  Denise ([7] [staff profile] [8]denise) wrote 2022-11-20 12:13 am

[16]A guide to potential liability pitfalls for people running a Mastodon
instance

  I posted [17]a thread on Twitter about potential legal liabilities for
  United States people who decide to run a Mastodon instance, and the
  response made it clear there's a lot of people who could use the
  extended background. So here is a guide to potential liability pitfalls
  for people who are running a Mastodon instance, and how to mitigate
  them. This is mostly US-specific, but I noted which things to think
  about are likely to apply worldwide. This is not legal advice and you
  should contact a lawyer licensed in your jurisdiction for the exact
  details of the liability you're exposed to and a detailed risk
  assessment.
  This is not about just creating a Mastodon account: it's for people who
  are running a Mastodon server. If you just made an account on someone
  else's server, you can safely ignore this.
  Mastodon calls each specific server an "instance". My Twitter thread
  made it super clear that people, even people who are running instances,
  don't know what this means, so having used the Mastodon technical
  language in the intro, I will now shift to calling them "servers" from
  here on out. (In several places I am using more commonly understood
  terms rather than the correct technical terms.)
  I'm only addressing legal/liability issues, not the practicality of
  running a service. Things like "make backups", "keep backups offsite/on
  a different network", "try restoring from backup occasionally to make
  sure they're working", "evaluate every release of every new package
  installed on the machine you're hosting on to weigh security fixes vs
  potential for your platform breaking", "lock down the machine you're
  hosting on to minimize network intrusions", "what kind of content
  moderation policies you should have for social rather than legal
  purposes", etc., are all outside the scope of this document.
  A very kind internet lawyer on Twitter provided a few posts that you
  may want to read for this, although the second was written in 2010 and
  doesn't cover some of the other stuff I'm going to get into:
  * [18]Copywrong Again: Founding the Next Pinterest or Napster?
  * [19]If You Build It, They Will Abuse It

Introduction

  Mastodon is a decentralized ('federated') network that makes it very
  easy for people to start their own Mastodon servers ('instances') and
  communicate with the larger universe ('the fediverse'). The impending
  entropy-related demise of Twitter has been prompting a lot of people to
  start up their own Mastodon servers for them and their friends, and
  people are thinking about them like starting Discord servers. Because
  Discord hosts their 'servers' for you, under their URL and on their
  hardware, the potential liability accrues to Discord, not to the person
  who started a Discord server.
  However, the same isn't true for Mastodon. Because Mastodon servers are
  self-hosted, appear under URLs the server owner controls, and are on
  hardware that server owners arrange the details of, the potential
  liability for anything posted on an individual Mastodon server
  (including content that was originally posted on another Mastodon
  server but appears under your URL due to federation) accrues to the
  individual server owner, not to Mastodon gGmbH, the nonprofit that
  handles the code and oversees the protocol.
  If you control any platform on the internet that accepts user-generated
  content, there are multiple sources of liability that can land on your
  head. Some of them can be mitigated with a few simple actions, some of
  them can be mitigated with policy documents, and some of them you can
  look at and go "this risk is small and the potential outcomes are tiny,
  so my personal risk assessment says that I can ignore it". You need to
  make those decisions with an informed sense of the potential risks,
  however.
  This document is intended to cover the absolute basics of "potential
  liability sources for running an online service in the US". It also
  applies to services that accept user-generated content other than
  Mastodon: if you host your own forum, you should think about these
  things too. It does not apply to services that you don't host/control,
  such as Discord or Slack. The general rule of thumb: if you pay a
  company that isn't the company that makes the product to host it,
  and/or the content appears at a domain you registered and control, this
  all is probably stuff you should think about.

Legal structures and considerations for overall ass-covering

  The absolute safest thing to do, to shield your own personal assets, is
  register a LLC (limited liability company), get a separate bank account
  in the name of the LLC, transfer any assets and liabilities (donations
  you receive / bills you pay) to the LLC, and get insurance in the name
  of the LLC. This is obviously complete overkill for anyone who's
  running a really small server, especially because the annual fees for
  LLC registration are likely to exceed whatever amount your users chip
  in, but if you're running an open-registration server or you exceed
  20-30k users, or you have a lot of personal assets, you should think
  hard about it and talk to a lawyer. (Especially because there are lots
  of ways to fuck up a single-person LLC and lose the liability
  protection.)
  If you decide that registering a LLC is overkill, you should increase
  your own personal insurance coverage. Your homeowners' or renters'
  insurance should let you add an umbrella rider that will give you
  liability coverage (including paying a lawyer to defend you if you're
  sued) relatively cheaply. I recommend a policy minimum of $2m of
  coverage per incident. In 99% of cases, you won't need it in the
  slightest; in that last 1% of cases, it will save your fucking ass.
  If you accept donations, sell merchandise, or collect money in any way,
  the IRS is going to want you to pay taxes on that money. Talk to an
  accountant about how you can minimize your tax liability. If you only
  have small amounts of income related to the enterprise, you can
  probably skate under the radar with only a tiny increase of
  tax-bill-related risk, but the IRS has been leaning on most money
  transfer platforms like PayPal to lower the threshold at which they
  send you tax documents lately. (PayPal used to be $20k, for instance;
  now it's $600.)
  If your money transfer platform issues you a 1099-K at the end of the
  year because you crossed their reporting threshold, that 1099-K has to
  be accounted for on your taxes or else the IRS will 'correct' your
  return. If the IRS corrects your return, they will not apply any
  possible cost-of-doing-business deductions like server hosting cost
  against that income, which can result in you owing way more in taxes
  and penalties than you should.
  Keep track of all of the money you spend on running the server --
  hosting costs, domain registration costs, etc -- and how much money you
  take in. If your money transfer platform issues you a 1099-K, take it
  all to an accountant, fling it on their desk, and say 'help' and they
  will.
  Depending on the activity of your users, you may receive contacts from
  law enforcement asking you for information about your users. I get into
  that at the very end of the document.

