!Hubzilla Support Forum
Is there finally an official way of including an imprint and a privacy policy
  • on a hub running master (as opposed to dev)
  • that survives git pulls
  • that's #GDPR compliant
  • that's ideally documented somewhere (i.e. no need to reverse-engineer another hub)?

Besides, are an imprint and a privacy policy actually necessary for a private, single-user hub? (Because as far as I understand, they are.)
  
Not yet in Master, but 3.8RC has the changes merged in to redirect template loads from the system locations to another location. The docs need to be updated yet, but basically you create the new file and add a line to .htconfig.php to point the default to the new location. It works also for pages in the doc tree (you can create custom, hub-specific doc files to replace individual files in the doc tree). There is an error currently with non-existent files not resolving properly which is "on the list" to figure out yet.

So, short answer, not yet in Master but very soon.

GDPR compliance is up to a given hub admin to determine. I don't think anyone around here has the legal credentials to give any definite assurances. If you want legal advice, ask a lawyer.

  
Remember when the iPhone was new? "There's an #app for that" quickly became a meme.

Nowadays, it's more like, "You need an app for that." The number of things that absolutely require a #smartphone app is increasing rapidly.

Now you may ask what's so bad about that. What's so bad about that is that "smartphone" means either an #iPhone or an #Android phone with Google Play services installed and running. The app in question is a non-free, proprietary, closed-source binary blob that is only available at the Apple App Store (for iOS) and the Google Play Store (for Android). And no, the app isn't available as a simple *.apk download anywhere. You want the Android app — you need the Google Play Store and a #Google account.

Don't ask for #FLOSS alternatives available on F-Droid or even on OpenRepos for #Maemo and #Sailfish. The app communicates with the service via a proprietary, undocumented connection. No chance for an API. Even if somebody were able to reverse-engineer the protocol and create a FLOSS alternative, whoever owns and runs the original will do anything to stop the alternative from working — from changing the protocol on short notice every now and then to deleting accounts of users of the alternative and denying them the creation of a new account to suing the creator of the alternative into surrender.

Needless to say that these official apps aren't, have never been and will never be open source and/or Free Software, so no official apps on F-Droid. And they aren't, have never been and will never be available for any mobile platform that doesn't have any million-selling devices in Germany (or the USA or whichever big Western country is mainly targeted by the app), so no official Sailfish port.

So not only do these things require a smartphone app, but they require a smartphone with the right OS, they require Google to spy on you unless you've got an iPhone, and they make a Google account a necessity so you can acquire the app in the first place unless you've got an iPhone.

And there's a lot that absolutely requires a smartphone app meanwhile, and it gets more and more. Some banks have shut down their online banking portals; online banking now requires a smartphone app. New banks start to pop up that require a smartphone app for everything. Needless to say that these apps are only available at the Apple App Store and the Google Play Store. Public transportation wants to increasingly move towards the use of smartphones as tickets, and guess where the required apps will only be available.

Sure, the companies want to appear modern and up-to-date and save money by shutting down Web servers and such. But they imply that everybody has got either a more recent iPhone or a more recent native Android device with stock firmware and a Google account.

This excludes the following kinds of people from more and more services altogether:
  • People who don't have a smartphone because they can't afford one.
  • People who don't have a smartphone because they don't know how to use one.
  • People who boycott mobile phones altogether.
  • People who don't have a smartphone because they want to avoid being spied on, and not having a smartphone is easier than finding a secure one or tweaking a regular one, especially for non-tech-savvy non-geeks.
  • People who have an older smartphone which still works, but which is too old to run that app.
  • People who have a smartphone running an OS that isn't supported by the app developers (Maemo, Firefox OS, Ubuntu Mobile, Windows Mobile, Windows Phone, Blackberry OS, Symbian etc., essentially everything that's neither iOS nor Android).
  • People with not officially supported Sailfish OS devices which therefore don't have Aliendalvik. (Or people with Sailfish OS devices altogether if the app requires Android > 4.4.4.)
  • People with Sailfish OS devices who flat-out refuse to activate Aliendalvik.
  • People with Sailfish OS devices who do run Aliendalvik, but no Google Play stuff.
  • People who have installed a Google-free, more or less vanilla Android flavour on their Android device.
  • People who have a theoretically compatible device, be it Android, be it Sailfish OS with Aliendalvik, but who boycott Google and refuse to register a Google account.

It's the same crap as services of whatever kind that can only be contacted via WhatsApp — and neither via phone call nor via e-mail nor via snail mail nor via any other messenger service.
  

  
This may be a "Wait, this exists?" moment for some, but I'd like to know a few things about how that observer language feature works.

Let's assume I write a post in two languages with language tags so that German-speaking Hubzilla users get a German text while everyone else gets an English text.

Is the observer's language only determined if the observer is a logged-in member or also for outside viewers? I mean, I know that Hubzilla can do the latter, the registration page usually shows up in the observer's language before they register already. So how are posts with observer language tags displayed to visitors who are not logged in?

Also, how are posts with observer language tags displayed to users of other networks such as Diaspora* or Friendica? What do they get to see? Their language? English? Their language and English? Their language and English plus the non-parsed Hubzilla-specific BBcode tags? Other gibberish? Nothing because what's between Hubzilla-specific tags isn't parsed at all?

!Hubzilla Support Forum
  
observer.language isn't implemented in bbcode, so a lot of these questions are a bit off mark. It is a conditional construct implemented in Comanche, which is the page description language used on the webserver. So it applies only to people viewing this page on this server. The variable is set to the determined language of the interface, based on the viewer's browser preferences and any language overrides that were applied to the session.

