The pool is shrinking


Re: The pool is shrinking

H Visage
Yakamo,

Hmmm… please define/explain how servers hosted in the Republic of South Africa are subject to the GDPR? (We have our own/similar version, but NOT the GDPR.)



On 13 Aug 2019, at 15:59 , [hidden email] wrote:

They are!

Yakamo

On Tue, 13 Aug 2019 08:57:37 -0500
Travis Megee <[hidden email]> wrote:

You're also assuming all admins are subject to GDPR.

Travis

On 8/13/2019 8:56 AM, [hidden email] wrote:
Also, I would like to point out that this is Kristian covering his own ass, not the admins!

Please read it again!

Yakamo


On Tue, 13 Aug 2019 15:46:39 +0200
Tobias Frei <[hidden email]> wrote:

Hi Yakamo,

Have you already seen these two messages?

https://lists.nongnu.org/archive/html/sks-devel/2019-02/msg00070.html

https://lists.nongnu.org/archive/html/sks-devel/2019-03/msg00026.html

Best regards
Tobias Frei

Am 13.08.19 um 15:41 schrieb [hidden email]:
Hi Boti,

SKS servers are breaking the GDPR in multiple ways; it's just a matter of time before something happens.

All it would take is one motivated person and things get serious real quick.

Especially, I would say, right now for the admin of mattrude or any others allowing the free distribution of the keys to any third party via dumps, without user consent, which doesn't work with the GDPR at all. This is sure to turn into a nightmare real fast for those admins.

Yakamo


On Tue, 13 Aug 2019 09:02:20 +0200
[hidden email] wrote:

In many EU countries there was a grace period to let firms fully complete their GDPR implementation.

However, the GDPR has been in effect for the last two years, and authorities still had a so-called "soft" penalty or no-penalty, warn-only practice, which is nearly over.

In the mid and longer term the penalty fees will be harmonized. Today every country has its own penalty fees and penalty practice.

There are no more exceptions anymore, such as it being technically impossible to delete data, etc.

So will blockchain be illegal, along with SKS, in the EU if the stored data has PI records?

Cheers,
   Boti
_______________________________________________
Sks-devel mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/sks-devel


---
Hendrik Visage
HeViS.Co Systems Pty Ltd
T/A Envisage Systems / Envisage Cloud Solutions
+27-84-612-5345 or +27-21-945-1192
[hidden email]

Re: The pool is shrinking

Robert J. Hansen-3
In reply to this post by stuff
> They are!

No, they're not.

GDPR only applies to business entities that trade with EU citizens in EU
member nations.  If a German boards a flight in Colorado to travel to
Texas, they don't get to claim GDPR protections on their tickets.  It's
once the flight connects to an EU member state the airline has to worry
about GDPR.

There are (or at least were) a large number of US-based keyserver
operators who were immune to the GDPR.


Re: The pool is shrinking

SKS Devel mailing list
None of that is correct. The GDPR does not only apply to business
entities, it does not only apply to trade, it does not only apply to EU
citizens and it does not only apply in EU member nations. For a short
introduction, look at this article:
<https://kirkpatrickprice.com/blog/what-is-gdpr-personal-data-and-who-is-a-gdpr-data-subject/>


Whether or not it is possible to actually enforce the GDPR outside the
EU, however, is a different story.

On 13.08.19 17:00, Robert J. Hansen wrote:

>> They are!
> No, they're not.
>
> GDPR only applies to business entities that trade with EU citizens in EU
> member nations.  If a German boards a flight in Colorado to travel to
> Texas, they don't get to claim GDPR protections on their tickets.  It's
> once the flight connects to an EU member state the airline has to worry
> about GDPR.
>
> There are (or at least were) a large number of US-based keyserver
> operators who were immune to the GDPR.
>

Re: The pool is shrinking

Tobias Mueller
In reply to this post by Robert J. Hansen-3
Hi,

On Tue, 2019-08-13 at 11:00 -0400, Robert J. Hansen wrote:
> > They are!
>
> No, they're not.
I think your assessment is wrong.

>
> There are (or at least were) a large number of US-based keyserver
> operators who were immune to the GDPR.

I fail to see how this is in accordance with the GDPR.
Section 3.2 states¹:

> This Regulation applies to the processing of personal data of data
> subjects who are in the Union by a controller or processor not
> established in the Union, where the processing activities are related
> to:
>
>     the offering of goods or services, irrespective of whether a
> payment of the data subject is required, to such data subjects in the
> Union

This is exactly the case for OpenPGP Keyservers.