Copyright

  The relevant section of US law that applies to US-based online
  platforms is [20]17 USC §512 aka the DMCA aka the Digital Millennium
  Copyright Act. It says that online platforms are not liable for the
  copyright violations posted by their users if they 1) do not have
  "actual knowledge" of infringing activity and 2) register a designated
  agent with the US Copyright Office to receive and handle reports of
  copyright violations on your platform and post a notice saying who your
  designated agent is.
  Even if you have a single-user Mastodon server, the fact Mastodon can
  cause federated content (other people's posts) to show under your URL
  means that you should register a designated agent. If a rightsholder
  sees the YourServer copy of an infringing post, they will go after you
  because it appears under your URL. The recent surge in "automated DMCA
  enforcement" copyright troll legal shops means that you should register
  a designated agent, check the email address you give regularly for
  copyright violation DMCA notices, and follow the process set forth in
  the law for handling them.
  You register a designated agent by [21]signing up with the Copyright
  Office. You used to be able to use a PO box, but they've changed that:
  you must give an actual street address (although I've seen people still
  registered with PO boxes, so they might not check very hard). If you
  have security or doxxing concerns, find a private mailbox service that
  gives you a 'real' looking street address. The cost to register a
  designated agent is $6 and you're required to re-register every 3 years
  or whenever there's a meaningful change in your registration
  information. (Note that the copyright office [22]sends you your renewal
  notice three months early, and if you renew the second you get the
  notice, you lose 3 months' worth of fee you paid. It's only $.25, but
  it's the principle of the thing.)
  You can look at [23]our DMCA policy for an overview of what a DMCA
  notice is required to contain and what the process looks like. You need
  to post a similar document on your platform. (Ours is CC-BY-SA and you
  can use it if you want. Please do note -- I'll get to it in a second --
  that we deliberately assume a small amount of potential legal risk to
  mitigate some of what we feel are the worst abuses of the DMCA
  process.)
  If you get a DMCA notice that doesn't contain all 6 required items, you
  can tell the rightsholder that they need to revise their notice. When
  you receive a notice that contains everything it needs to contain,
  you're required by law to "respond[...] expeditiously to remove, or
  disable access to, the material that is claimed to be infringing or to
  be the subject of infringing activity". In practice, this means "do it
  as soon as you get it"; the exact definition of "expeditiously" is
  fuzzy.
  Once you've disabled the material that's claimed to be infringing, the
  person who posted it can file a counter-notification saying that they
  don't believe their use of the content is infringing. If they file a
  counter-notification, you need to forward the counter-notification to
  the person who filed the DMCA notice so they can file a lawsuit over
  use of the material if they disagree. If you do get a notice that the
  rightsholder has filed a lawsuit, the material needs to stay down. If
  you don't get a notice that the rightsholder has filed a lawsuit, you
  need to restore access to the material that's claimed to be infringing
  no sooner than 10 days and no later than 14 days.
  The law requires you to "provide[...] for the termination in
  appropriate circumstances of subscribers and account holders of the
  service provider's system or network who are repeat infringers". The
  definition of "repeat offender" is not articulated in the law; most
  providers have settled on a "3 strikes" or "5 strikes" policy.
  The risk we deliberately and consciously assume is that we allow for a
  "I'm not going to file a counternotification but I feel that my use
  here is fair use" response from the user who posted the allegedly
  infringing material that doesn't count as a "strike" for the purposes
  of determining repeat-offender status. This is because filing a
  counternotification means providing all your contact information to the
  person who filed the original DMCA notice, so it's a very common abuse
  tactic for someone to file a flood of complete bullshit DMCA claims
  against someone whose contact information they want to get so they
  either nuke the person's social media account or force them to turn
  over personal information. Our policy adds a tiny bit of risk to us in
  exchange for closing off that attack vector; we're willing to do that
  because subsequent case law has acknowledged that providers can reject
  notices that aren't issued in "good faith".
  That precedent, established in [24]Lenz v. Universal Music Corp., 801
  F.3d 1126 (9th Cir. 2015), says that providers should conduct a fair
  use analysis before accepting any DMCA notice (and rightsholders should
  conduct a fair use analysis before issuing any DMCA notice, but good
  fucking luck there). If you're willing to get down into the weeds of
  copyright law and really stay on top of case law, and you're
  comfortable with assuming a small amount of extra risk, you can reject
  notices for content you believe is fair use or notices you feel are
  issued for abusive purposes and tell the rightsholder that you won't be
  processing the notice. It is a risk, though, and if you're in a life
  situation where you need to be more risk-averse, just process every
  notice you get that has the six required elements.
  Failure to comply with the steps necessary to claim "safe harbor" under
  the DMCA opens you up to being held liable for any copyright
  infringement on your server. Court judgements for copyright violations
  can be absolutely massive -- starting at six figures and only going up
  -- so you should do everything you can to comply.
  The DMCA itself only applies to servers hosted in the US. However, it
  implements several WIPO international treaties, and most other
  countries have some form of similar obligation placed on server
  operators to handle copyright violations on their server. (The EU's
  2019 Copyright Directive and Australia's News Media Bargaining Code are
  much more brutal, for instance.)

The Children's Online Privacy Protection Act (COPPA)

  The Children's Online Privacy Protection Act of 1998 (COPPA) is a
  United States federal law, located at 15 USC §§6501-6506. (Read it
  online by [25]starting with 6501 and keep hitting 'next' until you get
  to 6506.) It specifies loads of things you need to do in order to
  collect data from children under 13, including getting parental consent
  to let someone under 13 create an account.
  Complying with those things you need to do to let someone under 13
  create an account (and being able to prove that you've complied with
  them if the FTC ever comes knocking) is fucking irritating. In
  practice, almost every service in the US that's not specifically aimed
  at kids complies with COPPA by not letting children under 13 register
  for their service, usually by requiring users to submit their date and
  year of birth when they register and blocking registration from anyone
  whose DOB makes them under 13. (If you lack the ability to block
  registration from anyone under 13 after verifying DOB, don't accept the
  DOB information; just put "you must be 13 to hold an account on this
  service" in a very prominent place in your signup pathway. If you
  collect the DOB but can't act on it, it's affirmative proof that you
  knew the user was under 13 and let them sign up anyway.)
  The FTC is the regulatory agency that enforces COPPA, and it does not
  fuck around. The largest COPPA violation fine ever issued was against
  TikTok, for $5.7 million. Penalties are "up to $43,280 for each
  violation", assessed against the service. Fortunately, risk mitigation
  is easy: just don't let anyone under 13 sign up for your server. As
  long as you're not "directing your service" to people under 13 and you
  don't allow signups by people under 13, you don't trigger any of
  COPPA's recordkeeping and permissions requirements. (The exact details
  of what counts as "directing your service" to children live at [26]16
  CFR §312.2.)
  The FTC has [27]a useful FAQ on COPPA compliance.
  This is US legislation, but the US enforces it against any platform
  that accepts signups from the US, even if the platform is not US-based.
  Enforcement is significantly less likely if you're based outside the US
  and don't deliberately market to children or make your site "directed
  to children" as defined above, but unless you specifically want to
  allow kids on your server, just block registration from anyone under
  13.

