Yesterday, as part of the discussions related to Lemmy current inability to delete all user content I wrote a proposal: if enough people stepped up to help with funding, I’d take my work on my Fediverser project (which already has an admin web tool that “knows” how to interface with Lemmy) to solve all the GDPR-specific issues that we were raised by @maltfield@monero.town
The amount asked is, quite frankly, symbolic. I offered to work 10h/week on it if at least 20 people showed up to contribute via Github (which would be $4/month) or to signup to my instance (which access is given via a $29/year subscription). In other words, I’m saying “Give me $80/month and I will work 40 hours per month on this thing which so many of you are saying is critical to the project.”
So now that we have passed 24 hours, 58 upvotes and a handful of “that’s great!” responses, let me tell you how that translated into actual supporters:
- Zero sponsors on Github
- Zero signups on Communick.
Don’t take this as me demanding anything. I’m writing this just to illustrate the following:
-
The Tragedy of the commons is real. I can bet that at least 30% of the 60+ thousand users on Lemmy are proud owners of a pricey iPhone, and most of these are okay with paying for an app to use on their pricey iPhones, but almost none of them will even consider throwing a few bucks per year on the way of an open source developer.
-
The Outrage Mill is not a “capitalist” or even “corporate” phenomenon. People were piling on the devs yesterday for completely ignoring “such a crucial piece of functionality”, but no one actually stepped up to offer (or gather) the resources needed to have this problem solved. It’s almost as if people were getting more out of the discussion about the problem than working through a solution.
-
“Skin In The Game” is a powerful filter. No matter how much people will tell you that something is important to them, the true test is seeing how many are willing to pay the asking price. If not people are not willing to pay $2 per hour of work, then I can assume that this is not really important.
24h for people to react to a comment in some post?
I think you under-advertised your proposal
I’m just finding out about this now lol. Imagine Kickstarter but with a 24h window…
Ok, so now you know, and you can share and/or help.
The last time I advertised something here, I got banned by the mods from LW.
Anyway, now you know it as well. If you think that this is a worthy effort, what are you going to do about it besides commenting here?
There are other communities too
Maybe I’m going to do something, maybe I’m not. Why the demanding tone?
I also think that grassroots economy would work better for many things. But we’re not there, the world doesn’t work like that ATM. Wish for 10% of people to contribute is very optimistic IMO.
You need much wider spread, and for me (for example) your tool is the only thing that gives you any credibility. If there are others like me, you might be missing clout for a call to support like that to simply just workLike I said, I am not demanding anything. I am just pointing out that now you know, so now you can take action.
You don’t have to, but you can.
Yes, I can. But you need much more to accomplish this
- You need reach: are there any mods/admins that would feel ok with vouching for your abilities? And preferably have info about your proposal stickied on a bunch of communities where it could reach people open to chip in?
- You need to convince those you reach that you’re not a Nigerian Prince. Mod/Admin saying you’re legit could help with it but maybe there’s something more you could do to convince the public?
Maybe I simply don’t know who you are, maybe in reality you are second in command after Dessalines. But either you are a random dev saying “I can do that” - in this case you need to somehow convince others that you really can. Or you are not recognised for your work - in this case you need to point us to what tie you to. I saw the fedi project on your GitHub so you probably can code (I’m not going to be auditing your project in order to asses your skills, sorry). But are you just a dreamer or are you serious?
I’m sorry if what I’m saying sounds harsh. I just feel that how you are coming through to the other side gets lost in translation here - GitHub is not the most popular support medium. Why not also have Patreon/Koffi/OpenCollective/etc? Many will chip in easier if they’re already present on the platform
-
The number of subscribers to this community is already close to half of the total amount of active users on all of Lemmy. Plus, as so many people said before (when complaining about the alien.top bots), the majority of people browse Lemmy by “all”. I really find hard to believe that going to other communities is going to move the needle too much in terms of reach.
-
If I were a scammer, I’d be a really dumb one. Do you really think that it would be a good idea to go through a platform like Github asking for $4/month? Or go through all the trouble to put together a real website, offering services were you pay through Stripe and can cancel or ask for a refund?
-
Honestly, because I don’t believe in the donation-based model. I’d rather have people believing in me and supporting my work by being actual customers of my business offer.
