Re: Data protection concern[Ref. RFA0751305]

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

Re: Data protection concern[Ref. RFA0751305]

Kristian Fiskerstrand-6
Hi,

In order to get a fruitful dialogue on these matters, some
clarifications regarding the role of the sks-keyservers.net pool of
keyservers seems necessary.

sks-keyservers.net is not an organization, but is an automated service,
operated by me as a private individual, that detects public keyservers
through crawling the open internet. The service has been offered free of
charge to the public [since 2006], at which point it replaced a previous
service of a similar nature, and with [the source code open source]. The
service functions by generating the necessary DNS records for a [DNS
Round-Robin] consisting of underlying keyservers that matches the
necessary criteria to be considered up to date with the overall ecosystem.

Since this discussion affects the overall OpenPGP ecosystem, and these
matters relates to security enhancing software, of which transparency
between the various operators within the system is imperative; I've CCed
a relevant mailing list with matters related to keyservers. Please keep
this mailing list CCed in all further communications on this matter.

With regards to the specific claims a request for deletion was received
on 5/29/18, 2:24 PM CET. A response was sent 5/31/18, 11:21 PM that (i)
explained that sks-keyservers.net is not the appropriate recipient for a
request to delete as it only links to underlying keyservers that store
the data, and these are operated by more than 100 different operators
world-wide, and linking to [the blog post regarding deletion requests]
that is written and used for similar such requests describing this
situation. A keyserver operates in a blockchain like model of always
adding data, never deleting it.

Some discussions are currently ongoing in the community with regards to
alternative models for the keyservers to operate, however they will all
imply changing the security model that has been used by the PGP Web of
Trust for several decades, but no consensus has currently been reached.
These discussions can be found in the archives of the sks-devel mailing
list well as other relevant mailing lists.

In any case, sks-keyservers.net service only generates DNS records such as
$ dig a pool.sks-keyservers.net
;; ANSWER SECTION:
pool.sks-keyservers.net. 3588   IN      A       74.50.54.68
pool.sks-keyservers.net. 3588   IN      A       130.133.110.62
pool.sks-keyservers.net. 3588   IN      A       85.93.216.115
pool.sks-keyservers.net. 3588   IN      A       130.206.1.111
pool.sks-keyservers.net. 3588   IN      A       37.44.0.28
pool.sks-keyservers.net. 3588   IN      A       178.32.66.144
pool.sks-keyservers.net. 3588   IN      A       193.70.2.173
pool.sks-keyservers.net. 3588   IN      A       178.175.148.28
pool.sks-keyservers.net. 3588   IN      A       85.227.82.204
pool.sks-keyservers.net. 3588   IN      A       192.146.137.98

and is not the correct recipient for any such request.

References:
[the source code open source]
https://git.sumptuouscapital.com/?p=sks-keyservers-pool.git;a=summary

[DNS Round-Robin]
https://en.wikipedia.org/wiki/Round-robin_DNS

[since 2006]
(i) https://lists.nongnu.org/archive/html/sks-devel/2006-12/msg00002.html
(ii)
https://blog.sumptuouscapital.com/2016/12/10-year-anniversary-for-sks-keyservers-net/

[the blog post regarding deletion requests]
https://blog.sumptuouscapital.com/2016/03/openpgp-certificates-can-not-be-deleted-from-keyservers/

On 2/19/19 11:32 AM, [hidden email] wrote:

