Post Ar31GKFhlbll6rf2Qa by kimapr@ublog.kimapr.net
(DIR) Post #Ar2d7L9YeNzYOhy5fk by kravietz@agora.echelon.pl
2025-02-12T10:48:58.682104Z
0 likes, 0 repeats
As JD Vance delivered his speech about “European overregulation” and criticized “endless compliance costs imposed on the US companies by GDPR” I have seen some voices from Europe who said something to the effect “I don’t know a single EU company happy about #GDPR either”.
Well, it’s kind of obvious companies aren’t happy because GDPR was not made to make companies happy but to protect the privacy of consumers 😄 This regulation is based on fundamental differences between US and EU legal systems. In EU, you own and control your personal data. In US it’s owned by whoever managed to extort it from you, and then aggregate, personalise and resell to any other entity anywhere. For example, if you want to pay higher insurance premium because you have genetic tendencies to diabetes or obesity - well, that’s the US way of doing business, but it’s not the only one, nor it’s somehow axiomatically “better”. And yes, high insurance premiums also have the effect of increasing overall country’s GDP, just as a house burnt and rebuilt also does this magic, yet somehow few people celebrate it 😉
Then someone asked me if I really “feel that my data is better protected thanks to GDPR”. And yes, as a matter of fact the most invasive behavioural profiling aren’t being rolled out by companies like Twitter or Facebook to EU specifically because of GDPR, while in US they just roll them out without asking anyone. Anyone… of course except for the states which have regulations very similar or even more restrictive than GDPR, such as California. Yet, because California is “their”, these companies and their CEOs with high media presence simply shut up and make their apps compliant with CCPA without all this barking about “how GDPR kills out business”. It’s the same with EU VAT, about which Vance also whined, whereas US sales tax accounting rules are not even harmonized across states. But hey, you know what? A US business that has to employ a tax consulting company to get multi-state accounting right also increases overall GDP! 😄 So effectively what in US is perceived as each state’s fundamental right, sign of their diversity and key part of their autonomy, in the EU is portrayed as something equivalent to Soviet Union style central planning. And when they post all the memes about “bottle caps” in EU, they of course never mention a gazillion of state-level archaic or absurd regulations which are nonetheless binding, especially if someone likes to build a class lawsuit around them.
And now as Tesla opened a new factory in #China, I’ve never seen Musk make a single critical remark about the overregulation in China, even though it’s even more complex than EU and US taken together due to its vast geographic and administrative diversity.
(DIR) Post #Ar2d7MMMAHp88gxpGC by divVerent@blob.cat
2025-02-12T11:51:49.484881Z
0 likes, 1 repeats
@kravietz My problem with GDPR is the opposite - namely how it harms big corporations least.
For example, me running a SSH server on my personal vserver became technically illegal as the SSH protocol does not support the necessary disclosures, and happily logs every login attempt to the system log (where it tends to age out after 7 days as no one ever looks there anyway unless something is wrong).
I am aware that this kind of log would be permitted under the GDPR if it were properly disclosed. I would also be required to disclose my home address to the entire world just because I run SSH.
IMHO the very least GDPR should have done would be an exclusion so entities that do not use data in a way that requires explicit permission do not need to comply with the disclosure, legal entity etc. requirements. Maybe further conditioned by not making any profit.
(DIR) Post #Ar2fKZBA0uZvZS9VNQ by engravecavedave@mastodon.social
2025-02-12T12:03:05Z
0 likes, 0 repeats
@kravietz but you have to understand, the regulations in China don't protect the consumer at the expense of profits. The EU regulations do. It's why Apple comply with authoritarian governments without batting an eyelid but throw a hissyfit the moment the EU forces them to sideload
(DIR) Post #Ar2fKaGrxAjsxRpZui by divVerent@blob.cat
2025-02-12T12:16:37.627516Z
0 likes, 0 repeats
@engravecavedave @kravietz Yes, I see it as a well intentioned attempt with way too much collateral damage.
The entire #Fediverse rather obviously violates the #GDPR - albeit my local instance may provide all the necessary disclosures and ask all the necessary permissions, none of the remote instances that host copies of my posts do.
And to me that is fine - I expect that result when making posts “public”. But I just say, we are lucky #Gravenreuth is dead, he would have a field day with this, port scanning the internet then C&D-ing then suing anyone with an SSH service on their server, and even more so, every Fediverse and #Matrix service provider…
(DIR) Post #Ar2rWCDUPcIVHMYNmK by samueljohnson@mstdn.social
2025-02-12T12:44:35Z
0 likes, 0 repeats
@divVerent @kravietz Running SSH on your own server is illegal? Got a credible citation for that?
(DIR) Post #Ar2rWCqU4dUPEInWYi by divVerent@blob.cat
2025-02-12T14:33:11.429350Z
0 likes, 1 repeats
@samueljohnson @kravietz It's not been decided by a court, but:
- SSH port is open to anyone.
- Anyone who connects to it - and be it by entering http://ipaddress:22 in the browser address bar - will cause log lines to be written.
- The logging includes the source IP address, which is generally considered PII.
As such, it quite obviously falls into the scope of the GDPR.
As for the logging of the IPs itself, that clearly falls under "legitimate interest" as per Article 6(1) GDPR - so that is fine per se.
Art. 13 GDPR is the real problem with SSH - the right to be informed. The protocol doesn't even provide a _way_ for the connecting individual to be informed about these things.
(DIR) Post #Ar2uPDmKVRzvxVDQVk by kravietz@agora.echelon.pl
2025-02-12T14:44:09.847008Z
0 likes, 0 repeats
@divVerent As far as I remember my encounters with GDPR, an IP address is not PII automatically, just like not every mention of “John Smith” in book is PII merely because it looks like a name of a person. The definition of PII is functional that is a piece of data is PII when it can be linked to an individual. If you log in to SSH from a static broadband IP and are using an username like john.smith then the IP address collected with this login session could be PII. If you log in from a dynamic IP using an username admin then it will unlikely constitute PII, specifically because the “linked to an individual” doesn’t work here. If a SSH bruteforcing bot logs with a sequence of generic usernames like admin, paul etc then it’s not PII either.
