I don’t think I’m going to add edit and delete support in this app because I think it was a horrible mistake to add those features to a client 🤣
as upset repeatedly in the past and many debates and discussions, I don’t think there’s any other viable way to do, threatening in a purely decentralized way because I think you’re just create another set of problems that are probably likely far worse
oh man, that voice dictation didn’t come out quite right I think it’s because I still have a cold
🤣
@prologic@twtxt.net @david@daiwei.me I just want to bring up the following: From a data protection point of view, edits and deletions are important. But that’s about it, I will not join discussions on that topic. :-)
So just because I enjoy this kind of thing (looking into laws and trying to understand them…):
GDPR is about roles, not ownership
There’s no property right in personal data under GDPR. The whole regime hangs on three roles:
- Data subject — the person the data is about.
- Controller (Art. 4(7)) — “the natural or legal person … which, alone or jointly with others, determines the purposes and means of the processing of personal data.”
- The rights in Arts. 16 and 17 are exercised by a data subject against a controller. They compel a third party to rectify or erase. They are not self-executing duties that a piece of software must expose.
That’s the key. In your architecture, for a user’s own posts about themselves sitting in their own feed on their own device:
- the user is the data subject, and
- the user is also the only person “determining the purposes and means” of that data.
There is no third party controller to compel. The “right to erasure” is a right to make someone else delete — and there is no someone else. It is satisfied the instant the user can change the file. A UI button is a convenience, not a legal requirement. Omitting it removes zero rights, because the data is a plain-text file the user can edit or delete by any means — editor, sed, git, their file manager. Full practical control is retained; nobody is being denied anything by anyone.
The only place where this would be an issue is the Twtxt Search Engine – But as the GDPR also points out:
Art. 17
The one place the “it propagated and I can’t recall it” problem is legally acknowledged is Art. 17(2), and it explicitly scales to what’s technically feasible:
“…the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure…”
Best-effort, given the technology. A decentralised, append-only, content-addressed feed is the available technology, and its limits are baked into the standard the law applies. Nobody — not the user, not you — is obliged to guarantee every cached copy vanishes.
I will very likely add a way to delete your feed(s) from the search engine, because I do thing that’s important. But as Art 17 points out, we can’t really guaranteed deletion in everyone’s caches around the planet haha 😆