Practically speaking, running FB in a way that doesn't transfer anything out of the EU would involve either:

1. Siloing off the EU facebook, with no contact with the US side

or

2. Building a federated facebook, which transfers across e.g. only the timeline entries US friends are granted view access to

The former would not be well-accepted, as it would cut off communication from e.g. international relatives, and would be a rather large project to launch. The latter would be an even bigger rearchitecture, which would likely take, at a minimum, several years to complete, since it's unlikely this was ever anticipated as being a possibility when FB was originally created.

So, I sympathize with them - while in the long term they might be able to find a solution, in the short-to-medium term, FB would have no choice to stop operating.

That's already business as usual with China, but companies like Facebook have absolutely no problem with that silo as it protects them and benefits their bottom line.

But somehow, use cases that protect users, those suddenly pose major blockers.

Do you honestly think that's true? I bet they'd move mountains to remove that silo if they could.

Think? I know for a fact it's true. In fact, do you know a single company operating in China that doesn't silo away their China operations?

What makes you think they have "absolutely no problem with it"? You don't think it would be operationally simpler and more profitable to allow communication between Chinese and non-Chinese accounts?

No, not really. Companies operating in China silo their services because Chinese laws demand access to servers, and by siloing the company ensures that the Chinese regime does keep it's hands off stuff they have no business accessing.

Siloing services in China has zero to do with CCP's demands and everything to do with a company's self-interest.

CCIP demands access to servers -> companys silo to protect data from CCP

But then claim siloing has "zero to do with CCP's demands". Having trouble understanding this logic.

This is not to say I “want” this — what I want is for everyone in the world to be one big happy group of friends, but I don’t know how to get there from here, and silos look to me like the next thing that will happen.

[0] I don’t know how it works in most places, but in the UK there are Rules: https://commonslibrary.parliament.uk/who-regulates-political...

Also, if a European citizen shares photos with an American friend, this friend will fetch the image from an European server, so that the US government doesn't have access to the remaining photos, unless they contact European authorities.

A lot of communication data has two people associated, and a lot of it is highly sensitive. If a US person and a French person chat how does each get the messages? Message data is obviously highly sensitive and shouldn't be shared.

Does the US person need to hit the French servers to see new messages, and vice versa? What about quoting?

Message metadata (i.e. the fact that these two people are talking at all) is also pretty valuable -- the classic pen register is just a record of which calls were made to which numbers. Where do you store the metadata of the thread? It arguably belongs to and is private to both people.

I would imagine each user has a copy of the other's messages in their own account, and that's what they would be hitting.

What happens when the law makes that illegal?

> What happens when the law makes that illegal?

just follow the Chinese model. complete blackout between the European Union, China and ROW. this is where this thing is headed, so we might as well start thinking about it.

People are acting like this is a trivial problem both technically & legally but it’s not. I don’t have sympathy for Facebook but if you are a small company handling data in the EU and other data outside it I have sympathy as it’s going to cost a lot in architectural complexity and compliance costs.

My GDPR compliance training said that data strictly necessary for the provision of a service is something a business can freely use to that end without explicit consent. This is why GitHub doesn’t show cookie popups: https://github.blog/2020-12-17-no-cookie-for-you/

So “User @Alice sent $message to user @Bob” is necessary for a chat platform, but “Notice to advertisers: User @Alice posts a lot about cars, cats, and funny shaped carrots” isn’t even though advertisers pay for the continued existence of the service.

The reality that the EU government has recognized is that a FISA order of the parent company could compel a US organization to pull data from the EU servers to provide to the US government; and it’s a valid critique.

My understanding was that it's not about that.

> the reality is that recent EU regulatory action has come down not on where the data is stored, but whether the parent company is in the US

Interesting, do you have any source on this particular aspect? I haven't heard this before.

It's a legal deadlock.

IF [thing] be used to identify [person] from any arbitrary set of [persons] THEN [thing] is PII.

You are right that the same logic would make any American communication website illegal. I think the end goal for the EU here is to require all communication platforms used by EU citizens to be entirely run by the EU.

Is that so? I'd like to know more about this then, I don't see how that would be practical at all then.

> Principally, it asserts that U.S. data and communication companies must provide stored data for a customer or subscriber on any server they own and operate when requested by warrant, but provides mechanisms for the companies or the courts to reject or challenge these if they believe the request violates the privacy rights of the foreign country the data is stored in.

https://en.wikipedia.org/wiki/CLOUD_Act.

I think that's the difference. Facebook could be forced to keep all PII in the EU for the purpose of protecting peoples data from unlawful (EU) use but still have to surrender it to US law enforcement. Would that violate the EU law?

I think their end goal is regulatory convergence. They don't want companies to be able to trivially circumvent laws protecting their citizens simply by operating in a different jurisdiction, which is to say, if you want to play by different rules, barriers are inevitable, or else the rules are meaningless. Over the long run, the hope is that people can converge on similar enough rules that the barriers become unnecessary.