Child sexual abuse material

  "Child sexual abuse material" (CSAM) or "child sexual exploitation
  material" (CSEM) is the preferred term for what people (including,
  regrettably, US lawmakers) call "child pornography".
  The law around it is a giant messy ball of scenarios, exceptions,
  exceptions to the exceptions, etcetera, and I can only cover the bare
  minimum. There are multiple levels of liability involving CSAM. The
  strictest, [28]18 USC §2251, covers "any photograph, film, video,
  picture, or computer or computer-generated image or picture, whether
  made or produced by electronic, mechanical, or other means, of sexually
  explicit conduct" in which a minor (someone under 18) is "engaging in
  sexually explicit conduct", or "is a digital image, computer image, or
  computer-generated image that is, or is indistinguishable from, that of
  a minor engaging in sexually explicit conduct", or "such visual
  depiction has been created, adapted, or modified to appear that an
  identifiable minor is engaging in sexually explicit conduct" ([29]18
  USC §2256(8)). This covers photo and video of a minor or a
  computer-generated image indistinguishable from a minor engaged in
  sexually explicit conduct.
  Drawn/artistic images of an apparent minor engaged in sexually explicit
  conduct, or written depictions of an apparent minor engaged in sexually
  explicit conduct, or "material that is harmful to minors" ("any
  communication, consisting of nudity, sex, or excretion"), that are also
  "obscene" are in the second category. The definition of obscenity was
  set forth in the court case [30]Miller v California, 413 U.S. 15
  (1973), and has been back-adopted into the US code in a few places,
  this included. The definition of obscenity is material that, "taken as
  a whole and with reference to its context,
  1. predominantly appeals to a prurient interest of minors;
  2. is patently offensive to prevailing standards in the adult community
  as a whole with respect to what is suitable material for minors; and
  3. lacks serious literary, artistic, political, or scientific value for
  minors."
  If you find any of the following on your server, whether it's locally
  posted or federated content:
  * photo or video of a minor engaged in sexually explicit conduct or
  computer-generated images that are indistinguishable from a minor
  engaged in sexually explicit conduct ([31]2251, [32]2252);
  * someone advertising that they have images or video of a minor engaged
  in sexually explicit conduct for sale anywhere else on the internet
  ([33]2252A);
  * someone attempting to induce a minor to produce images of themselves
  engaged in sexually explicit conduct ([34]2251);
  * someone attempting to buy or sell a minor for the purposes of
  producing images or video of sexually explicit conduct ([35]2251A);
  * someone linking to a domain name that misleads someone into viewing
  "material that is harmful to minors" that is also obscene ([36]2252B,
  [37]2252B(d) for the definitions);
  you must follow the reporting requirements in [38]18 USC §2258A to
  report it to the National Center for Missing and Exploited Children
  (NCMEC)'s [39]CyberTipline. You used to need to register with them to
  make a report, but pleasantly, they've changed that; these days you can
  just [40]report it without the account.
  You are affirmatively required by [41]18 USC §2258A to "preserve any
  visual depictions, data, or other digital files that are reasonably
  accessible and may provide context or additional information about the
  reported material or person" and "maintain the materials in a secure
  location and take appropriate steps to limit access by agents or
  employees of the service to the materials to that access necessary to
  comply with the requirements of this subsection". This means you must
  not delete it and the associated information about the poster until law
  enforcement tells you that you can, but you do have to make it
  not-visible.
  As long as you follow these obligations, [42]18 USC §2258B immunizes
  you from criminal or civil liability for any CSAM posted to your server
  (unless you act or fail to act with "actual malice or reckless
  disregard", which practically speaking means "you knew people were
  trading CSAM on your server or any reasonable person would have been
  able to figure out people were trading CSAM on your server").
  Material that is not in one of those "mandatory reporting" categories
  but does fall into the wider universe of "stuff involving minors that
  is only illegal if it is also obscene" doesn't need to be reported to
  NCMEC, but you may still be liable for it. (See [43]United States v
  Thomas Arthur, in which Mr Arthur was convicted of possessing CSAM
  images, but also of multiple counts of running a website that contained
  no CSAM but did contain written depictions of erotic activity involving
  minors that he did not personally author but were hosted on his site.
  It's Western District of Texas, which is massively conservative and the
  "contemporary prevailing community standards in the adult community" is
  extremely conservative for the determination of the Miller test: still,
  hosting the website added an extra 15 years to his sentence.)
  [44]18 USC §2258A affirmatively does not require you to proactively
  search your service or monitor your users for violations of any of
  these laws. If you do want to, however, a consortium of researchers,
  online providers, and law enforcement agencies have developed
  [45]PhotoDNA, a service that lets you compare images your users upload
  to a database of hashes of known CSAM material. (The service, operated
  by Microsoft in partnership with law enforcement, doesn't store the
  CSAM itself; NCMEC and the International Center for Missing and
  Exploited Children perform mathematical operations on the images to
  produce a "fingerprint" that's used for the comparison.) They offer a
  [46]cloud-based API that you can use, and the service is free.
  Whether or not small providers should use PhotoDNA is a hotly debated
  topic in content moderation that I'm not going to get into here,
  because I'd be writing this all week. It's immensely helpful in letting
  services find CSAM trading rings they otherwise wouldn't; it's also an
  opaque effort by a public-private-law enforcement consortium that's had
  some but not exhaustive levels of scientific validation and is, by
  necessity, somewhat of a black box system. (To say nothing of the
  technical hassle of setting it up.)
  The laws in this section only apply to people and servers located in
  the US. If you are outside the US, please get legal advice on the
  obligations your country imposes on providers regarding CSAM. It is
  the single thing you absolutely should not fuck around with.
  (Especially if you are in Australia, whose laws are fucking ridiculous
  about anything that even gestures near CSAM.)

