“The SCOPE Act takes effect this Sunday, Sept. 1, and will require everyone to verify their age for social media.”

So how does this work with Lemmy? Is anyone in Texas just banned, is there some sort of third party ID service lined up…for every instance, lol.

But seriously, how does Lemmy (or the fediverse as a whole) comply? Is there some way it just doesn’t need to?

  • Richard@lemmy.world
    link
    fedilink
    English
    arrow-up
    146
    arrow-down
    1
    ·
    4 months ago

    Why should it affect LW or any other (non-Texan) instance? Any rogue country with populists at the head can implement any arbitrary legislation. That does not affect Lemmy instances hosted in countries with reasonable governments. If Texas wants to enforce their rules (or punish for non-compliance), it is on them to approach instance admins or block the site in their corner of the global internet.

    • FarFarAway@lemmy.worldOP
      link
      fedilink
      arrow-up
      43
      arrow-down
      1
      ·
      4 months ago

      This is a fair view. I’m not sure anyone has gotten that far, especially outside the country.

      Heres an article about a similar bill in Utah, that hasn’t gone into effect yet.

      What’s not clear from the Utah bill and others is how the states plan to enforce the new regulations.

      I mean if the general consensus is that it doesn’t apply, then, cool.

      • protist@mander.xyz
        link
        fedilink
        English
        arrow-up
        83
        ·
        edit-2
        4 months ago

        I live in Texas, and can confidently tell you the people writing these laws have no fundamental concept of what the internet is or how to implement or enforce such a law for consistent adherence.

        I can also tell you with confidence this law will be wielded with impunity against specific companies/sites our corrupt, petulant AG decides to go after. Fuck Ken Paxton.

        As far as users in Texas, this is nothing a VPN can’t fix.

          • Zedd @lemmy.dbzer0.com
            link
            fedilink
            English
            arrow-up
            19
            ·
            4 months ago

            Absolutely. Most “travel routers” have openvpn installed on them. I have one router set up with my normal internet, and another with a full time vpn’d connection. The VPN router was like $60.

            They’re also great to have when traveling. It connects to whatever random wifi, and all of your devices show up as a single device. You turn off the VPN to connect to your hotel’s capture portal, then turn it back on and all of your devices have secure internet.

            • GlendatheGayWitch@lemmy.world
              link
              fedilink
              arrow-up
              2
              ·
              4 months ago

              Is there a particular VPN router that you suggest?

              Also, is there a subscription fee or something for the VPN usage?

              Thank you so much for the info!

              • Zedd @lemmy.dbzer0.com
                link
                fedilink
                English
                arrow-up
                3
                ·
                4 months ago

                I’m using the gl.Inet 1200 off Amazon.

                There is a monthly fee for your VPN account. I use nordvpn, but there are a ton of options depending on how much you want to pay and what you need.

    • ninja@lemmy.world
      link
      fedilink
      English
      arrow-up
      22
      ·
      4 months ago

      I can absolutely see Texas looking at it the other way. “Your website can be accessed by our citizens? On you to comply with our laws.” They then spit out a bunch of criminal charges that make things rather inconvenient for some instance hosts. The US reach into international banking systems is uncomfortably long.

      The real problem question is about federation. You can post to an instance from any federated instance. If an account is created in one instance and the user posts to a federated instance are both liable? You have to be able to create accounts AND post to be subject to the law. Can one instance not allow posts but host accounts for participation in other instances to skirt around the law?

      • MotoAsh@lemmy.world
        link
        fedilink
        arrow-up
        29
        arrow-down
        1
        ·
        4 months ago

        That would require jurisdiction to charge them anyways. They do not have such power.

      • aesthelete@lemmy.world
        link
        fedilink
        arrow-up
        1
        ·
        4 months ago

        Interstate commerce is not under the jurisdiction of any state, it’s under the jurisdiction of the federal government. They’d need a federal bill passed.

    • NeoNachtwaechter@lemmy.world
      link
      fedilink
      arrow-up
      13
      arrow-down
      1
      ·
      4 months ago

      Look where it’s hosted? Sorry, but this approach has been outdated for decades. Laws apply when you address the users inside that legislation. No matter where you are, where your server is, etc.

      • dan1101@lemm.ee
        link
        fedilink
        arrow-up
        4
        arrow-down
        1
        ·
        4 months ago

        Do you have examples of that? From what I’ve seen the laws only apply if a business has a physical presence in that state or country.

    • AA5B@lemmy.world
      link
      fedilink
      arrow-up
      4
      arrow-down
      1
      ·
      4 months ago

      Is there any Lemmy hosted in the US? Texas can put on a stunt against any US instance, but don’t see them even trying for anything from the rest of the world. Too much work/money with too little chance of success.

      • spacecadet@lemm.ee
        link
        fedilink
        arrow-up
        2
        ·
        4 months ago

        And the state I’m in would tell them to fuck right off and would probably allow me to counter sue Texas into the ground for harassment. I don’t think Texas wants to mess with states that have massive GDPs and contribute lots of money to the federal government.

  • bdonvr@thelemmy.club
    link
    fedilink
    arrow-up
    72
    arrow-down
    1
    ·
    4 months ago

    As someone neither living nor hosting my instance in Texas I’ll basically ignore it, and if it came to it I’d block the entirety of Texas if they somehow convince courts to enforce this outside of Texas.