For example, suppose a country passes an air quality law that forces companies to reduce emissions from factories. They might suspect that instead of updating their factories, companies might sell their manufacturing equipment to new companies that mysteriously pop up right across the border and happily sell finished goods back across the border. Anticipating that, the country would want to do something to prevent it. The measures they come up with might be onerous and inefficient in the short run, but in the long run, the two countries would be motivated to converge on regulatory regimes that were mutually acceptable.

(not intending to endorse or criticize this idea, just giving my best understanding of how countries approach questions like this)

1. Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract

[.. other permissible purposes snipped ..]

Generally, the GDPR issues with sending to another country boil down to whether the EU accepts that the other country's government will allow the company protect the data in ways compatible with the GDPR. When sending that data to another company happens for reasons incidental to the permissible purpose of your data (eg EU-to-EU data processed in the US) this becomes an issue, as you've not consented to that risk. If you are specifically requesting that your data be sent to, say, the US, however, then processing that data in the US becomes necessary and thus much more justified.

From a technical perspective, you can certainly silo your data and transfer only as needed. This is however way more complicated, as you need to now deal with the fact that you're potentially performing joins across high-latency datastores, where you might need to be careful about what query data you're sending across the wire, and where your different silos need to apply access controls against each other. If you didn't engineer for this from the start, it's a big shift in architecture.

The issue is not your feed, that's what Facebook wants you to believe, you agreed to share that data with other FB users. the issue is they transfer personal data of EU citizens to the US to process them and sell them or use them to improve their adv war machine. Or give it to their US government.

But if I visit a web page hosted in Europe, and that page uses the FB cookies, Google analytics, etc. maybe I'm unaware what and how the data is being collected.

They relied on the cookie banners as explicit consents (i.e. if you click this "OK" button, you give explicit consent to all our data gathering and sending), but that might be not fully compliant with GDPR.

NOYB has used this as an example of something that would be illegal.

The main issue is differences between EU and US law.

An if that happens, if Facebook really gets banned from operating in Europe, I'm pretty sure “good enough” technical solution approved by the EU administration would be found pretty quick.

I certainly have not spent any time to look into the actual legislation - so don't take this as "everything would be fine" - but I feel a solution could be found that governments would be ok with if FB would be willing to spend the engineering effort.

That's why simply storing EU data in the EU isn't enough when there's a US company involved. Our surveillance state isn't just horrible for privacy, it's also bad for business.

1) Providing end-to-end encryption on user data travelling from Europe to outside Europe.

2) Your option for number 1, but then allowing users to freely consent with their data to be shared internationally (which they can then revoke later if required).

I'm sure there are others... Also IANAL but a social media post may be covered under the "legitimate interests" scope of GDPR (but facebook's tracking data would certinally not be covered).

That's insufficient as the US CLOUD Act allows the US government to compel a US company to cough up the data even if it is hosted in the EU and subject to EU privacy laws.

The only workaround I could see is one where they would spin out Facebook EU as a legally independent non-US entity (giving shares in it to Meta shareholders) and federate that with FB US.

What is not is all of the tracking that they do - not only on the Meta properties, but also all of the other websites who are dumb enough to execute code or otherwise expose their users to Facebook. Lots of them do it unwittingly too.

If a user in Florida tries to view a post by a user in Germany, doesn't the German user's data have to leave the EU?

For those downvoting me, I'd love to hear why you think it's more complicated than that. Contrary to popular belief, the people who wrote the GDPR are pretty technically sophisticated and understand that data on the internet has to move between countries from time to time.

1. Sam makes a post.

2. FB predicts Pat will comment on this post if they see it.

3. Pat sees the post, and writes a comment.

4. FB predicts Alex will reply to Pat's comment if they see it.

5. Alex sees the comment, and writes a reply.

To show why data transfer is such an issue, assume Sam, Pat, and Alex are all in jurisdictions with EU-style privacy regulations and that don't have data transfer agreements with each other.

How would you build a system that supports 1-5, a user journey that is core to Facebook's usage, in a way compliant with these regulations? For example, where is the discussion stored? Where do the models in (2) and (4) run?

As far as I can tell, the really difficult aspect here is how and where to permanently store the fact that the two users are talking to each other once the comments are actually made, since the mere fact that they are talking to each other demonstrates a relationship between them which may be considered PII in some contexts. Or at least, it would be difficult if the US also had privacy laws like the EU's, and IMO any coherent solution should be able to work if the US adopts something like GDPR. Unlike the message contents, this is quite difficult to store in a privacy-preserving way. I think the discussion would be more interesting and feel less like attacking a strawman if people were to focus on the interesting questions like this one, rather than the extremely uninteresting question of whether Facebook can serve posts to the US at all (which it obviously can).

> One option would be to serve this data directly from the European server.

What do you think happens with the data when you "serve it directly from the European server" to a user in Florida?

Exactly, it leaves the EU to go to Florida. ;-)

So the only thing the US government could get, are the public facing posts/images which the user posted but nothing more. If the profile is private, even less. No messenger data (except when send to users in the US).

Meta could be more accommodating to the wishes of the EU and place a greater focus on privacy, but that would mean changing how they do business. Meta clearly don't believe that it's possibly for their businesses to be profitable without data mining the crap out of their users. I know it's not a popular opinion, but business like Facebook and Instagram are the direct reason why the EU feel the need to step in and regulate.