General Data Protection Regulation and Digital Services Act

  The [47]GDPR (General Data Protection Regulation) and [48]DSA (Digital
  Services Act) are EU regulations having the force of law in the EU.
  (GDPR still applies in the UK despite the UK having left the EU; GDPR
  also applies in countries that are members of the European Economic
  Area that are not also EU members.) GDPR is a privacy and data
  protection law; DSA is a law about illegal content online (and how
  services handle/moderate it, and how they keep their users informed of
  their moderation policies).
  If you're in an EU country or an EEA country, and you're reading this
  for the framework of "what possible things should I ask someone who
  knows more about EU law about", please skip this section and go find a
  lawyer who's licensed in the EU and familiar with GDPR and DSA. I am
  directing this section at US platforms only.
  Both GDPR and DSA are supposed to apply to any service, even those from
  outside the EU, that has EU users.
  The important parts of GDPR:
  * you can't process someone's data unless you have a "lawful purpose";
  * consent to process data must be "a specific, freely-given,
  plainly-worded, and unambiguous affirmation given by the data subject";
  * you must have a "concise, transparent, intelligible and easily
  accessible" privacy policy;
  * you must "provide, upon request, an overview of the categories of
  data that are being processed" as well as "a copy of the actual data";
  * you must allow people to opt out of being tracked for marketing
  purposes;
  * you must allow people to request the erasure of all the data you have
  stored on them;
  * you must not transfer data of EU citizens outside the EU without
  consent;
  * you must report data breaches to EU regulators within 72 hours of you
  discovering them, as well as to your users;
  * you must design all new features with data protection in mind;
  * you must get GDPR compliance certifications from any company you send
  data to, including the operators of any plugins.
  Further obligations are imposed on any business that has more than 250
  employees globally, which is not likely to be an issue for anyone
  running a Mastodon server, and if it is you probably have enough
  resources to get actual legal advice.
  Practically speaking, small US services are very unlikely to ever run
  into GDPR compliance issues. A few folks got somewhat into the weeds of
  what features Mastodon offers server admins to comply with GDPR in my
  Twitter thread, and the consensus was that as long as you have a
  written privacy policy you are probably okay, especially if you're in
  the US. Our lawyer's conclusion, for DW, was that our existing
  practices and privacy policy were good enough, and we were small
  enough, that our risk exposure was very low, and Mastodon server
  operators in the US are probably even more protected because GDPR only
  applies to entities engaged in "economic activity". Absolutely do not
  take my word for it, though; talk to an actual lawyer with experience
  in GDPR compliance.
  Some Mastodon servers are blocking any server that's located in the EU
  and restricting signups to avoid having any EU citizen data on their
  server. That's one way to minimize your GDPR risk exposure, and if
  you're really risk-averse, I recommend it.
  The Digital Services Act covers the liabilities and responsibilities of
  services around notice-and-takedown of illegal material, disinformation
  and harmful content, and algorithmic targeting and advertising
  targeting. It isn't in effect yet -- providers have until January 1,
  2024 to come into compliance. It is exceptionally vague, offers little
  in the way of implementation guidelines, and nobody has any idea yet
  what it's going to look like in practice. It is a fucking terrible law.
  We are all mostly waiting around until someone comes up with some best
  practices we can all just copy, especially because "micro-enterprises"
  are exempted from the worst of the requirements. Make a note to check
  around in six months or so and see what US businesses with no EU
  presence and minimal EU users come up with.

California Online Privacy Protection Act (CalOPPA)

  [49]CalOPPA is California's version of GDPR (thankfully without a lot
  of the really cumbersome bits). You need to follow it if you have any
  California-based users. It requires that you:
  1. have a privacy policy;
  2. that is prominently linked on your homepage or on every page of your
  site;
  3. that you comply with;
  4. and includes information about:
  a) categories of personally identifying information you collect;
  b) all third parties with whom you may share personally identifying
  information;
  c) a description of the process by which your users can request changes
  to their personally identifying information;
  d) a description of how you'll notify your users about any major
  changes to your privacy policy;
  e) the effective date of the privacy policy.
  "Personally identifying information" is defined as: first and last
  names, physical address, email address, telephone number, Social
  Security number, any other contact information both physical or online,
  date of birth, details of physical appearance, and any other
  information stored online that may identify an individual.
  As long as you have a privacy policy, your privacy policy contains all
  of that required information, and you follow the privacy policy, you're
  good here. Our [50]privacy policy is also CC-BY-SA, but you shouldn't
  use it wholesale: it needs a lot of editing for your actual situation,
  and it would not hurt to run it by a lawyer.

FOSTA/SESTA

  [51]FOSTA/SESTA are bills passed in the US that became law in 2018.
  They are absolute fucking vague and damaging bullshit. They basically
  say that anything having to do with "knowingly assisting, facilitating,
  or supporting sex trafficking" means that [52]Section 230 immunity
  doesn't apply.
  What constitutes "knowingly assisting, facilitating, or supporting sex
  trafficking"? We don't fucking know! What distinguishes consensual sex
  work from sex trafficking for the purposes of this law? You know the
  legal system is trying to say that all consensual sex work is actually
  sex trafficking. (Obligatory reading: the [53]Backpage saga.) Only one
  person [54]has been prosecuted under FOSTA/SESTA so far, the owner of
  the now-defunct CityXGuide, and that was in the Northern District of
  Texas, which, like its Western cousin, is also famously conservative
  about anything involving sex work. Some sites interpret their
  obligations as "you can't have any sex workers on the platform"; some
  interpret it as "you can have sex workers on the platform but they
  can't talk about sex work". Switter, [55]a platform for sex workers,
  ran into multiple issues finding providers that would provide them
  services because of FOSTA/SESTA; they were a Mastodon server with some
  tweaks.
  Many, many, many sex workers have written excellent analyses of the
  regulatory and legal backdrop involving discussion of sex work online
  and how platforms and providers address (or don't address)
  distinguishing consensual sex work from coercive sex trafficking, and I
  urge you to find some of them and read their excellent work.
  ([56]Ashley Lake posts a lot about the topic; she's a great starting
  point.)
  What you do about this will, like almost everything else in this guide,
  come down to what your personal risk tolerance level is.

