sks-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Sks-devel] Keyservers and GDPR


From: Kristian Fiskerstrand
Subject: Re: [Sks-devel] Keyservers and GDPR
Date: Wed, 23 May 2018 12:03:32 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0

On 05/23/2018 11:27 AM, ilf wrote:
> tl;dr: Keep calm and keep running keyservers.
> 
> Vincent Breitmoser:
>> (cross-posting on all the cool pgp lists)
> 
> (I wonder, if this really needs to be an all the four lists. I think
> sks-devel@ might be the most appropriate. Having said that, I'm only
> replying to gnupg-devel@ because I'm not subscribed to address@hidden Feel
> free to relay my message.)

As I think this has a valuable viewpoint I'm posting it to sks-devel.
And yes, this is mostly in line with my own thinking, I don't expect the
need for radical changes unless we see actual attempts to go after the
infrastructure.

> 
>> My personal conclusion is that keyservers that support user id packets
>> are, quite simply, incompatible with GDPR law.
> 
> There is a ton of FUD about the GDPR out there right now. Most of it   
> frivolous. (Actually, a lot of it is deliberate fearmongering by people
> who happen to sell legal advice on the GDPR.)
> 
> First of all, the GDPR is not completely new. All EU member states
> already have data protection laws, some - like Germany - already very 
> strong ones. The concepts (PII, responsibilities, technological and
> organisational measures, information and documentation obligations) have
> already been in place with the old Data Protection Directive from 1995,
> which the GDPR is updating. I admit that the GDPR can be read and
> interpreted in a fatalist way. But most people leaning that way seem to
> not have read the older laws.
> 
> Laws are not set in stone. Laws include leeways, deliberate or
> unintended. Laws do not depend on their interpretation by laypeople.
> There is a huge dedicated system for its interpretation, conflict
> resolve, judgement and enforcement.
> 
> In the case of the GDPR, the very first step of that system are National
> Data Protection Authorities (DPA). They have the power - and the
> responsibility - to investigate possible violations of the GDPR. They
> have been understaffed for years, in many countries dangerously so. They
> are getting a lot more powers and responsibilities with the GDPR, but
> their resources are growing way slower than their tasks. They are simply
> understaffed and overworked. So from all the possible GDPR violations
> they will be notified about, they will work off the biggest and most
> obvious ones first. Their focus will be on the Facebooks - and not on
> small nerd projects or personal websites. They have the power to say "we
> don't care about this weird thing called keyserver" - and the probably
> will.
> 
> Now even if someone found data protection law infringements with a
> keyserver, filed a specific and well-worded legal complaint with a DPA,
> and a DPA found the resources to look into it, and the DPA found some
> violation of the GDPR (four big IFs!) - the DPAs will not go around and
> issue sanctions and fine people. First of all, their job is not to
> generate revenues by fines. Their job is to enforce data protection law.
> If a DPA did find an issue with a keyserver - or the very concept - they
> would reach out and talk to the people running the servers. They would
> hear their perspective, learn more about the very concept - and try to
> work out a viable solution to provide the service without possible data
> protection infringements. This is their job and their goal.
> 
> The most feared sanction of some undefined GDPR violation is a fine. As
> I layed out, DPAs don't want to issue fines, they want to stop privacy
> violations. And they will not blindly issue a fine without talking to
> you first. That being said, they obviously do have the power to issue
> fines. After due process. However, this power is also not new, it has
> also existed in many countries. And DPAs don't run around and fine
> people left and right (you would have heard about that), they exercise
> their power in a balanced way. And fines are always in relation to the
> economic and personal circumstances of the - then guilty and obstinate -
> data protection violators. I guess most keyservers are run by 
> non-profit individuals or institutions. Even if a company runs a
> keyserver, it doesn't make money with that service. Therefore, I think
> the chance of *any* fine is negligible - and the chance of an
> unreasonably high fine is almost zero. And if it ever came to this, the
> community and public alarmed by public outcry would probably donate more
> than the fine issued.
> 
> To sum up: Keep calm and keep running keyservers. You'll be fine.
> 
> More elaboration in German:
> https://netzpolitik.org/2018/bussgelder-bei-datenschutzverstoessen-angst-vor-einem-phantom/
> 
> 
> Disclaimer: IANAL. This is not legal advice.
> 
> 
> 
> _______________________________________________
> Gnupg-devel mailing list
> address@hidden
> http://lists.gnupg.org/mailman/listinfo/gnupg-devel
> 


-- 
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
"I disapprove of what you say, but I will defend to the death your right
to say it."
Evelyn Beatrice Hall (summarizing Voltaire

Attachment: signature.asc
Description: OpenPGP digital signature


reply via email to

[Prev in Thread] Current Thread [Next in Thread]