Unless you dox yourself what kind of personal information are instances sharing? On top of that stuff that isn’t due to the normal functioning of the site as a public message board?
What’s questionable is embedding images, lemm.ee mitigates that with proxying, but ultimately the web is the web and you can’t proxy the whole web. Clicking a link will still lead you somewhere else and if your browser pre-loads links then that’s up to you.
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Little of the information that instance share is not personal. Identifiable is also very broad. It’s enough that it would be possible for someone with the right tools and access to other information to identify you. EG Your ISP could be subpoenaed to reveal the customer behind a dynamic IP-address, making it a personal datum.
It’s an extremely broad definition. If it wasn’t, tracking cookies would not be a big deal unless you had the real name of someone connected to the cookie ID.
ultimately the web is the web and you can’t proxy the whole web. Clicking a link will still lead you somewhere else and if your browser pre-loads links then that’s up to you.
That’s exactly what my first reaction was. But the law sees it differently. No one is required to use an ad-blocker, VPN, or know anything about the internet. When you make a website or something, it is up to you to make sure that no one’s rights are violated. In fairness, if it was otherwise, tracking pixels would be fine.
We’re not at a point yet, where outgoing links must come with a warning, but it would be safer. Someone is always the first to lose a court over something. I noticed news media use rel=noreferrer. I think that’s the least one needs to do (“data minimization”).
Don’t expect me to defend the GDPR. It’s neoliberal/conservative bullshit; even an abandonment of enlightenment values. But it’s the law nevertheless and a lot of people on Lemmy positively love it.
Little of the information that instance share is not personal.
The only PII contained in that post you wrote is your user name. My instance has no idea what IP address or whatnot you used, it gets sent “user posted message”, “user voted”, etc. messages by lemmy.world. It does not interact with you.
The information that your instance shares with the rest of the world is a) pseudonymous, unless you dox yourself no connection can be made between your handle and your actual person and b) said information transfer is part of the primary service of the platform. You wouldn’t be here if things wouldn’t get shared that way, hence, you consented.
If it wasn’t, tracking cookies would not be a big deal unless you had the real name of someone connected to the cookie ID.
Cookies are no issue. Tracking without consent is. Lemmy isn’t tracking you. You have an account with lemmy.world. You presumably have taken notice of its privacy policy. lemmy.world is run by a Dutch foundation, and yes they have a legal department… or at least lawyers. If you’re a EU citizen the GDPR applies, otherwise other stuff might apply, they’re spelling it all out.
EG Your ISP could be subpoenaed to reveal the customer behind a dynamic IP-address, making it a personal datum.
…yes? You gave lemmy.world the right to log your IP when you signed up. They’re not retaining it longer than necessary because of the general GDPR provision of data frugality, but if a court order knocks on their door saying that they need your IP they can also be required to wait until you log in and then send that fresh IP directly to the authorities. Newsflash: The GDPR does not provide opsec against EU state actors. Off to the darknet with you if you care about that. It does provide opsec against ad networks, data brokers, etc… well at least in so far as it’s actually enforced.
Don’t expect me to defend the GDPR. It’s neoliberal/conservative bullshit; even an abandonment of enlightenment values.
The only PII contained in that post you wrote is your user name.
I think you have California law in mind here? I’ll boil down the GDPR’s definition of personal data for this particular case.
‘[P]ersonal data’ means any information relating to an identifiable natural person.
All the data that is associated with a user account relates to that user. All of it is personal data.
[A]n identifiable natural person is one who can be identified by reference to an identifier such as an online identifier
Now that I come to mention it, I think a static IP is a sufficient identifier in itself, without further recourse to ISP data.
lemmy.world is run by a Dutch foundation, and yes they have a legal department… or at least lawyers.
Indeed, it’s heart-warming to see how the legal section grows every time I check. Which is a problem, because I’m pretty sure they need to give everyone the option to decline or accept every time they change it. Well, maybe in another couple months or years, it will be somewhat in compliance with EU regulations.
