Keyservers and GDPR


Keyservers and GDPR

Vincent Breitmoser
Sigh, I just now noticed that I wasn't actually subscribed to sks-devel anymore,
I thought I was.  I humbly apologize for the noise, and will go read the
relevant threads now :)

 - V


_______________________________________________
Sks-devel mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/sks-devel

Re: Keyservers and GDPR

Niels Dettenbach (Syndicat IT & Internet)
On 22 May 2018 21:44:09 CEST, Vincent Breitmoser <[hidden email]> wrote:
>Now, since the PII that is uploaded is not used to fulfill contractual
>obligations

I'm not a lawyer, but I see this vice versa.

Users upload their keys for the purpose of their usage in the "web of trust" and expect their availability (storage, processing) there for this.

A contract with the server owner/admin IS formed with the transfer of the data in the conventional keyserver protocol, without any further "written" contract.

An extended, written, explicit order is required if the keyserver (its owner) wants to use that data for other purposes not covered by the specs.

This is my view. But clarifying this needs a good law expert with a good understanding of the specs and the whole process.


Just my two cents.

Niels.

--
Niels Dettenbach
Syndicat IT & Internet
http://www.Syndicat.com


Re: Keyservers and GDPR

Kristian Fiskerstrand
In reply to this post by Vincent Breitmoser
On 05/23/2018 11:27 AM, ilf wrote:
> tl;dr: Keep calm and keep running keyservers.
>
> Vincent Breitmoser:
>> (cross-posting on all the cool pgp lists)
>
> (I wonder, if this really needs to be an all the four lists. I think
> sks-devel@ might be the most appropriate. Having said that, I'm only
> replying to gnupg-devel@ because I'm not subscribed to sks-devel@. Feel
> free to relay my message.)

As I think this has a valuable viewpoint I'm posting it to sks-devel.
And yes, this is mostly in line with my own thinking; I don't expect the
need for radical changes unless we see actual attempts to go after the
infrastructure.

>
>> My personal conclusion is that keyservers that support user id packets
>> are, quite simply, incompatible with GDPR law.
>
> There is a ton of FUD about the GDPR out there right now. Most of it
> frivolous. (Actually, a lot of it is deliberate fearmongering by people
> who happen to sell legal advice on the GDPR.)
>
> First of all, the GDPR is not completely new. All EU member states
> already have data protection laws, some - like Germany - already very
> strong ones. The concepts (PII, responsibilities, technological and
> organisational measures, information and documentation obligations) have
> already been in place with the old Data Protection Directive from 1995,
> which the GDPR is updating. I admit that the GDPR can be read and
> interpreted in a fatalist way. But most people leaning that way seem to
> not have read the older laws.
>
> Laws are not set in stone. Laws include leeways, deliberate or
> unintended. Laws do not depend on their interpretation by laypeople.
> There is a huge dedicated system for its interpretation, conflict
> resolution, judgement and enforcement.
>
> In the case of the GDPR, the very first step of that system are National
> Data Protection Authorities (DPA). They have the power - and the
> responsibility - to investigate possible violations of the GDPR. They
> have been understaffed for years, in many countries dangerously so. They
> are getting a lot more powers and responsibilities with the GDPR, but
> their resources are growing way slower than their tasks. They are simply
> understaffed and overworked. So from all the possible GDPR violations
> they will be notified about, they will work off the biggest and most
> obvious ones first. Their focus will be on the Facebooks - and not on
> small nerd projects or personal websites. They have the power to say "we
> don't care about this weird thing called keyserver" - and they probably
> will.
>
> Now even if someone found data protection law infringements with a
> keyserver, filed a specific and well-worded legal complaint with a DPA,
> and a DPA found the resources to look into it, and the DPA found some
> violation of the GDPR (four big IFs!) - the DPAs will not go around and
> issue sanctions and fine people. First of all, their job is not to
> generate revenues by fines. Their job is to enforce data protection law.
> If a DPA did find an issue with a keyserver - or the very concept - they
> would reach out and talk to the people running the servers. They would
> hear their perspective, learn more about the very concept - and try to
> work out a viable solution to provide the service without possible data
> protection infringements. This is their job and their goal.
>
> The most feared sanction of some undefined GDPR violation is a fine. As
> I laid out, DPAs don't want to issue fines, they want to stop privacy
> violations. And they will not blindly issue a fine without talking to
> you first. That being said, they obviously do have the power to issue
> fines. After due process. However, this power is also not new, it has
> also existed in many countries. And DPAs don't run around and fine
> people left and right (you would have heard about that), they exercise
> their power in a balanced way. And fines are always in relation to the
> economic and personal circumstances of the - then guilty and obstinate -
> data protection violators. I guess most keyservers are run by
> non-profit individuals or institutions. Even if a company runs a
> keyserver, it doesn't make money with that service. Therefore, I think
> the chance of *any* fine is negligible - and the chance of an
> unreasonably high fine is almost zero. And if it ever came to this, the
> community and public alarmed by public outcry would probably donate more
> than the fine issued.
>
> To sum up: Keep calm and keep running keyservers. You'll be fine.
>
> More elaboration in German:
> https://netzpolitik.org/2018/bussgelder-bei-datenschutzverstoessen-angst-vor-einem-phantom/
>
>
> Disclaimer: IANAL. This is not legal advice.
>
>
>
> _______________________________________________
> Gnupg-devel mailing list
> [hidden email]
> http://lists.gnupg.org/mailman/listinfo/gnupg-devel
>

--
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
"I disapprove of what you say, but I will defend to the death your right
to say it."
Evelyn Beatrice Hall (summarizing Voltaire)