  • tyler@programming.dev
    link
    fedilink
    arrow-up
    73
    arrow-down
    4
    ·
    4 months ago

    Lemmy isn’t social media. Ignoring that though, the law actually says:

    According to the Texas Office of the Attorney General, this new law will primarily “apply to digital services that provide an online platform for social interaction between users that: (1) allow users to create a public or semi-public profile to use the service, and (2) allow users to create or post content that can be viewed by other users of the service. This includes digital services such as message boards, chat rooms, video channels, or a main feed that presents users content created and posted by other users.”

    Which literally applies to every single site on the entire planet that has a comment section. This law is incredibly unenforceable.

    • SupraMario@lemmy.world
      link
      fedilink
      arrow-up
      26
      arrow-down
      1
      ·
      4 months ago

      Yep. This is another dumbass politicians trying to solve a problem that doesn’t exist with a solution that doesn’t work.

      • SyntaxTerror@feddit.org
        link
        fedilink
        Deutsch
        arrow-up
        9
        arrow-down
        5
        ·
        4 months ago

        It’s a social news aggregator. I assume the difference is, that this is to follow mainly news, whereas social media is to mainly follow people. In my 10 years of reddit and now Lemmy I never followed any account, I was just there for the niche topics and news aggregation.

        • NeatNit@discuss.tchncs.de
          link
          fedilink
          arrow-up
          7
          arrow-down
          1
          ·
          4 months ago

          I don’t know about you but I’m here for the comments sections, i.e. to socialize. That counts as social media IMO. Socializing with random users and not followed accounts, is still socializing.

        • NeatNit@discuss.tchncs.de
          link
          fedilink
          arrow-up
          5
          arrow-down
          1
          ·
          4 months ago

          I guess I disagree with “social media is to mainly follow people”. I think social media is for socializing, regardless of who it’s with. Sorry for the double reply.

        • NeatNit@discuss.tchncs.de
          link
          fedilink
          arrow-up
          13
          arrow-down
          2
          ·
          4 months ago

          I totally disagree on both counts: forums are social media, and Lemmy is not a mere forum. Lemmy is a platform where people can create forums, and many of those forums (communities) exist mainly to socialize.

          I’ll give you that some forums (both on Lemmy and otherwise) that have a clear defined topic - such as tech support for a particular thing - are somewhat different from “social media”, but even in those three are often regulars who use the forum to socialize with each other. Any forum with an “off-topic” subforum is social media in my book, in a very real sense (not just technically).

          But hey, we can disagree on this and it’s fine.

          • NeatNit@discuss.tchncs.de
            link
            fedilink
            arrow-up
            6
            arrow-down
            2
            ·
            4 months ago

            To clarify why I think Lemmy is not a forum: in my eyes, forums are set up by the admins, only the admins can decide which subforums exist and what’s allowed in them. Lemmy and reddit are not simple forums because they allow any user to create a subforum and make those choices and decisions, that traditionally are reserved for admins. It’s an extremely important difference and makes Lemmy much more of a general social platform and not a focused forum.

            • tyler@programming.dev
              link
              fedilink
              arrow-up
              1
              arrow-down
              1
              ·
              4 months ago

              Lemmy has the ability to lock down forum creation, like on programming.dev which is the 8th largest lemmy site.

              Social media has always been defined as being about people, not topics. People just don’t even try to use the right words though so you get ridiculous things like people calling something coincidental or unfortunate “ironic”.

          • tyler@programming.dev
            link
            fedilink
            arrow-up
            1
            arrow-down
            1
            ·
            4 months ago

            By your definition every single news comment section is social media, which is clearly a ridiculous suggestion. Webchat, irc, literally anywhere there’s a comment section. That’s just clearly incorrect and so broad as to be a completely useless definition.

            • NeatNit@discuss.tchncs.de
              link
              fedilink
              arrow-up
              1
              arrow-down
              1
              ·
              4 months ago

              There are degrees to social-media-ness. News comment sections have a very low amount of this. Lemmy has a lot.

          • A_Random_Idiot@lemmy.world
            link
            fedilink
            English
            arrow-up
            5
            arrow-down
            8
            ·
            edit-2
            4 months ago

            Engaging with people does not make it a social media platform.

            A bathroom wall covered in graffiti messages is not social media.

            an email is not social media.

            text messages are not social media.

            a brick with “Fuck You” written on it, thrown through a window, is not social media.

            A restaurant you go to with friends is not social media.

            A webforum is not social media.

            IMs are not social media.

            Just because you socialize on/in/at something, does not magically make it social media… Because Social Media is a very specific type of thing.

            Stop trying to make everything into freaking facebook.

            • Pup Biru@aussie.zone
              link
              fedilink
              English
              arrow-up
              8
              arrow-down
              4
              ·
              edit-2
              4 months ago

              facebook is social media, therefor friendica is social media

              instagram is social media, therefor pixelfed is social media

              twitter is social media, therefor mastodon is social media

              at the VERY least, all the latter platforms can interact with each other via activity pub, as can lemmy. by interacting with lemmy, you’re making interactions with social media

              social media isn’t just big tech - social media is a way of interacting with a system

              is reddit social media? most people would say yes it definitely is… and this makes lemmy firmly social media

              • A_Random_Idiot@lemmy.world
                link
                fedilink
                English
                arrow-up
                3
                arrow-down
                2
                ·
                edit-2
                4 months ago

                Getting people to agree to a mistaken, misinformed premise does not mean you are right.