-
That seems futile to me. Once you post, your content is all over the instances, admins have backups. The best you can do is guarantee GDPR on your local instance but the user has to go hunt down every other instance with a copy of it.
The fediverse can’t ever be properly GDPR compliant unless an EU bubble develops with instances with contracts between eachother to be GDPR compliant and they all only federate with eachother. Federated Lemmy instances would fall into subprocessors that you need to hold to GDPR standards, that’s just not possible the way things work right now.
People think GDPR is some magic spell that can be used to stop bits from being transmitted around the Internet.
It’s not. It’s just a set of instructions regarding what online services are supposed to do with the data of European users interacting directly with their servers. To be “GDPR compliant”, all instance admins need to be able to do is:
- tell their users what PII they need to collect for their service.
- ask for consent to share this PII with other parties.
- remove any PII upon the user’s request from their servers.
I’m reasonably certain that I can satisfy these regulations.
- I don’t share any PII with other parties (not even analytics of any kind), so I don’t even need that stupid EU cookie pop-up on my website.
- The only PII I need to collect is their username. Even email address is optional.
- People only get access to my instance by signing up to Communick, so they need to accept my privacy policy.
There is nothing in the law that says “if someone screams Gee-Dee-Pee-Arrr three times in front of their phone, their data becomes radioactive and must disappear from the Internet in 48 hours or the instance owner will pay 100 million euros + 3 pints of blood from their unborn first child”
Aren’t you also supposed to ensure that the third-party handling the PII is also GDPR compliant before the user consents to sharing it? Pretty sure my work training said so, but they could be erring on the safe side.
If not, that sounds like a giant loophole: you could just ask for consent, funnel all the data out of reach from the GDPR, and do all the analytics and profiling you want. Like, when Threads joins, what’s stopping them from swallowing all your user’s data? They can get it, they’re implicitly allowed to process it, and yet the data is now unencumbered from any further consent requests by the user. They don’t even have a way of knowing if the user is potentially from the EU.
Meta would of course be obligated to delete the data if the user goes to them and requests it to be deleted, but they might not even know Meta’s processing their data, and there’s a lot of privacy enthusiasts on Lemmy.
How can a user possibly consent to this properly, other than practically waiving their GDPR rights, which the law doesn’t allow?
Is there any new documentation around on that topic from actual lawyers analyzing the implications? It feels everything GDPR I see is opinions and personal interpretations of the law, which may be biased towards “it’s probably okay” as obviously we all want the fediverse to succeed.
In particular, ActivityPub pushes the data out for the most part, so one can’t argue “well I can’t stop people scraping my site illegally”, one could argue that instance admins should vet new instances before opening the data firehose.
It feels very much like depending on the case, and who got harmed how, a judge could decide the admins should have put technical safeties. I mean, we’re in the era of holding porn sites responsible for letting minors access the site and demanding they ID everyone to make sure. Lawmakers barely understand technology, let alone something like the Fediverse. I could see things go sour real fast.
User generated content != PII.
Like, when Threads joins, what’s stopping them from swallowing all your user’s data?
What’s stopping you (or anyone else) to just bypass authorized fetch and swallow the data stream from anyone?
User generated content != PII.
Aren’t the usernames an identifier and therefore PII? As far as I understand you can’t even use a cookie or the user’s IP to determine unique visitors on a site because it identifies the user personally.
On the fediverse, every comment, every vote, every moderator action is completely public, and tied to the username. Unless the username is a throwaway and the user never ties it to their real identity in any way, that builds a ridiculously detailed profile of the user’s habits online. And still, you get enough of a profile I don’t doubt Google or Meta could manage to connect it to your profile easily unless you’re actively using a different persona.
It’s all completely public and available to anyone that wants it.
It’s even worse, images aren’t proxied right now so you can actually tie a username to an IP rather easily if you don’t use a VPN or block outside resources by default.
Not exactly a new threat to be fair, but really the only thing not being broadcasted everywhere about the user is their email address.
I guess the best one can do is clearly inform the user about the risks involved and honor incoming deletion requests properly, but man if a child get abused on the fediverse and you can barely yank the content, I can see a judge ruling that the fediverse as a whole is reckless.
What’s stopping you (or anyone else) to just bypass authorized fetch and swallow the data stream from anyone?
Exactly.
To my understanding, the key part is that you are supposed to disclose any type of information that you are sharing with third-parties through back channels.
