Notes on operating fediverse services (Mastodon, Pleroma etc) from an English law point of view
In this monologue post, I set out an introductory analysis / overview of the English laws which are likely to apply to people in England who operate decentralised fediverse services which implement the ActivityPub protocol. In particular, people who run instances of Mastodon, Pleroma, and other similar software for others to use.
There are some health warnings:
- as always, nothing here is legal advice.
- this post focusses on those who run the server application for use by others, rather than those who provide underlying infrastructure (e.g. platform-as-a-service or infrastructure-as-a-service), although some of the considerations are likely to be similar.
- this is not exhaustive. I may add to it, as and when I get some time. But I thought a starting point, even if an incomplete one, was better than no starting point.
- lastly, this is an amble through laws, not themes. In the future, perhaps I will write an accompanying post which is more of a guide for operators, focussing on themes and "do's and do not's".
Neil, I've got a question or a comment!
Great! I don't have a commenting system here (and have no wish for one), but please do:
- come and chat with me in the fediverse. (And, if you care, here is my fediverse set up).
- or Twitter, if you are more old-fashioned :P
If you need advice relating to anything here (or not here) in terms of operating a fediverse service, you're welcome to get in touch.
The Investigatory Powers Act 2016
It is likely, in my view, that the operation of a fediverse service, especially one which the operator makes available to other people to use, is the provision of a telecommunications service, and that the operator is a "telecommunications operator" for the purposes of the Investigatory Powers Act 2016.
Assisting law enforcement / other public authorities
From the perspective of being required to assist law enforcement and other public authorities, the implications in practice of being a telecommunication operator will, I suspect, be close to zero (if not actually zero) for most operators.
The Investigatory Powers Act 2016 does not require a telecommunications operator to do anything by default. Its obligations in terms of retention and disclosure of communications data, or to provide access to stored content (e.g. direct messages) and so on are triggered only by a relevant public authority issuing some kind of official obligation on the operator.
Until the operator receives one of these (and assuming it is valid, and what is being requested is reasonably practicable etc.), the operator need do nothing. And, frankly, if an operator does receive one of these, this is one of the circumstances where contacting a lawyer before doing anything would be sensible.
I suspect that few operators will ever need to consider this aspect of the Investigatory Powers Act 2016 and that, for those who do, it is most likely to be in connection with a Part 3 notice for the acquisition by law enforcement of communications data.
(Yes, the UK/USA Data Access Agreement under the USA's CLOUD Act could be wielded here too. Perhaps, in fact, it may be one of the more likely uses of the instrument, especially if the fediverse continues to increase in popularity...?)
Avoiding unlawful interception
There are, however, things the operator would want to avoid under the Investigatory Powers Act 2016, the most pressing of which is likely to be avoiding unlawful interception. For example, unauthorised monitoring or manipulation of direct messages.
I am speaking at a conference later this week about avoiding unlawful interception, and I will link the slides here when I've done it (I don't want to "spoil" the presentation right now), but it is highly likely that, for all common administrative functions of running a fediverse server which entail interception, there will be a relatively simple way to do so in accordance with the Investigatory Powers Act 2016's prohibition on unlawful interception.
The UK's eCommerce regulations, which implement the EU's eCommerce directive, contain both obligations on providers of certain services, and protections for them.
The key entry condition is whether or not the operation of a fediverse server is an "information society service".
"Information society service"
The short form definition of "information society service" is:
"any service normally provided for remuneration, at a distance, by means of electronic equipment for the processing (including digital compression) and storage of data, and at the individual request of a recipient of a service"
The bit which gives me most pause is the "normally provided for remuneration".
Case law indicates that this means little more than "has some kind of economic context" to it. It definitely does not require a direct payment from a user.
It also indicates a focus on the specific service itself - i.e. the instance under examination - rather than an assessment of whether other services of a similar type are provided for remuneration or not.
My view - and, remember, nothing here is legal advice - is that a fediverse service operated by someone who solicits donations, or which is operated in the course of a business or other economic activity, is likely to amount to an information society service.
Instances operated by groups of friends which do not solicit donations, or by someone for their own use, seem to me to be less likely to fall within the definition. But it may - keep reading - be attractive for them to establish some kind of economic activity, and perhaps soliciting donations may be sufficient.
I suspect, in the fullness of time, we'll see litigation about this.
And what if a fediverse service is an information society service?
There are two main implications which arise from having the status of an information society service.
The first is the obligation to provide certain information to users.