There’s plenty of FUD around GDPR in circulation, introduced by overzealous but incompetent lawyers who miss the IT angle, or by equally overzealous IT folks who miss the legal angle :) If in doubt, you can always ask your national PII authority and you will usually get a binding answer if you present it with enough detail - e.g. “I run a SSH server that is open to anyone in the world but limited connections exclusively for people who have an existing work-related account there”.
@samueljohnson
(DIR) Post #Ar2uPDyNmddgYsr3IW by divVerent@blob.cat
2025-02-12T15:05:32.190629Z
0 likes, 0 repeats
@kravietz @samueljohnson Asking the national authority is very likely to result in "don't do that then", especially e.g. for running a Fediverse instance and not just SSH where one very _likely_ can ignore this for now.
And yes, SSH also logs the username, at which point it can become real and complete PII.
(DIR) Post #Ar2ubofFBxO1pguIOe by samueljohnson@mstdn.social
2025-02-12T15:05:03Z
0 likes, 0 repeats
@divVerent @kravietz Your assertion that an IP address is "generally considered PII" is entirely false and you cannot provide a citation from any credible source to support that proposition.
I suggest you look up some definitions of PII and then consider the many reasons why an IP address is never included.
Better not to spread misinformation.
(DIR) Post #Ar2ubpm14GOjGz5Dai by divVerent@blob.cat
2025-02-12T15:07:50.308978Z
0 likes, 0 repeats
@samueljohnson @kravietz My reference for IP addresses generally counting as personal identifiers is https://gdpr.eu/eu-gdpr-personal-data/
(DIR) Post #Ar2xu20ccAQoIPHe0O by kravietz@agora.echelon.pl
2025-02-12T15:17:34.337397Z
0 likes, 0 repeats
@divVerent Actually, this is a very bad source for GDPR advice, because it’s a website run by ProtonVPN whose purpose is to present GDPR as a scary thing that only their VPN protects you from 😂
And yes, on this website it indeed is unclear, but it’s done on purpose (see above). On the ICO guidance which I’ve just referred you to it’s quite clear - you need a combination of indicators that together uniquely identify an individual for that data to be PII. If it’s not unique or insufficient to identify that person, it’s not PII.
This is what they literally say:
By itself, the name ‘John Smith’ may not always be personal data because there are many individuals with that name. However, if the name is combined with other information (such as an address, a place of work, or a telephone number) this is often sufficient to clearly identify one individual.
They use conditional statements (“often sufficient”) because they deal with a generic topic. If you ask them about your SSH server, they will quite certainly answer “nah, it’s not PII”… unless you explicitly assign your users with usernames like john.smith.dob.07-03-1998… in which case the IP will be the least of your worries :)
@samueljohnson
(DIR) Post #Ar2xu324oFBnTCyJua by divVerent@blob.cat
2025-02-12T15:44:44.942478Z
0 likes, 0 repeats
@kravietz @samueljohnson Wow, that's evil, I definitely assumed gdpr.eu was _by_ the EU to inform the public about GDPR. After all, doesn't the domain name say so?
But yeah, point taken.
(DIR) Post #Ar2xzofn6u52flIZsW by theorytoe@ak.kyaruc.moe
2025-02-12T15:45:47.388352Z
4 likes, 0 repeats
@kravietz gdpr exists because the EU wants to be the only one allowed to spy on their citizens
(DIR) Post #Ar2y5Sci0HZw1YY3fM by divVerent@blob.cat
2025-02-12T15:46:49.800954Z
0 likes, 0 repeats
@kravietz @samueljohnson I think the problem is that the IP address and user names _may_ be identifiers, and as sshd can't tell _whether_ they are or not, the log _has_ to be considered PII in the end.
After all, someone could just try logging in to my SSH server and give me the user name you mentioned. That no such account exists doesn't matter, now my log file knows when John Smith was born and which Chinese IP he got.
(DIR) Post #Ar2yIDxdpTJyJXQRc0 by kravietz@agora.echelon.pl
2025-02-12T15:46:57.579995Z
1 likes, 0 repeats
@theorytoe And that’s fine, I personally prefer to be spied upon by one country rather than the whole world including US, China, Cyprus, Seychelles and Russia.
(DIR) Post #Ar2yYCS1D9rQGRFgPI by samueljohnson@mstdn.social
2025-02-12T15:23:24Z
0 likes, 0 repeats
@divVerent @kravietz An IP address does NOT identify a person. At best it identifies a device or an Internet connection at a particular moment. It itself reveals nothing about a specifically identifiable person.
I suggest you also look up exemptions from application of GDPR. Individuals and entities not subject to GDPR are not "technically" breaking the law when it simply doesn't apply to them.
(DIR) Post #Ar2yYDAKYPJ2Trz4TY by divVerent@blob.cat
2025-02-12T15:52:00.315679Z
0 likes, 0 repeats
@samueljohnson @kravietz From what I understand, no GDPR exemption applies to "I want to use SSH to access my own server" or "I want to run a Quake server that does not log".
In fact, the latter distributes usernames and in-game chat to other players, and that alone is data processing and sharing.
(DIR) Post #Ar2yd1at0LcA2WhUEy by theorytoe@ak.kyaruc.moe
2025-02-12T15:52:51.939904Z
3 likes, 0 repeats
@kravietz again its more of "what happens when they violate it and are outside the eu"
if the eu blocks a site because of that thats basically orwellian tier action. of course ive never heard of anything like that because the eu is on cordial terms with the us...but what happens if say a us company is given reason to not care? bureaucracy wont matter if nobody views you as a bureaucratic threat... also gdpr seems to be arbitrarily enforced, as with most eu tech law
(DIR) Post #Ar2yfzd2lefaoV7o9I by kravietz@agora.echelon.pl
2025-02-12T15:51:22.594546Z
0 likes, 0 repeats
@divVerent It’s not sshd to determine if something is PII, it’s you as the owner of the service. The main thing the GDPR requires is that users give you their consent for processing their PII when they voluntarily submit them to your service.
