Yakamo,
Hmmm… please define/explain how servers hosted in the Republic of South Africa are subjected to GDPR? (We have our own/similar version, but NOT GDPR)
---
Hendrik Visage
HeViS.Co Systems Pty Ltd
T/A Envisage Systems / Envisage Cloud Solutions
+27-84-612-5345 or +27-21-945-1192
[hidden email]

_______________________________________________
Sks-devel mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/sks-devel
In reply to this post by stuff
> They are!

No, they're not.

GDPR only applies to business entities that trade with EU citizens in EU member nations. If a German boards a flight in Colorado to travel to Texas, they don't get to claim GDPR protections on their tickets. It's once the flight connects to an EU member state the airline has to worry about GDPR.

There are (or at least were) a large number of US-based keyserver operators who were immune to the GDPR.
None of that is correct. The GDPR does not only apply to business entities, it does not only apply to trade, it does not only apply to EU citizens and it does not only apply in EU member nations.

For a short introduction, look at this article:
<https://kirkpatrickprice.com/blog/what-is-gdpr-personal-data-and-who-is-a-gdpr-data-subject/>

Whether or not it is possible to actually enforce the GDPR outside the EU, however, is a different story.

On 13.08.19 17:00, Robert J. Hansen wrote:
>> They are!
> No, they're not.
>
> GDPR only applies to business entities that trade with EU citizens in EU
> member nations. If a German boards a flight in Colorado to travel to
> Texas, they don't get to claim GDPR protections on their tickets. It's
> once the flight connects to an EU member state the airline has to worry
> about GDPR.
>
> There are (or at least were) a large number of US-based keyserver
> operators who were immune to the GDPR.
In reply to this post by Robert J. Hansen-3
Hi,
On Tue, 2019-08-13 at 11:00 -0400, Robert J. Hansen wrote:
> > They are!
>
> No, they're not.

I think your assessment is wrong.

> There are (or at least were) a large number of US-based keyserver
> operators who were immune to the GDPR.

I fail to see how this is in accordance with the GDPR.
Section 3.2 states¹:

> This Regulation applies to the processing of personal data of data
> subjects who are in the Union by a controller or processor not
> established in the Union, where the processing activities are related
> to:
>
> the offering of goods or services, irrespective of whether a
> payment of the data subject is required, to such data subjects in the
> Union

This is exactly the case for OpenPGP Keyservers.

Cheers,
Tobi

1: https://gdpr-info.eu/art-3-gdpr/
EU can write whatever it wants down on a piece of paper, but that don't mean it's anything more than a piece of paper to me... they have no authority here, I don't recognize their authority and there is absolutely nothing that they can do about it.. So it don't really matter if they say it's applicable to me, because it's not.

Argue semantics till you're blue in the face, the end result is nobody doing business with or within the EU has any obligation whatsoever to even concern themselves with the GDPR.. and that's never going to change, regardless what everyone's opinions are on the matter.

-R

On Tue, Aug 13, 2019 at 9:40 AM Tobias Mueller <[hidden email]> wrote:
> Hi,
In reply to this post by Tobias Mueller
>> There are (or at least were) a large number of US-based keyserver
>> operators who were immune to the GDPR.
>
> I fail to see how this is in accordance with the GDPR.

The EU is free to claim whatever authority it wants, but until it can enforce that authority it's bluster. If I, as a US citizen with no overseas business ties, receive a GDPR notice, I'm going to laugh and throw it away as it's not binding within the US. The EU can't even haul me into court over it.
In reply to this post by Ryan Hunt-3
You should respect their right to privacy, if not for legal ones, then moral.

On Tue, Aug 13, 2019 at 16:04 Ryan Hunt <[hidden email]> wrote:
I don't believe anything you do in public has any expectation of privacy.. no moral qualms about it.

On Tue, Aug 13, 2019 at 10:09 AM Philihp Busby <[hidden email]> wrote:
In reply to this post by Robert J. Hansen-3
Hi,
On Tue, 2019-08-13 at 11:59 -0400, Robert J. Hansen wrote:
> If I, as a US citizen with no
> overseas business ties, receive a GDPR notice, I'm going to laugh and
> throw it away as it's not binding within the US. The EU can't even
> haul me into court over it.

Fair enough. Then you're ignoring the consequences (or rather believe that none exist) rather than saying that the GDPR wouldn't apply to US-based operators.
Your assessment of the situation was wrong and deserved to be refuted.

Cheers,
Tobi
> Fair enough. Then you're ignoring the consequences (or rather believe
> that none exist) rather than saying that the GDPR wouldn't apply to
> US-based operators.

