Re: First Amendment and Marines?
I go away for the weekend, and my mailbox catches fire... ;-)

On 29/01/2022 16:38, jonkomer via Gnupg-users wrote:
> (a) Unfortunately, OpenPG email encryption is incompatible
> with GDPR and should not be used by those that either want
> or need to be GDPR compliant.

This is not so; the use of email encryption *improves* GDPR compliance.

> (b) GDPR appears to be a topic that, for some strange reason,
> elicits emotional reactions by the OpenPG creators and
> maintainers.

GDPR elicits interesting reactions in general! ;-)

> (c) GPG and OpenPG appear to be very much US-centric
> endeavours. That fact ought to be taken into account by the
> new users.

On the contrary, Europe is (in my experience) over-represented in the OpenPGP development community, and there has been extensive discussion of its implications for PGP both in this group and elsewhere.

> If the ultimate goal of OpenPG is the wider adaption of
> encrypted e-mail, finding technical means to make it usable
> by those that *wish to be GDPR compliant* - without forcing
> such MO on everyone - appears to be a worthwhile effort.

Agreed in general, however I'm not sure what you mean by "forcing such MO on everyone".

A

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: First Amendment and Marines?
On 30/01/2022 10:12, Klaus Ethgen wrote:
>
> When it comes to keyservers, with the same argument you could state that
> bitcoin is illegal. (No information in the key chain can be removed. And
> there is even child porn inside that key chain that could never ever
> again be removed!)
>
> There are more technologies out there where information, once in, could
> never be removed again.

Yes, and this is both morally and legally terrifying. The fact that nobody has yet been taken to court over this particular issue merely makes the legality of it "untested".

A
Re: First Amendment and Marines?
On 30.01.22 at 15:44, Johan Wevers via Gnupg-users wrote:
> On 29-01-2022 18:58, Robert J. Hansen via Gnupg-users wrote:
>
>> But if you're an American without EU ties, the GDPR is yet another piece
>> of foreign legislation we don't need to pay attention to. And when
>> Europeans baldly say "the GDPR applies worldwide, you must follow it,"
>> what we hear is "the EU overrides your silly Constitution."
>
> However, the opposite also occurs: some US companies appear to be
> shocked when I, as a European without any ties to the US, claim I won't
> comply to a DMCA request because we don't have such a law here.

With Directive 2001/29/EC, there is indeed a similar law in Europe, but it does not have the same broad scope as the DMCA.

--
Juergen Bruckner
juergen@bruckner.email
Re: First Amendment and Marines?
> However, the opposite also occurs: some US companies appear to be
> shocked when I, as a European without any ties to the US, claim I won't
> comply to a DMCA request because we don't have such a law here.

Yes! And when American companies are so foolish as to demand an EU citizen comply with a DMCA takedown notice, I encourage you to laugh at the silliness. :)
Re: First Amendment and Marines?
On 29-01-2022 18:58, Robert J. Hansen via Gnupg-users wrote:
> But if you're an American without EU ties, the GDPR is yet another piece
> of foreign legislation we don't need to pay attention to. And when
> Europeans baldly say "the GDPR applies worldwide, you must follow it,"
> what we hear is "the EU overrides your silly Constitution."

However, the opposite also occurs: some US companies appear to be shocked when I, as a European without any ties to the US, claim I won't comply to a DMCA request because we don't have such a law here.

--
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
Re: First Amendment and Marines?
Hi,

On Sat, 29 Jan 2022 at 17:38, jonkomer via Gnupg-users wrote:
> (a) Unfortunately, OpenPG email encryption is incompatible
> with GDPR and should not be used by those that either want
> or need to be GDPR compliant.

That is, simply to say, nonsense. There is nothing related to that GDPR law that is OpenPGP related. (Independent of the fact that the GDPR is stupidly made.)

When it comes to keyservers, with the same argument you could state that bitcoin is illegal. (No information in the key chain can be removed. And there is even child porn inside that key chain that could never ever again be removed!)

There are more technologies out there where information, once in, could never be removed again.