The hypothetical scenario of “what if someone maliciously pollutes my data with their PII” is a science fiction that doesn’t have much precedents in the GDPR enforcement specifically because of the legal purpose on which it was founded.
@samueljohnson
(DIR) Post #Ar2yg0niPSngRt7qQC by divVerent@blob.cat
2025-02-12T15:53:24.985027Z
0 likes, 0 repeats
@kravietz @samueljohnson It is a common convention to use <first letter first name><last name> user names in SSH, so by running a SSH server, you likely have to assume getting those together with IP addresses and timestamps in your logs.
Question is if user accidentally hitting your service due to typos or similar becomes your responsibility.
(DIR) Post #Ar2ylDm7bCRk8TrdHU by theorytoe@ak.kyaruc.moe
2025-02-12T15:54:21.496579Z
1 likes, 0 repeats
@kravietz i wont claim that im an expert either because i clearly am not
because the claim of "you own and control your data" never seems to actually hold up in reality at least from what ive seen
(DIR) Post #Ar2z1gL9AAWtMU60UC by samueljohnson@mstdn.social
2025-02-12T15:55:27Z
0 likes, 0 repeats
@divVerent @kravietz A username in a log file with an associated IP address do NOT, in themselves, constitute personally identifiable Information.
Even if they did it's not a given that the GDPR applies.
An introductory course will clarify. There are many freely available.
(DIR) Post #Ar2z1hSH19pAosRDEW by divVerent@blob.cat
2025-02-12T15:57:19.904159Z
0 likes, 0 repeats
@samueljohnson @kravietz I may be overly paranoid there given I work for a US company and know its processes about GDPR, which was written by internal lawyers who want to play it safe (and also apply the rules worldwide).
But here we definitely consider any IP address and any user name PII, simply because it _may_ be. We're aware that it may depend on the actual user name or IP address in question, but simply because it _can_ be, we must treat it as such.
(DIR) Post #Ar2zOQXI5Y2b0SccAi by 7666@comp.lain.la
2025-02-12T16:00:59.228174Z
5 likes, 1 repeats
@divVerent @kravietz @samueljohnson
>run ssh scanbot on all IPs announced by an ASN
>generate thousands of lines of logs on anything listening
>ask for log lines to be removed under GDPR
>network operator tells you to fuck off
>sue for damages
>rinse and repeat
time to get rich off the backs of europeans bois
(DIR) Post #Ar2zVMZdDbPakF1YWG by pwm@lab.nyanide.com
2025-02-12T16:02:42.709597Z
0 likes, 1 repeats
@7666 @kravietz @divVerent @samueljohnson I love democracy
(DIR) Post #Ar2zh11x8p49P9pMu0 by samueljohnson@mstdn.social
2025-02-12T16:00:46Z
0 likes, 0 repeats
@divVerent @kravietz As you are clearly applying what you think "ought to be the case" logic I am done here. Bye.
(DIR) Post #Ar2zh22hNXFyXlBThg by divVerent@blob.cat
2025-02-12T16:04:48.296508Z
0 likes, 0 repeats
@samueljohnson @kravietz I'd honestly like to know what a game project like Xonotic can do to NOT make it illegal for server admins to host a game server.
But sadly this seems overly complicated. We did some things, like server admins can set up a consent dialog at connection - but it's still hard to know what to actually put there, and for now it's up to each admin.
It's also unclear what responsibility the FOSS project carries vs the server admins.
(DIR) Post #Ar2zjZbXZDPhDHh1JA by kravietz@agora.echelon.pl
2025-02-12T15:59:29.438144Z
1 likes, 0 repeats
@theorytoe Do you know that US enforces US income tax against all US citizens regardless of where they live physically? And Russia enforces Russian censorship laws against any website globally regardless of where it’s hosted or what language it’s published in?
Countries just do this and there’s nothing surprising in this, but the whole concept of jurisdiction implies that we may not give a shit about Russian or Chinese censorship laws if you live in EU or US because we are outside of their jurisdiction.
That is, unless you start doing business with them, which is why Musk politely registered Twitter International in EU so that he can process his EU income there, and this is why Apple complies with Russian censorship requests for the same purpose.
So if you run an US website you don’t need to care about EU regulations - and Russian, and Chinese, and Australian ones - as long as you start generating income in these countries.
(DIR) Post #Ar2zoHGjAMGZnICWPI by divVerent@blob.cat
2025-02-12T16:06:08.107476Z
0 likes, 0 repeats
@7666 @kravietz @samueljohnson That won't work:
>ask for log lines to be removed under GDPR
>network operator tells you to fuck off
That's not gonna happen.
Network operator will wait a week and then tell you "the log lines have been successfully removed".
Because that's what logrotate does.
(DIR) Post #Ar308xmGpTEvQMooYi by kravietz@agora.echelon.pl
2025-02-12T16:07:09.162702Z
0 likes, 0 repeats
@divVerent As I have spent half of my professional life in global corporations I can testify that no corporate lawyer will tell you otherwise, simply because it’s easier to assume that generally an IP address is PII for that company’s internal (!) purposes. That’s the general rule of thumb they apply so that their employees protect all data that might be PII even if it’s not. This is why you will have a requirement that any spreadsheet that might contain PII must be stored on company protected systems rather than on Dropbox, sent encrypted etc.
When that company runs a specific client-facing project which e.g. collects people’s first name and year of birth, you can rest assured the corporate lawyers will look at this specific set of data and determine whether this constitutes PII or not.
@samueljohnson
(DIR) Post #Ar308yo50EHUcGfm1A by divVerent@blob.cat
2025-02-12T16:09:51.407805Z
0 likes, 0 repeats
@kravietz @samueljohnson Yes, that's how it works. And as a matter of fact, we definitely can't even HAVE any spreadsheets with end user IPs in them :)
And yes, explicitly collecting such data is under rather high scrutiny, so much I can tell. Also free text fields are basically banned, with only few exceptions under particularly strong controls.
Obviously, more accurate review is done by corporate lawyers indeed on a case by case basis.