> 19 February 2019
>
>  
>
> *Case Reference Number RFA0751305*
>
>  
>
> Dear Mr Fiskerstrand
>
>
> We are writing to you because we have received a complaint from Mr Dean
> Hughes regarding the way SKS Keyservers handles its data protection
> obligations.
>  
> *The ICO’s role *
>  
> Part of our role is to consider complaints from individuals who believe
> their data protection rights have been infringed.
>
> *Complaint raised with us*
>
> Mr Hughes has complained that SKS Keyservers has not complied with his
> request for erasure. Mr Hughes has complained that the keyservers share
> and make personal details publically available, such as his name and
> email addresses.
>  
> Mr Hughes has stated that he willingly submitted his personal data to
> your organisation years ago but would now like for it be deleted from
> both your organisation’s keyservers and the keyservers with which also
> shared his data.
>  
> Furthermore, it has been suggest that the records Mr Hughes has asked to
> be deleted contain personal data from more than 20 years ago, which
> include his name and email addresses.
>  
> *What you need to do now*
>  
> We want you to revisit the way you have handled this matter and consider
> any further action that you can take that may resolve this complaint.
>  
> If you feel that you have complied with the Data Protection law in this
> case, please explain to us why.
>  
> We would also like you to provide the following information: 
>
>   * Details of how you have handled this request for erasure.
>      
>   * Details of why Mr Hughes did not receive a response from SKS
>     Keyservers when exercising his rights.
>      
>   * Details of the organisation’s retention notice (as it would seem
>     that this is not on the website).
>      
>   * Details of SKS Keyservers’ lawful basis for processing this data and
>     why it is disclosing individuals’ –including Mr Hughes’– data
>     publically.
>      
>   * Details of any safeguards in place to help ensure you handle
>     personal data properly, particularly in relation to this specific
>     matter.
>      
>   * Details of any steps you have taken to add to or strengthen these
>     safeguards.
>
>  
> For your reference I have attached evidence that supports Mr Hughes’
> data protection concerns pertaining to his personal data.
>  
> On a separate note, we would like to see a copy of SKS Keyservers’
> privacy policy to ensure that the organisation is compliant with its
> information rights and practices. This is because, it would appear that
> there is not a privacy policy on the website and this is an obligation
> under the new legislation, to inform its users, transparently, that the
> organisation is processing information that acts accordingly with GDPR
> and the Data Protection Act 2018 (‘DPA’).
>  
> You must provide this response as soon as possible and in any event
> within *14 days*.
>  
> If you do not provide the information we have requested, we will either
> base our decision on the information available or consider issuing an
> Information Notice.
>  
> *Advice and assistance*
>  
> Our website contains advice and guidance about the processing of
> personal data and an organisation’s obligations under the Data
> Protection law.  I recommend that you review the information on our
> website before finalising your reply.
>  
> Should you wish to discuss this case any further, or require any
> clarification, please do not hesitate to contact me.
>  
> Yours sincerely
>  
> Ryan Garner
> Case Officer
> Information Commissioner’s Office
> 0330 414 6876
>  
> *ICO Statement*
> You should be aware that the Information Commissioner often receives
> request for copies of the letters we send and receive when dealing with
> casework. Not only are we obliged to deal with these in accordance with
> the access provisions of the data protection framework and the Freedom
> of Information Act 2000, it is in the public interest that we are open
> and transparent and accountable for the work that we do.
>  
> For information about what we do with personal data see our privacy
> notice at www.ico.org.uk/privacy-notice
> <http://www.ico.org.uk/privacy-notice>
>

--
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Corruptissima re publica plurimæ leges
The greater the degeneration of the republic, the more of its laws

_______________________________________________
Sks-devel mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/sks-devel

Supporting evidence-1.txt (7K) Download Attachment
signature.asc (499 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Data protection concern[Ref. RFA0751305]

Kristian Fiskerstrand-6
On 2/19/19 6:13 PM, Kristian Fiskerstrand wrote:
> Hi,
>
> In order to get a fruitful dialogue on these matters, some
> clarifications regarding the role of the sks-keyservers.net pool of
> keyservers seems necessary.
>

The ICO has concluded in this case and no further action will be taken
from them.


--
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Corruptissima re publica plurimæ leges
The greater the degeneration of the republic, the more of its laws


_______________________________________________
Sks-devel mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/sks-devel

signature.asc (499 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Data protection concern[Ref. RFA0751305]

Andrew Gallagher
On 08/03/2019 14:15, Kristian Fiskerstrand wrote:
> The ICO has concluded in this case and no further action will be taken
> from them.

Was there any legal reasoning attached to this decision?

--
Andrew Gallagher


_______________________________________________
Sks-devel mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/sks-devel

signature.asc (849 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Data protection concern[Ref. RFA0751305]

Kristian Fiskerstrand-6
On 3/8/19 3:19 PM, Andrew Gallagher wrote:
> On 08/03/2019 14:15, Kristian Fiskerstrand wrote:
>> The ICO has concluded in this case and no further action will be taken
>> from them.
>
> Was there any legal reasoning attached to this decision?