                Lest you also believe the world is a flat pancake and other various nuttery.

                Also, you clearly know what the difference is, since your list of examples is nothing but social media.

                Again. Stop trying to make everything social media. You have all the social media you need to fuel your need for attention, as is. You don’t need to make non-social media into more of it.

                • tromars@feddit.org
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  arrow-down
                  2
                  ·
                  4 months ago

                  Wikipedia: „Lemmy (social network) - Open source social media software“

                  Also: „Social media are interactive technologies that facilitate the creation, sharing and aggregation of content (such as ideas, interests, and other forms of expression) amongst virtual communities and networks.“ How does Lemmy not fit that description?

    • ExFed@lemm.ee
      link
      fedilink
      arrow-up
      2
      ·
      4 months ago

      It probably boils down to the definition of “user” vs. owner/admin/host … But I wouldn’t be surprised if those definitions were unclear or missing entirely.

  • UncleGrandPa@lemmy.world
    link
    fedilink
    arrow-up
    62
    arrow-down
    1
    ·
    edit-2
    4 months ago

    The answer? Block Texas

    Not joking. If suddenly hundreds or thousands of sites would become unavailable. It wouldn’t last a week

      • abff08f4813c@j4vcdedmiokf56h3ho4t62mlku.srv.us
        link
        fedilink
        arrow-up
        5
        arrow-down
        1
        ·
        4 months ago

        At times like this I wish we had /c/LegalAdvice - would love for someone who says “IAAL” to chime in.

        Some of the biggest lemmy instances - lemmy.world, feddit.de - are based in the EU. I don’t understand how EU based instances like these would be able to get away with not following GDPR.

        Though, it may be more that GDPR doesn’t apply, as per https://decoded.legal/blog/2022/11/notes-on-operating-fediverse-services-mastodon-pleroma-etc-from-an-english-law-point-of-view/

        [The UK GDPR] does not apply to … the processing of personal data by an individual in the course of a purely personal or household activity
        But for those spinning up an instance of a fediverse service for them and their friends, for a hobby, I think there’s far more scope for argument.

        In any case it seems like asking a fediverse instance to be compliant with the GDPR is possible, see for an example at https://sciences.re/ropa/ and https://mastodon.social/@robin/109331826373808946 for a discussion.

        • Maalus@lemmy.world
          link
          fedilink
          arrow-up
          4
          ·
          4 months ago

          They won’t be able to the second someone reports them and a spotlight is put onto them. It does apply. Devs just don’t give a shit and admins are hosting what’s available.

          • It does apply.
            admins are hosting what’s available.

            After writing my comment above I realized that lemmy.world (an EU based instance) does in fact comply with the GDPR - their policy is described at https://legal.lemmy.world/privacy-policy/

            So it’s possible for fediverse instances to comply with the GDPR. What makes one think it wouldn’t be doable?

            They won’t be able to the second someone reports them and a spotlight is put onto them.

            I mean, unless they give in and comply with the GDPR.

            Devs just don’t give a shit

            I guess you are referring to lemmy here. Considering who they are (they run lemmygrad.ml which is defederated from much of the fediverse) this isn’t surprising. But lemmy isn’t the only software on the fediverse - I’d check out piefed.social and mbin for starters.

            The other thing is - if you think there’s some software improvement needed to better comply with the GDPR, instead of asking overworked devs who are donating their free time to fix it - why not raise a pull request yourself with the fixes? (Or if you aren’t much in the way of coding ability but have money burning in your pocket, hire someone to do the same and donate the result!)

            • General_Effort@lemmy.world
              link
              fedilink
              arrow-up
              1
              ·
              4 months ago

              So it’s possible for fediverse instances to comply with the GDPR. What makes one think it wouldn’t be doable?

              That’s not even remotely enough, even assuming that the information is sufficient.

              Mastodon is in a much better place, on account of how federation works there. It might still not be enough. Lemmy instances would have to stop all federation with instances beyond the territorial reach of the GDPR or equivalent. Federation within that territory should only happen based on a contractual agreement between the owners, probably with every user given an explicit choice to opt out.

              • That’s not even remotely enough, even assuming that the information is sufficient.

                What’s not enough? lemmy.world’s privacy policy?

                Mastodon is in a much better place, on account of how federation works there. It might still not be enough.

                Hmm… what’s the difference?

                Lemmy instances would have to stop all federation with instances beyond the territorial reach of the GDPR or equivalent.

                Oof. This is indeed a tough one.

                I recall that this isn’t universally true - in some cases a country or territory may be deemed as GDPR equivalent and after that data transfer is allowed without additional safeguards, see for example https://www.torkin.com/insights/publication/european-commission-approves-of-canada-s-data-protection-regime-(again)#::text=What%20does%20this%20mean%20for,authorizations%20to%20transfer%20the%20data.

                Even so, this does impose significant limits on federation due to the risk of transferring data to non-complying terrotories.

