Hey, i'm a software developer and i'm considering trying to build a site using ActivityPub, but i have a few concerns about it.
My first concern is that if the platform is open source someone can host a malicious version of it, where certain requests may be ignored (such as deletion).
This leads into my next concern which is GDPR, because now i can't be certain that a users data gets deleted upon their request and i'm not certain whether i would be liable since my instance federates with the malicious instance (which may also not be hosted in the EU which is itself problematic, and even if i'm not liable it's still not great).
I considered if it was viable to make the platform invite based somehow, so that it doesn't federate with everything by default, but that also sort of defeats the purpose of using ActivityPub.
The loss of control over content is also something that i don't particularly like, since some people may use their own instance for harassment or something else gross, but i guess that wouldn't be my problem since i just wrote the code and wouldn't have anything to do with the hosting of such sites.
i'd appreciate any feedback since i think the technology and the fediverse is very interesting, i would definitely like to try it out, but i'm not sure how to go about these challenges.
People have been asking the admins directly and never got an answer (AFAIK). Maybe on Mastodon it's been discussed more thoroughly.
But anyway, when you're federating, you're only "sharing" what the user wishes to be public anyway.
You're not federating their personal information (like email address), which is your responsibility when it comes to stuff like data protection and locality. But what your users post online is not your responsibility, as long as you take reasonable precautions against illegal activity etc.
It's not unlike email and such - if a user sends an email from your service, they can request to delete it from your server, but it's not up to you to delete it from recipient's servers.
Considering EU likes to promote interoperability of services, I'd say they are aware of such limitations. Just make sure to make your service compliant, and make users know you have no power over other servers.
I'd assume it would be the malicious service that would be liable if anyone at all. Are you able to delete an email from another service after it's sent under GDPR?