If you set a third-party tracking cookie on your site, then yes, the third-party can use the cookie to correlate users from different sites. But if you do what you just did and place a image that displays the IP, how can any third-party access this information? You have my IP and a request log, so what? Is there any way that another Lemmy instance can use this to identify me?
On the fediverse, every comment, every vote, every moderator action is completely public, and tied to the username.
And distribution/collection of public information is not what the GDPR is trying to regulate!
Can you show where the GDPR excludes public information? Because if it doesn’t and can uniquely identify a person, then it’s still subject to this regulation.
Let’s say you go to a public forum and asks “please remove my PII”. To comply, they don’t need to remove your comments and posts, they just need to remove your username. Granted, the website owner might have the policy of deleting all the content, but you’ll have a hard time with the legal system to argue that they are not complying with the GDPR if they delete only the thing that really just identifies you uniquely.
an EU bubble develops with instances with contracts between eachother to be GDPR compliant and they all only federate with eachother.
Wouldn’t that be similar to what is happening with websites preventing access from the EU to avoid GDPR ?
Pretty much, although in this case I guess one can just make an account with one of such instances. But it would definitely make it harder for people like me who run their own instances.
IANAL, but fediverse instances need to find a way to automatically set up data processing agreements when initializing federation to be GDPR-compliant: https://gdpr.eu/what-is-data-processing-agreement/
I respect your efforts and your willingness to propose a solution to the various problems that Lemmy faces, particularly the moderation and image management aspects. I did not see your proposal until you linked it in this post.
I will say though the Fediverser project is closely aligned with alien.top, which in October 2023 was a one-way Reddit to Lemmy bridge. Many Lemmy users (myself included) were very upset with how that “solution” caused automated post traffic to flood servers all over Lemmy, drowning out swaths of discussion until admins defederated from it.
I am the type who puts money (at least what little I have) where their mouth is. However I can’t support Fediverser or Communick.news because of the above, I’m sorry. As a separate project you may have more success, mention me if you implement or are implementing some sort of extension to allow Lemmy to execute full data extraction and deletions per GDPR, or a proper admin or per user image management tool (offer open until May 31 2024).
- It would be separate from Fediverser. I’m just mentioning because by working on it I learned enough about Lemmy’s API and database to know that I can create a management dashboard that can work with the Django admin.
- alien.top is not mirroring posts anymore. The reason I am not working on the two-way bridge is (surprise!) because no one who expressed interest in it has shown up to support it as well.
- If you are offering donations on the condition that I do something that satisfies your expectations, it’s not a donation. I’m not here to chase people around the internet for $4/month. If you want to hire me to do your bidding, my consulting fee is 250€/hour. Pay me that and I can do the monkey dance. Please don’t ever come to me or anyone else with “do this and I will contribute”. It’s downright offensive.
This is what you wrote in the post:
- “Skin In The Game” is a powerful filter. No matter how much people will tell you that something is important to them, the true test is seeing how many are willing to pay the asking price. If not people are not willing to pay $2 per hour of work, then I can assume that this is not really important.
I’m telling you what is important to me by your definition, and you write the response you did. Very well then, it appears you don’t need support from people like me if you find it offensive. May you have a pleasant day.
Skin in the Game is about showing that you are willing to accept the risks and costs of standing up to your values. This is a separate thing from “I will only give money to X if they are willing to be subjected to my personal purity test”.
I am not saying that donating to me specifically would be a display of SITG. You (and by you I mean “anyone that wants to keep using Lemmy but is worried about potential GDPR violations”) could, e.g:
- get a lawyer to work and make a real assessment of the legal liabilities for admins and users in the EU.
- take initiative to pool together resources to find other Rust developers who could work on the Lemmy source code, pay them instead.
- contribute to a competing project to signal to the Lemmy devs that this is important.
- go ahead and tell the Lemmy devs “I am willing to contribute to your work specifically to reach the GDPR-compliance milestone”
The offensive part of your previous post is not that it makes the donation conditional on a milestone, but just you came as someone who is trying to use money as a way to control my behavior. You basically said “I don’t like what you did before, so I will only support you for something that I do like if you disown your previous actions”. This is completely removed from SITG and reminiscent of a struggle session.