                Federation within that territory should only happen based on a contractual agreement between the owners, probably with every user given an explicit choice to opt out.

                Uh - if this is right, then this is even more restrictive and seems to suggest a fundamental incompatibility between federation and the GDPR overall.

                But, this has got to be an already solved problem. Usenet has been around since the 1980s at least, and NNTP was basically federating before there was ActivityPub. I’m missing something obvious here I’m sure, but what?

                • General_Effort@lemmy.world
                  link
                  fedilink
                  arrow-up
                  1
                  ·
                  4 months ago

                  What’s not enough? lemmy.world’s privacy policy?

                  There’s way more to do than writing a privacy policy. And I don’t think the policy meets the requirements but getting that right certainly needs a specialist.

                  Hmm… what’s the difference?

                  On mastodon, you follow a person, which they can refuse. Only then the data is automatically sent to your instance. On lemmy, you subscribe to a community and everyone’s posts and comments are sent to yours. At least, that’s how I understand it.

                  seems to suggest a fundamental incompatibility between federation and the GDPR overall.

                  You could say that there is a fundamental incompatibility between the internet and the GDPR, but that’s by design. The internet is about sharing (ie processing) data. The GDPR says, you mustn’t (unless).

                  Take the “right to be forgotten”. Before the internet, people read their newspapers, threw them away, and forgot about it. The articles were still available in some dusty archive, but you finding them was laborious. With search engines, you could easily find any unflattering press coverage. So you get the right to make search engines remove these links and it’s like back in the good old days. The fact that the GDPR is incompatible with existing technology is a feature, not a bug.

                  Bear in mind, that few of the people who passed the GDPR have any technical background. Of the people who interpret it - judges and lawyers - fewer still have one. They are not aware of how challenging any of these requirements are.

                  The main problem for the fediverse is that compliance requires a lot of expert legal knowledge. There’s not just the GDPR but also the DSA and other regulations to follow.

                  Federation itself may also be problematic, since many more people get to be in control of the data than strictly necessary. The flow of data must be controlled and should be limited as much as possible. That would be much easier with a central authority in charge. But that’s not a deal-breaker.

        • General_Effort@lemmy.world
          link
          fedilink
          arrow-up
          2
          ·
          4 months ago

          a purely personal or household activity

          No chance. This is what makes it legal to share data within a family and, to a degree, among friends. Running an open social media platform is neither a personal nor a household activity.

          The UK is not part of the EU. They kept the GDPR when they left, but it should not be assumed that the UK interpretation is always the same.

          The GDPR is not very thoroughly enforced; much to the chagrin of some people. This may or may not change in the future. It would be politically quite unpopular, a bit like thoroughly enforcing no-parking zones.

          • a purely personal or household activity
            No chance. This is what makes it legal to share data within a family and, to a degree, among friends. Running an open social media platform is neither a personal nor a household activity.

            Hmm.

            So running a single user instance for my own personal use (and keeping in mind the nature of federation meaning the only stuff my instance sends out is the stuff that I write) is absolutely not covered by the above?

            The UK is not part of the EU. They kept the GDPR when they left, but it should not be assumed that the UK interpretation is always the same.

            That is a very good point indeed.

            The GDPR is not very thoroughly enforced; much to the chagrin of some people. This may or may not change in the future. It would be politically quite unpopular, a bit like thoroughly enforcing no-parking zones.

            Seems risky to rely on low enforcement though. For those of us who love federation and privacy and want to federate while complying with the GDPR - what must be done?

            • General_Effort@lemmy.world
              link
              fedilink
              arrow-up
              1
              ·
              4 months ago

              (and keeping in mind the nature of federation meaning the only stuff my instance sends out is the stuff that I write)

              The stuff you write is personal data as long as it can be connected to your identity and so protected under the GDPR. But that’s a problem for other people.

              Your problem is the personal data of other people that come under your control. For starters, you need to answer this question: What legal basis do you have for processing that data?

              For those of us who love federation and privacy and want to federate while complying with the GDPR - what must be done?

              They need legal experts on the team. As GDPR-fans will tell you, data protection is a fundamental human right. We don’t let just anyone perform surgery, so don’t expect that just anyone should be able to run a social media site.

              Complying with the GDPR is challenging at the best of times. When you handle personal data, some of it sensitive, at the scale of a fediverse instance, it becomes extremely hard.

              Strictly speaking, it’s impossible. EG you need to provide information about what you do with the data in simple language. The information also needs to be complete. If the explanation is too long and people just click accept without reading, that’s not proper consent. You need to square that circle in a way that any judge will accept. That’s impossible for now. Maybe in a few years, when there’s more case law, there’ll be a solid consensus.

              Complying as well as possible will require the input of legal experts, specialized in the law of social media sites. The GDPR is not the only relevant law. There’s also the DSA, quite possibly other stuff I am not aware of, and local laws.

              Definite problems, I can see:

              1. Under german law, an instance owner has to provide an address, that may be served legal papers.
              2. It’s possible to embed images, but under the GDPR, there must not be connections to 3rd party servers without consent. In fact, all out-going links are a problem.
              3. Federation itself. You can’t federate with instance, if you haven’t made sure that they comply with GDPR.
      • General_Effort@lemmy.world
        link
        fedilink
        arrow-up
        1
        ·
        4 months ago

        It is a problem. If anyone complains or sues about GDPR compliance, they will get fined and/or have to pay damages.