Other countries' laws

  India has just passed the "Information Technology (Intermediary
  Guidelines and Digital Media Ethics Code) Rules 2021"; Russia has
  Federal Law No. 530-FZ (On Amendments to the Federal Law "On
  Information, Information Technologies and Information Protection"), the
  UK has a pending, not-yet-passed "Online Safety Bill", various other
  countries have their own laws regulating social media, etc. All of them
  try to define "bad stuff you must take down" and "reports you need to
  make to us". Most of them kick in at a certain size threshold (Russia's
  strictest laws only apply to sites with over 500,000 users a day; some
  countries go by numbers of employees, etc.) Russia even goes so far as
  to say that you can't hold any data on Russian users on servers that
  are physically located outside of Russia.
  Many countries have some form of "internet ministry" that keeps a
  registry of sites on the Naughty List and requires ISPs in that country
  to use the naughty list as a blocklist/filter list for all of their
  customers. Russia's is [57]Roskomnadzor aka Rozkom (fuck Rozkom,
  seriously); the UK is proposing to give that ability to [58]Ofcom;
  China has the whole Great Firewall run by the [59]Cyberspace
  Administration of China, etc.
  Rozkom will regularly send you nastygrams if someone inside Russia
  found your platform and discovered content that they don't like,
  including content that is "unreliable information" or "spreads
  anti-Russian materials". They will tell you that you have to take it
  down or else (the "or else" is rarely explicitly spelled out). Assuming
  you're in the US and do not visit Russia, you can safely ignore Rozkom
  (because fuck Rozkom, seriously). We send all their mail directly to
  trash and never even look at it; we are, correspondingly, blocked in
  Russia, but almost everyone in Russia knows how to access the internet
  by VPN or Tor anyway.
  If you wind up with a large number of Russian dissidents on your
  service, Rozkom may send you individualized reports that aren't from
  the same source as their semi-automated nastygrams, asking you to
  remove content or asking for information about your users like IP
  addresses, etc. Do not give them any information unless they
  domesticate a subpoena in the US (more about that later). I,
  personally, judge my personal risk such that, after having refused at
  least one request for user information, I will not physically visit
  Russia or any state that has close communication with Russia (such as
  Belarus), but we have a lot of Russian dissidents on DW who came over
  from LJ when LJ got sold to a Russian company, I've directly done
  multiple things that annoyed the current owners of LJ aka the state
  bank of Russia aka Putin's cronies, and also, I'm queer. This
  resolution is likely overkill for anyone who has not directly and
  personally pissed off one of Putin's cronies. (You will know if you
  have directly and personally pissed off one of Putin's cronies.)
  China's CAC rarely contacts actual platforms; they handle all their
  censorship via the Great Firewall. You may wind up on the Great
  Firewall, but again, people living inside China with ties to the
  non-Chinese internet are very good at VPNs and proxies.
  The UK has not yet passed the Online Safety Bill (and if you're in the
  UK and reading this: call your MP and tell them it's a fucking terrible
  law and they should not pass it). If they do, you'll have to calculate
  whether you have enough users in the UK that Ofcom blocking you would
  be massively disruptive. (If you're a user in the UK, you might want to
  download a good VPN that will let you set your location to outside of
  the UK if the OSB passes, because a lot of small US-based sites are
  just going to go ahead and get blocked rather than complying with the
  bullshit, but you probably already have one for all the US sites that
  block EU users because of GDPR.)
  Various other countries may occasionally try to contact you asking for
  information about your users or asking you to remove content that they
  think violates their laws. As I mentioned above, our policy is that
  anyone who wants information from us must obtain a domesticated US
  court order requiring us to provide that information before we will,
  unless the country has entered into an agreement with the US under the
  [60]CLOUD Act and the data being requested is covered by the CLOUD Act.
  (The list of countries with reciprocal agreements is maintained by
  [61]the Justice Department and is currently the UK and Australia.) We
  do not remove material that's illegal under another country's laws but
  not US law, unless we believe the material violates our Terms of
  Service in some other way.

The Stored Communications Act, National Security Letters, and law enforcement
requests for data

  The Stored Communications Act, [62]18 USC Chapter 121, covers the
  details of what you can and can't disclose about your users' private
  communications. In practice, the exact details of what the SCA applies
  to are fuzzy for social media where some communications are intended to
  be public and some are intended to be private or for a limited audience
  of recipients. You should generally treat any post other than
  completely public as covered by the SCA.
  Based on all the government subpoenas and warrants I've ever had to
  handle during my entire career, I will note that some law enforcement
  agencies write their warrants very specifically -- asking only for
  metadata and subscriber information and not any stored communications
  -- and some agencies write their warrants extremely sloppily. (The US
  Marshals Service, the agency that handles federal arrest warrants and
  violations of federal parole, among other things, gets my gold star for
  the most narrowly-scoped search warrants I've ever seen, for the
  record.)
  [63]18 USC §2702 covers when you are permitted to voluntarily disclose
  the contents of private communications that are covered by the SCA:
  1) when you're disclosing the communication to the person the poster
  intended it to be seen by;
  2) under circumstances covered by [64]18 USC §2517, [65]18 USC
  §2511(2)(a), or [66]18 USC §2703;
  3) when the poster authorizes you to disclose it;
  4) when you're disclosing it to a service or provider that's
  responsible for getting it to where it's intended (ie, you can send it
  to another Mastodon server if the recipient is on that Mastodon
  server);
  5) if disclosing it is necessary for "protection of the rights or
  property" of your server;
  6) if you're reporting something to NCMEC as you're required to by
  [67]18 USC §2258A;
  7) to law enforcement, if you became aware of the contents through the
  normal administration of your server and you reasonably believe it
  involves the commission of a crime;
  8) to a government, if you "in good faith, believe[...] that an
  emergency involving danger of death or serious physical injury to any
  person requires disclosure without delay of communications relating to
  the emergency";
  9) to a foreign government, "pursuant to an order from a foreign
  government that is subject to an executive agreement that the Attorney
  General has determined and certified to Congress satisfies section
  2523" (aka [68]18 USC §2523).
  [69]18 USC §2703 covers when you are required to disclose the contents
  of communications covered by the Stored Communications Act: when you
  receive a search warrant or subpoena that was issued by a United States
  court, or a foreign search warrant from a country that has reciprocity
  with the US (as covered by [70]18 USC §2523). (The list of countries
  with reciprocal agreements is maintained by [71]the Justice Department
  and is currently the UK and Australia.)
  If you disclose the contents of communications covered by the Stored
  Communications Act when you shouldn't, you can incur liability. The
  safest stance to take is that you categorically will not disclose the
  contents of any subscriber data, whether that's "limited-reach post,
  DM, PM, or other private communications covered by the SCA" or
  "metadata and subscriber records such as saved IP addresses used to
  access the site, email address provided at registration, and the
  recipient of communications but not the actual contents", without a
  search warrant unless it's reporting CSAM to NCMEC as required by
  [72]18 USC §2258A.
  You are allowed to charge the requesting agency for complying with a
  subpoena to produce electronic records. The exact amount you're allowed
  to charge varies by state law and whether it's a state agency or a
  federal agency. You are also allowed to object to a subpoena on the
  grounds that the data it requires you to produce is "not reasonably
  accessible because of undue burden or cost". This isn't something you'd
  DIY; if you want to charge a fee or move to quash the subpoena because
  of undue burden, you will need a lawyer.
  There's a small chance you may also receive a [73]National Security
  Letter, asking for metadata about a user or a post. NSLs can't be used
  to access "stored communications", only metadata. NSLs are authorized
  by [74]the Electronic Communications Privacy Act of 1986, certain parts
  of the [75]PATRIOT Act of 2001, several reauthorizations of the PATRIOT
  Act in subsequent years, and various case law (all of which mostly
  concern [76]18 USC §2510-2523). NSLs do not need to be signed by a
  judge and do not need to be ordered by a court.
  If you do get one, it is likely that the NSL will include a
  nondisclosure provision, ie "you can't tell anyone you got this
  letter", if the director of the FBI certifies "that otherwise there may
  result a danger to the national security of the United States;
  interference with a criminal, counterterrorism, or counterintelligence
  investigation; interference with diplomatic relations; or danger to the
  life or physical safety of any person". The constitutionality of the
  nondisclosure provision has been litigated multiple times; some of the
  worst abuses have been mitigated. However, if you get a NSL, you should
  immediately find a lawyer who's experienced in handling NSLs who can
  tell you what to do and whether you can contest the NSL. If you freeze
  at the thought of trying to find someone, call [77]the EFF, and read
  their whole back catalog of posts about NSLs.
  In my entire career of doing this stuff, no site I've ever worked for
  has ever received a NSL: it's rare for smaller sites to get them unless
  you attract a userbase that may be under investigation for potential
  terrorist acts or violations of national security. (I would bet cash
  American money that Truth Social and Gab have each gotten at least
  one.) I'm including information on this mostly so that, on the
  extremely off chance you do get one, you don't freak out. Don't post
  about getting it, don't tell your SO/friend/partner/therapist/etc about
  getting it, just call the EFF. Don't tell them you got one, either: say
  "I need a referral to a lawyer who is experienced with National
  Security Letters" rather than saying "I got a NSL and need a lawyer for
  it".

