Re: [Sks-devel] The pool is shrinking

2019-08-15 Thread Robert J. Hansen
Mostly this is a response to Arnold, as for some reason his email never
showed up in my inbox:

> I thought SKS and PGP-keys is about one's ability to hide private
> data (by encryption).

Tools do not have intrinsic purposes.  There's the stuff they're
designed for and there's the stuff they actually wind up getting used
for, and very often the two are nothing alike.

The #1 use of OpenPGP today is for Linux distros to verify system
packages.  That accounts for 95% of all OpenPGP usage -- maybe more.

Tools are just tools.  We, we human beings, are the ones who have
purposes and ambitions and goals.

> GDPR is also about one's ability to hide private data

They are different far more than they are similar.

If I use OpenPGP to secure my communications, I'm not imposing anything
on people who acquire my communications.  If they can break the crypto,
go for it.  If they can't, tough luck.  But I'm not telling people who
already have the data, "oh sorry, you can't have it now."

The GDPR is completely different.  You can give me your personal
information.  I can give you complete up-front disclosure about what
you're getting into.  You can review it, you can decide that yes you
want to do this, you can give me your data... and then, ten years later,
you can force me "hey, I changed my mind, you've got to erase data now."

The OpenPGP model *compels absolutely no one*.  GDPR is built around the
idea *the EU has the right to compel people to delete data.*

I'm an American.  If the EU thinks it has the right to compel me to obey
a law I had no say in, well, good luck.

> To me, it is very strange to read one strongly supports one form of
> privacy, while totally ignoring other forms.

Then I think you really need to study ethics.

*How we do something* is just as important as *what it is we do*.  I
think there's a lot to be said about pursuing privacy in a way that
imposes no obligations on any other people.  And I think there's a lot
to be said against pursuing privacy in a way that imposes obligations on
people who don't even live in the EU.

> Remember, people in different parts of the world do have different
> values and different needs.

Yep.  And in America, we value our right to be left alone from the
government telling us that we're required to take certain acts just
because some people in Europe insist we follow their laws.

___
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel


Re: [Sks-devel] The pool is shrinking

2019-08-15 Thread Ryan Hunt
One could argue the inverse, to me it's very strange that administrators of
a scheme designed from the onset to be resilient to governmental scale
interference would widely open their arms to multinational scale
interference.

It's about pretty good privacy, not perfect privacy.. by design w/PGP and
SKS, public keys are designed to be public, and not private.. in order to
keep the private part secure, allowing people to arbitrarily purge public
data entirely undermines the entire thing.

-Ryan

On Thu, Aug 15, 2019 at 6:39 PM Arnold wrote:

> I thought SKS and PGP-keys is about one's ability to hide private data (by
> encryption). GDPR is also about one's ability to hide private data (by
> having private data, that can be used in correlations, removed from large
> databases). Yet, SKS administrators who apparently live outside the EU
> argue strongly that there is no need for them to support GDPR.
>
> To me, it is very strange to read one strongly supports one form of
> privacy, while totally ignoring other forms. In fact it seems to me these
> operators are not only ignoring other forms, but it seems they do not even
> acknowledge the fact that to *some* people in the world the other (GDPR)
> form may be very important as well. Remember, people in different parts of
> the world do have different values and different needs.
>
> Arnold
>
> On 15-08-2019 18:39, Robert J. Hansen wrote:
> >> Well, it was just one of many example sites...
> >
> > Again: I'm going to go with the real advice given to me by real lawyers.
> >
> >> So as an example, US SKS key server operators do not have to honor
> >> removal request (in this case shut-down the server) from EU citizens,
> >> when they receive a letter from a lawyer?
> >
> > Depends on the individual.  I rarely travel to Europe and have no
> > financial holdings there.  It gives me a great ability to say "no, I'm
> > not signatory to your treaty, go away."  Other Americans may have enough
> > ties to Europe to make it possible for EU courts to apply leverage.
> >
> >> I remember also that plenty of US sites (small and large), where I
> >> did business with, asked for my consent as EU citizen, when they
> >> changed their privacy policy once the GDPR took place.
> >
> > Some of them do business in Europe and are susceptible to pressure by
> > the EU.  Some of them were just jumping on the bandwagon.
> >
> >> Has an US SKS key server operator then not 'business' ties with EU
> >> citizens, when storing their personal data like name and email address?
> >
> > No.  Those are considered facts no different than tracking a name and
> > phone number.  Mere facts cannot be suppressed by the United States
> > government; citizens are allowed to share them to our heart's content.
> >
> >> And has Mr. Rude then the right to freely distribute this data, without
> >> protecting it, to the whole world?
> >
> > I don't know anything about him or where he lives or which laws he must
> > follow.
> >


Re: [Sks-devel] The pool is shrinking

2019-08-15 Thread Arnold
I thought SKS and PGP-keys is about one's ability to hide private data (by
encryption). GDPR is also about one's ability to hide private data (by having
private data, that can be used in correlations, removed from large databases).
Yet, SKS administrators who apparently live outside the EU argue strongly that
there is no need for them to support GDPR.

