You bring up an interesting point, because of how the fediverse works, every server (that has an active subscription) essentially has a mirror of the original data. So if Facebook have data from people who never consented to that, then they would surely be breaking GDPR rules? GDPR rules say that they can only PROCESS the data (or mine it - if you want to use a more realistic term) if a user has explicitly agreed to that, implicit agreement doesn’t count. So this is going to interesting to see how they manage this - providing that they don’t process the data and simply present it, as is - they don’t break GDPR, but the second that they start processing it, they breach GDPR. Now - they can process data that belongs to their users, but they would have to write code that ensures they don’t ingest posts from any user that is not a meta user - for the purposes of harvesting it.
Yes, this is exactly the sticky issue we get into. And I’m wondering if lawyers would be able to make a case that using ActivityPub alone automatically gives your consent to have your data exist on an instance outside your own. Once they have data you’ve consented to give they can do with it as they please, essentially arguing you’ve become a consenting party when you consented to federation. I don’t know the GDPR well enough to have any answers, but you can bet Meta lawyers do.
I don’t think Facebook would be having high level NDA-protected talks with Mastodon people if they weren’t trying to work all this out. And by work out, I mean how to monetize/data mine. I’ve been talking about this with people all day, many of whom didn’t see a problem with this, but eventually all of them have had the lightbulb turn on when they realize the potential abuse Meta could do with/to ActivityPub.
If, by some miracle, Meta wants to be the good guy for a change, let them prove it. I would love to see defederation by default, and let Meta prove they’re trustworthy to federate to. And even then, have a really itchy defederate trigger finger if they even hint at pulling another Cambridge Analytica fiasco. But getting everyone on-board with that is probably impossible, especially if Meta starts throwing money around.
Meta can have the data, that part yes you consent to by using ActivityPub software, though there is a whole other argument to get into later about whether “normal” users really understand that. But no Meta absolutely cannot process that data, for creating shadow profiles or anything like that - unless the user explicitly opts in. GDPR is quite clear that you cannot infer that a user agree based on some other influence (in this case the user using ActivityPub) - the user MUST have been presented with a dialog explaining what Meta would do with the data and giving the user the option to say they agree or disagree with it.
Thank you for the clarification there. I hope you don’t mind having this conversation with me, I’m learning a lot by interacting with people on this topic. I don’t want you to feel like I’m arguing with you though. So the GDPR seems fairly bullet proof, but it only applies within the EU. So how about a scenario like this:
Your instance is hosted in the EU and has the full protection of the GDPR. My instance is hosted in the US where the GDRP does not apply. Your instance federates with mine. I federate with Meta. Meta now has your data but they didn’t get it from a GDPR protected source. You consented to give it to me, and I consented to give it to them. They have no obligation to uphold the GDPR because they’ve had no interaction with your instance whatsoever, they’ve simply accepted what I gave them and that transaction occurred within the jurisdiction of the US.
Maybe the GDPR still works here, I don’t know. But I guess my point is that if I can come up with endless scenarios like this, lawyers can too, and they know infinitely more about the law than I do. Hell, they can even come up with their own interpretations of law and act on them for years, only changing their practices when they’re forced to by someone actually suing them. Which by then they’ve already collected and sold millions worth of data.
I feel like outside the federated system, meta would rely on geographic metadata (eg IP address) to identify if a user was within the scope of the GDPR or not. But they aren’t going to have access to any of this information, when they receive the data from another server in the fediverse. There will be zero way for them to identify if a user from any server in the fediverse would be applicable to the GDPR or not, because any user from any country can basically sign up anywhere. It will be difficult for them to argue against that - since it’s highly publicised that when Mastodon was struggling under the strain of the massive influx of new users - that people were being advised to find an instance that aligned to their interests rather than just their geographical location. Indeed I am on a Scottish server - where I arrived in 2019, but I have recently started another account on a US server ( allthingstech.social) so I would indeed be a user protected by GDPR on a US server. Because Meta have no way of knowing where a user comes from, the only thing they can definitely legally do - is process data from their own known users - but they are crossing into dangerous territory the second they start trying to process data from users outside their own instance. In my opinion anyway.
And no I don’t mind debating at all. There needs to be a lot more debate, and a lot less death threats and screaming matches online - in order for us to start resolving anything.