Enforcement is the sine qua non of law. GDPR does not apply to purely US-based operators because there is no way for the EU to either compel our compliance or punish our noncompliance.
In reply to this post by Gabor Kiss
Robert J. Hansen wrote:

> Enforcement is the sine qua non of law. GDPR does not apply to purely
> US-based operators because there is no way for the EU to either compel
> our compliance or punish our noncompliance.

Please have a read:

https://gdpr.eu/compliance-checklist-us-companies/

If this applies to US companies do you think non-profit US SKS operators are exempted?

I kindly request that Mr. Rude, for example, no longer provides key dumps to the whole world, containing EU citizens data, without EU citizens consent.

https://keyserver.mattrude.com/dump/

Regards
Stefan

--
box: 4a64758de9e8ceded2c481ee526440687fe2f3a828e3a813f87753ad30847b56
GPG: C93E252DFB3B4DB7EAEB846AD8D464B35E12AB77 (avail. on Hagrid, WKD)
Interesting wordings, i.e.

The law also includes the threat of large fines for non-compliance, which can reach 4% of global revenue or €20 million, depending on the severity and circumstances

We recommend

So far, the EU’s reach has not been tested,

can help avoid drawing scrutiny from EU regulatory authorities

---
Hendrik Visage
In reply to this post by Stefan Claas
I guess I'm pointing out the obvious to most readers, but despite that official-looking domain name,

"This is not an official EU Commission or Government resource. The europa.eu webpage concerning GDPR can be found here [link removed]. Nothing found in this portal constitutes legal advice."

On Aug 15, 2019 00:29, Stefan Claas <[hidden email]> wrote:
In reply to this post by Stefan Claas
> Please have a read:

Did.

I'm going to believe the privacy lawyer I pay $450 an hour to more than I'm going to trust a sketchy website that's not even officially affiliated with the EU.

Quoting from it:

"You may be wondering how the European Union will enforce a law in territory it does not control."

Yep.

"The fact is, foreign governments help other countries enforce their laws through mutual assistance treaties and other mechanisms all the time."

Yep. Except that in America, the government *can't* help enforce many parts of the GDPR. The courts prohibit them from doing it. You walk into an American court waving a GDPR writ and it doesn't matter how many EU bureaucrats sign it: if it intrudes on an American citizen's freedom of speech the government is prohibited from participating. This is bog-standard American Constitutional law.

"GDPR Article 50 addresses this question directly."

No it doesn't. Have you *read* Article 50? "In relation to third countries and international organisations, the Commission and supervisory authorities shall take appropriate steps to..." It doesn't enact *anything*. All it says is, "We want the Commission to do X. We don't know if it's even possible to do X. We don't really care. We're ordering them to do X anyway." It's great to have aspirations, but Article 50 isn't even *law*. All it says is, "we're instructing our guys to look into it."

> If this applies to US companies do you think non-profit US SKS operators are
> exempted?

It does not apply to US companies, except those that have business units in the EU or have extensive business ties with the EU.

Doesn't apply to me. Have a nice day. :)
Robert J. Hansen wrote:

> I'm going to believe the privacy lawyer I pay $450 an hour to more than
> I'm going to trust a sketchy website that's not even officially
> affiliated with the EU.

Well, it was just one of many example sites, when one is googling for "has the US comply to the GDPR". If one does the same he will also find US sites giving US citizens advice.

> Quoting from it:
>
> "You may be wondering how the European Union will enforce a law in
> territory it does not control."
>
> Yep.
>
> "The fact is, foreign governments help other countries enforce their
> laws through mutual assistance treaties and other mechanisms all the time."
>
> Yep. Except that in America, the government *can't* help enforce many
> parts of the GDPR. The courts prohibit them from doing it. You walk
> into an American court waving a GDPR writ and it doesn't matter how many
> EU bureaucrats sign it: if it intrudes on an American citizen's freedom
> of speech the government is prohibited from participating. This is
> bog-standard American Constitutional law.

So as an example, US SKS key server operators do not have to honor removal request (in this case shut-down the server) from EU citizens, when they receive a letter from a lawyer?

I remember also that plenty of US sites (small and large), where I did business with, asked for my consent as EU citizen, when they changed their privacy policy once the GDPR took place.

> It does not apply to US companies, except those that have business units
> in the EU or have extensive business ties with the EU.

Has an US SKS key server operator then not 'business' ties with EU citizens, when storing their personal data like name and email address?