Regards
Klaus

Ps. By the way, I am neither a maintainer nor the creator of GnuPG or the OpenPGP standard.

--
Klaus Ethgen http://www.ethgen.ch/
pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen
Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C
Re: First Amendment and Marines?
On 1/29/2022 at 11:06 PM, "Mauricio Tavares via Gnupg-users" wrote:
> The patient can choose any, all, any combination, or none of them.
> And still get treatment.
>
> Can you provide which regulation states that? I could have used it many times.

=

It's in the HIPAA act which requires the patient's consent to share the data, and is in the pre-treatment or pre-hospitalization consent form itself.

The worst the hospital can do, if the person refuses release to the Insurance Company, is to bill the patient as self-pay. The hospital cannot refuse treatment.

Can't speak about Covid, because *The Science* seems to vary between conservative and liberal states. There are many horror stories, but it is not for this mailing list.

Vedaal
Re: First Amendment and Marines?
On Sat, Jan 29, 2022 at 10:17 PM vedaal via Gnupg-users wrote:
>
> On 1/29/2022 at 5:39 PM, "Mauricio Tavares via Gnupg-users" wrote
>
> Not quite. It cares about personal data from people residing in
> Europe at the time said data was collected. And even then, you need to
> be targeting EU/EEA residents. So, if a German citizen goes to FL and
> needs to stop at the emergency care to have a shark bite taken care
> of, that data now is owned by the hospital forever, which will figure
> out how to make money with it without asking permission.
>
> =
>
> This is NOT true,
> (but may make sense to someone who has never been a hospital patient in the US.)
>
> Every hospitalized patient is given a consent form prior to treatment, which they may edit or refuse to sign.
> -It allows release of medical information to the Insurance Carrier,
> -to the Patient's private Physician,
> -to a third party designated by the patient as a 'next-of-kin-with medical proxy', should the patient not be in a condition to make decisions,
> -or to a third party statistical group following the frequency and outcome of a particular condition requiring hospitalization.
>

1. I myself have been told on more than one occasion by floor supervisors I would not get service at a certain state-owned medical institution unless I signed the consent form. I believe that is also the case with covid vaccines.

2. I sat in a presentation by a certain university owned hospital about how to get access to their patients' data for research. They did state once the data is in their system, it is theirs. Yes, since they are a *medical* organization (this is a subtle detail most people are not aware of) they are subject to HIPAA, but the data is now theirs. And that while a patient could oppose having his data used, he would have to fill out the forms for each and every single research data, which meant he had to be aware that the data was going to be used in the research. That was one of the questions *I* asked. I also asked about GDPR, to which they replied "oh, we have no European data." I did get an earful from my boss because of those questions, but hey.

3. Note the data offered was not necessarily deidentified. Let me rephrase it: deidentification of data per HIPAA, FERPA, the Privacy Act of 1974 (and its revisions), and NIST SP 800 series is at best pseudonymized data per GDPR. So, to quote https://www.theverge.com/2021/6/23/22547397/medical-records-health-data-hospitals-research, it is a "privacy placebo." (I really like that term)

4. https://www.nejm.org/doi/full/10.1056/NEJMp2102616 talks about "deidentified" EHR data being aggregated and sold.

> The patient can choose any, all, any combination, or none of them.
> And still get treatment.
>

Can you provide which regulation states that? I could have used it many times.

>
> Vedaal
Re: First Amendment and Marines?
On 1/29/2022 at 5:39 PM, "Mauricio Tavares via Gnupg-users" wrote

> Not quite. It cares about personal data from people residing in
> Europe at the time said data was collected. And even then, you need to
> be targeting EU/EEA residents. So, if a German citizen goes to FL and
> needs to stop at the emergency care to have a shark bite taken care
> of, that data now is owned by the hospital forever, which will figure
> out how to make money with it without asking permission.

=

This is NOT true,
(but may make sense to someone who has never been a hospital patient in the US.)

Every hospitalized patient is given a consent form prior to treatment, which they may edit or refuse to sign.
-It allows release of medical information to the Insurance Carrier,
-to the Patient's private Physician,
-to a third party designated by the patient as a 'next-of-kin-with medical proxy', should the patient not be in a condition to make decisions,
-or to a third party statistical group following the frequency and outcome of a particular condition requiring hospitalization.