        There’s also other regulations, like the DSA. I’m fairly sure the GDPR isn’t the only legal problem.

      • Kaboom@reddthat.com
        link
        fedilink
        arrow-up
        2
        arrow-down
        5
        ·
        4 months ago

        It’s going to be a big problem when the EU catches wind. Gpdr is a nasty law, hard to comply with properly, and has harsh fines. And no, “we tried to comply” will not fly

        • Don_alForno@feddit.org
          link
          fedilink
          Deutsch
          arrow-up
          3
          arrow-down
          1
          ·
          4 months ago

          hard to comply with properly

          Not at all. Don’t collect personal data that’s not technically necessary for the service to work. Tell users what data is collected and for what purposes. Done.

    • Nibodhika@lemmy.world
      link
      fedilink
      arrow-up
      8
      arrow-down
      1
      ·
      4 months ago

      It doesn’t exactly ignore it, but in a sense GDPR doesn’t apply to Lemmy.

      Long story short, GDPR is made to protect private information, and EVERYTHING in Lemmy is public so there is no private information to protect. It’s similar to things like pastebin or even public feed in Facebook, companies cannot be penalized for people willingly exposing their information publicly, but private information that is made public is a problem.

      • General_Effort@lemmy.world
        link
        fedilink
        arrow-up
        2
        ·
        4 months ago

        That is entirely incorrect. It is general data protection regulation, not privacy regulation.

        You are given certain rights over data relating to you. For example: you may have it deleted. Have you googled the name of a person? At the bottom, you will find a notice that “some results may have been removed”. Under the GDPR, you can make search engines delete links relating to you; for example, links to unflattering news stories (once you are out of the public eye).

        • Nibodhika@lemmy.world
          link
          fedilink
          arrow-up
          1
          ·
          4 months ago

          Sorry, forgot about answering here. Although the name is General data it is about personal data. I was going to reply with point by point why it either doesn’t apply to Lemmy or it follows GDPR, but I think it might be easier to answer directly your point about right to be forgotten.

          First of all Lemmy allows you to delete your posts and user so it complies with it, but even if it didn’t GEPR has this to say:

          Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

          Paragraphs 1 and 2 are the right to be forgotten

          for exercising the right of freedom of expression and information;

          Which one could argue is public forum primary use

          for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing;

          Which again one could argue is part of the purpose of Lemmy as well.

          • General_Effort@lemmy.world
            link
            fedilink
            arrow-up
            1
            ·
            4 months ago

            I was going to reply with point by point why it either doesn’t apply to Lemmy or it follows GDPR

            It does apply to lemmy and lemmy is not compliant. That is simply a fact as far as the courts have ruled so far.

            Which one could argue is public forum primary use

            One can argue a lot. But if such hand-wavy arguments work, then why do you think anyone ever has to pay fines or damages?

            For this argument to work, you have to argue that erasing the precise personal data in question would infringe on someone else’s right to freedom of expression and information.

            The original “right to be forgotten” was about links to media reports. The media reports themselves did not have to be deleted because of freedom of information, but google had to delete the links to them to make them harder to find. This is a narrow exception. Under EU law, data protection and these freedoms are both fundamental rights. They must be balanced. The GDPR dictates how. These exceptions will only apply where these freedoms are infringed in a big way.

            At least, you have to do like reddit and anonymize the comments and posts. It could be argued that you actually may not even do more. Removing comments that someone else has replied to arguably makes their personal data incomplete. Reddit’s approach meets a lot of outspoken criticism on lemmy.

            The problem is that the data is duplicated all over the federated instances. So, someone on your instance deletes their data, Other instances also delete their copies. What do you do if someone in the US refuses to delete and maybe gives you that argument about freedom of expression? That’s right. You pay damages to your user because you screwed it up.

            • Nibodhika@lemmy.world
              link
              fedilink
              arrow-up
              1
              ·
              4 months ago

              Still, the archival nature of decentralized communities is one of the primary objectives of the technology. It’s arguably the defining feature of any decentralized thing that no one controls everything so things are meant to stay “forever”. Otherwise Bitcoin would be completely ilegal since there’s no way to delete information there.

              What do you do if someone in the US refuses to delete and maybe gives you that argument about freedom of expression? That’s right. You pay damages to your user because you screwed it up.

              Not really, again, the text of the law states that if the information has been made public the company must inform whoever they made the data public to:

              Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

              AFAIK Lemmy federated deletions, whether an instance acts on it or not is another matter.

              But GDPR doesn’t work like you think, let me give you an example, say you sent an email from provider A to someone on provider B, then you decide to delete that email account, the email you sent will still be in provider B, even if company A deletes all of your information that email is still there and won’t get deleted. This is fine with GDPR, otherwise no email provider could operate here. Same goes for other federated or decentralized technologies.

              • General_Effort@lemmy.world
                link
                fedilink
                arrow-up
                1
                ·
                4 months ago

                Still, the archival nature of decentralized communities is one of the primary objectives of the technology. It’s arguably the defining feature of any decentralized thing that no one controls everything so things are meant to stay “forever”. Otherwise Bitcoin would be completely ilegal since there’s no way to delete information there.

