“The SCOPE Act takes effect this Sunday, Sept. 1, and will require everyone to verify their age for social media.”

So how does this work with Lemmy? Is anyone in Texas just banned, is there some sort of third party ID service lined up…for every instance, lol.

But seriously, how does Lemmy (or the fediverse as a whole) comply? Is there some way it just doesn’t need to?

  • General_Effort@lemmy.world
    2 months ago

    Deny a person that right, and you take a bit of their power away. By running my own single user instance, I make sure that I always own my own content, no one can take it away from me by suddenly shutting down their website (as has happened to e.g. elle.co for example).

    Hold on. You can’t keep personal data longer than needed. Making data disappear from the web is one important demand by the GDPR.

    Comments are problematic because they inherently relate to other persons besides yourself. It could be argued that you have to delete your own writings as well when you shut down your instance. Or it could be argued that other people’s posts may be kept (possibly anonymized) because otherwise your personal data would be incomplete. The 2nd is obviously what reddit is doing. That seems to draw more criticism than praise from the lemmy community, to put it mildly.

    The GDPR gives you rights over data, like copyright does. It inherently gives you a right to control what other people do on their own with their own physical property.

    Of course, the same can be said of surgery but it’s still not allowed. Obviously the harm from letting anyone try it is much worse than strictly regulating it, but is running a social media site on the fediverse likewise so harmful? Is there no way at all to strike the balance?

    You don’t need to ask me. The GDPR is a terrible mistake, but that’s not what people want to hear. People don’t know the law and just chose to believe a happy fantasy. I believe there is no way - at present - that an ordinary person can maintain an internet presence while being compliant with GDPR and other regulations. Mind, you also need to comply with the Digital Services Act and other stuff. With some skill, you can probably do a webpage, even with ads, but nothing where you interact with visitors and must collect data.

    Basically we need to get some organization like the EU branch of the Electronic Frontier Foundation (EFF) to research this and come up with a HOWTO guide that covers most of the average cases - along with pointers on when something is not covered by the guide (so at least you know going in that you’d need to pay for that extra legal firepower).

    Yes. The DPOs issue guidances and send out newsletters. That would be a place to start. Unfortunately, the different DPOs don’t agree on everything. Maybe in a few years, this will all be at a point where ordinary people can be on the safe side by simply following a manual. The problem is that this will still require extra time and effort. Well, content moderation also requires a lot of time and effort. Maybe it won’t be so much extra effort that it becomes impossible for hobbyists, but - on the whole - the future of the European internet belongs to big players.

    We could still have traditional federation - but just as you describe, the allow list for that is only for those instances where you know the folks (have contracts you said) and thus are assured that the transfer of content complies with the GDPR. For unknown instances, just do the link sharing. It could be implemented in a way that instances running older software would still see a post by the bot account with just the link inside. (Perhaps as an enhancement, folks could designate a trusted instance as the primary - e.g. my instance trusts lemmy.world as primary, so when it sends the links out, it sends out a lemmy.world link, to take the load off of my own instance from users clicking on links.)

    Or am I missing anything here?

    I was thinking the same. Ironically, that is a problem because if there is such an alternative, then it must be used. If you can reach your goal by processing less personal data, then you must do so.

    You’d only be hosting the communities created on your own instance. Apart from that, you’d simply authenticate the identities of users. One question is what that would do to server load. I don’t know.

    Unfortunately, confirming the identities also means transferring personal data. It would also mean that the remote instance is able to connect an IP-address to a username; potentially allowing the real life identity to be uncovered. Proxying the posts/comments may be the better solution, but when and how that should be done has no clear answer.

    Clearly they had technically knowledgeable advisors at the very least.

    Yes. Those are commonly referred to as industry lobbyists.

    “Involuntary data transfer”

    I don’t know what exception that is. There are rules for data breaches. I’m not at all sure how much you have to do to block crawlers.

    • abff08f4813c@j4vcdedmiokf56h3ho4t62mlku.srv.us
      1 month ago

      Sorry for the late response, your last comment didn’t federate, so I just saw it.

      Agreed, but - while it might be permissible legally to wipe out my data and content, what if I want to retrieve a copy afterwards?

      You have the right to request a copy of all your personal data from whoever controls it. Apparently that feature is still missing from lemmy.

      I run my own single user instance and it’s not that hard… I’d have to make some SQL queries to the database directly to retrieve the info but it’s straightforward.

      Well, in that case, barring credible contradicting information from another source, I think it’s reasonable to accept the note from the former worker of a DPO. Would you agree?

      That quote is from here: https://lemmy.world/post/1060627

      Yep that’s the one.

      I think I agree with pretty much everything they wrote. From what I understand, the apostrophes indicate that this is not official jargon. You can’t prevent web-scraping with any reasonable effort, so you don’t have to. The internet already exists. It’s too late to stop it now; better focus on stopping future progress.

      Agreed.

      Mind that there is nothing involuntary about federation. It’s not like web-scraping in that respect. You can just turn it off. You are left with something like an old school forum or reddit. No problem.

      Yes but that also makes it less useful and viable, unfortunately. I guess it really is like email if we consider federation an essential feature. I can set up my own email server that doesn’t talk to any other, but then it’s not too useful since it’d just be me sending emails to myself.

      So, federation is a must, but the question is how to make it work.

      Hmm. Will need a good think about this - perhaps I should adjust my commenting style to avoid direct quoting and such…

      If you take the view that context is a necessary part of your personal data, then merely avoiding quotes is probably not enough.

      What more would need to be done?

      • abff08f4813c@j4vcdedmiokf56h3ho4t62mlku.srv.us
        1 month ago

        And now I hit some kind of length limit so I had to break up the post. Moving right along,

        That’s why I had the idea of creating and using the federation-bot account - this way there’s no confirmation of identities or transfer of personal data.

        But what if someone wants to participate in a community on a different instance?

        It would still work. The different instance would fetch the link containing the requested content and pass that on to the end user, where either the web UI running in the user’s browser or the user’s app would load the content. (Akin to a web browser loading the web page). It’d be up to the piece running on the end user’s computer to match it all together.

        At least, the texts and their context, along with the username and home instance, need to be revealed.

        Yes, but the point is that, like an old-school forum, this is not revealed except by (and from) the original instance hosting the content, and only to the end user. It’s not revealed until the end user’s app/browser fetches the content from the original server. So since only a link is federated, the PII only exists on those two places. Meaning that the server admin has a much easier job to delete data, as they only have to get it deleted off their own instance.

        If the end user then does webscraping … well how can you prevent that?

        And if someone creates a malicious instance that follows the link and screenscrapes it … I assume it also falls under the “cannot prevent” bucket.

        Taking a mental step back, it’s probably premature to worry about technological implementations. Sending data around does not have to be a violation. Compliance will require partly better information, and partly different administration. The legal aspects should be worked out before the necessary tools for the administrators are implemented.

        The problem here is that means we devs have to sit back and wait. When will we get the answers we need? And how long do we have to be exposed before we can actually work on solving the problem?

        We really do need a foundation like the EFF to provide that legal advice and support, but I think coming up with technical fixes is still worthwhile even as we wait…

        There are also a lot of regulations for the backend, which instance owners have to comply with but which won’t be noticed by users. Documenting the data processing, who has access, possibly making data impact assessments, maybe notifying the local data protection office, …

        It seems a good legal guide for an admin’s and instance’s jurisdiction is a must.

        Oh, and by German law there also needs to be a (physical) address that can be served legal papers.

        Interesting. In the US you can hire a lawyer to serve that purpose, typically. In some jurisdictions, I wonder if something like https://www.alliancevirtualoffices.com/ may also work.

        There’s also more from the DSA, like releasing transparency reports on moderation twice a year, making regular backups and testing those, … I’m not quite sure what all is demanded by the DSA.

        You’ve mentioned this a bunch of times but … what’s the DSA again? I have no doubt it’s related but curious to understand exactly what it is and how it fits in.

        Could there be jurisdictions that have only DSA and no GDPR, and others with GDPR and no DSA?
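The "federation-bot" idea discussed in the thread (push only a link, let the reader's client fetch the content from the home instance) is easier to reason about with a toy model. The block below is an added example for this thread, not Lemmy code and only loosely ActivityPub-shaped; the Post layout, the `federation-bot` actor name, the host names `home.example`/`a.example`/`b.example` and all helper functions are assumptions made here. It compares how many instances end up holding a person's name under conventional federation versus link-only federation, which is exactly the set an erasure request would have to reach.

```python
"""Toy model of the two federation strategies discussed in the thread.

Added example; not Lemmy code. The Post layout, the "federation-bot" actor
name, the host names and the helper functions are assumptions made here to
show how much personal data leaves the home instance under each strategy,
and therefore how many instances an erasure request must reach.
"""
from dataclasses import dataclass, field


@dataclass
class Post:
    id: str
    author: str                      # username: personal data
    body: str                        # text that may also relate to others
    home: str                        # instance hosting the post
    comments: list = field(default_factory=list)  # (author, text) pairs

    @property
    def url(self) -> str:
        return f"https://{self.home}/post/{self.id}"

    def as_object(self) -> dict:
        """The full object as the home instance itself stores it."""
        return {
            "id": self.url,
            "attributedTo": self.author,
            "content": self.body,
            "replies": [{"attributedTo": a, "content": t} for a, t in self.comments],
        }


def full_activity(post: Post) -> dict:
    """Conventional federation: the whole object, authors included, is pushed
    to every follower instance, which then keeps its own copy."""
    return {"actor": f"https://{post.home}/u/{post.author}", "object": post.as_object()}


def link_activity(post: Post, bot: str = "federation-bot") -> dict:
    """Link-only federation as proposed in the thread: a bot account pushes
    nothing but the URL, and the reader's client fetches the text from the
    home instance. No author name or text is copied onto other hosts."""
    return {"actor": f"https://{post.home}/u/{bot}",
            "object": {"id": post.url, "content": post.url}}


def people_in(obj: dict) -> set:
    """Everyone whose name appears in a stored object (attributedTo fields)."""
    names = {obj["attributedTo"]} if "attributedTo" in obj else set()
    names.update(r["attributedTo"] for r in obj.get("replies", []))
    return names


def deliver(activity: dict, stores: dict) -> None:
    """Every follower instance stores what it receives, verbatim."""
    for objs in stores.values():
        objs.append(activity["object"])


def hosts_holding(person: str, stores: dict) -> list:
    """Instances holding personal data of `person`, i.e. every host that
    would have to act on an erasure request for them."""
    return sorted(h for h, objs in stores.items()
                  if any(person in people_in(o) for o in objs))


def simulate(mode: str) -> dict:
    """Constructed scenario: alice posts on home.example, bob replies, and two
    follower instances subscribe to the community. mode is "full" or "link"."""
    post = Post("42", "alice", "hello fediverse", "home.example", [("bob", "hi alice")])
    stores = {"home.example": [post.as_object()], "a.example": [], "b.example": []}
    followers = {h: s for h, s in stores.items() if h != post.home}
    deliver(full_activity(post) if mode == "full" else link_activity(post), followers)
    return {name: hosts_holding(name, stores) for name in ("alice", "bob")}


if __name__ == "__main__":
    for mode in ("full", "link"):
        print(mode, simulate(mode))
```

Under `full`, both alice and bob end up on all three hosts, so the home admin can only send deletion requests and hope the two followers honour them; under `link`, only `home.example` holds names or text, and a local delete is the whole job. The model also makes the thread's two caveats visible: the link payload still carries the post URL, so the home instance learns which remote readers fetch it (the IP-to-username concern raised above), and nothing stops a follower instance from fetching that URL and storing what it gets back.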