My apologies if you thought my comment was trying to control you with money, I wasn’t trying to hire you. My offer is open to anybody that might just happen to be working on something like that for any reason, they can mention me for my support. The time limit is only so I don’t get 10 requests in 2025 from people when I’ve long forgotten about it.
Typical inertia I would say.
Some people commended but forgot about it. Some others didn’t actually want to support. A few might be betting on other platforms rather than Lemmy.
I’m not really that surprised.
that’s how it always goes, people wanna complain in the comments so they pretend it’s the worst problem in the world, then you ask them to spend $1 to fund development and fix it in the software they use every day and you get nothing lol
What’s astonishing to me is the amount of people who seem to think that because the GDPR exists – they’re entitled (by birthright I guess) to someone else’s labor. It feels like we’re bordering on feudalism the way people act like they’re owed something from developers.
GDPR has an impact on day to day lives of people in Europe.
When I was looking for a flat, every real estate agency made me sign a GDPR acknowledgement. It bothers them, but they have to comply.
So now that we have passed 24 hours
Bold of you to assume that people connect daily or pesistently on a platform that was born or enhanced, in great part, to find an escape to corporate addiction platforms!
Like, really, if it was to be binding for decision making on the Fediverse, I’d give it at least 7 full days, to account for people who mostly lurk on weekdays and only truly engage on weekend.
Not assuming anything except that at least 60 people read my comment and thought it was a good idea…
If you need $80/mo as a starting investment, I will step up and do a one time donation. Hopefully, you get the support you are looking for, but I don’t think this is going to be a sustainable model for you in the future.
It’s not a sustainable model, OP just wanted to see how many people would put their money where their outrage was
Tagging @maltfield@monero.town because I forgot that mentions only work in comments…
(I see my reply yesterday didn’t federate; trying again from an alt instance)
o hai. Curious that you expected a bunch of people to support you within a couple days. I never saw your proposal (buried in a comment thread in one post on lemmy). I’m only first hearing of this 6 hours after you specifically tagged me. I think you could do more to publish & advocate your proposals if you’re serious about them…
Before the incident described in the article you’re referencing, I had never spoken to any instance admins. Since I published it, I have spoken to several instance admins (many reached out to me), and they all expressed similar frustrations with the lemmy devs and fatigue in contributing to this project.
No matter how much people will tell you that something is important to them, the true test is seeing how many are willing to pay the asking price.
I think it’s important to consider that there’s many ways that people contribute to Lemmy. Equally as important as the work that the devs are doing is the work that the instance admins are doing. Collectively the community of instance admins are contributing much more money and time into lemmy than the developers are. That shouldn’t be discounted. Both should be appreciated.
There are other ways that people take time out of their lives to support Lemmy, such as finding and filing bug reports, writing documentation, answering questions about the fediverse to new users, raising awareness about lemmy on other centralized platforms, etc. These are also all contributions that benefits the project. Don’t discount them.
But when our contributions are met with disrespect, it pushes us away. Based on my conversations with countless Lemmy contributors in the past few days, that’s where a lot of people are. They don’t want to invest any more time or money into Lemmy because of their previous interactions with the Lemmy devs.
This can be repaired, but the Lemmy devs do need to work on fixing their Image Problem.
Hey, that’s weird. I got it yesterday, and even responded.
That’s great!
I didn’t see your initial proposal. However I sympathise with this post and I really understand the frustration you’re feeling with the lack of donations, having seen it time and time again in the open-source space.
I was going to pledge that I’d donate once I had the cash available, but seeing how you respond to people in the comments is leading me to reconsider. You may not be demanding donations, but to me it does look like you’re attempting to shame people into donating with a challenging tone. Quoting one of your responses:
Anyway, now you know it as well. If you think that this is a worthy effort, what are you going to do about it besides commenting here?
I still want to support you if you’re going to pursue this, since I myself have a strong interest in Lemmy being GDPR-compliant, but I ask you that you please reconsider how you approach the people that can potentially be supporters of your efforts.
Ok, you are right that I was more aggressive in this comment that I should. And you are right that is coming from a sense of frustration, but it’s not just because of my proposal.
I’m frustrated by the overall “what’s in it for me?” attitude that still prevails in a place that is so self-proclaimed “pro-collective” and “anti-corporate”, and I’m frustrated by the lack of consistency of the community. We all love to claim to hate Reddit and its practices, but I can bet the large majority went back to use it and are just waiting for the alternatives to magically be developed.