                Any number of people here will happily tell you where to shove your illegal technology. In truth, the GDPR is explicitly meant to limit what may be done with existing technology.

                With crypto, one can make use of some existing exceptions and perhaps create compliant apps. I’m not familiar with those. Much that stuff is not compliant. There isn’t a lot of enforcement.


                So that’s my bad. I pointed out the issue with the right to erasure to highlight the problem, In truth, the probable violation happens when the data is shared. With e-mail, the user sends their own data, just like while clicking links. The transfer of data for lemmy federation is under the control of the instances involved. It might still be okay, like serving the data over the web. But that requires the user to know what’s going on.

                If you could hand-wave these problems away so easily, Meta would not be paying those huge fines. What do you actually think that’s about?

                • Nibodhika@lemmy.world
                  link
                  fedilink
                  arrow-up
                  1
                  ·
                  4 months ago

                  Data in Bitcoin is undeletable, it’s impossible for any law to force anything from being deleted on Bitcoin. Then the same exceptions that apply there would apply to Lemmy since the technology is similar in the relevant aspects (besides deletion being theoretically possible on Lemmy).

                  As for Meta, the problem is that the data they’re sharing is not public. Meta is not getting fined for sharing things you posted on your publicly, since they share those regardless by virtue of them existing and being publicly available, they’re fined for sharing things you put privately or data derived from non publicly available sources such as how you interact with Meta.

                  Any information that a user willingly makes public can be processed in any way, even if it includes identifiable medical information (which is the biggest no-no of GDPR). It even has a specific point about it in 9.2.e

                  processing relates to personal data which are manifestly made public by the data subject;

                  Essentially saying you can process anything that was made public by the person. GDPR is to protect people from companies doing shady things, not to prevent people from themselves. Because EVERYTHING is public in Lemmy, all data in it has been manifestly made public by the person who created it.

  • 𝕸𝖔𝖘𝖘@infosec.pub
    link
    fedilink
    English
    arrow-up
    46
    ·
    4 months ago

    This has “DMCA notice to a Russian music site” vibes. Basically, we do nothing. They have absolutely zero authority outside of Texas. If the instance is inside Texas’s borders, that’s a different story, but if the instance is located outside, it has no obligation to follow Texas’s law. They can’t do anything. They can’t block Lemmy, because it’s federated. They can’t sue Lemmy, because it’s federated. They have zero recourse, except for slam their feet on the ground and cry like a petulant child.

    • cordlesslamp@lemmy.today
      link
      fedilink
      arrow-up
      7
      ·
      4 months ago

      I’m curious to why can’t they do anything to Lemmy because it’s federated.

      Can they just block all the domain names of lemmy through ISP?

      As for suing, can they just go after the server owners or the hosting service?

      • luciferofastora@lemmy.zip
        link
        fedilink
        arrow-up
        6
        ·
        4 months ago

        Good luck finding “all the domain names”. IDK about suing, but unlike centralised monoliths like Facebook, you’d have to sue every instance violating your rules separately, and that’s assuming you can pin down who and where to sue for each of them.

      • rbesfe@lemmy.ca
        link
        fedilink
        arrow-up
        5
        ·
        edit-2
        4 months ago

        They can’t sue, but they could legislate that ISPs have to block lemmy instance domains. That would require Texas legislators to understand Lemmy though, which will never happen.

  • sorghum@sh.itjust.works
    link
    fedilink
    arrow-up
    34
    ·
    4 months ago

    If you don’t operate in Texas, do you have you comply? Is the easy fix is don’t have your servers be in Texas?

    • FarFarAway@lemmy.worldOP
      link
      fedilink
      arrow-up
      12
      ·
      4 months ago

      Someone can correct me if im wrong, but, pretty sure its any social media. Similar to what happened with pornhub.

      According to the Texas Office of the Attorney General, this new law will primarily “apply to digital services that provide an online platform for social interaction between users that: (1) allow users to create a public or semi-public profile to use the service, and (2) allow users to create or post content that can be viewed by other users of the service. This includes digital services such as message boards, chat rooms, video channels, or a main feed that presents users content created and posted by other users.”

      • sorghum@sh.itjust.works
        link
        fedilink
        arrow-up
        28
        ·
        4 months ago

        I mean my question was addressing the scope of the jurisdiction Texas can have over a server in another state. It feels like the onus is on them (or the ISPs in Texas) to block that server

        • FarFarAway@lemmy.worldOP
          link
          fedilink
          arrow-up
          4
          ·
          edit-2
          4 months ago

          Maybe someone is better equip to answer this question. As far as I understand, it is up to the social media company, as it is operating in the state. Sort of the way the corporate office of a national grocery store can be sued.

          https://www.texaspolicy.com/wp-content/uploads/2023/04/2023-05-BillAnalysis-HB18-Updated.pdf

          First, it prohibits digital service providers from entering into an agreement with a known minor unless they have verifiable parental consent.

          It seems its up to whomever is registering the account. If the person is under 18 they see a scrubbed version, of the person is over 18 they have full access. I’m not sure an ISP has control like that. I could be wrong.

          I know with pornhub, the ISP didn’t block the site, pornhub itself did.