To me, it is very strange to read one strongly supports one form of privacy,
while totally ignoring other forms. In fact it seems to me these operators are
not only ignoring other forms, but it seems they do not even acknowledge the
fact that to *some* people in the world the other (GDPR) form may be very
important as well. Remember, people in different parts of the world do have
different values and different needs.

Arnold

On 15-08-2019 18:39, Robert J. Hansen wrote:
>> Well, it was just one of many example sites...
> 
> Again: I'm going to go with the real advice given to me by real lawyers.
> 
>> So as an example, US SKS key server operators do not have to honor
>> removal request (in this case shut-down the server) from EU citizens,
>> when they receive a letter from a lawyer?
> 
> Depends on the individual.  I rarely travel to Europe and have no
> financial holdings there.  It gives me a great ability to say "no, I'm
> not signatory to your treaty, go away."  Other Americans may have enough
> ties to Europe to make it possible for EU courts to apply leverage.
> 
>> I remember also that plenty of US sites (small and large), where I
>> did business with, asked for my consent as EU citizen, when they
>> changed their privacy policy once the GDPR took place.
> 
> Some of them do business in Europe and are susceptible to pressure by
> the EU.  Some of them were just jumping on the bandwagon.
> 
>> Has an US SKS key server operator then not 'business' ties with EU
>> citizens, when storing their personal data like name and email address?
> 
> No.  Those are considered facts no different than tracking a name and
> phone number.  Mere facts cannot be suppressed by the United States
> government; citizens are allowed to share them to our heart's content.
> 
>> And has Mr. Rude then the right to freely distribute this data, without
>> protecting it, to the whole world?
> 
> I don't know anything about him or where he lives or which laws he must
> follow.
> 


[Sks-devel] Exploiting GDPR (Re: The pool is shrinking)

2019-08-15 Thread Hendrik Visage
And then reading Cryptogram this month:
https://www.schneier.com/blog/archives/2019/08/exploiting_gdpr.html 


Exploiting GDPR to Get Private Information

[2019.08.13] A researcher abused the GDPR to get information on his fiancee:

It is one of the first tests of its kind to exploit the EU's General Data 
Protection Regulation (GDPR), which came into force in May 2018. The law 
shortened the time organisations had to respond to data requests, added new 
types of information they have to provide, and increased the potential penalty 
for non-compliance.

"Generally if it was an extremely large company -- especially tech ones -- they 
tended to do really well," he told the BBC.

"Small companies tended to ignore me.

"But the kind of mid-sized businesses that knew about GDPR, but maybe didn't 
have much of a specialised process [to handle requests], failed."

He declined to identify the organisations that had mishandled the requests, but 
said they had included:

- a UK hotel chain that shared a complete record of his partner's overnight stays
- two UK rail companies that provided records of all the journeys she had taken
  with them over several years
- a US-based educational company that handed over her high school grades,
  mother's maiden name and the results of a criminal background check survey.


> On 15 Aug 2019, at 15:57, Stefan Claas wrote:
> 
> Robert J. Hansen wrote:
> 
>> I'm going to believe the privacy lawyer I pay $450 an hour to more than
>> I'm going to trust a sketchy website that's not even officially
>> affiliated with the EU.
> 
> Well, it was just one of many example sites, when one is googling
> for "has the US comply to the GDPR". If one does the same he will
> also find US sites giving US citizens advice.
> 
>> Quoting from it:
>> 
>> "You may be wondering how the European Union will enforce a law in
>> territory it does not control."
>> 
>> Yep.
>> 
>> "The fact is, foreign governments help other countries enforce their
>> laws through mutual assistance treaties and other mechanisms all the time."
>> 
>> Yep.  Except that in America, the government *can't* help enforce many
>> parts of the GDPR.  The courts prohibit them from doing it.  You walk
>> into an American court waving a GDPR writ and it doesn't matter how many
>> EU bureaucrats sign it: if it intrudes on an American citizen's freedom
>> of speech the government is prohibited from participating.  This is
>> bog-standard American Constitutional law.
> 
> So as an example, US SKS key server operators do not have to honor
> removal request (in this case shut-down the server) from EU citizens,
> when they receive a letter from a lawyer?
> 
> I remember also that plenty of US sites (small and large), where I
> did business with, asked for my consent as EU citizen, when they
> changed their privacy policy once the GDPR took place.
> 
>> It does not apply to US companies, except those that have business units
>> in the EU or have extensive business ties with the EU.
> 
> Has an US SKS key server operator then not 'business' ties with EU
> citizens, when storing their personal data like name and email address?
> 
> And has Mr. Rude then the right to freely distribute this data, without
> protecting it, to the whole world? If that is the case then EU citizens
> having 'business' with the US can do the same with US citizens data.
> 
> Well, just my thoughts.
> 
> Regards
> Stefan
> 
> --
> box: 4a64758de9e8ceded2c481ee526440687fe2f3a828e3a813f87753ad30847b56
> GPG: C93E252DFB3B4DB7EAEB846AD8D464B35E12AB77 (avail. on Hagrid, WKD)
> 

---
Hendrik Visage
HeViS.Co Systems Pty Ltd
T/A Envisage Systems / Envisage Cloud Solutions
+27-84-612-5345 or +27-21-945-1192
hvis...@envisage.co.za







Re: [Sks-devel] The pool is shrinking

2019-08-15 Thread Robert J. Hansen
> Well, it was just one of many example sites...