Cheers,
  Tobi

1: https://gdpr-info.eu/art-3-gdpr/ 



Re: The pool is shrinking

Ryan Hunt-3
The EU can write whatever it wants down on a piece of paper, but that doesn't mean it's anything more than a piece of paper to me... they have no authority here, I don't recognize their authority and there is absolutely nothing that they can do about it.. So it doesn't really matter if they say it's applicable to me, because it's not.

Argue semantics until you're blue in the face; the end result is that nobody doing business with or within the EU has any obligation whatsoever to even concern themselves with the GDPR.. and that's never going to change, regardless of what everyone's opinions are on the matter.

-R

On Tue, Aug 13, 2019 at 9:40 AM Tobias Mueller <[hidden email]> wrote:
Hi,

On Tue, 2019-08-13 at 11:00 -0400, Robert J. Hansen wrote:
> > They are!
>
> No, they're not.
I think your assessment is wrong.

>
> There are (or at least were) a large number of US-based keyserver
> operators who were immune to the GDPR.

I fail to see how this is in accordance with the GDPR.
Section 3.2 states¹:

> This Regulation applies to the processing of personal data of data
> subjects who are in the Union by a controller or processor not
> established in the Union, where the processing activities are related
> to:
>
>     the offering of goods or services, irrespective of whether a
> payment of the data subject is required, to such data subjects in the
> Union

This is exactly the case for OpenPGP Keyservers.

Cheers,
  Tobi

1: https://gdpr-info.eu/art-3-gdpr/



Re: The pool is shrinking

Robert J. Hansen-3
In reply to this post by Tobias Mueller
>> There are (or at least were) a large number of US-based keyserver
>> operators who were immune to the GDPR.
>
> I fail to see how this is in accordance with the GDPR.

The EU is free to claim whatever authority it wants, but until it can
enforce that authority it's bluster.  If I, as a US citizen with no
overseas business ties, receive a GDPR notice, I'm going to laugh and
throw it away as it's not binding within the US.  The EU can't even haul
me into court over it.


Re: The pool is shrinking

Philihp Busby
In reply to this post by Ryan Hunt-3
You should respect their right to privacy, if not for legal reasons, then for moral ones.


Re: The pool is shrinking

Ryan Hunt-3
I don't believe anything you do in public has any expectation of privacy.. no moral qualms about it.


Re: The pool is shrinking

Tobias Mueller
In reply to this post by Robert J. Hansen-3
Hi,

On Tue, 2019-08-13 at 11:59 -0400, Robert J. Hansen wrote:
>   If I, as a US citizen with no
> overseas business ties, receive a GDPR notice, I'm going to laugh and
> throw it away as it's not binding within the US.  The EU can't even
> haul me into court over it.
Fair enough. Then you're ignoring the consequences (or rather believe
that none exist) rather than saying that the GDPR wouldn't apply to US-
based operators.
Your assessment of the situation was wrong and deserved to be refuted.

Cheers,
  Tobi



Re: The pool is shrinking

Robert J. Hansen-3
> Fair enough. Then you're ignoring the consequences (or rather believe
> that none exist) rather than saying that the GDPR wouldn't apply to US-
> based operators.

Enforcement is the sine qua non of law.  GDPR does not apply to purely
US-based operators because there is no way for the EU to either compel
our compliance or punish our noncompliance.


Re: The pool is shrinking

Stefan Claas
In reply to this post by Kiss Gabor (Bitman)
Robert J. Hansen wrote:

> Enforcement is the sine qua non of law.  GDPR does not apply to purely
> US-based operators because there is no way for the EU to either compel
> our compliance or punish our noncompliance.

Please have a read:

https://gdpr.eu/compliance-checklist-us-companies/

If this applies to US companies, do you think non-profit US SKS operators are
exempted?

I kindly request that Mr. Rude, for example, no longer provides key dumps to
the whole world, containing EU citizens data, without EU citizens consent.

https://keyserver.mattrude.com/dump/

Regards
Stefan

--
box: 4a64758de9e8ceded2c481ee526440687fe2f3a828e3a813f87753ad30847b56
GPG: C93E252DFB3B4DB7EAEB846AD8D464B35E12AB77 (avail. on Hagrid, WKD)


Re: The pool is shrinking

H Visage


On 15 Aug 2019, at 00:29 , Stefan Claas <[hidden email]> wrote:


Interesting wordings, ie.