And has Mr. Rude then the right to freely distribute this data, without protecting it, to the whole world? If that is the case then EU citizens having 'business' with the US can do the same with US citizens data.

Well, just my thoughts.

Regards
Stefan

--
box: 4a64758de9e8ceded2c481ee526440687fe2f3a828e3a813f87753ad30847b56
GPG: C93E252DFB3B4DB7EAEB846AD8D464B35E12AB77 (avail. on Hagrid, WKD)
> Well, it was just one of many example sites...

Again: I'm going to go with the real advice given to me by real lawyers.

> So as an example, US SKS key server operators do not have to honor
> removal request (in this case shut-down the server) from EU citizens,
> when they receive a letter from a lawyer?

Depends on the individual. I rarely travel to Europe and have no financial holdings there. It gives me a great ability to say "no, I'm not signatory to your treaty, go away." Other Americans may have enough ties to Europe to make it possible for EU courts to apply leverage.

> I remember also that plenty of US sites (small and large), where I
> did business with, asked for my consent as EU citizen, when they
> changed their privacy policy once the GDPR took place.

Some of them do business in Europe and are susceptible to pressure by the EU. Some of them were just jumping on the bandwagon.

> Has an US SKS key server operator then not 'business' ties with EU
> citizens, when storing their personal data like name and email address?

No. Those are considered facts no different than tracking a name and phone number. Mere facts cannot be suppressed by the United States government; citizens are allowed to share them to our heart's content.

> And has Mr. Rude then the right to freely distribute this data, without
> protecting it, to the whole world?

I don't know anything about him or where he lives or which laws he must follow.
In reply to this post by Stefan Claas
And then reading Cryptogram this month:
Exploiting GDPR to Get Private Information

[2019.08.13] A researcher abused the GDPR to get information on his fiancee:

It is one of the first tests of its kind to exploit the EU's General Data Protection Regulation (GDPR), which came into force in May 2018. The law shortened the time organisations had to respond to data requests, added new types of information they have to provide, and increased the potential penalty for non-compliance.

"Generally if it was an extremely large company -- especially tech ones -- they tended to do really well," he told the BBC.

"Small companies tended to ignore me.

"But the kind of mid-sized businesses that knew about GDPR, but maybe didn't have much of a specialised process [to handle requests], failed."

He declined to identify the organisations that had mishandled the requests, but said they had included:

a UK hotel chain that shared a complete record of his partner's overnight stays
two UK rail companies that provided records of all the journeys she had taken with them over several years
a US-based educational company that handed over her high school grades, mother's maiden name and the results of a criminal background check survey.
---
Hendrik Visage
HeViS.Co Systems Pty Ltd
T/A Envisage Systems / Envisage Cloud Solutions
+27-84-612-5345 or +27-21-945-1192
[hidden email]
That title is actually click bait!
He didn't exploit anything about the GDPR, he just found someone stupid that didn't know how the law worked.

The problem was the company mishandling his request!

Yakamo

On Thu, 15 Aug 2019 20:56:59 +0200 Hendrik Visage <[hidden email]> wrote:

> And then reading Cryptogram this month:
> https://www.schneier.com/blog/archives/2019/08/exploiting_gdpr.html
>
> Exploiting GDPR to Get Private Information
>
> [2019.08.13] A researcher abused the GDPR to get information on his fiancee:
>
> It is one of the first tests of its kind to exploit the EU's General Data Protection Regulation (GDPR), which came into force in May 2018. The law shortened the time organisations had to respond to data requests, added new types of information they have to provide, and increased the potential penalty for non-compliance.
>
> "Generally if it was an extremely large company -- especially tech ones -- they tended to do really well," he told the BBC.
>
> "Small companies tended to ignore me.
>
> "But the kind of mid-sized businesses that knew about GDPR, but maybe didn't have much of a specialised process [to handle requests], failed."
>
> He declined to identify the organisations that had mishandled the requests, but said they had included:
>
> a UK hotel chain that shared a complete record of his partner's overnight stays
> two UK rail companies that provided records of all the journeys she had taken with them over several years
> a US-based educational company that handed over her high school grades, mother's maiden name and the results of a criminal background check survey.
>
> > On 15 Aug 2019, at 15:57 , Stefan Claas <[hidden email]> wrote:
> >
> > Robert J. Hansen wrote:
> >
> >> I'm going to believe the privacy lawyer I pay $450 an hour to more than
> >> I'm going to trust a sketchy website that's not even officially
> >> affiliated with the EU.
> >
> > Well, it was just one of many example sites, when one is googling
> > for "has the US comply to the GDPR". If one does the same he will
> > also find US sites giving US citizens advice.
> >
> >> Quoting from it:
> >>
> >> "You may be wondering how the European Union will enforce a law in
> >> territory it does not control."
> >>
> >> Yep.
> >>
> >> "The fact is, foreign governments help other countries enforce their
> >> laws through mutual assistance treaties and other mechanisms all the time."
> >>
> >> Yep. Except that in America, the government *can't* help enforce many
> >> parts of the GDPR. The courts prohibit them from doing it. You walk
> >> into an American court waving a GDPR writ and it doesn't matter how many
> >> EU bureaucrats sign it: if it intrudes on an American citizen's freedom
> >> of speech the government is prohibited from participating. This is
> >> bog-standard American Constitutional law.
> >
> > So as an example, US SKS key server operators do not have to honor
> > removal request (in this case shut-down the server) from EU citizens,
> > when they receive a letter from a lawyer?
> >
> > I remember also that plenty of US sites (small and large), where I
> > did business with, asked for my consent as EU citizen, when they
> > changed their privacy policy once the GDPR took place.
> >
> >> It does not apply to US companies, except those that have business units
> >> in the EU or have extensive business ties with the EU.
> >
> > Has an US SKS key server operator then not 'business' ties with EU
> > citizens, when storing their personal data like name and email address?
> >
> > And has Mr. Rude then the right to freely distribute this data, without
> > protecting it, to the whole world? If that is the case then EU citizens
> > having 'business' with the US can do the same with US citizens data.
> >
> > Well, just my thoughts.
> >
> > Regards
> > Stefan
> >
> > --
> > box: 4a64758de9e8ceded2c481ee526440687fe2f3a828e3a813f87753ad30847b56
> > GPG: C93E252DFB3B4DB7EAEB846AD8D464B35E12AB77 (avail. on Hagrid, WKD)
>
> ---
> Hendrik Visage
> HeViS.Co Systems Pty Ltd
> T/A Envisage Systems / Envisage Cloud Solutions
> +27-84-612-5345 or +27-21-945-1192
> [hidden email]
In reply to this post by Robert J. Hansen-3
I thought SKS and PGP-keys is about one's ability to hide private data (by encryption). GDPR is also about one's ability to hide private data (by having private data, that can be used in correlations, removed from large databases).

Yet, SKS administrators who apparently live outside the EU argue strongly that there is no need for them to support GDPR.

To me, it is very strange to read one strongly supports one form of privacy, while totally ignoring other forms. In fact it seems to me these operators are not only ignoring other forms, but it seems they do not even acknowledge the fact that to *some* people in the world the other (GDPR) form may be very important as well.

Remember, people in different parts of the world do have different values and different needs.

Arnold

On 15-08-2019 18:39, Robert J. Hansen wrote:
>> Well, it was just one of many example sites...
>
> Again: I'm going to go with the real advice given to me by real lawyers.
>
>> So as an example, US SKS key server operators do not have to honor
>> removal request (in this case shut-down the server) from EU citizens,
>> when they receive a letter from a lawyer?
>
> Depends on the individual. I rarely travel to Europe and have no
> financial holdings there. It gives me a great ability to say "no, I'm
> not signatory to your treaty, go away." Other Americans may have enough
> ties to Europe to make it possible for EU courts to apply leverage.
>
>> I remember also that plenty of US sites (small and large), where I
>> did business with, asked for my consent as EU citizen, when they
>> changed their privacy policy once the GDPR took place.
>
> Some of them do business in Europe and are susceptible to pressure by
> the EU. Some of them were just jumping on the bandwagon.
>
>> Has an US SKS key server operator then not 'business' ties with EU
>> citizens, when storing their personal data like name and email address?
>
> No. Those are considered facts no different than tracking a name and
> phone number. Mere facts cannot be suppressed by the United States
> government; citizens are allowed to share them to our heart's content.
>
>> And has Mr. Rude then the right to freely distribute this data, without
>> protecting it, to the whole world?
>
> I don't know anything about him or where he lives or which laws he must
> follow.
One could argue the inverse, to me it's very strange that administrators of a scheme designed from the onset to be resilient to governmental scale interference would widely open their arms to multinational scale interference.

It's about pretty good privacy, not perfect privacy.. by design w/PGP and SKS, public keys are designed to be public, and not private.. in order to keep the private part secure, allowing people to arbitrarily purge public data entirely undermines the entire thing.

-Ryan

On Thu, Aug 15, 2019 at 6:39 PM Arnold <[hidden email]> wrote:
> I thought SKS and PGP-keys is about one's ability to hide private data (by