Wonder how this works if I implemented my own server for the protocol and a BlueSky user views it through their app?
Will they try exercising dominion over the data layer?
Will ads become part of the protocol, such that my client for the protocol must show their ads? Will 3rd party clients have to pay for data from some servers, who monetize by ad revenue? Of I run a server, will they take the content hosted there for free and then interleave ads for their users? The economics of this are unclear.
Yes, this is a very loaded, biased headline and implication. Seems oddly personal.
If the assumption is that "Jack" will remain at BlueSky indefinitely, perhaps looking at his history, and what the average founder does will show that's highly unlikely to be the case in the long-term.
Perhaps the headline should be updated with this in mind.
Given that https://www.crunchbase.com/organization/bluesky-514d/company... shows him as the only investor, it's reasonable to assume he's by far the controlling (if not only) shareholder. I'm not a lawyer, but it's reasonable IMHO to think that unless/until Bluesky gets additional institutional capital that would frown on this, it could effectively name Jack as a "licensee" or "assign" - the words in the policy - at any time without needing to alert the public, and give him full IP rights to user data.
CEO is obviously lying. "My lawyers disobeyed my instructions" is wholly unbecoming a CEO. CEO's job is to get the big stuff right, not pass the buck to the people who work for her.
I don't think people realize how beta the platform is. The whole thing is a kind of a (extremely high quality) hack that wasn't expected to host 50k people. They went with the ToS they got without polishing and are iterating in real-time.
>I really think we need a non-profit foundation for the social media
So much this! It is not like it requires faang level engineering to provide the valuable parts (to the user) of these services. I'd gladly donate to a nonprofit whose only political agenda is privacy and data sovereignty.
Perpetual/irrevocable rights to your posts are they only way Web 2.0 stuff can work. Every TOS includes a stanza like this one from Google:
By submitting, posting or displaying the content you give Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive licence to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit
They can't do that under the GDPR: you can demand at any time that your personal data be deleted (and everything you create and all data stored about you by any social network is, by definition, personal data).
> and everything you create and all data stored about you by any social network is, by definition, personal data
This isn’t true. This is a common misconception. GDPR strictly defines personal data into a narrow band of attributes. Generally any content that you make public that doesn’t identify a natural person or is sensitive by some other definition is not personal data.
> Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.
> Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the GDPR.
> Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible.
Your understanding is a bit strange considering that your username below your post makes your post related to a person (you) and is therefore personal data.
A contribution to a social network tells something about you. Even if it is just a recipe you share. The only way that would work is when the social network allows 100% anonymous posts. Which is very difficult for liability reasons.
That is the pseudo-anonymization clause there. Someone can look you up. Even if you are just a number, that is enough, if someone can link the number to an IP an from there to a person.
> This isn’t true. This is a common misconception. GDPR strictly defines personal data into a narrow band of attributes. Generally any content that you make public that doesn’t identify a natural person or is sensitive by some other definition is not personal data.
No, this isn't correct. I've spent too many hours in calls with lawyers (from the EC) regarding this. You quoted the exact line that makes it difficult:
> Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the GDPR.
This is applied very strictly. If you have a datum that can be used to identify a specific person out of *any* arbitrary set of people then that datum is personal information. Remember the COVID apps which worked using pseudorandom numbers shared by bluetooth? Those numbers are personal information despite the technical implementation being required to link person to ID being very hard. Same thing for the SHA2 of a COVID certificate (just the hash, no other information over the holder).
Not all regulators apply the laws the same / correctly and commercial companies who have an army of lawyers ride roughneck over the laws because they have bigger pockets than any regulator.
> If you have a datum that can be used to identify a specific person out of any arbitrary set of people then that datum is personal information.
Exactly. Content that doesn’t identify a natural person isn’t personal information. I don’t think we disagree on this. Conversely any content that can be used to identify a natural person is personal data. If I post “Jack Dorsey is a really cool dude” that’s not personally identifiable information. If I post “I am Lucas Nicodemus and I believe Jack Dorsey is a really cool dude” it is. Similarly, if I post “my unique ID in some system is X and I am a cool dude” it’s also personal information.
“Welcome to the Y Combinator website (including all websites to which this Privacy Policy is posted, the “Site”), which is operated by Y Combinator Management, LLC and its affiliates (collectively, “Y Combinator,” “we”, “us” and/or “our”).”