End notes

  I will repeat that this document isn't legal advice; it's intended only
  to familiarize you with concepts that you potentially will have to deal
  with if you run any platform of any size that accepts or displays
  user-generated content in any way. I've had to deal with every
  consideration on this list except FOSTA/SESTA and National Security
  Letters at some point in my career, and the point at which you should
  be familiar with them is fewer users than you think.
  I would say that DMCA notices are the ones you're likely going to have
  to deal with first out of everything on this list, and the way Mastodon
  handles federation means that you could see your first at very, very
  few users. If you are very lucky, you won't ever have to deal with CSAM
  ever, but it's also possible you may have to deal with "someone over
  the age of 18 is soliciting nudes from someone under the age of 18"
  relatively early, and yes, that does count as something you have to
  report to NCMEC (under [78]18 USC §2251) if you are made aware of it.
  COPPA, GDPR, and CalOPPA are things you can cover your ass on by having
  a privacy policy that covers everything you do with data and preventing
  anyone under the age of 13 from registering for your server.
  I didn't mention it anywhere in this document, but you should also have
  a formal Terms of Service, distinct from the privacy policy and DMCA
  policy but incorporating them by reference. Our [79]Terms of Service is
  also CC-BY-SA, and you're welcome to use it as a basis for yours as
  long as you edit the parts that refer to our specific company name and
  contact information. (I've also done recent Twitter threads about the
  Terms of Service of another newly created social media platform that
  covered a lot of issues I found with that site's ToS; if you have
  questions about any of the clauses in the ToS, why they're there, or
  what they mean, I can answer those in general terms.) (But again, it's
  not legal advice and you should talk to a lawyer who is competent in
  drafting Terms of Service and doesn't just copy and paste clauses from
  other places.)
  Since I'm posting this for a wider audience, I will leave this post
  open to discussion from people who don't have a DW account. If you
  choose 'anonymous' as a response type, please sign your comment with
  some form of name or pseudonymous identifier so I can identify multiple
  comments from the same person! You can also log in using [80]OpenID if
  you have an account somewhere on the internet that serves as an OpenID
  provider.
    __________________________________________________________________

    * [81]21 comments

  [85]brainwane: My smiling face, including a small gold bindi (Default)

no subject

  [86][personal profile] [87]brainwane 2022-11-20 05:39 am
  (UTC)([88]link)
  Thanks for writing this up - will link to it in talking with my
  instance admins.

  [94]denise: Image: Me, facing away from camera, on top of the Castel
  Sant'Angelo in Rome (Default)

no subject

  [95][staff profile] [96]denise 2022-11-20 05:51 am (UTC)([97]link)
  You're very welcome!

  [102]technoshaman: GQ Nebula pride flag (purple over white over green)
  by Laurie Ray (they/them) (gq)

THANK YOU!

  [103][personal profile] [104]technoshaman 2022-11-20 06:43 am
  (UTC)([105]link)
  This is a YUGE service. Interesting to know that the EU's answer to
  DMCA is *worse* than ours...

  [111]denise: Image: Me, facing away from camera, on top of the Castel
  Sant'Angelo in Rome (Default)

Re: THANK YOU!

  [112][staff profile] [113]denise 2022-11-20 07:14 am (UTC)([114]link)
  Yes, here's a good article about all the problems it has:
  [115]https://www.techradar.com/news/eu-copyright-directive-what-does-it-mean-and-should-you-be-worried

  [123]ratcreature: RatCreature as a sloth (sloth)

Re: THANK YOU!

  [124][personal profile] [125]ratcreature 2022-11-20 10:48 am
  (UTC)([126]link)
  The run up to that law was so far the only time I actually looked up
  who my local representatives in the EU parliament and their positions
  were and wrote annoyed emails. Some of the draft proposals were even
  worse than the end result iirc, so maybe all the outrage had some
  impact at least.

  [134]denise: Image: Me, facing away from camera, on top of the Castel
  Sant'Angelo in Rome (Default)

Re: THANK YOU!

  [135][staff profile] [136]denise 2022-11-20 08:03 pm (UTC)([137]link)
  Yeah, the whole thing is just garbage. I seriously hope it doesn't
  pass.

  [145]ratcreature: FAIL! (fail!)

Re: THANK YOU!

  [146][personal profile] [147]ratcreature 2022-11-20 08:15 pm
  (UTC)([148]link)
  I think the EU passed the directive, but is now suing a bunch of
  governments because only four countries (Germany, Netherlands, Malta
  and Hungary) passed national laws within the deadline...

