuse traffic from the EU then. The devs don't want to do that, but they also don't want to implement the changes, which is illegal and carries huge fines (yes, they can fine you in the US too).
The "huge fines" are proportional to the revenue of the company and there are plenty of legal steps that need to be taken before someone with a big stick gets involved.
Also, this is not an issue for the developers, but for the admins.
In my opinion, both sides should have communicated less emotionally and more respectfully.
The GDPR might not be the problem of the developers. It is the problem of public instance hosters affected by that law. Is it the only and most critical problem for instance hosters? I don't know, but nowadays there are countless legal risks you take by hosting a public (or even private, depends on the use case) service online. There might be a lot of other issues too.
However, knowing that there definitely is a bug that prevents me from complying with a user's request to delete his personal data is definitely keeping me from hosting an instance.
Is my opinion and the fact I would not host an instance with this bug important? No. What if more people share that opinion? Depends on how many...
I would actually consider using normal reddit a nightmare. Lemmy, like the rest of the fediverse software, mostly just feels like a community theater play put on by people who really passionately care about what they are making but have zero budget, and so long as you go into it not expecting a blockbuster movie, it is awesome.