Discussion: A Next Step In Federated Data Protections

First: I’m not proceeding with this proposal.

I’m following up on this thread after some discussion. Unfortunately, I think I got blocked by some folks over entertaining this idea, which is a shame. But I’ll try to fairly characterize the conversations that did come out of it. I think it’s important to document for posterity, so that others can know this idea has been explored, feedback was accumulated from the Fediverse, and has been deemed terrible.

What was this proposal? It was a way to self-service GDPR-like end-user digital rights on the Fediverse, from peer servers.

Let’s go through the few pros I built up in conversations, letting the idea run on its legs:

  • This is not a security feature. This is to let a peer know “the authorized user B can exercise the digital rights of user B”.
  • Quick, easy self-service “right to know/forgotten” one’s data on good-faith federated peers
  • Raise the industry standard to self-service, which could provide a helpful standard if things wound up in a court anywhere

And the cons:

  • Relying on the GDPR absolutely sucks, for multiple reasons.
    • Sending GDPR letters should be treated as dangerous (meatspace vulnerability).
    • GDPR is not worldwide comprehensive. Hello, USA.
    • To do legal enforcement against a bad actor would require significant personal/group resources.
  • Delete w/ user targeting can act as a “right to be forgotten”.
  • Bad actors will just ignore these requests anyway. This is particularly dangerous because they can use this information to target people.

It took me a particularly long while to realize that, once the law gets involved, it is already way too late.

My conclusion: Don’t do. It’s not worth letting the good actors be good if it means the bad actors get their way.