  [153]elendraug: (Default)

no subject

  [154][personal profile] [155]elendraug 2022-11-20 07:44 am
  (UTC)([156]link)
  Thank you so much for this.

  [159]pauamma: Cartooney crab wearing hot pink and acid green facemask
  holding drink with straw (Default)

no subject

  [160][personal profile] [161]pauamma 2022-11-20 12:29 pm
  (UTC)([162]link)

    I will not physically visit Russia or any state that has close
    communication with Russia (such as Belarus)

  I would add to that (for you or anyone similarly situated) not to fly
  through Russian airspace or that of a client country, or close enough
  to either that your flight may end up landing there in an emergency or
  if someone calls in a fake bomb threat (*cough*Belarus*cough*).

  [165]ilyena_sylph: (Dreamwidth "d", rainbow-colored by Sophie)
  (Dreamwidth)

no subject

  [166][personal profile] [167]ilyena_sylph 2022-11-20 03:55 pm
  (UTC)([168]link)
  I love that you are able to do this again with everything in me.

  [171]badgermind: (Default)

no subject

  [172][personal profile] [173]badgermind 2022-11-20 05:51 pm
  (UTC)([174]link)
  Thank you :)

  [177]owl: Stylized barn owl (Default)

no subject

  [178][personal profile] [179]owl 2022-11-20 05:51 pm (UTC)([180]link)
  How do you think the Online Safety Bill is likely to affect DW if it
  gets passed?

  [186]denise: Image: Me, facing away from camera, on top of the Castel
  Sant'Angelo in Rome (Default)

no subject

  [187][staff profile] [188]denise 2022-11-20 08:04 pm (UTC)([189]link)
  We'll likely treat it the same way as Rozkom's demands: "we will not
  comply, if that means you block us, you block us". Get a VPN.

  [197]owl: Stylized barn owl (Default)

no subject

  [198][personal profile] [199]owl 2022-11-21 03:41 pm (UTC)([200]link)
  Already have one. I'm writing to my MP about this, anything in
  particular I should include as a problem? (I mean, it's mostly all
  terrible, but leaning on two or three points is probably more
  effective).

  [205]sporky_rat: Jonathan Frid as Barnabas Collins looking classy af
  over his silver headed cane (classy af yo)

no subject

  [206][personal profile] [207]sporky_rat 2022-11-20 10:40 pm
  (UTC)([208]link)

  "(The US Marshal's Service, the agency that handles federal arrest
  warrants and violations of federal parole, among other things, gets my
  gold star for the most narrowly-scoped search warrants I've ever seen,
  for the record.)"

  Grandfather was always very fond of dealing with them because they were
  very specific in what they wanted.

  [214]denise: Image: Me, facing away from camera, on top of the Castel
  Sant'Angelo in Rome (Default)

no subject

  [215][staff profile] [216]denise 2022-11-21 06:16 am (UTC)([217]link)

  Their agents are also extremely clear about not wanting anything but
  EXACTLY what's in the warrant, which I appreciate! (I mean, I have
  never worked at a place that would volunteer any more than exactly what
  was on the warrant, but I appreciate that they're that clear.)

  [222]gwendolyngrace: (Default)

no subject

  [223][personal profile] [224]gwendolyngrace 2022-11-20 11:37 pm
  (UTC)([225]link)
  Thank you for this!

  [228]slybrarian: A stylized lightning bolt in gold, on a black circular
  gear. (Default)

no subject

  [229][personal profile] [230]slybrarian 2022-11-21 03:18 am
  (UTC)([231]link)
  Thank you, I will definitely be sharing this with the folks running my
  instance. I like the general idea of Mastodon, but I do wonder how well
  it can scale up beyond managing the low single-digit number of users
  without running into legal and technical issues in the modern digital
  environment. Hopefully the actual developers are also paying attention
  and making sure the software has the management tools needed to keep
  the instance managers safe.

  [234]squirrelitude: (Default)

no subject

  [235][personal profile] [236]squirrelitude 2022-11-21 05:53 pm
  (UTC)([237]link)
  In your estimation, how practical would it be to have a person or small
  group that simply routed DMCA requests/responses for a collection of
  instances? They'd pay the small fee and provide a public face, and then
  just... route. They'd have to be trustworthy, moderately discreet, and
  have sufficient executive function. Can you foresee any issues that
  would arise with such a model?

  [243]denise: Image: Me, facing away from camera, on top of the Castel
  Sant'Angelo in Rome (Default)

no subject

  [244][staff profile] [245]denise 2022-11-22 12:40 am (UTC)([246]link)
  There are loads of companies that offer this model today! We don't use
  them because we can do it ourselves and not waste the money for
  essentially forwarding mail, and they don't do the necessary fair use
  calculations etc because most of them aren't lawyers, but "someone
  whose name and address you can put on the paperwork and they'll forward
  you all well-formed notifications" is a service you can buy.

  [251]cesy: "Cesy" - An old-fashioned quill and ink (Default)

no subject

  [252][personal profile] [253]cesy 2022-11-21 09:23 pm (UTC)([254]link)

  For anyone in the UK, here is a starting point:
  https://decoded.legal/blog/2022/11/notes-on-operating-fediverse-services-mastodon-pleroma-etc-from-an-english-law-point-of-view

  Copyright © 2009-2022 Dreamwidth Studios, LLC. [289]Some rights
  reserved.