Again: I'm going to go with the real advice given to me by real lawyers.

> So as an example, US SKS key server operators do not have to honor
> removal request (in this case shut-down the server) from EU citizens,
> when they receive a letter from a lawyer?

Depends on the individual.  I rarely travel to Europe and have no
financial holdings there.  It gives me a great ability to say "no, I'm
not signatory to your treaty, go away."  Other Americans may have enough
ties to Europe to make it possible for EU courts to apply leverage.

> I remember also that plenty of US sites (small and large), where I
> did business with, asked for my consent as EU citizen, when they
> changed their privacy policy once the GDPR took place.

Some of them do business in Europe and are susceptible to pressure by
the EU.  Some of them were just jumping on the bandwagon.

> Has an US SKS key server operator then not 'business' ties with EU
> citizens, when storing their personal data like name and email address?

No.  Those are considered facts no different than tracking a name and
phone number.  Mere facts cannot be suppressed by the United States
government; citizens are allowed to share them to our heart's content.

> And has Mr. Rude then the right to freely distribute this data, without
> protecting it, to the whole world?

I don't know anything about him or where he lives or which laws he must
follow.



Re: [Sks-devel] The pool is shrinking

2019-08-15 Thread Stefan Claas
Robert J. Hansen wrote:

> I'm going to believe the privacy lawyer I pay $450 an hour to more than
> I'm going to trust a sketchy website that's not even officially
> affiliated with the EU.

Well, it was just one of many example sites, when one is googling
for "has the US comply to the GDPR". If one does the same he will
also find US sites giving US citizens advice.

> Quoting from it:
> 
> "You may be wondering how the European Union will enforce a law in
> territory it does not control."
> 
> Yep.
> 
> "The fact is, foreign governments help other countries enforce their
> laws through mutual assistance treaties and other mechanisms all the time."
> 
> Yep.  Except that in America, the government *can't* help enforce many
> parts of the GDPR.  The courts prohibit them from doing it.  You walk
> into an American court waving a GDPR writ and it doesn't matter how many
> EU bureaucrats sign it: if it intrudes on an American citizen's freedom
> of speech the government is prohibited from participating.  This is
> bog-standard American Constitutional law.

So as an example, US SKS key server operators do not have to honor
removal request (in this case shut-down the server) from EU citizens,
when they receive a letter from a lawyer?

I remember also that plenty of US sites (small and large), where I
did business with, asked for my consent as EU citizen, when they
changed their privacy policy once the GDPR took place.

> It does not apply to US companies, except those that have business units
> in the EU or have extensive business ties with the EU.

Has an US SKS key server operator then not 'business' ties with EU
citizens, when storing their personal data like name and email address?

And has Mr. Rude then the right to freely distribute this data, without
protecting it, to the whole world? If that is the case then EU citizens
having 'business' with the US can do the same with US citizens data.

Well, just my thoughts.

Regards
Stefan

-- 
box: 4a64758de9e8ceded2c481ee526440687fe2f3a828e3a813f87753ad30847b56
GPG: C93E252DFB3B4DB7EAEB846AD8D464B35E12AB77 (avail. on Hagrid, WKD)



Re: [Sks-devel] The pool is shrinking

2019-08-15 Thread Robert J. Hansen
> Please have a read:

Did.

I'm going to believe the privacy lawyer I pay $450 an hour to more than
I'm going to trust a sketchy website that's not even officially
affiliated with the EU.  Quoting from it:

"You may be wondering how the European Union will enforce a law in
territory it does not control."

Yep.

"The fact is, foreign governments help other countries enforce their
laws through mutual assistance treaties and other mechanisms all the time."

Yep.  Except that in America, the government *can't* help enforce many
parts of the GDPR.  The courts prohibit them from doing it.  You walk
into an American court waving a GDPR writ and it doesn't matter how many
EU bureaucrats sign it: if it intrudes on an American citizen's freedom
of speech the government is prohibited from participating.  This is
bog-standard American Constitutional law.

"GDPR Article 50 addresses this question directly."

No it doesn't.  Have you *read* Article 50?  "In relation to third
countries and international organisations, the Commission and
supervisory authorities shall take appropriate steps to..."

It doesn't enact *anything*.  All it says is, "We want the Commission to
do X.  We don't know if it's even possible to do X.  We don't really
care.  We're ordering them to do X anyway."

It's great to have aspirations, but Article 50 isn't even *law*.  All it
says is, "we're instructing our guys to look into it."

> If this applies to US companies do you think non-profit US SKS operators are
> exempted?

It does not apply to US companies, except those that have business units
in the EU or have extensive business ties with the EU.

Doesn't apply to me.  Have a nice day.  :)