          • MotoAsh@lemmy.world
            link
            fedilink
            arrow-up
            12
            ·
            edit-2
            4 months ago

            “Operating in the state” and “accessible in the state” are different.

            Much like a business doesn’t have to have a specific state’s business license to sell to customers of a different state, a website does not have to comply with all laws everywhere just because the laws exist. If they’re operating in Texas, they will. If they’re accessible from Texas, that’s Texas’ problem.

            • chicken@lemmy.dbzer0.com
              link
              fedilink
              arrow-up
              1
              arrow-down
              1
              ·
              edit-2
              4 months ago

              Pretty sure it doesn’t work that way. Look at what happened to Binance; not a US website, not technically allowing US customers, still successfully prosecuted by the US government for not doing enough to prevent people in the US from using it.

              • MotoAsh@lemmy.world
                link
                fedilink
                arrow-up
                4
                ·
                edit-2
                4 months ago

                That’s because they were facilitating actual, across-the-board federal crimes.

                Not looking at titties.

                I could see states that have such draconian laws working together to attempt to do anything about flagrant violators, but otherwise Texas has yet another pointless, toothless virtue signaling “law” on their hands.

                • chicken@lemmy.dbzer0.com
                  link
                  fedilink
                  arrow-up
                  1
                  arrow-down
                  1
                  ·
                  edit-2
                  4 months ago

                  The difference between what the laws are trying to enforce is a different issue though. The point is a website can be prosecuted just for being accessible when what it offers is against local laws.

          • ShepherdPie@midwest.social
            link
            fedilink
            arrow-up
            8
            ·
            4 months ago

            In the case of a grocery store, they’d have an actual physical presence in the state along with revenue and employees, so I (a total laymen) don’t see how that’s comparable to a website like Lemmy. Even PornHub would be different IMO since they have paid content and the transaction would be happening in Texas. A site like Lemmy earns nothing from its users and doesn’t sell anything so it seems like it’d be quite the stretch to hold them accountable for the actions of some kid on the other side of the country (or planet) since Texas jurisdiction ends at the border of Texas.

          • the ISP didn’t block the site,

            And from the article you posted at the beginning, perhaps the ISP can’t be required to do that. At least it’s not list as an explicit remedy. Others are suggesting that Texas might block the site from being accessible from within Texas, but there’s nothing in the law itself that suggests Texas would legally do this.

            Basically it reads like that they’re restricted to whatever the existing office of the AG of Texas could have already done in terms of enforcement powers, which is largely fines.

            It seems its up to whomever is registering the account. If the person is under 18 they see a scrubbed version, of the person is over 18 they have full access.

            Or, like, not allow registration for under 18s at all, I suppose.

            I’m not sure an ISP has control like that. I could be wrong.

            No, you are right. The site itself must comply.

            • FarFarAway@lemmy.worldOP
              link
              fedilink
              arrow-up
              1
              ·
              4 months ago

              Or, like, not allow registration for under 18s at all, I suppose.

              Problem is, one would still have to find a way to verify the registrant is over 18.

        • Aha,

          Exemptions Small businesses as defined by the Small Business Administration (SBA);

          Not sure how’d this work overseas, but basically lemmy.world and friends just needs to apply to SBA to get recognized as a small business, and they’re all good. (Or perhaps they could try to apply thru a US Embassy; or apply at a local authority and argue for legal equivalence between the SBA’s recognition and their own country’s).

          As for enforcement, well,

          If someone were to violate the act, the AG’s office may seek … civil penalties of up to $10,000 per violation, and attorneys’ fees

          So yeah basically it comes down to trying to grab money. So as they say about sucking blood from a turnip…

      • Lost_My_Mind@piefed.social
        link
        fedilink
        arrow-up
        4
        ·
        4 months ago

        Fuck 'em. They want to do this, let Facebook, and Reddit, and Instagram, and TikTok and the fediverse, and any others that I’m forgetting refuse to serve connections to Texas.

        Make Texas the ONE PLACE where the internet is just yahoo and thehampsterdance.com

        And then when Texans go elsewhere, they realize all they did was punish themselves. The rest of the world moves on without them.

      • (1) allow users to create a public or semi-public profile to use the service

        So it seems like I’m safe. I run my own single-user instance to federate and post - but I don’t allow others to sign up at all, so they can’t create a public or “semi-public” profile here (and what does semi-public mean?)

        • WhyJiffie@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          1
          ·
          4 months ago

          I was going to argue that your account is publicly viewable, but I realized that you may still be right. This depends on their definition of what is a user.

          Same with semi-public. May even be used for anything that is not public but they don’t like it.

          • tyler@programming.dev
            link
            fedilink
            arrow-up
            3
            ·
            4 months ago

            The law literally is so broad it applies to every website on the planet with a comment section. This will be struck down immediately.

        • FarFarAway@lemmy.worldOP
          link
          fedilink
          arrow-up
          1
          ·
          edit-2
          4 months ago

          I find this interesting. Does one just install software and buy a domain? I would assume theres somewhere you have to register with in order to federate. I mean, if theres no one to go after, this would be a nice work around. At least, until theres a site for every Texan that figures it out.

          I think semi public would be like setting your facebook profile to private. It shows your name, and basic details, but doesn’t show all your posts or interactions.