It was a relatively good summary of situation including the data being
shared voluntarily and the nature of the keyserver gossipping network
also containing nodes being outside of the reach of GDPR. An important
factor in the treatment is however timely response to erasure request
with sufficient information.


--
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Corruptissima re publica plurimæ leges
The greater the degeneration of the republic, the more of its laws


_______________________________________________
Sks-devel mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/sks-devel

signature.asc (499 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Data protection concern[Ref. RFA0751305]

Tobias Frei
Hi Kristian, hi Andrew, 

that email conversation was scary, informative and relieving at the same time. Thank you for sharing.

Best regards 
Tobias Frei 

On Fri, Mar 8, 2019, 16:08 Kristian Fiskerstrand <[hidden email]> wrote:
On 3/8/19 3:19 PM, Andrew Gallagher wrote:
> On 08/03/2019 14:15, Kristian Fiskerstrand wrote:
>> The ICO has concluded in this case and no further action will be taken
>> from them.
>
> Was there any legal reasoning attached to this decision?

It was a relatively good summary of situation including the data being
shared voluntarily and the nature of the keyserver gossipping network
also containing nodes being outside of the reach of GDPR. An important
factor in the treatment is however timely response to erasure request
with sufficient information.


--
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Corruptissima re publica plurimæ leges
The greater the degeneration of the republic, the more of its laws

_______________________________________________
Sks-devel mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/sks-devel

_______________________________________________
Sks-devel mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/sks-devel
Reply | Threaded
Open this post in threaded view
|

Re: Data protection concern[Ref. RFA0751305]

Jim Popovitch
In reply to this post by Kristian Fiskerstrand-6
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Fri, 2019-03-08 at 15:15 +0100, Kristian Fiskerstrand wrote:
>
> and no further action will be taken from them.

..at this time.  IANAL, but you should really talk to a lawyer to make sure
that you (and your assets) are fully protected from future ICO or private
action by claimant. Never, ever, ever put faith in the words of a lawyer of
judicial agency that you haven't personally paid for advice.  The system
sucks, but that's how it works.

- -Jim P.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEECPbAhaBWEfiXj/kxdRlcPb+1fkUFAlyCma8ACgkQdRlcPb+1
fkUw4g//dg9vDItd3TY54yQd1Ghu6ePwlBd803AWvSqXAxjmxVcAT/Tas8D0KHen
CM0PoZrPgF7w1GOPoMEULrdw4RZF+ZzssEH/CTetomqDB7yNVXhzz2LIVQ5Jkv1w
3Q5h+1PDhYHd3MFoonkFe4lC/5h+KedZCc6oWNk3wFpgWvxTLH56ehnWbAuid7F/
FYNSgDOxFGY3qCOJ3dPXqYPJg9u2SiNPo1Ner+2nnsSV5n+y+k43SzolMEktZavi
uEAnbWy1vjod2jUQUaN7ykKFWNuvQxhtN8ZG1d5rQzRav+0ufA/6V7ZVZ09V7Sjd
x7z+abrfhAkmE7tdE6IksDRkOqtSAXTMKp9DanKUc0060+01ObWyJLRVjKFL0iWR
6svQrfk9IAk3OUYzOmwMCGccyLXL44bLwAf+34QulZO+d8xdU5zNSvMmf8vtQkK4
tRGsvEqmH4r0sFpJW4yoGc6UsTuRkvuuP9ud/lkxAnn5d2k/6p8UAHtKM3Sz8cLM
guUNN64OmBuc6+YivrRI76DhfbHhubOyRVBWKj3nNtCG2RP8B4yEFqpc3cJbwmwT
Hl5GxFeAKyWEL5LxhvhJv/EtE8FjyY4qf1CA0uR+konJZF7xNzUZTeXwPh/j2P8O
1A5YtoKIdRLy3944mc+xaSE4KLRZ+IRntaNlgyCtNHFYr/h4/ZY=
=f4Pl
-----END PGP SIGNATURE-----


_______________________________________________
Sks-devel mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/sks-devel