So there are a few things which have come up which worry us. Some are GDPR directly, legal requirements which aren't GDPR, and other what i'll call moral requirements of running a social platform.

I touched on this 6 months ago with some #scuttlebutt-abuse posts.

I'm not a lawyer, so don't take this as legal advice.

If you're running a ssb client then it's pretty clearly personal use similar to running a web browser. If you're a company or incorporated organization which runs a pub then you probably do need to be compliant. Unfortunately having a network of people who coordainte with no legal standing doesn't help much because they'll just treat it as an organization with no legal protections as an unincorporated association.

In my opinion most of the stuff in GDPR is good. The right to be forgotten, the right to data portability, the right to some control over your personally identifiable information.

So how do we get that? Well we do two things, one we get flumedb to work where you can delete a feed of content form somebody else. That way you're able to comply with a request to delete somebody's data. It's also good because many countries have laws which make it a crime to be in possession of some kinds of data. What's banned ranges from jokes about a monarch and defaming statements about a religion to child pornography and nazi propaganda. In many cases the state doesn't care if you knew the data was on a device you possess or how it got there. If you have that content, and the police find out, you go to jail.

The second thing is being able for a user to request their data be removed, the right to be forgotten. The current system where content is in the log (on chain content) means you have to delete everything of a person's content or none of it. And we don't have a way or requesting the nuclear option. I think we should develop a message type which let's you request that. I also think we need the ability for users to delete specific posts. That's why with #verse we've been looking at changing the feed type slightly so that your posts are signed by the post but the content isn't encoded in the log. This will let you delete things without breaking the log integrity. It's how well post things, we'll be releasing code so other people can support this format, so they can read posts from our clients, and we hope other people will adopt this.

There are a few other things which are tricky beyond deleting / blocking content. There's a lot of countries which have age restrictions for use of services. The ICO in the UK is considering mandating age verification for everybody for everything. Would that make any free software which uses a network illegal in the UK unless it used a paid age verification service? I don't know. Most countries let you simply request the user give you an age and you can believe what they tell you. I think the actions of the ICO means that the UK will be in a much worse situation in terms of internet rights once it leaves the EU.

One of the really weird things is PII, personally identifiable information. So if you're a company, you need to store this information in a way that lets you track it, protects it, and lets users get some say over it. And if any of it is leaked you need to notify the person, under GDPR it's within 72 hours. If you're a company, or a group which runs a pub, people can publish PIII in their about message, lots of us do. In fact your long running public key counts as PII.

What happens when that leaks? Say your pub is hacked, or we discover that there's a bug in muxrpc which lets unauthorized people walk the logs? You're legally required to notify that person within 72 hours. How do you do that? If you only know the person by their SSB identity, and they pull feeds they want, there's no push. It's ironic, we're looking at needing to collect PII for the sole purpose of being able to notify those people that their PII might be leaked. For the case of #verse we're going to be asking users of our app for a way to contact them. For SSB accounts we store their logs but they aren't using their app... i don't know, I mean it's the same thing, my ip address is PII, i visit a website in the EU, then that log file could leak, and they'd have 72 hours to contact me, but not way of doing it. Who knows?

For what it's worth, GDPR basically applies to everybody everywhere because it's for EU citizens where ever they are in the world and for everybody in the EU. Since you can't know if somebody's an EU citizen without asking them... you have to assume you need GDPR for everybody.,

I think what's been brought up before, GDPR wasn't written with the idea of users controlling their own data on decentralized systems. So i'm guessing the real implications just haven't been determined.