On the face of it, this is not very tricky - it is pretty basic information - but Regulation 6(1)(b), a requirement to provide "the geographic address at which the service provider is established", will be unattractive to some.
One of the major benefits of being a provider of an information society service is the shielding provisions in the Regulations and, in particular in the context of the hosting of a fediverse service, the shield for the provision of hosting services.
In a nutshell, if a provider of a fediverse service would otherwise be liable for the acts or omissions of a user of the service, the provider is shielded from that liability as long as:
- they do not know about the problematic conduct; and
- if they become aware of problematic conduct, they act "expeditiously" to remove or disable access to the information in question.
This shield is not available if the user was acting under the authority or control of the service provider - in essence, the service provider can't use this shield for something which results from its own problematic acts or omissions.
Operating moderation does not make a provider liable for all content on the instance, but if a provider becomes aware of problematic content through its moderation, it needs to act to maintain the shield.
(Now, I'm not a fan of the way this is set up. I think it imposes an unrealistic burden on service providers, to become legal experts if they become aware of something potentially problematic, and that it encourages a position of taking stuff down to avoid potential liability. But it seems unlikely that this position will change for the better any time soon.)
If you are not a provider of an information society service, this shield is not available to you. That doesn't mean that you become liable for all your users' content, as there still needs to be a legal basis for a claim against you, as the service provider, but it does mean that a potentially useful defence is unavailable.
This alone might be sufficient for people providing fediverse services to their friends to make a genuine effort to establish an economic context, perhaps by asking for donations every so often.
But if they trust their friends not to post risky stuff, perhaps it is not worth the bother?
One of the areas of law which could render a service provider liable for what a user of its fediverse service posts is that of defamation.
s5(2) Defamation Act 2013 establishes a defence for operators of websites, when an action for defamation is brought against them in respect of a statement posted on the website.
But is a fediverse service a "website"?
Ah, the joy of legislation which is not technology neutral.
The defence applies to "operators of websites", so I expect argument as to whether the operation of a fediverse service - an implementation of the ActivityPub protocol - is a "website" or not.
There is no statutory definition of "website".
My view - for what little it is worth - is that there are good arguments as to why instances of today's common ActivityPub implementations (including Mastodon and Pleroma) should be regarded as websites.
Would that extend to all potential implementations of ActivityPub? I don't know.
If the fediverse service is a website, there's a potential shield, but it comes at a price
It's a defence for the operator of a website to show that it was not the operator who posted the statement on the website. Now, this reverses the burden of proof - the operator needs to show that it was not the person who posted the statement - but it is still a useful starting point.
The defence does not apply if:
- the person making the claim for defamation was unable to identify the person who posted the allegedly defamatory content in a manner which lets them bring proceedings against that person
- (Whether someone is sufficiently identifiable if a claimant could obtain an order permitting them to serve on the poster via the fediverse itself (e.g. by making a post @-mentioning them, or sending them a direct message) is a fun one.)
- the person making the claim notifies the operator that they need assistance; and
- the operator fails to provide the legally-required assistance.
The schedule to The Defamation (Operators of Websites) Regulations 2013 sets out what a fediverse service provider would need to do, if it received a relevant notice. It's not trivial, but being aware of its existence is a good starting point.
Again, simply doing moderation is not enough to vitiate the defence. The defence is not defeated by reason only of the fact that the operator of the website moderates the statements posted on it by others.
Reacting to an order to remove a statement
It is possible that a fediverse service operator might receive a court order, compelling it to stop distributing material which contains the defamatory statement.
An operator in the UK, which failed to respond to an order from a court in the UK, could face reasonably serious consequences.
There has been a lot of chatter about data protection and the fediverse and, to my mind, some of it has been of questionable accuracy. As always, understanding how something works in practice is critical. So, if you are getting your advice from fediverse and Twitter feeds, caveat reader.
This post is not, and will never be, an exhaustive analysis. And there are issues which are genuinely grey areas. And some topics - such as those of international transfers - are such a dissatisfactorily (a new word?) messy area of law that it is of little surprise if they remain messy when applied to the fediverse.
Even if the UK GDPR doesn't apply, its principles may be beneficial to your users
You don't have to be in scope of a law to think that what it requires is - in whole or in part - sensible and beneficial.
Even if you are not in scope of the UK GDPR, you may think that providing transparency to people about what you do with their personal data, looking after it appropriately, and not doing creepy things with it, are all worthy goals.
Assessing if the UK GDPR does apply
For the UK GDPR to apply to a fediverse service operator, the operation of the service must fall within both the material and territorial scope of the UK GDPR. In other words, the tests relating to both the "what" and the "where" of the service.