The patient can choose any, all, any combination, or none of them.
And still get treatment.

Vedaal
Re: First Amendment and Marines?
On Sat, Jan 29, 2022 at 12:59 PM Robert J. Hansen via Gnupg-users wrote:
>
> > I was simply trying to help an organization
> > that is, for *their own good business reasons* very much
> > motivated to adhere to GDPR, use existing IT infrastructure
> > to move to a more secure method of communication.
>
> And, for those people and businesses who have to do business with the
> EU, the GDPR is worth complying with even when it's not strictly
> enforceable. For instance, United States airline companies that fly
> into the EU voluntarily comply with the GDPR for EU citizens flying
> within the United States, because if they don't they might find their
> access to European airports restricted.
>
> But if you're an American without EU ties, the GDPR is yet another piece
> of foreign legislation we don't need to pay attention to. And when

Not quite. It cares about personal data from people residing in Europe at the time said data was collected. And even then, you need to be targeting EU/EEA residents. So, if a German citizen goes to FL and needs to stop at the emergency care to have a shark bite taken care of, that data now is owned by the hospital forever, which will figure out how to make money with it without asking permission.

> Europeans baldly say "the GDPR applies worldwide, you must follow it,"
> what we hear is "the EU overrides your silly Constitution."

One can argue that the US has done the same. Some of it -- if you want to do business in the US, you better follow American rules -- makes sense though, but we are digressing here.

> At which point we tell you to have that argument with the Marines,
> please. That position you're pushing is a thoroughly silly one, and it
> deserves to be called out as such.
>
> I don't hate you. I don't dislike you. I don't hold you in contempt.
> In fact, I don't even *know* you. You said something many Americans
> find very silly, and we laughed. That's all that happened. :)
>
> > (a) Unfortunately, OpenPG email encryption is incompatible
> > with GDPR and should not be used by those that either want
> > or need to be GDPR compliant.
>
> No, it's quite possible to be GDPR compliant, as evidenced by the fact
> the German government has adopted it. I'm pretty sure the German
> government has a number of lawyers specializing in EU regulation, and
> they're fine with it.
>

I not only agree but also would add that the Bundesamt für Sicherheit in der Informationstechnik (German Federal Office for Information Security) itself, which handles computer and communication security -- critical infrastructure protection, internet security, certification of security products -- for the German government, uses it. Badly at times[1], but that is another bag of cats.

> Perhaps you might want to ask, "how is the German government complying
> with GDPR?"
>

Better than the Irish government, but once again I digress.

> > (c) GPG and OpenPG appear to be very much US-centric
> > endeavours.
>
> It's not.

I agree. Given that it is open source, you can run your own setup completely independently, including web of trust. Therefore, you can control data lifetime.

[1] https://www.somethingofdoom.com/2021/11/german-federal-office-for-information.html
Re: First Amendment and Marines?
On Saturday, 29 January 2022 17:38:24 CET jonkomer via Gnupg-users wrote:
> Posting the question was worthwhile, as I have learned
> that:
>
> (a) Unfortunately, OpenPG email encryption is incompatible
> with GDPR and should not be used by those that either want
> or need to be GDPR compliant.

I disagree with this conclusion. For example, you could use OpenPGP keys with pseudonymous user ids or even with identical user ids. Obviously, this would make using OpenPGP more difficult because the email clients couldn't easily map OpenPGP keys to email addresses. OTOH, some email clients actually support mapping of OpenPGP keys to contacts. Maybe even the company's internal address book could be used for this. This way uploading those OpenPGP keys to keyservers wouldn't leak email addresses.

Arguably, the OpenPGP keys themselves could still be considered as person identifiable information. In this case, you might want to use symmetric encryption (which OpenPGP also supports). But that makes using encryption even more difficult because now you have to share the passwords used for symmetric encryption and, at the same time, make sure that those passwords are kept secret.

