Hey, I’m a software developer and I’m considering trying to build a site using ActivityPub, but I have a few concerns about it. My first concern is that if the platform is open source someone can host a malicious version of it, where certain requests may be ignored (such as deletion).
This leads into my next concern, which is GDPR, because now I can’t be certain that a user’s data gets deleted upon their request, and I’m not certain whether I would be liable since my instance federates with the malicious instance (which may also not be hosted in the EU, which is itself problematic, and even if I’m not liable it’s still not great).
I considered if it was viable to make the platform invite-based somehow, so that it doesn’t federate with everything by default, but that also sort of defeats the purpose of using ActivityPub.
The loss of control over content is also something that I don’t particularly like, since some people may use their own instance for harassment or something else gross, but I guess that wouldn’t be my problem since I just wrote the code and wouldn’t have anything to do with the hosting of such sites.
I’d appreciate any feedback since I think the technology and the fediverse are very interesting. I would definitely like to try it out, but I’m not sure how to go about these challenges.


IANAL, but the GDPR only concerns itself with personal data (name, address, email, IP, etc.) for deletion requests. These, however, are not necessarily shared with other ActivityPub servers, so if you delete them off your own server it should be sufficient.