References

  1. https://www.dreamwidth.org/support/faq
  2. https://www.dreamwidth.org/go?dir=prev&itemid=91757&journal=denise
  3. https://www.dreamwidth.org/go?dir=next&itemid=91757&journal=denise
  4. https://denise.dreamwidth.org/91757.html#content
  5. https://www.dreamwidth.org/
  6. https://denise.dreamwidth.org/icons
  7. https://denise.dreamwidth.org/profile
  8. https://denise.dreamwidth.org/
  9. https://denise.dreamwidth.org/2022/
 10. https://denise.dreamwidth.org/2022/11/
 11. https://denise.dreamwidth.org/2022/11/20/
 12. https://www.dreamwidth.org/go?dir=prev&itemid=91757&journal=denise
 13. https://www.dreamwidth.org/tools/memadd?journal=denise&itemid=91757
 14. https://www.dreamwidth.org/tools/tellafriend?journal=denise&itemid=91757
 15. https://www.dreamwidth.org/go?dir=next&itemid=91757&journal=denise
 16. https://denise.dreamwidth.org/91757.html
 17. https://twitter.com/rahaeli/status/1593819064161665024
 18. https://gust.com/blog/copywrong-again-founding-the-next-pinterest-or-napster/
 19. https://bottomlinelawgroup.com/2010/11/12/if-you-build-it-they-will-abuse-it/
 20. https://www.law.cornell.edu/uscode/text/17/512
 21. https://www.copyright.gov/dmca-directory/
 22. https://twitter.com/mmasnick/status/1593874393910083584?s=20&t=q2-u-zzDakDbpRU061ONGw
 23. https://www.dreamwidth.org/legal/dmca
 24. https://en.wikipedia.org/wiki/Lenz_v._Universal_Music_Corp.
 25. https://www.law.cornell.edu/uscode/text/15/6501
 26. https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-312/section-312.2
 27. https://www.ftc.gov/business-guidance/resources/complying-coppa-frequently-asked-questions
 28. https://www.law.cornell.edu/uscode/text/18/2251
 29. https://www.law.cornell.edu/uscode/text/18/2256#8
 30. https://en.wikipedia.org/wiki/Miller_v._California
 31. https://www.law.cornell.edu/uscode/text/18/2251
 32. https://www.law.cornell.edu/uscode/text/18/2252
 33. https://www.law.cornell.edu/uscode/text/18/2252A
 34. https://www.law.cornell.edu/uscode/text/18/2251
 35. https://www.law.cornell.edu/uscode/text/18/2251A
 36. https://www.law.cornell.edu/uscode/text/18/2252B
 37. https://www.law.cornell.edu/uscode/text/18/2252B#d
 38. https://www.law.cornell.edu/uscode/text/18/2258A
 39. https://www.missingkids.org/gethelpnow/cybertipline
 40. https://report.cybertip.org/
 41. https://www.law.cornell.edu/uscode/text/18/2258A
 42. https://www.law.cornell.edu/uscode/text/18/2258B
 43. https://www.courtlistener.com/docket/16474360/united-states-v-arthur/
 44. https://www.law.cornell.edu/uscode/text/18/2258A
 45. https://www.microsoft.com/en-us/photodna
 46. https://www.microsoft.com/en-us/PhotoDNA/CloudService
 47. https://gdpr.eu/
 48. https://ec.europa.eu/info/strategy/priorities-2019-2024/europe-fit-digital-age/digital-services-act-ensuring-safe-and-accountable-online-environment_en
 49. https://consumercal.org/about-cfc/cfc-education-foundation/california-online-privacy-protection-act-caloppa-3/
 50. https://www.dreamwidth.org/legal/privacy
 51. https://en.wikipedia.org/wiki/FOSTA-SESTA
 52. https://en.wikipedia.org/wiki/Section_230
 53. https://en.wikipedia.org/wiki/Backpage
 54. https://www.justice.gov/usao-ndtx/pr/us-attorney-seeking-victims-advertised-cityxguidecom
 55. https://www.vice.com/en/article/7kb7vx/switter-the-twitter-for-sex-workers-is-shutting-down
 56. https://twitter.com/AshleyLatke
 57. https://en.wikipedia.org/wiki/Roskomnadzor
 58. https://en.wikipedia.org/wiki/Ofcom
 59. https://en.wikipedia.org/wiki/Cyberspace_Administration_of_China
 60. https://en.wikipedia.org/wiki/CLOUD_Act
 61. https://www.justice.gov/dag/cloudact
 62. https://www.law.cornell.edu/uscode/text/18/part-I/chapter-121
 63. https://www.law.cornell.edu/uscode/text/18/2702
 64. https://www.law.cornell.edu/uscode/text/18/2517
 65. https://www.law.cornell.edu/uscode/text/18/2511#2_a
 66. https://www.law.cornell.edu/uscode/text/18/2703
 67. https://www.law.cornell.edu/uscode/text/18/2258A
 68. https://www.law.cornell.edu/uscode/text/18/2523
 69. https://www.law.cornell.edu/uscode/text/18/2703
 70. https://www.law.cornell.edu/uscode/text/18/2523
 71. https://www.justice.gov/dag/cloudact
 72. https://www.law.cornell.edu/uscode/text/18/2258A
 73. https://en.wikipedia.org/wiki/National_security_letter
 74. https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act
 75. https://en.wikipedia.org/wiki/Patriot_Act
 76. https://www.law.cornell.edu/uscode/text/18/2510
 77. https://www.eff.org/issues/national-security-letters
 78. https://www.law.cornell.edu/uscode/text/18/2251
 79. https://www.dreamwidth.org/legal/tos
 80. https://www.dreamwidth.org/support/faqbrowse?faqid=145
 81. https://denise.dreamwidth.org/91757.html#comments
 82. https://denise.dreamwidth.org/91757.html?mode=reply
 83. https://denise.dreamwidth.org/91757.html?view=flat#comments
 84. https://denise.dreamwidth.org/91757.html?view=top-only#comments
 85. https://brainwane.dreamwidth.org/icons
 86. https://brainwane.dreamwidth.org/profile
 87. https://brainwane.dreamwidth.org/
 88. https://denise.dreamwidth.org/91757.html?thread=1057133#cmt1057133
 89. https://denise.dreamwidth.org/91757.html?thread=1057133#cmt1057133
 90. https://denise.dreamwidth.org/91757.html?replyto=1057133
 91. https://denise.dreamwidth.org/91757.html?thread=1057133#cmt1057133
 92. https://denise.dreamwidth.org/91757.html#cmt1057133
 93. https://denise.dreamwidth.org/91757.html?thread=1057133#cmt1057133
 94. https://denise.dreamwidth.org/icons
 95. https://denise.dreamwidth.org/profile
 96. https://denise.dreamwidth.org/
 97. https://denise.dreamwidth.org/91757.html?thread=1057389#cmt1057389
 98. https://denise.dreamwidth.org/91757.html?thread=1057389#cmt1057389
 99. https://denise.dreamwidth.org/91757.html?replyto=1057389
100. https://www.dreamwidth.org/go?redir_type=threadroot&journal=denise&talkid=1057389
101. https://denise.dreamwidth.org/91757.html?thread=1057133#cmt1057133
102. https://technoshaman.dreamwidth.org/icons
103. https://technoshaman.dreamwidth.org/profile
104. https://technoshaman.dreamwidth.org/
105. https://denise.dreamwidth.org/91757.html?thread=1057645#cmt1057645