The material scope
The "what" test - the "material scope" - has a number of limbs, and the one which is most likely of relevance to some fediverse services is in Article 2(2)(a):
[The UK GDPR] does not apply to ... the processing of personal data by an individual in the course of a purely personal or household activity
If you're running the service as a business, or through a limited company, this isn't going to apply.
But for those spinning up an instance of a fediverse service for them and their friends, for a hobby, I think there's far more scope for argument.
And probably so even if the friends donate towards the costs which the person operating the service incurs - chipping in for petrol money for a car share with friends to a football match doesn't mean that the outing is any the less a personal or household activity, to use a probably terrible offline analogy.
The territorial scope
The "where" test - the "territorial scope" - only applies if the service provider isn't out of scope by virtue of the "what" test.
The "where" test is a little convoluted (again, this is high level, not down in the weeds, which may be very important weeds nevertheless), but, in essence, brings a service provider in scope if:
- they are established / located in the UK (even if their servers are outside the UK); or
- they are not established in the UK, but they either or both:
  - advertise / promote their fediverse service to people in the UK; and
  - monitor the behaviour of users in the UK.
So a service provider which:
- is not established in the UK; and
- doesn't promote their service as being especially useful or suitable for people in the UK and who avoids "targeting" the UK (e.g. no targeted advertising, no use of a .uk domain, no expressly asking for donations in GBP); and
- who doesn't "monitor [anyone's] behaviour"
should escape the UK GDPR's tentacles, even if they have users in the UK.
What does a provider have to do if they are in scope of the UK GDPR?
I've written plenty about the GDPR, the UK GDPR, and data protection.
I - and I may be alone in this, in the data protection community? - also think that the UK Information Commissioner's Office website is really rather good, if you are not sure where else to look.
There are some interesting questions which I am sure will occupy data protection conversations for quite some time to come:
- are users with moderation rights controllers in their own right (joint controllers with the instance administrator), or processors of the instance admin (and, if so, there must be a valid Article 28 processing agreement in place); and
- the question of international transfers may rear its messy head.
Telecoms (Security) Act 2021
Nope! I wouldn't see a provider of a fediverse service as being in scope.
The (still in draft) Online Safety Bill
I reserved my second sigh for this.
This is still a bill, so there's no obligation right now anyway.
But it is very possible - I'd go as far as to say "likely" - that fediverse services will end up in scope, in particular in terms of the "user-to-user services" rules.
I've written about those before, and how they might impact Free / open source software projects.
Looking through the latest draft bill over the weekend, my view remains that there is no obvious carve-out for people who run platforms as a hobby. There are arguments which one can make in some, limited, contexts, but the ongoing theme of treat-everyone-who-hosts-something-as-if-they-are-Facebook is likely to bite here.
It looks as if there might be an attempt to force this through Parliament soon, but what state it will be in if it does make it through, I don't know. So a "watch this space" rather than "abandon hope immediately".
Other countries' laws
I had ambitions to include references to other countries' laws, in particular:
- the EU GDPR (which may apply whether or not the UK GDPR applies, for similar reasons to those I discuss above in respect of the UK GDPR).
- the EU's TERREG (Regulation 2021/784, addressing the dissemination of terrorist content online).
- the EU's Digital Services Act.
But this post is more than long enough as it is, and I'd better do some "real work" now...
What about single-user instances?
I was asked a great question, as to how much of this - if any - applies to single-user instances, meaning people who host their own fediverse server, for their own use.
The post here focusses on what happens when someone runs an instance and gives access to others. My quick response would be:
- Investigatory Powers Act 2016: still a telecommunications operator, because you control a telecommunication system. But the likelihood of any obligations reaching you seems even more remote than the circumstances above, and, if you are the only user, I cannot see how you could intercept something, let alone do so unlawfully.
- eCommerce Regs: not an information society service. You won't, IMHO, get the protection afforded by the liability shield as a consequence, but since you would be the person who did the infringing act (including by retooting/boosting something infringing), the shield would be unavailable anyway.
- Defamation: same as eCommerce Regs, in that you won't get a statutory shield for your own defamatory content (including boosting others' defamatory content).
- UK GDPR: outside the material scope, in my view, as someone doing it for their own, solely personal, activities.
- Telecoms (Security) Act: still no.
- Online Safety Bill: honestly, it's ambiguous. It makes very little sense, applying most of what is there to someone running their own instance but, based on the definitions, I couldn't 100% rule it out, as other fediverse users will interact with your server. I don't think it has been considered properly.