I think somebody filed an issue to ask us to put this construct in bbcode, but it never happened because I had the same kinds of questions as you as to what it would mean on other servers and most importantly how we would even know what the browser language was on another server.
  
Actually (it's all coming back now) we did put observer.language in a couple of other locally generated things like help pages and wikis or something like that; and made it available to markdown code. I'm not happy with that decision but didn't fight it. Again, none of this is federated off site. It doesn't do anything in posts and I haven't tried, but should just display the raw tag since it isn't something that is recognised in that context.

  
You know, Hubzilla could maybe have used the #DSGVO a.k.a. #GDPR a.k.a. "European privacy law" to its advantage.

Especially in Germany (where lawyers are right now misusing GDPR as a "get rich quick" scheme without any clients telling them to), a number of privately-operated forums have shut down right before May 25th because they could not possibly comply with GDPR, some of them having been close to 20 years old like the German Depeche Mode fan forum. And I guess that nobody dares to launch a new German-speaking forum anywhere in the EU now, leaving the former forum users pretty much homeless if they neither speak nor understand English.

What we could have done is get into contact with these people and offer them a new home on Hubzilla, thereby increasing and diversifying its user community. Hubzilla can be used as a forum host all right even though such a forum looks more like a blog than a bulletin board.

I guess it's hard to regather them now. Besides, I don't know if Hubzilla's current hub infrastructure can cope with hundreds or even thousands of people flocking in at once. And since we aren't talking about extremely computer-savvy FLOSS geeks who can set up a LAMP stack at the drop of a hat, I've got my doubts that this will lead to more people running public hubs.

In fact, seeing as we're talking about people who right now neither know what the Federated Web is nor how it works, and who are therefore likely to have trouble picking a hub (and wrapping their mind about them all being interconnected), they'll all pile onto the same hub until it's full, and when it's full, they'll believe Hubzilla itself is full. That's why launching one new hub for any community in danger of losing their forum won't work: It'll probably be overcrowded in no time.

(Same as with everything else. Why does everyone have a Gmail account? Why does everyone have an iPhone or a Samsung Galaxy? And so on? Because choosing what everyone else uses is a no-brainer. That's why launching more than one new hub might not work either: Folks won't know which one to pick and all join the one with the most users.)

Next problem: It's hard to know about something like this happening in advance. German news media didn't mention anything about forums closing down due to GDPR before these forums were actually shut down. And then it was too late.

Last but not least, potential future hub admins (and probably also regular users) will have their doubts that Hubzilla is GDPR-compliant enough to not be shut down. As of now, I'm afraid these doubts are justified.

!Hubzilla Outreach
  
Question is what was the reason for them to shut down. GDPR is very broad. It's hard for me to realize what made those forums close down. They shared all credentials with 3rd parties without consent? Stored everything in the open somewhere overseas? Used non-HTTPS connections? Stored passwords in plain text? What is the legit reason for closing down?
  
For example:

Impossibility to document everything that's done with visitors' and members' data down to the tiniest little detail.

Creating a fully compliant imprint was too difficult or downright impossible.

Impossibility to implement a functionality that wipes an 18-year-old forum clean of all data of any one user. Also, while it's about "private data", there is no clear definition of what exactly is considered "private" on a forum.

Having to negotiate with, for example, YouTube (and therefore Alphabet/Google) due to the exchange of cookies and IP addresses (these already count as personal data and fall under GDPR) for 10 years worth of embedded videos.

Having to negotiate with Google because everyone and their dog have been using Google Analytics because they were too lazy to implement their own analytics system.

And so forth. All this is stuff that German lawyers may get you for. And in the case of GDPR and in German understanding, "may" is already too likely to be shrugged off.

Last but not least, there are Abmahnanwälte looming over them like hawks waiting for prey plus the prospect of having to pay up to €40,000,000 if not fully compliant.

See, in Germany, GDPR compliance isn't understood as "that'll do". Germans are super-ultra-thorough. So are German lawyers, especially if there's something in it for them. So, in Germany, GDPR compliance means to fulfill every last paragraph and sub-paragraph to a tee, and if there are multiple ways of reading a passage in GDPR, assume the worst because so will greedy lawyers.
  
But in case of embeds, you need to just change the privacy policy and say that this is happening or switch off preview renders.

Also, as far as analytics go, the easiest way is switching it off. Problem solved. I think those old forums had other issues such as no HTTPS implementation, storing passwords in the database in plaintext and other technical things that should not have taken place anyway.
  
For everyone who still believes that things won't get that bad with the DSGVO and that nothing will happen:

It's already happening.

Heise reports that the first cease-and-desist lawyers (Abmahnanwälte) have already started throwing around fee-bearing cease-and-desist letters over DSGVO violations. Response time for those affected: 2 days.

In the comment section, a user reports that one of his sites, which otherwise no longer had any traffic at all, was captured right on time for May 25th by a web crawler of NetEstate GmbH which automatically searches for postal addresses. The site received a cease-and-desist letter shortly afterwards.

In plain language, this means: The cease-and-desist lawyers have long since recognised the DSGVO as a gold mine and are now using web crawlers to scrape, fully automatically, as many websites as possible that they can send fee-bearing cease-and-desist letters to.

Make of it what you will: total bungling by "Neuland" internet-printers, a self-enrichment law for the cease-and-desist lobby, or another step, planned as such, towards eliminating the free Internet in favour of a Web controlled by a few big US corporations with legal departments worth millions.

But see to it that Hubzilla becomes as compliant as possible.

#Datenschutzgrundverordnung #DSGVO #GDPR #Abmahnanwälte #Abmahnwelle #Abmahnung