(DIR) Post #Ar30GKIzTCMNJtdNrs by phnt@fluffytail.org
2025-02-12T16:11:11.959182Z
2 likes, 2 repeats
@theorytoe @kravietz It never holds up, because the protections the EU citizen is supposed to have thanks to GDPR can be mostly avoided through TOS/EULA wording. One of the very few that is always enforceable is the right to be forgotten, but even that can be made to be ludicrously annoying to do, so you just give up.
One of the big selling points for GDPR was that transfer of your data to 3rd parties had to be disclosed. So what did the companies do? They've put those connections on page 60 of their TOS/EULA that literally nobody reads. Part of GDPR successfully avoided.
On a related note. The mandated cookie banners and their option buttons aren't supposed to have "dark patterns" (bright color for the "fully agree" option and a normal bg color for the "Allow only essential" option). Guess how many of those cookie banners actually follow this rule... Basically none of them. Or another option to bypass this rule is to create payment options for your site related to ad tracking for example, make all the buttons have the same shape and color. That's it, now everybody will agree to the "full" tracking, because other options are behind a paywall.
Basically every EU law related to tech is a joke similar to this.
(DIR) Post #Ar30HwIlgZbHSAIcPA by mischievoustomato@tsundere.love
2025-02-12T16:10:58.738508Z
1 likes, 0 repeats
@theorytoe @kravietz
> but what happens if say a us company is given reason to not care?
friend told me that their company just stopped giving service to EU clients when gdpr rolled out.
(DIR) Post #Ar30WEFXkhSzAjbYO0 by theorytoe@ak.kyaruc.moe
2025-02-12T16:14:04.086050Z
0 likes, 0 repeats
@kravietz again, none of it matters if you literally dont care what anybody else says. Russia can get away with getting ignored because they actually have big infrastructure to work with. The EU? the moment the US stops caring about the EU, the moment the eu will be technologically crippled because of their dependence...
(DIR) Post #Ar30YfCEXJXZKCDXgu by kravietz@agora.echelon.pl
2025-02-12T16:11:10.439562Z
0 likes, 0 repeats
@divVerent It’s not “overly complicated”. It’s you who’s making it overly complicated in spite of efforts of several people who are trying to explain how this works.
@samueljohnson
(DIR) Post #Ar30YgEOgkriXCEmhc by divVerent@blob.cat
2025-02-12T16:14:28.312559Z
0 likes, 1 repeats
@kravietz @samueljohnson I am probably too dumb to understand it.
So can you tell me the _concrete_ step every Xonotic server admin has to take? Art. 27 GDPR e.g. is already a quite strong requirement, as it effectively requires every server admin to appear with their real name and address - and server admins outside the EU even need to name a person in the EU?
(DIR) Post #Ar30YgSZq2CxFAs6nw by theorytoe@ak.kyaruc.moe
2025-02-12T16:14:31.616926Z
1 likes, 0 repeats
@phnt @kravietz yeah this
every kind of eu law in tech seems to be some form of reaction to something happening in the market that the EU doesnt like so they law it away, but it only really ends up hurting those who had nothing to do with it in the first place
(DIR) Post #Ar30f85i1FaYg5FUh6 by divVerent@blob.cat
2025-02-12T16:15:41.344249Z
0 likes, 0 repeats
@kravietz @samueljohnson (might depend on what the word "occasional" and "large scale" here means)
(DIR) Post #Ar30kqflh2m0OQqI2y by phnt@fluffytail.org
2025-02-12T16:16:42.897701Z
1 likes, 2 repeats
@theorytoe @kravietz They only serve as a way to go on witch hunts against Apple/Microsoft/Google. Those are basically the only three tech companies whose non-compliance usually gets enforced. Although for laughable fines.
(DIR) Post #Ar30q7qNHMYT61JsTg by kravietz@agora.echelon.pl
2025-02-12T16:16:34.410030Z
0 likes, 0 repeats
@divVerent What is Xonotic server?
@samueljohnson
(DIR) Post #Ar30q8xV8LqkYPf5E0 by divVerent@blob.cat
2025-02-12T16:17:39.422715Z
0 likes, 0 repeats
@kravietz @samueljohnson A server that runs a game of a first person shooter game. It primarily converts player input events to updates of player and projectile positions and sends these to other clients. It also distributes in-game nick names and in-game chat.
(DIR) Post #Ar30sICJkpjBmscIHg by mischievoustomato@tsundere.love
2025-02-12T16:16:06.073997Z
0 likes, 0 repeats
@phnt @kravietz @theorytoe Did the cookie banners do anything but make people blindly click "accept all" every time? I think there's an extension that does that
(DIR) Post #Ar30sJ1Mh2YqLCV3qq by kravietz@agora.echelon.pl
2025-02-12T16:17:28.272824Z
1 likes, 0 repeats
@mischievoustomato I never click Accept all if there’s Refuse All or Necessary Only, which is like 90% cases.
@theorytoe @phnt
(DIR) Post #Ar30sJrTZIFEwosg4m by theorytoe@ak.kyaruc.moe
2025-02-12T16:18:02.202837Z
2 likes, 0 repeats
@kravietz @phnt @mischievoustomato >delete cookies on exit
(DIR) Post #Ar30uEUCWbKor5uGoq by menherahair@eientei.org
2025-02-12T16:18:24.109247Z
1 likes, 2 repeats
@theorytoe @kravietz
>also gdpr seems to be arbitrarily enforced, as with most eu tech law
it has to be enforced by countries and not actual eu which just supplies leverage, so in most places you can kill yourself because they love bigmac and not spending money on intercontinental legal shit more than they hate discord pedophiles and failed login attempts in 2 days worth of syslogs
(DIR) Post #Ar310OPoWMnrO6nA12 by phnt@fluffytail.org
2025-02-12T16:19:31.523337Z
0 likes, 1 repeats
@mischievoustomato @kravietz @theorytoe Yeah, "I still don't care about cookies" can do that, if it can't be hidden. Funnily enough this type of extension is also legally in a grey area, because it technically automatically agrees to something the user didn't agree to him(her)self. The author of that extension covers his ass in the extension description with this:
>In most cases, it just blocks or hides cookie related pop-ups. When it's needed for the website to work properly, it will automatically accept the cookie policy for you (sometimes it will accept all and sometimes only necessary cookie categories, depending on what's easier to do). It doesn't delete cookies.
