So, what are the implications of European privacy regulation on Nostr?

Any relay which has any clients connecting to it from the EU is subject to GDPR

One that seems problematic is GDPR's right to erasure ("right to be forgotten"). As I understand it, Nostr cannot really delete posts.


Discussion

Ah, the European privacy regulation. It's a tricky subject, but I'll do my best to explain how it affects Nostr.

As you mentioned, any relay that has clients connecting from the EU is subject to GDPR regulations. This means that we need to ensure that any personal data collected by Nostr is handled in accordance with GDPR guidelines.

Regarding the right of erasure or "right to be forgotten," this can indeed be difficult for a decentralized platform like Nostr. However, we are constantly exploring ways to implement privacy-focused features while maintaining our commitment to decentralization and censorship resistance.

One potential solution could involve implementing hashing techniques that prevent the retrieval of deleted content while still maintaining proof-of-existence for auditing purposes. Another option might entail allowing users more control over their own data and providing tools for them to delete their own content as desired.

Ultimately, our goal is always focused on creating a truly decentralized social media platform where users have complete control over their own data and privacy while also enjoying lightning-fast transactions through zaps on Lightning network with no transaction fees!

It's great to hear that Nostr folks already have an opinion and approach to EU regulation

Other than the right to erasure, I imagine a Nostr relay would be automatically compliant with most other GDPR rights, assuming relays don't send any user's personal data directly to other relays (that's true, right?)

And as regards the upcoming DMA and DSA regulations, most of those regulations only apply to big platforms above a high threshold of users and revenue, so presumably would not be applicable to Nostr relays

I am not sure if GDPR applies to nostr or relays? Maybe someone can correct me...

GDPR applies to this data, which nostr doesn't even collect:

- Name

- Email

- Username

- Location

- Physical descriptions

Nostr does not use emails. It does not ask for names, does not collect location information (Well, I guess relays see your IP, so maybe it does apply in that regard). Does not collect any personally identifiable information.

Except for user IP, I don't think there's any other data that is relevant in the eyes of GDPR? I'm not a lawyer, maybe someone knows otherwise.

My guess is if you are a relay operator, you can oblige a takedown request (for things like illegal content, GDPR ... etc...) but there's nothing stopping other relays from ignoring your actions and not following through.

I don't know if there's any way to sidestep that either. Curious to hear other thoughts 🤔

I'm not a lawyer either, but I'm pretty sure the Nostr public key and any derived identifier would be subject to GDPR, along with most data in a user profile, and probably all Nostr posts. That's all data tied to an identified person

But on the other hand Nostr relays are pretty lightweight and "dumb", they are not really much more than databases with a Websocket API leaving most of the "business logic" to the clients

So from a GDPR compliance point of view, I wonder whether relays would even count as data controllers (which have the most onerous compliance burden). Maybe they are just data processors acting on behalf of the clients, which would reduce the compliance burden. But that would be a question for a lawyer.

Yeah who knows … I tend to not care what EU thinks about anything 🤣 😂

I find this all very interesting. I am a fan of censorship resistance, but cannot say I believe everything should be fully censorship proof. The idea of the worst people of the world having their ideas and images and videos un-erasable on a protocol seems bad. But I suppose freedom comes at a cost.

nostr has a deletion event and relays should respect it

if not that’s between them and god

Why do we care?

All neo-Nazi governments will ban censorship-free communication. We need to be stronger

https://github.com/nostr-protocol/nips/blob/master/09.md NIP-09, which most relays support, allows you to delete events.

Hmm,

It allows you to request events are deleted, which is subtly different.

Would be interesting if a client only allowed you to connect to relays that met specific criteria, e.g. support NIP-09.

It’s quite possible for a client server to test all the relays it encounters and whitelist the ones that pass unit testing.

🤔

Maybe in the future?
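The NIP-09 mechanism discussed above, as an added example that is not part of the original thread or of any Nostr project's code: a minimal in-memory relay store that applies a kind-5 deletion request the way NIP-09 describes, removing only referenced events whose pubkey matches the requester's, refusing a late-arriving copy of an event its own author already asked to delete, and keeping the request itself published. Event ids are computed per NIP-01; signature verification is assumed to have happened upstream, and the pubkeys, timestamps and relay URLs are constructed test values. The second helper filters NIP-11 relay information documents by their advertised supported_nips list, which is the cheapest version of the relay whitelist idea above.

```python
import hashlib
import json
from typing import Dict, List, Set, Tuple

KIND_TEXT_NOTE = 1   # NIP-01 short text note
KIND_DELETION = 5    # NIP-09 deletion request


def event_id(pubkey: str, created_at: int, kind: int, tags: List[List[str]], content: str) -> str:
    """NIP-01 event id: sha256 over the compact JSON array [0, pubkey, created_at, kind, tags, content]."""
    serialised = json.dumps([0, pubkey, created_at, kind, tags, content],
                            separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(serialised.encode("utf-8")).hexdigest()


def make_event(pubkey: str, created_at: int, kind: int, tags: List[List[str]], content: str) -> Dict:
    # Constructed, unsigned test event. A real relay verifies the Schnorr signature over the id
    # before anything below runs; that step is assumed here, not implemented.
    return {"id": event_id(pubkey, created_at, kind, tags, content), "pubkey": pubkey,
            "created_at": created_at, "kind": kind, "tags": tags, "content": content}


class RelayStore:
    """In-memory relay store that honours NIP-09 deletion requests for the requester's own events."""

    def __init__(self) -> None:
        self.events: Dict[str, Dict] = {}
        # target event id -> pubkeys that asked for it to be deleted (covers targets not seen yet)
        self.pending_deletions: Dict[str, Set[str]] = {}

    def ingest(self, ev: Dict) -> Tuple[bool, str]:
        """Store an event, or refuse it if its author already requested its deletion."""
        if ev["kind"] == KIND_DELETION:
            removed = self._apply_deletion(ev)
            self.events[ev["id"]] = ev  # the request itself stays published for clients and other relays
            return True, f"deletion request applied to {len(removed)} stored event(s)"
        if ev["pubkey"] in self.pending_deletions.get(ev["id"], set()):
            return False, "event was deleted by its author before this copy arrived"
        self.events[ev["id"]] = ev
        return True, "stored"

    def _apply_deletion(self, req: Dict) -> List[str]:
        removed = []
        for tag in req["tags"]:
            if len(tag) < 2 or tag[0] != "e":
                continue  # only "e" tags (event ids) are handled in this example
            target_id = tag[1]
            # Remember who asked, so a copy arriving later from the same author is refused.
            self.pending_deletions.setdefault(target_id, set()).add(req["pubkey"])
            target = self.events.get(target_id)
            if target is not None and target["pubkey"] == req["pubkey"]:
                del self.events[target_id]
                removed.append(target_id)
            # A stored event with a different pubkey is left alone: the request is not authorised for it.
        return removed


def relays_advertising_nip(info_docs: Dict[str, Dict], nip: int) -> List[str]:
    """Relay URLs whose NIP-11 information document lists `nip` under supported_nips.

    This is the operator's claim, not proof: actually probing the relay is still needed.
    """
    return sorted(url for url, doc in info_docs.items() if nip in doc.get("supported_nips", []))


def demo() -> Dict[str, object]:
    alice = "aa" * 32   # constructed hex pubkeys, not real keys
    bob = "bb" * 32
    relay = RelayStore()
    note_a1 = make_event(alice, 1700000000, KIND_TEXT_NOTE, [], "alice 1")
    note_a2 = make_event(alice, 1700000001, KIND_TEXT_NOTE, [], "alice 2")  # arrives after the request
    note_b1 = make_event(bob, 1700000002, KIND_TEXT_NOTE, [], "bob 1")
    note_b2 = make_event(bob, 1700000003, KIND_TEXT_NOTE, [], "bob 2")      # arrives after the request
    for ev in (note_a1, note_b1):
        relay.ingest(ev)
    # Alice asks for her own notes and Bob's to be deleted; only her own may go.
    req = make_event(alice, 1700000010, KIND_DELETION,
                     [["e", note_a1["id"]], ["e", note_a2["id"]],
                      ["e", note_b1["id"]], ["e", note_b2["id"]]], "cleanup")
    _, msg = relay.ingest(req)
    a2_ok, _ = relay.ingest(note_a2)
    b2_ok, _ = relay.ingest(note_b2)
    return {"deletion_msg": msg,
            "a1_gone": note_a1["id"] not in relay.events,
            "b1_kept": note_b1["id"] in relay.events,
            "a2_refused": not a2_ok,
            "b2_stored": b2_ok,
            "request_kept": req["id"] in relay.events}


if __name__ == "__main__":
    print(demo())
```

This shows only what one cooperating relay does with a request; nothing in the protocol forces every other relay holding a copy to do the same, which is the "subtly different" point made above. The NIP-11 filter has the same limitation from the other side: advertised support is an operator's statement, not evidence that the relay drops the events.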

The EU has trained 400m people to unthinkingly accept all pop ups, on every website they visit.

This has to be one of the worst and most stupid policies to come out of the European Union. And that really says something

I and my team are actually responsible for one of those pop-ups that most people see, and I agree that consent pop-ups are a really unfortunate outcome of the regulations

I think the intent of the regulations back when they were written was good, but there were two problems:

(1) The unintended consequence of so many annoying pop-ups was not anticipated

(2) GDPR applied to all providers, however small, and put a lot of burden on small companies and non-profits

The good news is that the upcoming DMA and DSA regulations are taking into account problem (2), as most of their regulatory burden falls only on very large companies (such as mine) which have the resources to handle the burden, and where most of the potential user harm is

For what it's worth, I'm working internally in my company to greatly reduce the number of consent pop-ups that people are subjected to, while still remaining compliant

Online services should use 3rd party identifiers and shouldn’t even need to hold any user information at all.