You gave lemmy.world the right to log your IP when you signed up
Unless you dox yourself what kind of personal information are instances sharing? On top of that stuff that isn’t due to the normal functioning of the site as a public message board?
What’s questionable is embedding images, lemm.ee mitigates that with proxying, but ultimately the web is the web and you can’t proxy the whole web. Clicking a link will still lead you somewhere else and if your browser pre-loads links then that’s up to you.
Don’t IP addresses get associated with posts?
Why would they? Serves no purpose.
I’ll quote the definition from the GDPR:
Little of the information that instance share is not personal. Identifiable is also very broad. It’s enough that it would be possible for someone with the right tools and access to other information to identify you. EG Your ISP could be subpoenaed to reveal the customer behind a dynamic IP-address, making it a personal datum.
It’s an extremely broad definition. If it wasn’t, tracking cookies would not be a big deal unless you had the real name of someone connected to the cookie ID.
That’s exactly what my first reaction was. But the law sees it differently. No one is required to use an ad-blocker, VPN, or know anything about the internet. When you make a website or something, it is up to you to make sure that no one’s rights are violated. In fairness, if it was otherwise, tracking pixels would be fine.
We’re not at a point yet, where outgoing links must come with a warning, but it would be safer. Someone is always the first to lose a court over something. I noticed news media use rel=noreferrer. I think that’s the least one needs to do (“data minimization”).
Don’t expect me to defend the GDPR. It’s neoliberal/conservative bullshit; even an abandonment of enlightenment values. But it’s the law nevertheless and a lot of people on Lemmy positively love it.
The only PII contained in that post you wrote is your user name. My instance has no idea what IP address or whatnot you used, it gets sent “user posted message”, “user voted”, etc. messages by lemmy.world. It does not interact with you.
The information that your instance shares with the rest of the world is a) pseudonymous, unless you dox yourself no connection can be made between your handle and your actual person and b) said information transfer is part of the primary service of the platform. You wouldn’t be here if things wouldn’t get shared that way, hence, you consented.
Cookies are no issue. Tracking without consent is. Lemmy isn’t tracking you. You have an account with lemmy.world. You presumably have taken notice of its privacy policy. lemmy.world is run by a Dutch foundation, and yes they have a legal department… or at least lawyers. If you’re a EU citizen the GDPR applies, otherwise other stuff might apply, they’re spelling it all out.
…yes? You gave lemmy.world the right to log your IP when you signed up. They’re not retaining it longer than necessary because of the general GDPR provision of data frugality, but if a court order knocks on their door saying that they need your IP they can also be required to wait until you log in and then send that fresh IP directly to the authorities. Newsflash: The GDPR does not provide opsec against EU state actors. Off to the darknet with you if you care about that. It does provide opsec against ad networks, data brokers, etc… well at least in so far as it’s actually enforced.
The fuck are you on about.
I think you have California law in mind here? I’ll boil down the GDPR’s definition of personal data for this particular case.
‘[P]ersonal data’ means any information relating to an identifiable natural person.
All the data that is associated with a user account relates to that user. All of it is personal data.
[A]n identifiable natural person is one who can be identified by reference to an identifier such as an online identifier
Now that I come to mention it, I think a static IP is a sufficient identifier in itself, without further recourse to ISP data.
Indeed, it’s heart-warming to see how the legal section grows every time I check. Which is a problem, because I’m pretty sure they need to give everyone the option to decline or accept every time they change it. Well, maybe in another couple months or years, it will be somewhat in compliance with EU regulations.
The IP was simply an example that came from the court case I linked earlier. Oh, but not in this particular fork. https://www.techdirt.com/2022/02/07/german-court-fines-site-owner-sharing-user-data-with-google-to-access-web-fonts/
The enlightenment bit was too much? I see where you’re coming from. Well, you probably don’t want to read my rant.