“With respect to the content or other materials you upload through the Site or share with other users or recipients (collectively, “User Content”), you represent and warrant that you own all right, title and interest in and to such User Content, including, without limitation, all copyrights and rights of publicity contained therein. By uploading any User Content you hereby grant and will grant Y Combinator and its affiliated companies a nonexclusive, worldwide, royalty free, fully paid up, transferable, sublicensable, perpetual, irrevocable license to copy, display, upload, perform, distribute, store, modify and otherwise use your User Content for any Y Combinator-related purpose in any form, medium or technology now known or later developed.”
It is a source of amusement that this site is a gathering place for rabid privacy absolutists, but it also not possible to delete anything here, as far as I can tell.
You can get your account deleted, but they have a policy of not deleting content because it contributed to a conversation, especially when there are replies
> We try not to delete entire account histories because that would gut the threads the account had participated in. However, we care about protecting individual users and take care of privacy requests every day, so if we can help, please email hn@ycombinator.com. We don't want anyone to get in trouble from anything they posted to HN. [More here].
See the FAQ & link
The general issue is this is a public forum that is scrapped by many parties, so the data is replicated to many unknown places.
I am rabid about privacy... but I am also involved in government and am rabid about transparency and completeness: these are not incompatible thoughts. I both believe everyone should have access to decentralized end-to-end encrypted communication technology and also believe that public meetings should be permanently archived.
If you want to send me content in private, you should get to do so... but, the ability to retroactively delete content you sent either to me or more so purposefully sent to the world has absolutely nothing to do with "privacy".
I find that the crowd here isn’t all that privacy absolutist (ala EFF).
The views I see on stuff like telemetry or ad tracking tend to lean towards that either being inevitable, or just the cost of doing business.
Sure you have some of the privacy absolutists too, but the crowd seems more varied, with perhaps a slight skew the other way, at least to the Slashdot of yore.
That doesn't help. Web3 is decentralised blockchain etc. where it's actually impossible to delete content, Web2 is where you have meaningful user interaction; in both cases your lawyers will insist you need to cover your backside by requiring your users to grant you an irrevocable copyright licence so that you're safe from e.g. a DMCA lawsuit from a user if they delete their account and all their messages and yet someone else on the forum is quoting them in a reply.
> BlueSky's Privacy Policy says they'll stalk everything you do on the site, but also what you were doing before you got there & what you do after
> They'll use cookies, pixel tags, & web beacons on app, web, & emails to stalk you all over the web
> They'll use info for targeted ads Personal Information Collec...Our uses of these Technolog...We use your information for...4. HOW WE DISCLOSE YOUR PER...
BlueSky's Privacy Policy says that there's no such thing as good InfoSec & if anything happens to your data because they don't care, it's 100% not their fault
> They 'may' 'attempt' to notify you of a breach
> Reminder: if you want to argue this, its individual private arbitration. 6. SECURITY OF YOUR INFORMA...
Don't build your castles on other people's land folks...
51 comments
[ 5.7 ms ] story [ 121 ms ] threadWill they try exercising dominion over the data layer?
Will ads become part of the protocol, such that my client for the protocol must show their ads? Will 3rd party clients have to pay for data from some servers, who monetize by ad revenue? Of I run a server, will they take the content hosted there for free and then interleave ads for their users? The economics of this are unclear.
If the assumption is that "Jack" will remain at BlueSky indefinitely, perhaps looking at his history, and what the average founder does will show that's highly unlikely to be the case in the long-term.
Perhaps the headline should be updated with this in mind.
Even more surprising, the author is apparently a lawyer: https://threadreaderapp.com/user/ashleygjovik
Whilst that explains picking apart the ToS, it seems odd to name "Jack".
1. The CEO is lying
2. The CEO did not read the ToS the lawyers wrote && did not expect these terms from the "standard social media ToS" they requested from the lawyers
Both are not a good impression to give for the brand BlueSky is trying to create
I really think we need a non-profit foundation for the social media protocols that will replace the walled gardens we have today.
So much this! It is not like it requires faang level engineering to provide the valuable parts (to the user) of these services. I'd gladly donate to a nonprofit whose only political agenda is privacy and data sovereignty.
