My short response to all of that is: "meh".

Less briefly: Technically, I think you're right. The whole keyserver system doesn't appear to work at all against GDPR. But equally, a _system_ like ours doesn't seem a very likely target of any regulators. The law was mostly envisioned to keep *companies* in line - not a disparate collection of individuals running a service as a hobby. After all, most European countries already had existing individual privacy laws that the keyservers were theoretically already in breach of.

I'll personally risk it - but as you note - I'm not a lawyer either. 😉

Regards,
Chris


-----Original Message-----
From: Sks-devel [mailto:sks-devel-bounces+chris=***@nongnu.org] On Behalf Of Moritz Wirth
Sent: 29 April 2018 12:03
To: Fabian A. Santiago <***@garbage-juice.com>; sks-devel <sks-***@nongnu.org>
Subject: Re: [Sks-devel] Implications of GDPR

Hi Fabian,

first of all, I am not a lawyer so you should not rely on my response as it may be wrong :)

- The GDPR applies to all persons and companies who are located in the EU or offering goods, services or who monitor the behavior of EU data subjects - this means that all keyservers are affected regardless where they are physically located. (https://www.eugdpr.org/gdpr-faqs.html)

- Personal Data includes Names, Photos, social posts, IP-Addresses.. (so it seems that everything that can be connected to a person is included here).

- The Right to be forgotten: People have the right to get their data deleted if it is no longer necessary in relation to the purpose they were collected. I think this means that if someone wants to have their data deleted, you have to delete it - given the fact above that some keys include personal name or even photos, you would be required to delete them (even if you are in the USA). However, I am not sure - the text says "the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data." <-- Given the fact that it is not possible to delete data from a keyserver, I am not sure how this would be handled. (Same applies to for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3) but I didnt check on that). (https://gdpr-info.eu/art-17-gdpr/)

- I heard that you must sign (physical) contracts with data processing companies (this may also include Google and Google Analytics, I am not sure about Google Fonts etc but since Google gets your IP...) if you share the data of your user with them (e.g using GA on your site).
("Controller will need to have in place an appropriate contract with any other Controller that it jointly shares data with if that Controller particularly is outside the EU."). Should not really matter (except for Google Fonts) - at the end the use of Tracking services is up to the keyserver admin itself
(https://www.netskope.com/blog/gdpr-data-processing-agreements/)

The first thing I would do is to include a checkbox in the webtemplate that every person who queries or uploads a key via the webinterface agrees to your data policy - in the data policy you should explain what happens when a key is uploaded, that it is distributed to other keyservers, (IPs are collected whatever you do) and that it is not possible to delete keys once they are uploaded.

If someone has more information on this or something to correct feel free to do so :)

Best regards,

Moritz

Hi Moritz,

My understanding is that the section you quoted on the "right to be
forgotten" refers to the controller's (i.e. your) obligation to inform
_other_ controllers processing the data (in this case: other keyserver
operators who, through gossip, have a "copy or replication" of the
personal data) about the data subject's request for deletion. "Technical
measures" in this context would, for instance, be a way to automatically
propagate the deletion to other servers; as this is not possible, you
only have to take "reasonable steps" to inform others, like sending an
email to your peers. If somebody wants you to delete their data, you
will definitely have to delete it, regardless of how difficult this is
to achieve with SKS.

A whole different issue is how you would get a data subject's permission
to process their data in the first place, and how you would notify them
about the fact that you are processing their data, both of which are
required by the GDPR.

Regards

Klaus-Uwe
--
Klaus-Uwe Mitterer

Email: ***@kumi.email

XMPP: ***@kumi.zone
Twitter: @kumitterer
Threema: PEBXP4H3
Telegram: @kumitterer

Skype: kumitterer
Mobile: +43 660 6340166

*** DISCLAIMER ***
This document is only intended for the person to whom it is
addressed. If you have received it, it was obviously addressed to you.
Therefore, you are free to read it, even if I didn't mean to send it to
you. However, if the contents of this email sound gibberish to you, you
were probably not the intended recipient - or you're just a mindless
cretin. If either is the case, you should immediately delete yourself
and destroy your computer. After doing this, please contact me
immediately. Well, obviously you can't use your computer for this, as
you have destroyed it. Also, you deleted yourself. Sorry, I digress...

In case I didn't send this email to you, I sincerely apologize. In
case of non-receipt of this email, I do not take any responsibility,
because it means that either you or your email provider or both use a
Microsoft Windows operating system. You know how glitchy that is, right?

Nor will I accept any liability, tacit or implied, for any damage
you may or may not incur as a result of receiving, or not, as the case
may be, from time to time, notwithstanding all liabilities implied or
otherwise and... erm... you know... whatever the case may be... IT
WASN'T ME. YOU'RE MEAN.

Of course this is possible. You can delete key by using the "sks drop <hash>" command. Now, if I understand it correctly the key will immediately be re-added because of gossiping keyservers. However, it would not be impossible to extend SKS to have a keyserver reject keys from a blacklist that each server admin would maintain, or possibly gossip. (If this does not exist already.)

I imagine this would be a useful instrument for more use-cases than this one. I imagine a server admin based in Germany would get in trouble if someone submitted a key with the user-id "The owner of this server denies the Holocaust", an action that is illegal in Germany. The server admin could get out of the trouble by adding the hash of that key to the blacklist.

I know I am suggesting censorship but it's not like SKS was ever meant to be a secure or reliable channel.

Actually anybody can send in your name and e-mail address (with a fake key
of course).
IMHO the current form of key servers won't survive the GDPR.
We have to destroy it then to rebuild from scratch.

My suggestion a key server should accept keys only with a special
ID record:
"This is a public information as written on http://gdpr.example.com"
or so. That is signed by owner. Whose identity is verified by someone else.
So key server is a toy for the strong set only. At least in the first
few years.

Gabor