The law also includes the threat of large fines for non-compliance, which can reach 4% of global revenue or €20 million, depending on the severity and circumstances 

We recommend

So far, the EU’s reach has not been tested, 

can help avoid drawing scrutiny from EU regulatory authorities

---
Hendrik Visage


Re: The pool is shrinking

Tobias Frei
In reply to this post by Stefan Claas
I guess I'm pointing out the obvious to most readers, but despite that official-looking domain name, 

"This is not an official EU Commission or Government resource. The europa.eu webpage concerning GDPR can be found here [link removed]. Nothing found in this portal constitutes legal advice." 

Re: The pool is shrinking

Robert J. Hansen-3
In reply to this post by Stefan Claas
> Please have a read:

Did.

I'm going to believe the privacy lawyer I pay $450 an hour to more than
I'm going to trust a sketchy website that's not even officially
affiliated with the EU.  Quoting from it:

"You may be wondering how the European Union will enforce a law in
territory it does not control."

Yep.

"The fact is, foreign governments help other countries enforce their
laws through mutual assistance treaties and other mechanisms all the time."

Yep.  Except that in America, the government *can't* help enforce many
parts of the GDPR.  The courts prohibit them from doing it.  You walk
into an American court waving a GDPR writ and it doesn't matter how many
EU bureaucrats sign it: if it intrudes on an American citizen's freedom
of speech the government is prohibited from participating.  This is
bog-standard American Constitutional law.

"GDPR Article 50 addresses this question directly."

No it doesn't.  Have you *read* Article 50?  "In relation to third
countries and international organisations, the Commission and
supervisory authorities shall take appropriate steps to..."

It doesn't enact *anything*.  All it says is, "We want the Commission to
do X.  We don't know if it's even possible to do X.  We don't really
care.  We're ordering them to do X anyway."

It's great to have aspirations, but Article 50 isn't even *law*.  All it
says is, "we're instructing our guys to look into it."

> If this applies to US companies do you think non-profit US SKS operators are
> excempted?

It does not apply to US companies, except those that have business units
in the EU or have extensive business ties with the EU.

Doesn't apply to me.  Have a nice day.  :)


Re: The pool is shrinking

Stefan Claas
Robert J. Hansen wrote:

> I'm going to believe the privacy lawyer I pay $450 an hour to more than
> I'm going to trust a sketchy website that's not even officially
> affiliated with the EU.

Well, it was just one of many example sites that come up when one googles
for "has the US comply to the GDPR". If one does the same, he will
also find US sites giving US citizens advice.

> Quoting from it:
>
> "You may be wondering how the European Union will enforce a law in
> territory it does not control."
>
> Yep.
>
> "The fact is, foreign governments help other countries enforce their
> laws through mutual assistance treaties and other mechanisms all the time."
>
> Yep.  Except that in America, the government *can't* help enforce many
> parts of the GDPR.  The courts prohibit them from doing it.  You walk
> into an American court waving a GDPR writ and it doesn't matter how many
> EU bureaucrats sign it: if it intrudes on an American citizen's freedom
> of speech the government is prohibited from participating.  This is
> bog-standard American Constitutional law.

So as an example, US SKS key server operators do not have to honor
removal request (in this case shut-down the server) from EU citizens,
when they receive a letter from a lawyer?

I also remember that plenty of US sites (small and large) with which I
did business asked for my consent as an EU citizen when they
changed their privacy policy once the GDPR took effect.

> It does not apply to US companies, except those that have business units
> in the EU or have extensive business ties with the EU.

Does a US SKS key server operator then not have 'business' ties with EU
citizens when storing their personal data, like name and email address?

And does Mr. Rude then have the right to freely distribute this data, without
protecting it, to the whole world? If that is the case, then EU citizens
having 'business' with the US can do the same with US citizens' data.

Well, just my thoughts.

Regards
Stefan


Re: The pool is shrinking

Robert J. Hansen-3
> Well, it was just one of many example sites...

Again: I'm going to go with the real advice given to me by real lawyers.

> So as an example, US SKS key server operators do not have to honor
> removal request (in this case shut-down the server) from EU citizens,
> when they receive a letter from a lawyer?

Depends on the individual.  I rarely travel to Europe and have no
financial holdings there.  It gives me a great ability to say "no, I'm
not signatory to your treaty, go away."  Other Americans may have enough
ties to Europe to make it possible for EU courts to apply leverage.

> I remember also that plenty of US sites (small and large), where I
> did business with, asked for my consent as EU citizen, when they
> changed their privacy policy once the GDPR took place.

Some of them do business in Europe and are susceptible to pressure by
the EU.  Some of them were just jumping on the bandwagon.

> Has an US SKS key server operator then not 'business' ties with EU
> citizens, when storing their personal data like name and email address?