(DIR) Post #Ar315H7X4RDWD9ZL5U by kravietz@agora.echelon.pl
2025-02-12T16:18:34.331549Z
0 likes, 0 repeats
@divVerent And where’s PII in that? Do you require people’s real name, detailed address, DOB and somehow correlate this data to establish their real identity?
@samueljohnson
(DIR) Post #Ar315IDwy3wddLZyjI by divVerent@blob.cat
2025-02-12T16:20:23.852531Z
0 likes, 0 repeats
@kravietz @samueljohnson None of that happens; IP addresses are tracked and sometimes used for banning bad actors by server admins.
In-game chat occasionally falls under Article 9(1), although neither the game nor server admins _ask_ for such info.
(DIR) Post #Ar31ByDvj7v7dAkoAy by 7666@comp.lain.la
2025-02-12T16:21:02.444987Z
0 likes, 0 repeats
@divVerent @kravietz @samueljohnson logrotate's Default settings on something like Debian 12 is rotate 4 and weekly, so that would require a change specific for GDPR compliance and applied holistically across all public facing systems to get it down to a week, in addition to spawning downstream jobs to purge that PII data out of things like syslog collectors and backup servers. You do get one month to comply (plus two more with appropriate justification), but the point is most admins won't change defaults, exposing them to frivolous requests in GDPR clothing or they won't remember that backups exist - if you're lucky you may even catch a data controller that says "yeah we deleted your data" and you're able to prove they may have forgotten a place through enumerating their infrastructure (e.g. OCSP data).
Good luck!
(DIR) Post #Ar31GKFhlbll6rf2Qa by kimapr@ublog.kimapr.net
2025-02-12T16:18:00.582077Z
0 likes, 0 repeats
@mischievoustomato @kravietz @theorytoe @phnt that sounds like a stupid extension. why not make one that clicks "accept none" instead (or whatever fucked up convoluted equivalent the corpos concoct)
(DIR) Post #Ar31GKpVcUPQtuPdEe by mischievoustomato@tsundere.love
2025-02-12T16:21:23.510094Z
0 likes, 0 repeats
@kimapr @kravietz @theorytoe @phnt I don't want anything to be randomly broken and I genuinely don't give half a shit about cookies
(DIR) Post #Ar31GLZar9GxCpyR4C by theorytoe@ak.kyaruc.moe
2025-02-12T16:22:19.369686Z
0 likes, 0 repeats
@mischievoustomato @kravietz @phnt @kimapr and as far as the relative privacy gain? not really that much depending on if you accept or not
(DIR) Post #Ar31NIkpjbM8UVXzvM by waifu@mai.waifuism.life
2025-02-12T16:23:20.207Z
1 likes, 1 repeats
@mischievoustomato@tsundere.love @kimapr@ublog.kimapr.net @kravietz@agora.echelon.pl @theorytoe@ak.kyaruc.moe @phnt@fluffytail.org wtf but cookies are awesome sometimes they have chocolate chips
(DIR) Post #Ar31ZZLdriNVQkc7oO by phnt@fluffytail.org
2025-02-12T16:25:52.780770Z
2 likes, 2 repeats
@waifu @theorytoe @kravietz @kimapr @mischievoustomato
>clicks accept all
>cookies have been dispatched to your location, enjoy
(DIR) Post #Ar31ZkAhcjAD00a2mu by mischievoustomato@tsundere.love
2025-02-12T16:23:55.451576Z
1 likes, 0 repeats
@waifu @theorytoe @phnt @kravietz @kimapr oh yeah those are delicious
(DIR) Post #Ar31bspiOKOyRQmf2W by kravietz@agora.echelon.pl
2025-02-12T16:21:54.708973Z
0 likes, 0 repeats
@theorytoe It never starts from “EU doesn’t like”, it’s always “EU citizens don’t like”. I’m EU citizen and I don’t like my every move being tracked, analyzed, monetized and resold by some shady company running in Seychelles. And I don’t give a shit about the business profits of an US citizen running a company in Seychelles any more than he gives about mine. @phnt
(DIR) Post #Ar31btv4LuHLoKIS1Y by theorytoe@ak.kyaruc.moe
2025-02-12T16:26:16.744578Z
2 likes, 0 repeats
@kravietz @phnt
>It never starts from “EU doesn’t like”, it’s always “EU citizens don’t like”.
you missed my point earlier, its even been about the EU citizen, it never was
if it was about EU citizens, the EU would be making in-house software or contracting eu companies to make software that actually respected the rights of citizens rather than writing pages of legal bullshit to fine US companies whenever they feel like it.
if you go to the point of "I only want to be spied on by the EU", you miss the whole point of trying to have privacy in the first place! the government can do whatever the fuck they want with your data regardless of what you say because they are the government...
(DIR) Post #Ar31elHAwe8Fs906YS by theorytoe@ak.kyaruc.moe
2025-02-12T16:26:49.863884Z
2 likes, 0 repeats
@phnt @kravietz @waifu @mischievoustomato @kimapr cookie dronestrike
(DIR) Post #Ar31q1dITGZBmsicwS by mischievoustomato@tsundere.love
2025-02-12T16:28:31.305665Z
2 likes, 0 repeats
@theorytoe @kravietz @phnt
> if it was about EU citizens, the EU would be making in-house software or contracting eu companies to make software that actually respected the rights of citizens rather than writing pages of legal bullshit to fine US companies whenever they feel like it.
america invents, china copies, europe regulates
(DIR) Post #Ar31stSTJvfjIr1UmW by theorytoe@ak.kyaruc.moe
2025-02-12T16:29:21.906302Z
0 likes, 0 repeats
@mischievoustomato @kravietz @phnt
>china copies
I mean they have innovated more than the us has in recent years
(DIR) Post #Ar326VDmEJPKBgdg3M by kravietz@agora.echelon.pl
2025-02-12T16:27:32.763481Z
0 likes, 0 repeats
@divVerent None of that happens
So why would you even care about GDPR? Remember, purpose of GDPR is to ensure users of a service are informed about what data is collected, for what purpose and ensure their consent is given.
What kind of consent your service be asking from its users? “Do you grant permission for us to process your made-up nickname that may be remotely correlated with your first name, or not”?
I can only think of only potential GDPR use here, that is a contact form where someone could ask for removal of specific public chat entries where they accidentally posted their real name, address etc. Or someone doxxed them, and that’s it. But that’s a reasonable thing to have regardless of GDPR.
@samueljohnson
(DIR) Post #Ar326WKu5Ihbe4ysng by divVerent@blob.cat
2025-02-12T16:31:49.255196Z
0 likes, 0 repeats
@kravietz @samueljohnson That's not how the lawyers I had talked to see GDPR - merely handling IP addresses that _might_ constitute an Identifier, to them, was enough to bring on the big guns.
Public chat BTW can't be removed as it isn't even stored - it's sent to all clients when it happens, and then is gone from the server (clients may log, as a setting in the engine, and there's no good way for one player to hunt down and ask other players to remove their chat from their logs). Kinda like IRC, except that there isn't even a persistent topic line.
But yes, _maybe_ we're lucky and nothing's actually required. As the GDPR wording does seem to include this, we have to wait till we see what the courts say.
Matrix and Fediverse are much more interesting GDPR targets anyway - e.g. does any US Fediverse instance technically have to name a representative in the EU?
(DIR) Post #Ar32NsNxMKU6x8gVwe by kravietz@agora.echelon.pl
2025-02-12T16:30:11.502952Z
0 likes, 0 repeats
@theorytoe I don’t know what “the government” you’re talking about because, thanks to GDPR, I have no idea who you are and where you’re from. From your rather pessimistic stance, I imply you must be living in Russia or North Korea… Neither in US nor EU “the government can do whatever the fuck they want with your data”.
@phnt
(DIR) Post #Ar32NtTJJuMUK2CIvg by theorytoe@ak.kyaruc.moe
2025-02-12T16:34:56.329391Z
3 likes, 0 repeats
@kravietz @phnt >“the government can do whatever the fuck they want with your data”.
who is stopping EU from doing such a thing... the law? they *make* the law they can tweak it however they want to... Sure people wouldn't like it, but since when has that been a deterrent for any government? Historically speaking, not many.
again, if you're a schizo about privacy these things are obvious outright
(DIR) Post #Ar32SJhziKugqvAtrE by sun@shitposter.world
2025-02-12T16:35:46.602480Z
1 likes, 1 repeats
@theorytoe @kravietz @phnt does the gdpr apply to government, i didn't think it did
(DIR) Post #Ar32ZqJgsPxK0mOaJM by kravietz@agora.echelon.pl
2025-02-12T16:36:00.407856Z
0 likes, 0 repeats
@divVerent >That’s not how the lawyers I had talked to see GDPR
It depends what lawyers you talked to and what questions you asked. To a lawyer, “can X potentially be Y” is a very different question from “I keep IP for a week and made-up nickname until user deletes it, do I fall under GDPR”.
You never ask a lawyer “can X potentially” because you’ll always get “potentially yes” answer.
@samueljohnson
(DIR) Post #Ar32ZrHbHfsV0aQQgy by divVerent@blob.cat
2025-02-12T16:37:07.416552Z
0 likes, 0 repeats
@kravietz @samueljohnson The answer to the second question, of course, is always "yes, you might fall under GDPR".
They will never tell you definitely that something does not, as that may be the more dangerous option.
(DIR) Post #Ar32bTNl7KDrSe4lAu by theorytoe@ak.kyaruc.moe
2025-02-12T16:37:24.008351Z
0 likes, 0 repeats
@sun @kravietz @phnt from some hunting on official sites, not explicitly...
(DIR) Post #Ar33IjXkuDog2JNc6y by kravietz@agora.echelon.pl
2025-02-12T16:41:52.235412Z
0 likes, 0 repeats
@divVerent What I mean is that if you ask a generic question, you get a generic answer - “maybe yes, maybe no”.
But when you deal with a specific service which you know exactly how it operates, there’s no need to ask generic question if you can finally ask a very specific one.
And you’ll get a specific answer - yes or no.
@samueljohnson
(DIR) Post #Ar33IkrI152I7BWjCK by divVerent@blob.cat
2025-02-12T16:45:12.686174Z
0 likes, 0 repeats
@kravietz @samueljohnson As we do not control how server admins set up their server, it's not really possible to get general guidance though.
It appears that reality seems to be that every single server admin needs their own lawyer. That's gonna be expensive.
(DIR) Post #Ar33r37QdDB4atQdW4 by 7666@comp.lain.la
2025-02-12T16:50:55.434999Z
1 likes, 1 repeats
@kravietz @theorytoe @phnt oh yeah? Did EU citizens not like E2E encryption too? because if so y'all can fuck right off
https://www.forbes.com/sites/larsdaniel/2024/12/19/eus-chat-control-the-end-of-private-messaging-as-we-know-it/
(DIR) Post #Ar344EtCBFpkrd3otk by theorytoe@ak.kyaruc.moe
2025-02-12T16:53:49.520382Z
0 likes, 0 repeats
@7666 @kravietz @phnt my point stands...
(DIR) Post #Ar344X5uUihRKH9EDQ by kravietz@agora.echelon.pl
2025-02-12T16:50:53.655945Z
0 likes, 0 repeats
@divVerent No, it doesn’t have to cost you a penny. Firstly, most national data protection authorities (DPA) will respond to questions at no cost. Second, you do that once with a very specific question - “I collect IP and silly nickname” and you get answer “no, you’re not in scope”.
Third, you post that on admin’s forum: “I’ve asked DPA with this server set up and they said this; if you repeat my setup, you’re likely covered”. You can even post that DPA response verbatim, blurring your details.
If some admin is suddenly desperate to collect users’ real names and shoe size, it’s their problem not yours.
@samueljohnson
(DIR) Post #Ar344YFsBAGMvSohNo by divVerent@blob.cat
2025-02-12T16:53:52.527807Z
0 likes, 0 repeats
@kravietz @samueljohnson In my case that'd be the Hessische Beauftragte für Datenschutz und Informationsfreiheit. Pretty sure he can't speak for the 15 other German states, and the rest of the EU, so at best this would create legal safety for server operators in Hesse.
Can try, though. Just hope he won't say "OMG you can't do that" and then the entire project becomes illegal in the EU, as then "we know".
(DIR) Post #Ar34JtgKnTUtivVlA0 by skylar@misskey.yandere.love
2025-02-12T16:56:05.103650Z
3 likes, 0 repeats
@mischievoustomato @kravietz @theorytoe @phnt they made me think the US should restart WW2 and carpet bomb europe again
(DIR) Post #Ar34VN6TkRsG9uDB7g by ElDeadKennedy@shitposter.world
2025-02-12T16:58:44.525860Z
1 likes, 2 repeats
@7666 @kravietz @theorytoe @phnt huh eu citizens like weird stuff
(DIR) Post #Ar358I4SOR1FqOp8To by kravietz@agora.echelon.pl
2025-02-12T17:00:00.353344Z
0 likes, 0 repeats
@7666 Chat Control is probably the only example of an EU digital regulation that I disagree with… except it’s not a law and it’s far from it. That’s how every democratic country works - some people see a problem and propose a fix, and then they’re having a debate. There certainly is a real problem in what Chat Control wants to fix, the debate is about whether the fix is proportional and doesn’t cause more problems. So far it seems it’s not proportional and it does cause more problems, which is why the law is being discussed.
What most people don’t understand about EU is that it’s not some single commission sitting in Brussels, it’s 27 Member States with delegates to the European Commission, then dozens of technical commissions and bodies, and then 700+ elected people in European Parliament.
Of course there’s debates and proposals being raised all the time, including ones we don’t like. At the same time the typical news cycle of an average EU critic looks like this:
1. Not giving a shit about the regulation while it’s being proposed and debated for five years
2. Seeing a random article hyping moral outrage from an organisation that has a vested interest against this particular wording that has been agreed
3. Post some angry “stupid EU wants X” comments online, sign a petition
4. Back to item 1
@theorytoe @phnt
(DIR) Post #Ar358JGXwyHfYBUIxk by theorytoe@ak.kyaruc.moe
2025-02-12T17:05:45.624748Z
2 likes, 0 repeats
@kravietz @7666 @phnt "instead of making a cultural precedent for parents to control and limit their children's activity online we will instead make vague laws that can be arbitrarily enforced with no repercussions"
(DIR) Post #Ar35KGBBFfHTS7fyyW by mischievoustomato@tsundere.love
2025-02-12T16:30:11.135235Z
0 likes, 0 repeats
@theorytoe @kravietz @phnt true, but it's an old saying. I'm quite happy with deepseek, runs weird on my laptop though
(DIR) Post #Ar35Qk19E87JjQ4e9I by lonestarr@mugicha.club
2025-02-12T17:09:07.139894Z
1 likes, 0 repeats
I simply eat the cookies (Amerifat mode)
(DIR) Post #Ar35sIfGWB4T0RynoG by sapphire@shortstacksran.ch
2025-02-12T17:14:05.241499Z
2 likes, 0 repeats
@skylar @kravietz @theorytoe @phnt @mischievoustomato <accept all bombing><manage preferences>
(DIR) Post #Ar35ul6pjTRFny2xsm by publius@mastodon.sdf.org
2025-02-12T17:14:31Z
0 likes, 0 repeats
@kravietz It's a good thing to have heavy compliance costs on things you would rather not happen. Except, of course, that Vance is sucking the teat of people whose interests are fundamentally, diametrically opposed to those of the common man.
(DIR) Post #Ar35yMAmO467cmblUe by 7666@comp.lain.la
2025-02-12T17:14:45.662474Z
0 likes, 0 repeats
@kravietz @theorytoe @phnt why does it take the EU five years to figure out that their shitty idea is shitty
(DIR) Post #Ar36slBOaVRlPMn8SW by maxmustermann@shitposter.world
2025-02-12T17:25:23.527791Z
0 likes, 1 repeats
@7666 @kravietz @theorytoe @phnt I think that one got snatched by the courts. At least the last retarded regulation was.
(DIR) Post #Ar36zwWMpZdKbH1fQe by phnt@fluffytail.org
2025-02-12T17:26:39.982367Z
2 likes, 1 repeats
@7666 @kravietz @theorytoe Because basically every member state treats EU elections as a way to get rid of politicians they don't want at home. Failed politicians get paid more compared to being in a government/opposition and the voters don't have to deal with their stupid ideas at home. It's basically a win-win situation. And that's why EU proposals are mostly stupid, because they are made by largely stupid politicians nobody wants in their own government.
The problem is that this voting behavior potentially exposes everybody to even more stupid ideas that are above laws of every member, but nobody cares about that. Eventually this problem will solve itself. The question is when.
(DIR) Post #Ar371dpTIWIvCvluHg by kravietz@agora.echelon.pl
2025-02-12T17:04:37.853194Z
0 likes, 0 repeats
@divVerent All DPA laws are based on GDPR so they should be similar in their basic assumptions. While they may differ in some gory legal details, I doubt they will present contradictory positions on topics as basic as whether particular data set is PII. And you don’t have to ask in your own name, and you don’t have to post the answer anywhere.
In any case, prosecution is very unlikely because someone would need to file a formal complaint and then it likely gets dropped on one of the first conditions that is that GDPR excludes services run for personal entertainment purposes.
At this stage having a favourable opinion from some local DPA gives you as much legal safety as anyone can possibly have.
@samueljohnson
(DIR) Post #Ar371eGPgLr4YUNQHI by divVerent@blob.cat
2025-02-12T17:26:55.330548Z
0 likes, 0 repeats
@kravietz @samueljohnson Well, I just asked the DPA of my last place I lived in Germany. Let's see.
(DIR) Post #Ar379DpNr1V2slLTOq by kravietz@agora.echelon.pl
2025-02-12T17:10:04.793398Z
0 likes, 0 repeats
@ElDeadKennedy I read in Alabama it’s illegal to dress as a priest for Halloween, but I wouldn’t generalize it as “haha stupid US citizens can’t dress as a priest”. Different people say different things. That guy on video isn’t the sole authority on the EU law and he’s expressing his opinion. You may agree or not, but it’s not binding.
@theorytoe @7666 @phnt
(DIR) Post #Ar379EjOUmIpgTYChc by theorytoe@ak.kyaruc.moe
2025-02-12T17:28:17.372208Z
0 likes, 0 repeats
@kravietz @7666 @phnt @ElDeadKennedy ah yes "I want to infringe human rights" is comparable to this...
(DIR) Post #Ar37LViJBGbhpTtaAC by ElDeadKennedy@shitposter.world
2025-02-12T17:30:34.837519Z
0 likes, 1 repeats
@kravietz @theorytoe @7666 @phnt you're really grinding those EU social credit scores. this guy is not getting his door knocked for his online activity
(DIR) Post #Ar37Z8V4Hj6Ht7CRLE by mischievoustomato@tsundere.love
2025-02-12T16:09:52.088149Z
0 likes, 0 repeats
@kravietz
(DIR) Post #Ar37Z9s9BP9i8z0NxA by mangeurdenuage@shitposter.world
2025-02-12T17:33:01.450717Z
0 likes, 1 repeats
@mischievoustomato @kravietz What's funny is that they just have to ban proprietary software/hardware there will be a boom on development.
(DIR) Post #Ar3a0L4ISi7fP2RAOW by Asklepian@abyss.cafe
2025-02-12T22:37:38.964Z
1 likes, 0 repeats
@mischievoustomato@tsundere.love @phnt@fluffytail.org @kravietz@agora.echelon.pl @theorytoe@ak.kyaruc.moe on Mac OS and iOS there is superagent for safari, by default it automatically clicks deny (so I have only seen one banner in the past year that made it through) but you can also set it to automatically accept all if you are a masochist. Unsure about chromium and Firefox alternatives since I only use WebKit on my Amiga and Mac
(DIR) Post #Ar4M377pYOwypOTlT6 by mischievoustomato@tsundere.love
2025-02-12T23:07:09.598009Z
0 likes, 0 repeats
@Asklepian @theorytoe @phnt @kravietz I wish I had a macbook
(DIR) Post #Ar4M389dj9zY1IKivY by phnt@fluffytail.org
2025-02-13T07:50:00.943760Z
0 likes, 1 repeats
@mischievoustomato @Asklepian @kravietz @theorytoe I wish I had a Macbook
For one moment in time
I wish I had a Macbook tonight
(DIR) Post #Ar4nrkG71mj9RLii48 by kgbvax@chaos.social
2025-02-13T07:21:03Z
0 likes, 0 repeats
@divVerent @kravietz >I am aware that this kind of log would be permitted under the GDPR if it were properly disclosed.
By the same rationale, a phone displaying an incoming phone number would be illegal?
Sounds like nonsense to me.
(DIR) Post #Ar4nrlNarSJ0uqECMi by divVerent@blob.cat
2025-02-13T13:01:41.091164Z
0 likes, 0 repeats
@kgbvax @kravietz Displaying? Not. Storing forever on a cloud service? Quite likely.
And now guess where syslog on a vserver goes. Basically on a cloud service (the hoster).
(DIR) Post #Ar5CSv0kPbvcOyn9yS by kravietz@agora.echelon.pl
2025-02-13T13:28:51.775330Z
0 likes, 0 repeats
@divVerent From GDPR point of view responsibility is on the processor/controller. If users rely on you with their PII, you’re the processor/controller. But you are not responsible for any copies of the data made illegally e.g. by malware on users’ computers or legally by law enforcement on the ISP or VM hosting provider based on separate regulations. You don’t care about any VM disk copies, backups etc - that’s GDPR scope of the provider, because they collect the data, not you.
@kgbvax
(DIR) Post #Ar5CSvOqxzD7bk4PY0 by divVerent@blob.cat
2025-02-13T17:37:17.817780Z
0 likes, 0 repeats
@kravietz @kgbvax Right, so in the above example of call logs - the phone owner is the GDPR-responsible entity as far as the data on the phone is concerned, but if the data is sent off to an entity like Google for Cloud Backup, Google is the controller of that, acting via a data processing agreement with the end user.
So _technically_ the user is in part responsible for what the cloud service does, and at least has to disclose that a cloud service is involved.
However, this concrete case is exempted by Recital 18 - personal data for domestic purposes. That's literally the only reason why it's OK to do that, including cloud backup.
(DIR) Post #ArDhu9WDEVrD3gefEu by cy@fedicy.us.to
2025-02-17T20:06:41Z
0 likes, 0 repeats
In fact, there are many companies happy with the EU GDPR. When you allow a company to cheat their customers, spy on them and sell their data for billions, that company can use their ill-gotten gains to undercut other companies, driving them out of business. As with any regulation, companies that aren't hurting people will prosper, and companies that are hurting people will fail.
That politician is just conveniently ignoring all the small businesses completely unimpacted by the GDPR because they don't collect data, who make more money, and achieve higher prosperity since Faceboogle is too inconvenienced to steal that money and prosperity from their customers first. Apparently he "doesn't know" about them.
(DIR) Post #ArDiIoRSjTYwvjBxc8 by debacle@framapiaf.org
2025-02-12T11:33:38Z
0 likes, 0 repeats
@kravietz "And I don‘t know a single #sweatshop happy about #labour safety laws either."
"And I don‘t know a single #pimp happy about #sexworkers rights either."
"And I don‘t know a single chemical #waste dump happy about #environment protection rules either."
If #JDVance criticises our #GDPR, the #EU did the right thing!
#privacy #humanRights #EUpol #dataProtection #AI
(DIR) Post #ArDiIqMZacq8t8v5Gq by cy@fedicy.us.to
2025-02-17T20:11:16Z
0 likes, 0 repeats
Also pimps are totally in support of sexworkers rights. That's why they operate brothels to protect their employees from abusive customers and inclement weather. Except when you make prostitution illegal. Then all the pimps that survive are conveniently evil gits. Funny how that works out...
CC: @kravietz@agora.echelon.pl