Open NfNitLoop opened 3 years ago
NfNitLoop
commented
3 years ago Ah, right, there's also #32 which is another way that a server admin could remove GDPR content.
But FeoBlog itself does not provide a way to contact a server admin to make a request. Is that a requirement under GDPR or can that be handled by other channels? (Maybe it'd be as simple as allowing a server to configure an admin e-mail or contact form URL?)
NfNitLoop
commented
3 years ago I might want to look into how systems like Mastodon handle this. If you post data to a single Mastodon server, it might get copied to other servers to show up in user feeds there. Do they have features that help w/ GDPR compliance?
NfNitLoop
commented
3 years ago (brainstorming) Here's an issue -- if I rely on revocation (#5) to remove someone's data, that requires they revoke their entire userID. Should I add something with a smaller scope that allows a user to remove their data from a particular server? A server-limited revocation?
This is somewhat appealing to me, because I could see a situation where someone sets up a server for a community that you don't want to be a part of. You could mark your data as not being allowed on that server.
But, it raises some complicated edge cases, and could hinder the distributed-ness of the system as a whole. And any offending server could just choose to ignore such requests.
Example edge cases:
OK yeah, I think I've talked myself out of this idea. It complicates things, and would only offer you "protection" from frinedly servers that honored such a feature.
See: https://www.reddit.com/r/rust/comments/o80zh4/feoblog_v040_released_today/h3367dw/?utm_source=reddit&utm_medium=web2x&context=3
What are the obligations servers have under GDPR?
My layman's understanding is that under GDPR users must be able to:
The REST API can already list all of a user's Items, so that may take care of point 1.
And eventually I'll implement #5 -- is that enough to handle point 2?
If folks know other GDPR obligations, please leave comments, IANAL.