It's where the data is stored and kept that is at issue.

You guys are just playing with semantics.

In terms of this context, easiest way would be to shard db infrastructure. Not even a remotely big deal for Facebook, with their size.

Hell, they should already want this, to avoid costly, and high ping time, intercontinental links.

But oh nooos, so hard to do. Absurd.

Think about internet archive, BitTorrent dumps of Facebook, etc.

If you're in a given geography/regulatory regime, and you read something on your smart phone, technically you were served that via some cell tower or ISP, those bits transited that infrastructure. In the US there's a massive clot of regulatory blockage working it's way slowly through the bowels of government around the term of art: "common carrier".

As with many things that devolve into nitpicking, there is a deeper issue: the EU is increasingly regretting becoming the host to, ironically, European-style colonialism on large-scale consumer Internet platforms. The PRC has its own Google, Twitter, Facebook, etc. The EU has Google, Twitter, Facebook, etc. and doesn't love that US companies and regulators are kind of driving the digital lives of the citizens.

The proximate tussle is about the durability of the storage involved. As a European regulator I might be much more comfortable with a write-through cache like TAO holding messages, or FBIDs of messages, including a German in the chat than I am with all such chats being held on a DFS in Prineville among other places, and having them ground over by a Spark or Hadoop job in Forest City among other places.

They'll kick it around and come up with some compromise that will serve end-users by accident at best. Europe won't develop a homegrown consumer Internet industry in our lifetimes. The odds are both US and EU legislators and regulators will miss a step and it'll be ByteDance everywhere by the time anyone reads this :)

Wouldn’t the true solution simply be for those who don’t want other regions to save to simply not have access, e.g firewall?

It would then been trivial for someone to crawl EU pages and rebuild the corpus of data.

The only real solution is to firewall off regions and prevent those users from accessing anything other than their own.

This is already what some countries like China do, for instance

Enlighten us?

Look, I realize I'm not an elite hacker news hacker, but how can I as a US user look at my friends posts in germany without them transferring data to me in the US?

What makes this so obviously a lie that such strong language is called for?

One example of that would a mandatory paid option which takes you out of all company data sharing stuff.

I dont use any facebook/Meta related platforms such as facebook, instagram or whatsapp. But it makes me sick seeing people around me addicted to it, due to their shady operation patterns.

Only as long as your users are fine to only talk with people from their "world region cluster". Everyone else would not be able to communicate with, say, family that lives overseas.

Can you explain to me how would you allow communication between EU and USA users without transferring any data out of EU? Expect for putting all the datacenters in EU?

[0] Obviously if there is some web forum hosted in Germany that a bunch of Germans living in Germany post to, and I -- in the US -- visit the forum, that involves data leaving Germany and flowing to the US. There's nothing wrong with that.

Even if you keep data for individual profile in corresponding country, any interaction with a content outside of EU is impossible without data transfer.

Ok you would have to make actual legal guarantees that no PII data will _ever_ be processed outside of the EU. given that this effectively means that if you fly out of the EU, or are _routed_ out of the EU, you won't be able to use those services. This is because PII is anything personal to you, and processing means anything that makes decisions, like routing based on IP or username.

This isn't actually a facebook specific problem S3/azure/google and their customers all have the same problem.

but of course yah boo facebook.

I’m not sure it this is still the case, but assuming it is, wouldn’t that make for a reasonable argument why it would be “impossible” (a.k.a. possible but non-trivial) to keep the data in the EU?

It's a bit of a prisoner's dilemma: if other people use Facebook, they get to see things you don't and have an advantage in some domains. So a lot of people "use" facebook. But if all of the businesses and groups get forced off of Facebook they'll just find another way to make announcments.

Same thing with car ownership: if everyone stopped owning cars, everyone could happily get around with bikes, feet, and public transit. The world would quickly restructure to accommodate it. Sure, some things would be lost (it would be harder to go to remote places to hike, for instance), but other things, like the ease of getting around your immediate neighborhood, or easy access to stores, or polluting the air with less CO2, would balance that out in many ways.

This is clearly wrong.

> Facebook led the way, where Americans spent an average 58 minutes a day on the app.

> Instagram was the second most used service, and it remained most popular among Gen-Z users, who spent almost 53 minutes per day, or 297 hours year;

With DAU of >2b people, I think you're drastically underestimating the scope of damage from a FB withdrawal from the EU.

https://www.forbes.com/sites/petersuciu/2021/06/24/americans...

Having seen how quickly MySpace became irrelevant, I am certain FB is acutely aware of how tenuous the position is as the king of social media. It is no wonder they behave like they do to capture and keep users.

If those services suddenly closed then I wouldn't have to use them!

It's silly, really; in order to contact specific people I must use all of: SMS, Email, Signal, Telegram, WhatsApp, Messenger, and Discord.

> WHAT IS THE MATTER WITH THAT, IF IT IS WHAT YOU WANT TO DO?

> "But nobody wants it! Everybody hates it."

> OH. WELL, THEN STOP.