By submitting, posting or displaying the content you give Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive licence to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit
This isn’t true. This is a common misconception. GDPR strictly defines personal data into a narrow band of attributes. Generally any content that you make public that doesn’t identify a natural person or is sensitive by some other definition is not personal data.
> Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.
> Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the GDPR.
> Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible.
See: https://commission.europa.eu/law/law-topic/data-protection/r...
A contribution to a social network tells something about you. Even if it is just a recipe you share. The only way that would work is when the social network allows 100% anonymous posts. Which is very difficult for liability reasons.
So it seems like whether it's identifying depends on the situation? Where else do you use that username?
My username trivially identifies me with a web search. Someone else's might not.
No, this isn't correct. I've spent too many hours in calls with lawyers (from the EC) regarding this. You quoted the exact line that makes it difficult:
> Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the GDPR.
This is applied very strictly. If you have a datum that can be used to identify a specific person out of *any* arbitrary set of people then that datum is personal information. Remember the COVID apps which worked using pseudorandom numbers shared by bluetooth? Those numbers are personal information despite the technical implementation being required to link person to ID being very hard. Same thing for the SHA2 of a COVID certificate (just the hash, no other information over the holder).
Not all regulators apply the laws the same / correctly and commercial companies who have an army of lawyers ride roughneck over the laws because they have bigger pockets than any regulator.
Exactly. Content that doesn’t identify a natural person isn’t personal information. I don’t think we disagree on this. Conversely any content that can be used to identify a natural person is personal data. If I post “Jack Dorsey is a really cool dude” that’s not personally identifiable information. If I post “I am Lucas Nicodemus and I believe Jack Dorsey is a really cool dude” it is. Similarly, if I post “my unique ID in some system is X and I am a cool dude” it’s also personal information.
You don't even have to go that far. Check the "Legal" link in the footer of this very page: https://www.ycombinator.com/legal/
“Welcome to the Y Combinator website (including all websites to which this Privacy Policy is posted, the “Site”), which is operated by Y Combinator Management, LLC and its affiliates (collectively, “Y Combinator,” “we”, “us” and/or “our”).”
“With respect to the content or other materials you upload through the Site or share with other users or recipients (collectively, “User Content”), you represent and warrant that you own all right, title and interest in and to such User Content, including, without limitation, all copyrights and rights of publicity contained therein. By uploading any User Content you hereby grant and will grant Y Combinator and its affiliated companies a nonexclusive, worldwide, royalty free, fully paid up, transferable, sublicensable, perpetual, irrevocable license to copy, display, upload, perform, distribute, store, modify and otherwise use your User Content for any Y Combinator-related purpose in any form, medium or technology now known or later developed.”
I'm sure theres a "but what if the deleted comment was a solution to an problem" remark.
> We try not to delete entire account histories because that would gut the threads the account had participated in. However, we care about protecting individual users and take care of privacy requests every day, so if we can help, please email hn@ycombinator.com. We don't want anyone to get in trouble from anything they posted to HN. [More here].
See the FAQ & link
The general issue is this is a public forum that is scrapped by many parties, so the data is replicated to many unknown places.
If you want to send me content in private, you should get to do so... but, the ability to retroactively delete content you sent either to me or more so purposefully sent to the world has absolutely nothing to do with "privacy".
This is a website version of "caution - hot" on coffee cups.
The views I see on stuff like telemetry or ad tracking tend to lean towards that either being inevitable, or just the cost of doing business.
Sure you have some of the privacy absolutists too, but the crowd seems more varied, with perhaps a slight skew the other way, at least to the Slashdot of yore.
Isn't Jack selling bluesky as web3.0?
> They'll use cookies, pixel tags, & web beacons on app, web, & emails to stalk you all over the web
> They'll use info for targeted ads Personal Information Collec...Our uses of these Technolog...We use your information for...4. HOW WE DISCLOSE YOUR PER... BlueSky's Privacy Policy says that there's no such thing as good InfoSec & if anything happens to your data because they don't care, it's 100% not their fault
> They 'may' 'attempt' to notify you of a breach
> Reminder: if you want to argue this, its individual private arbitration. 6. SECURITY OF YOUR INFORMA...
Don't build your castles on other people's land folks...
GDPR lawyers will absolutely LOVE this