          Edit: haha, you kinda answered this somewhere else as I was typing.

          • I think semi public would be like setting your facebook profile to private. It shows your name, and basic details, but doesn’t show all your posts or interactions.

            Seems reasonable. It’s good to figure these things out now btw, as courts will adopt the “common definition” if the law doesn’t explicitly define things (including referencing dictionaries for the meanings of words).

            I find this interesting. Does one just install software and buy a domain?

            You don’t even need to buy a domain necessarily, just have a place to install the software and use one of the free services.

            I run my own self-hosted single-user pyfedi instance, and I more-or-less do so for free (I mean I pay for internet and I bought the old laptop that I’m running pyfedi on ages ago, but that’s it).

            After looking at a lot of different options, I decided to go with srv dot us since srv dot us guarantees you a permanent domain name without having to pay (albeit you can’t pick the name). srv dot us actually doesn’t require any signup either - you just follow the instructions, connect, and go - and they only keep records like your ip address for one day, so if you stop using it for longer then poof you’re suddenly that much harder to trace.

            ngrok dot com also offers a free domain name (but you can’t pick - if you want to choose your own then you have to pay). You sign up with your email and all that though (you can also sign up using your github account). I almost went with this (the author of pyfedi, [email protected] , mentions (recommends?) using ngrok for this purpose) but at the time I had some other issues and misdiagnosed it as ngrok blocking federation with their silly popup (see https://stackoverflow.com/questions/73017353/how-to-bypass-ngrok-browser-warning for more details)

            You can learn more about pyfedi by visiting the flagship instance at piefed.social

            I would assume theres somewhere you have to register with in order to federate.

            Nope, nothing like that. Verification is done mostly just by making sure you own or otherwise legitimately have access to the domain that you are using (specifically that you have SSL certs that are certified for the given domain for use in HTTPS if you wanna get a little bit technical).

            I mean, if theres no one to go after, this would be a nice work around. At least, until theres a site for every Texan that figures it out.

            So fly-by-night instances it is! It wouldn’t necessarily work for large instances with many users though - pretty much all of these do buy their own domain, for which you have to provide your legal name and address and such (even if it’s not public thanks to domain privacy, it would be available to law enforcement)

            And federation does not play nice with someone’s domain name changing. Meanwhile if one is caught registering for a domain with a fake name etc then the domain registrar is entitled to cancel the ownership of that domain and take it back.

            That said, one might luck out and find a good domain with a registrar that’s in a jurisdiction that is particularly unfriendly to Texas’s ability to enforce SCOPE.

            Edit: haha, you kinda answered this somewhere else as I was typing

            Thought I could enhance my previous answers by adding a little more detail here.

            • FarFarAway@lemmy.worldOP
              link
              fedilink
              arrow-up
              1
              ·
              4 months ago

              Wow! Thank you for such a detailed answer. Even without some weird law, it’s good information to have, and with a little elbow grease, it sounds completely doable. And if it keeps people from getting in trouble / protects privacy, I’m all for it!

    • naonintendois@programming.dev
      link
      fedilink
      arrow-up
      5
      ·
      4 months ago

      If you own an instance it’s better to check with a lawyer. They might give you a warning first or they might go after you immediately. How effective that is depends on what country you live in and which country the server is in.

    • My guess is that the law is basically extra-territorial - meaning that in theory it applies no matter where you are based.

      For a for-profit service this is more enforceable - just gotta find a way to seize the stream of money flowing out of Texas for violate of the law.

      For a service based in the US this is more enforceable - just gotta get the federal system and other states to cooperate, and enforce Texas’s court judgement, and then Texas can find a way to seize the stream of money flowing around and out of the US (or perhaps seize the US assets of the company).

      For a non-commercial entity based in the territory of the European Union that has no funds flowing at all from the US (think lemmy.world or feddit.de here) then it’s probably quite a bit harder to do anything at all in terms of effective enforcement.

      • RedSeries@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        4 months ago

        I’m gonna petition my state to make a law that if someone is from Texas and tries to enforce Texan laws on my state, they’re executed on the spot.

        Should be about as enforceable as this joke of a law.

  • some_guy@lemmy.sdf.org
    link
    fedilink
    arrow-up
    33
    ·
    4 months ago

    I’m tired of Texas trying to expand their sphere of influence beyond their borders with shitty laws and shitty judges.

  • ulkesh@lemmy.world
    link
    fedilink
    arrow-up
    32
    ·
    4 months ago

    It’s called the “Fuck Texas” response to such a garbage law. And good luck enforcing it especially with federated sites.

  • gravitas_deficiency@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    31
    ·
    4 months ago

    lol it doesn’t

    Texass is gonna have to play whack-a-mole and do it the hard way. And I’m pretty sure the more technically inclined members of the fediverse are going to have loads of fun fucking with whatever IT measures they try to mitigate this with, because they’re certainly not going to be drawing the best and brightest minds.

    Put another way: weaponized non-neurotypicals are gonna have some fun fucking with a state government that doesnt like them, because the feeling is very much mutual.

  • Howdy@lemmy.zip
    link
    fedilink
    arrow-up
    17
    ·
    4 months ago

    Texas: “I’m gonna let you finish but I’m just going to keep regressing right now.”