Edit:
The GDPR applies to data on people. So in your example - it doesn’t matter how Meta got the data, the point is that they have data on citizens that are protected by the GDPR, the fact that the data arrived indirectly via a US server, doesn’t remove the protection afforded to the EU citizen
You bring up an interesting point, because of how the fediverse works, every server (that has an active subscription) essentially has a mirror of the original data. So if Facebook have data from people who never consented to that, then they would surely be breaking GDPR rules? GDPR rules say that they can only PROCESS the data (or mine it - if you want to use a more realistic term) if a user has explicitly agreed to that, implicit agreement doesn’t count. So this is going to interesting to see how they manage this - providing that they don’t process the data and simply present it, as is - they don’t break GDPR, but the second that they start processing it, they breach GDPR. Now - they can process data that belongs to their users, but they would have to write code that ensures they don’t ingest posts from any user that is not a meta user - for the purposes of harvesting it.
Yes, this is exactly the sticky issue we get into. And I’m wondering if lawyers would be able to make a case that using ActivityPub alone automatically gives your consent to have your data exist on an instance outside your own. Once they have data you’ve consented to give they can do with it as they please, essentially arguing you’ve become a consenting party when you consented to federation. I don’t know the GDPR well enough to have any answers, but you can bet Meta lawyers do.
I don’t think Facebook would be having high level NDA-protected talks with Mastodon people if they weren’t trying to work all this out. And by work out, I mean how to monetize/data mine. I’ve been talking about this with people all day, many of whom didn’t see a problem with this, but eventually all of them have had the lightbulb turn on when they realize the potential abuse Meta could do with/to ActivityPub.
If, by some miracle, Meta wants to be the good guy for a change, let them prove it. I would love to see defederation by default, and let Meta prove they’re trustworthy to federate to. And even then, have a really itchy defederate trigger finger if they even hint at pulling another Cambridge Analytica fiasco. But getting everyone on-board with that is probably impossible, especially if Meta starts throwing money around.
Meta can have the data, that part yes you consent to by using ActivityPub software, though there is a whole other argument to get into later about whether “normal” users really understand that. But no Meta absolutely cannot process that data, for creating shadow profiles or anything like that - unless the user explicitly opts in. GDPR is quite clear that you cannot infer that a user agree based on some other influence (in this case the user using ActivityPub) - the user MUST have been presented with a dialog explaining what Meta would do with the data and giving the user the option to say they agree or disagree with it.
Thank you for the clarification there. I hope you don’t mind having this conversation with me, I’m learning a lot by interacting with people on this topic. I don’t want you to feel like I’m arguing with you though. So the GDPR seems fairly bullet proof, but it only applies within the EU. So how about a scenario like this:
Your instance is hosted in the EU and has the full protection of the GDPR. My instance is hosted in the US where the GDRP does not apply. Your instance federates with mine. I federate with Meta. Meta now has your data but they didn’t get it from a GDPR protected source. You consented to give it to me, and I consented to give it to them. They have no obligation to uphold the GDPR because they’ve had no interaction with your instance whatsoever, they’ve simply accepted what I gave them and that transaction occurred within the jurisdiction of the US.
Maybe the GDPR still works here, I don’t know. But I guess my point is that if I can come up with endless scenarios like this, lawyers can too, and they know infinitely more about the law than I do. Hell, they can even come up with their own interpretations of law and act on them for years, only changing their practices when they’re forced to by someone actually suing them. Which by then they’ve already collected and sold millions worth of data.
I feel like outside the federated system, meta would rely on geographic metadata (eg IP address) to identify if a user was within the scope of the GDPR or not. But they aren’t going to have access to any of this information, when they receive the data from another server in the fediverse. There will be zero way for them to identify if a user from any server in the fediverse would be applicable to the GDPR or not, because any user from any country can basically sign up anywhere. It will be difficult for them to argue against that - since it’s highly publicised that when Mastodon was struggling under the strain of the massive influx of new users - that people were being advised to find an instance that aligned to their interests rather than just their geographical location. Indeed I am on a Scottish server - where I arrived in 2019, but I have recently started another account on a US server ( allthingstech.social) so I would indeed be a user protected by GDPR on a US server. Because Meta have no way of knowing where a user comes from, the only thing they can definitely legally do - is process data from their own known users - but they are crossing into dangerous territory the second they start trying to process data from users outside their own instance. In my opinion anyway.
And no I don’t mind debating at all. There needs to be a lot more debate, and a lot less death threats and screaming matches online - in order for us to start resolving anything.
Edit:
The GDPR applies to data on people. So in your example - it doesn’t matter how Meta got the data, the point is that they have data on citizens that are protected by the GDPR, the fact that the data arrived indirectly via a US server, doesn’t remove the protection afforded to the EU citizen