> (b) GDPR appears to be a topic that, for some strange reason,
> elicits emotional reactions by the OpenPG creators and
> maintainers.

I don't know who you mean by "the OpenPGP creators and maintainers". Neither Phil Zimmermann, the original author of PGP, nor Werner Koch, the original author and maintainer of GnuPG, have participated in this thread. OTOH, some people who have replied to you are also on the mailing list where the future of the OpenPGP standard is discussed.

> (c) GPG and OpenPG appear to be very much US-centric
> endeavours. That fact ought to be taken into account by the
> new users.

I find it ironic that you are accusing GnuPG of being a US-centric endeavor. You really need to do some more research before jumping to such absurd conclusions.

Regards,
Ingo
Re: First Amendment and Marines?
Small correction: The standard is called OpenPGP, not OpenPG.

IIRC, OpenPGP is an open protocol specification by the IETF that succeeded the original proprietary Pretty Good Privacy.

GNU Privacy Guard (often abbreviated to GnuPG or GPG), the software this mailing list is for, is merely one implementation of the standard (albeit an extremely widespread one).

Sorry if I come across condescending, my intention is only to avoid misunderstandings.

--
Jonas Tobias Hopusch
OpenPGP Keys for encrypted communication are available via Web Key Directory (WKD) or from https://downloads.jotoho.de/openpgp/
Re: First Amendment and Marines?
> I was simply trying to help an organization
> that is, for *their own good business reasons* very much
> motivated to adhere to GDPR, use existing IT infrastructure
> to move to a more secure method of communication.

And, for those people and businesses who have to do business with the EU, the GDPR is worth complying with even when it's not strictly enforceable. For instance, United States airline companies that fly into the EU voluntarily comply with the GDPR for EU citizens flying within the United States, because if they don't they might find their access to European airports restricted.

But if you're an American without EU ties, the GDPR is yet another piece of foreign legislation we don't need to pay attention to. And when Europeans baldly say "the GDPR applies worldwide, you must follow it," what we hear is "the EU overrides your silly Constitution."

At which point we tell you to have that argument with the Marines, please. That position you're pushing is a thoroughly silly one, and it deserves to be called out as such.

I don't hate you. I don't dislike you. I don't hold you in contempt. In fact, I don't even *know* you. You said something many Americans find very silly, and we laughed. That's all that happened. :)

> (a) Unfortunately, OpenPG email encryption is incompatible
> with GDPR and should not be used by those that either want
> or need to be GDPR compliant.

No, it's quite possible to be GDPR compliant, as evidenced by the fact the German government has adopted it. I'm pretty sure the German government has a number of lawyers specializing in EU regulation, and they're fine with it.

Perhaps you might want to ask, "how is the German government complying with GDPR?"

> (c) GPG and OpenPG appear to be very much US-centric
> endeavours.

It's not.
First Amendment and Marines?
My personal preferences have nothing to do with the topic discussed here. I was simply trying to help an organization that is, for *their own good business reasons* very much motivated to adhere to GDPR, use existing IT infrastructure to move to a more secure method of communication.

I was the one to suggest to them to use e-mail and OpenPG encryption. The reasons were two-fold: first to avoid one of those centralized, web-browser based, single-point-of-failure, essentially insecure communication setups so common today; the second was to make their members' communication interoperable with general Internet population in order to increase the organization's visibility and promote wider adoption of encrypted e-mail.

I posted my original question only in order to find out some technical details on how to do that.

Posting the question was worthwhile, as I have learned that:

(a) Unfortunately, OpenPG email encryption is incompatible with GDPR and should not be used by those that either want or need to be GDPR compliant.

(b) GDPR appears to be a topic that, for some strange reason, elicits emotional reactions by the OpenPG creators and maintainers.

(c) GPG and OpenPG appear to be very much US-centric endeavours. That fact ought to be taken into account by the new users.

If the ultimate goal of OpenPG is the wider adaption of encrypted e-mail, finding technical means to make it usable by those that *wish to be GDPR compliant* - without forcing such MO on everyone - appears to be a worthwhile effort.

I thank again all that have contributed their answers, comments and opinions.

Jon K.