“The SCOPE Act takes effect this Sunday, Sept. 1, and will require everyone to verify their age for social media.”

So how does this work with Lemmy? Is anyone in Texas just banned, is there some sort of third party ID service lined up…for every instance, lol.

But seriously, how does Lemmy (or the fediverse as a whole) comply? Is there some way it just doesn’t need to?

  • bdonvr@thelemmy.club
    link
    fedilink
    arrow-up
    66
    arrow-down
    1
    ·
    4 months ago

    As someone neither living nor hosting my instance in Texas I’ll basically ignore it, and if it came to it I’d block the entirety of Texas if they somehow convince courts to enforce this outside of Texas.

  • tyler@programming.dev
    link
    fedilink
    arrow-up
    57
    arrow-down
    4
    ·
    4 months ago

    Lemmy isn’t social media. Ignoring that though, the law actually says:

    According to the Texas Office of the Attorney General, this new law will primarily “apply to digital services that provide an online platform for social interaction between users that: (1) allow users to create a public or semi-public profile to use the service, and (2) allow users to create or post content that can be viewed by other users of the service. This includes digital services such as message boards, chat rooms, video channels, or a main feed that presents users content created and posted by other users.”

    Which literally applies to every single site on the entire planet that has a comment section. This law is incredibly unenforceable.

  • UncleGrandPa@lemmy.world
    link
    fedilink
    arrow-up
    50
    arrow-down
    1
    ·
    edit-2
    4 months ago

    The answer? Block Texas

    Not joking. If suddenly hundreds or thousands of sites would become unavailable. It wouldn’t last a week

      • abff08f4813c@j4vcdedmiokf56h3ho4t62mlku.srv.us
        link
        fedilink
        arrow-up
        4
        arrow-down
        1
        ·
        4 months ago

        At times like this I wish we had /c/LegalAdvice - would love for someone who says “IAAL” to chime in.

        Some of the biggest lemmy instances - lemmy.world, feddit.de - are based in the EU. I don’t understand how EU based instances like these would be able to get away with not following GDPR.

        Though, it may be more that GDPR doesn’t apply, as per https://decoded.legal/blog/2022/11/notes-on-operating-fediverse-services-mastodon-pleroma-etc-from-an-english-law-point-of-view/

        [The UK GDPR] does not apply to … the processing of personal data by an individual in the course of a purely personal or household activity
        But for those spinning up an instance of a fediverse service for them and their friends, for a hobby, I think there’s far more scope for argument.

        In any case it seems like asking a fediverse instance to be compliant with the GDPR is possible, see for an example at https://sciences.re/ropa/ and https://mastodon.social/@robin/109331826373808946 for a discussion.

        • General_Effort@lemmy.world
          link
          fedilink
          arrow-up
          2
          ·
          4 months ago

          a purely personal or household activity

          No chance. This is what makes it legal to share data within a family and, to a degree, among friends. Running an open social media platform is neither a personal nor a household activity.

          The UK is not part of the EU. They kept the GDPR when they left, but it should not be assumed that the UK interpretation is always the same.

          The GDPR is not very thoroughly enforced; much to the chagrin of some people. This may or may not change in the future. It would be politically quite unpopular, a bit like thoroughly enforcing no-parking zones.

          • a purely personal or household activity
            No chance. This is what makes it legal to share data within a family and, to a degree, among friends. Running an open social media platform is neither a personal nor a household activity.

            Hmm.

            So running a single user instance for my own personal use (and keeping in mind the nature of federation meaning the only stuff my instance sends out is the stuff that I write) is absolutely not covered by the above?

            The UK is not part of the EU. They kept the GDPR when they left, but it should not be assumed that the UK interpretation is always the same.

            That is a very good point indeed.

            The GDPR is not very thoroughly enforced; much to the chagrin of some people. This may or may not change in the future. It would be politically quite unpopular, a bit like thoroughly enforcing no-parking zones.

            Seems risky to rely on low enforcement though. For those of us who love federation and privacy and want to federate while complying with the GDPR - what must be done?

            • General_Effort@lemmy.world
              link
              fedilink
              arrow-up
              1
              ·
              4 months ago

              (and keeping in mind the nature of federation meaning the only stuff my instance sends out is the stuff that I write)

              The stuff you write is personal data as long as it can be connected to your identity and so protected under the GDPR. But that’s a problem for other people.

              Your problem is the personal data of other people that come under your control. For starters, you need to answer this question: What legal basis do you have for processing that data?

              For those of us who love federation and privacy and want to federate while complying with the GDPR - what must be done?

              They need legal experts on the team. As GDPR-fans will tell you, data protection is a fundamental human right. We don’t let just anyone perform surgery, so don’t expect that just anyone should be able to run a social media site.

              Complying with the GDPR is challenging at the best of times. When you handle personal data, some of it sensitive, at the scale of a fediverse instance, it becomes extremely hard.

              Strictly speaking, it’s impossible. EG you need to provide information about what you do with the data in simple language. The information also needs to be complete. If the explanation is too long and people just click accept without reading, that’s not proper consent. You need to square that circle in a way that any judge will accept. That’s impossible for now. Maybe in a few years, when there’s more case law, there’ll be a solid consensus.

