Mastodon: 403 user login disable loop is GDPR incompliant.

But isnt this your account? https://mastodon.social/@Wraptile

Also when a user is suspended all of their posts likes follows and followers are purged so theres no data there to hold hostage

But isnt this your account? https://mastodon.social/@Wraptile

Also when a user is suspended all of their posts likes follows and followers are purged so theres no data there to hold hostage

Nothing is purged. All data and profile is still fully available:

Even _if_ data was purged it would be great if instead it would be delivered to the user and redirect of user would be allowed. I'm not certain if it's required by GDPR but seems like a reasonable expectation.

Also while i cant say for certain im pretty sure you got locked out of your account for valid reasons just by looking at your profile and posts. I mean in one post you literally dared someone to go to the mods with your behavior.

Also while i cant say for certain im pretty sure you got locked out of your account for valid reasons just by looking at your profile and posts. I mean in one post you literally dared someone to go to the mods with your behavior.

How is that relevant to the current issue?

I think you're not suspended, your account is simply temporarily disabled. For reference on disable vs. silence vs. suspend: https://docs.joinmastodon.org/usage/moderation/

What you're effectively asking for is that "disable logins" be rethought to instead allow you to log in, but with limited functionality instead (e.g. "disable posting privilege"), right?

there is no GDPR requirement that you need to be able to retrieve your data through mastodon's UI. If you can't log in, but there is still personal data stored on the server, you will need to email your admins to request it.

i think it's definitely valuable for us to re-think the messaging/UX around "disable logins", and i'm happy to re-open this issue if we want to edit it into being that, but there's no GDPR violation here.

i think it's definitely valuable for us to re-think the messaging/UX around "disable logins", and i'm happy to re-open this issue if we want to edit it into being that, but there's no GDPR violation here.

I disagree. GDPR requires platform to give users an ability to control, export and delete their data. Contacting via dead email that no one is reading or making a new account on different node at direct messaging mods is far from covering this.

The fact this Mastodon already has it but the current 403 loop breaks this compability. I'm not sure how this ridiculous feature of silent 403 looping with no message, notification or access to user settings even made it to master!
If it weren't for Hanlon's razor I'd go as far as to say there's some hidden agenda here.

plenty of companies effectively implement the GDPR with no code changes whatsoever, and the GDPR applies to all companies, not just those that have a web presence. many many companies require you to email them to get your data export. The GDPR specifies only that the export must be in a common, machine-readable format but it does not mandate how you must be able to obtain that export.

Contacting via dead email that no one is reading

If you don't get a response after asking for your export, then they would not be in compliance with the GDPR.

@nightpool regardless of your interpretation of the law - the auto export/delete feature is already there. There's no reason whatsoever why "login disabled" users should not have access to it.

I've been waiting for my data for two weeks now - clearly this is GDPR incompliant and to boot to that it's GDPR incompliant on purpose since the features are all there.