Last night, I read a thoughtful blog post from Sebastian Greger, which examines the challenges of implementing privacy in a decentralized, social web. As a part of my own POSSE plan, I had proposed implementing support for Webmention on This would allow me to track comments, likes, reposts, and other rich interactions across the web on my own site.

Sebastian correctly explains that when you pull in content from social media websites into your own site with the intention of owning the conversation, you are effectively taking ownership of other people's content. This could conflict with the GDPR, for example, which sets tight rules on how personal data is processed and requires us to think more about how personal data is syndicated on the web.

Data protection is important, but so is a decentralized, social web. These conversations, and the innovation that hopefully results from them, are important. If we fail to make the Open Web compliant with data regulations, we could empower walled gardens and stifle innovation towards a more decentralized web.


Ton Zijlstra (not verified):

Hi Dries. .... "when you pull in content".... that's not what happens with Webmention though, is it? Webmention actively pings you to ask you to add a reference to your content to your content. There's no personal data involved in that either, as it sends a URL. Or are you referring to something else (I use Webmention for trackbacks mostly)?

swentel (not verified):

FWIW, I'm going to build in a feature to anonymize display of usernames and avatars in the Drupal module. And there is also which will also be possible to use.

Christian (not verified):

Yes, that's a true point. I'm worried that the new GDPR will make the walled gardens even more powerful and independent/small solutions will have a hard time. The big players are also raising the bar for privacy right now. Still above the requirements of the GDPR. But the real requirements will only become apparent in practice. And hopefully not as strict as currently interpreted by some people.

Mike Gifford (not verified):

This is a big problem. It's a much easier problem if tools like Drupal build in privacy by default policies like I've been suggesting here

GDPR is big, but many of the central elements can be allowed for in Core. Obviously it extends beyond what Drupal itself can do, but for many organizations this will be a big part of their compliance effort.

As far as the decentralized nature, I could be wrong, but each piece of content would probably have a unique identifier. Couldn't sites just ping others in the network with a "delete content" message and have that distribute?

Now that wouldn't guarantee that it would remove that content from the Internet, but it is at least as effective as having someone go to to remove content. Not sure how one would remove content from something like mind you. But don't think that the GDPR requires companies to do anything like that, given it was public.

Together we can figure this mess out and build a best practice that can improve privacy & also allow a more decentralized web. Thanks for highlighting this.