              Complying as well as possible will require the input of legal experts, specialized in the law of social media sites. The GDPR is not the only relevant law. There’s also the DSA, quite possibly other stuff I am not aware of, and local laws.

              Definite problems, I can see:

              1. Under german law, an instance owner has to provide an address, that may be served legal papers.
              2. It’s possible to embed images, but under the GDPR, there must not be connections to 3rd party servers without consent. In fact, all out-going links are a problem.
              3. Federation itself. You can’t federate with instance, if you haven’t made sure that they comply with GDPR.
      • General_Effort@lemmy.world
        link
        fedilink
        arrow-up
        1
        ·
        4 months ago

        It is a problem. If anyone complains or sues about GDPR compliance, they will get fined and/or have to pay damages.

        There’s also other regulations, like the DSA. I’m fairly sure the GDPR isn’t the only legal problem.

      • Kaboom@reddthat.com
        link
        fedilink
        arrow-up
        2
        arrow-down
        4
        ·
        4 months ago

        It’s going to be a big problem when the EU catches wind. Gpdr is a nasty law, hard to comply with properly, and has harsh fines. And no, “we tried to comply” will not fly

        • Don_alForno@feddit.org
          link
          fedilink
          Deutsch
          arrow-up
          3
          arrow-down
          1
          ·
          4 months ago

          hard to comply with properly

          Not at all. Don’t collect personal data that’s not technically necessary for the service to work. Tell users what data is collected and for what purposes. Done.

  • gravitas_deficiency@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    29
    ·
    4 months ago

    lol it doesn’t

    Texass is gonna have to play whack-a-mole and do it the hard way. And I’m pretty sure the more technically inclined members of the fediverse are going to have loads of fun fucking with whatever IT measures they try to mitigate this with, because they’re certainly not going to be drawing the best and brightest minds.

    Put another way: weaponized non-neurotypicals are gonna have some fun fucking with a state government that doesnt like them, because the feeling is very much mutual.

  • ulkesh@lemmy.world
    link
    fedilink
    arrow-up
    23
    ·
    4 months ago

    It’s called the “Fuck Texas” response to such a garbage law. And good luck enforcing it especially with federated sites.

  • Dasus@lemmy.world
    link
    fedilink
    arrow-up
    7
    ·
    4 months ago

    Comply?

    “Is there some way it just doesn’t need to” = “Is there some scenario in which Texas laws don’t apply worldwide?”

    Yes. There is.

    • SirEDCaLot@lemmy.today
      link
      fedilink
      arrow-up
      4
      ·
      4 months ago

      To expand on this- In general you must comply with the laws of any jurisdiction where you have a business presence. This for example Meta is a USA company, but they have offices in the EU and they sell advertising in the EU from EU offices so they have to comply with EU laws for EU users. They can’t just wave off and say ‘we are a USA company, EU regs don’t apply to us’.

      Lemmy is not a corporation. There is no business presence in Texas, unless an instance admin lives there or hosts the server there. So Lemmy, both as a whole and as individual instances, can simply give Texas the middle finger and say ‘we aren’t subject to your laws as we have no presence or business in your state. We are in the state of California (or whatever) and are subject to the laws of our home state. It is not our job to enforce Texas laws in California on servers hosted in Virginia.’

      Thus Texas trying to enforce their laws on a Cali company is like Hollywood studios sending DMCA notices to Finland.

      • Dasus@lemmy.world
        link
        fedilink
        arrow-up
        2
        ·
        4 months ago

        Thus Texas trying to enforce their laws on a Cali company is like Hollywood studios sending DMCA notices to Finland.

        My point exactly.

  • 𝕸𝖔𝖘𝖘@infosec.pub
    link
    fedilink
    English
    arrow-up
    3
    ·
    4 months ago

    This has “DMCA notice to a Russian music site” vibes. Basically, we do nothing. They have absolutely zero authority outside of Texas. If the instance is inside Texas’s borders, that’s a different story, but if the instance is located outside, it has no obligation to follow Texas’s law. They can’t do anything. They can’t block Lemmy, because it’s federated. They can’t sue Lemmy, because it’s federated. They have zero recourse, except for slam their feet on the ground and cry like a petulant child.

    • cordlesslamp@lemmy.today
      link
      fedilink
      arrow-up
      0
      ·
      4 months ago

      I’m curious to why can’t they do anything to Lemmy because it’s federated.

      Can they just block all the domain names of lemmy through ISP?

      As for suing, can they just go after the server owners or the hosting service?

      • luciferofastora@lemmy.zip
        link
        fedilink
        arrow-up
        0
        ·
        4 months ago

        Good luck finding “all the domain names”. IDK about suing, but unlike centralised monoliths like Facebook, you’d have to sue every instance violating your rules separately, and that’s assuming you can pin down who and where to sue for each of them.

  • Furbag@lemmy.world
    link
    fedilink
    arrow-up
    2
    ·
    4 months ago

    Social media is probably a very poorly or very narrowly defined term. Either they called out Facebook, Reddit, Snapchat, etc by name or they gave some broad description of social media that could apply to everything from Facebook all the way down to somebody’s Vbulletin forum and this will be unenforceable for the vast majority of websites. Compliance is likely voluntary for the little fish in social media. I imagine that they aren’t even aware that Lemmy exists.