No.  Those are considered facts no different than tracking a name and
phone number.  Mere facts cannot be suppressed by the United States
government; citizens are allowed to share them to our heart's content.

> And has Mr. Rude then the right to freely distribute this data, without
> protecting it, to the whole world?

I don't know anything about him or where he lives or which laws he must
follow.


Exploiting GDPR (Re: The pool is shrinking)

H Visage
In reply to this post by Stefan Claas
And then reading Cryptogram this month: 

Exploiting GDPR to Get Private Information

[2019.08.13] A researcher abused the GDPR to get information on his fiancee:

It is one of the first tests of its kind to exploit the EU's General Data Protection Regulation (GDPR), which came into force in May 2018. The law shortened the time organisations had to respond to data requests, added new types of information they have to provide, and increased the potential penalty for non-compliance.

"Generally if it was an extremely large company -- especially tech ones -- they tended to do really well," he told the BBC.

"Small companies tended to ignore me.

"But the kind of mid-sized businesses that knew about GDPR, but maybe didn't have much of a specialised process [to handle requests], failed."

He declined to identify the organisations that had mishandled the requests, but said they had included:

a UK hotel chain that shared a complete record of his partner's overnight stays
two UK rail companies that provided records of all the journeys she had taken with them over several years
a US-based educational company that handed over her high school grades, mother's maiden name and the results of a criminal background check survey.



Re: Exploiting GDPR (Re: The pool is shrinking)

stuff
That title is actually clickbait!

He didn't exploit anything about the GDPR; he just found someone stupid who didn't know how the law worked.

The problem was the company mishandling his request!

Yakamo

On Thu, 15 Aug 2019 20:56:59 +0200
Hendrik Visage <[hidden email]> wrote:

> And then reading Cryptogram this month:
> https://www.schneier.com/blog/archives/2019/08/exploiting_gdpr.html <https://www.schneier.com/blog/archives/2019/08/exploiting_gdpr.html>

Re: The pool is shrinking

Arnold-27
In reply to this post by Robert J. Hansen-3
I thought SKS and PGP keys are about one's ability to hide private data (by
encryption). GDPR is also about one's ability to hide private data (by having
private data that can be used in correlations removed from large databases). Yet,
SKS administrators who apparently live outside the EU argue strongly that there is
no need for them to support GDPR.

To me, it is very strange to read that one strongly supports one form of privacy while
totally ignoring other forms. In fact, it seems to me these operators are not only
ignoring other forms, but it seems they do not even acknowledge the fact that to
*some* people in the world the other (GDPR) form may be very important as well.
Remember, people in different parts of the world do have different values and
different needs.

Arnold

On 15-08-2019 18:39, Robert J. Hansen wrote:

>> Well, it was just one of many example sites...
>
> Again: I'm going to go with the real advice given to me by real lawyers.
>
>> So as an example, US SKS key server operators do not have to honor
>> removal requests (in this case, shut down the server) from EU citizens
>> when they receive a letter from a lawyer?
>
> Depends on the individual.  I rarely travel to Europe and have no
> financial holdings there.  It gives me a great ability to say "no, I'm
> not signatory to your treaty, go away."  Other Americans may have enough
> ties to Europe to make it possible for EU courts to apply leverage.
>
>> I remember also that plenty of US sites (small and large) with which I
>> did business asked for my consent as an EU citizen when they
>> changed their privacy policy once the GDPR took effect.
>
> Some of them do business in Europe and are susceptible to pressure by
> the EU.  Some of them were just jumping on the bandwagon.
>
>> Does a US SKS key server operator then not have 'business' ties with EU
>> citizens when storing their personal data like name and email address?
>
> No.  Those are considered facts no different than tracking a name and
> phone number.  Mere facts cannot be suppressed by the United States
> government; citizens are allowed to share them to our heart's content.
>
>> And does Mr. Rude then have the right to freely distribute this data, without
>> protecting it, to the whole world?
>
> I don't know anything about him or where he lives or which laws he must
> follow.
>
>

Re: The pool is shrinking

Ryan Hunt-3
One could argue the inverse: to me it's very strange that administrators of a scheme designed from the onset to be resilient to governmental-scale interference would widely open their arms to multinational-scale interference.

It's about pretty good privacy, not perfect privacy. By design with PGP and SKS, public keys are designed to be public, not private, in order to keep the private part secure; allowing people to arbitrarily purge public data entirely undermines the entire thing.

-Ryan

On Thu, Aug 15, 2019 at 6:39 PM Arnold <[hidden email]> wrote: