Re: [Sks-devel] Data protection concern[Ref. RFA0751305]

2019-03-08 Thread Jim Popovitch

On Fri, 2019-03-08 at 15:15 +0100, Kristian Fiskerstrand wrote:
> 
> and no further action will be taken from them.

..at this time.  IANAL, but you should really talk to a lawyer to make sure
that you (and your assets) are fully protected from future ICO or private
action by claimant. Never, ever, ever put faith in the words of a lawyer of
judicial agency that you haven't personally paid for advice.  The system
sucks, but that's how it works.

- -Jim P.


___
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel


Re: [Sks-devel] Data protection concern[Ref. RFA0751305]

2019-03-08 Thread Tobias Frei
Hi Kristian, hi Andrew,

that email conversation was scary, informative and relieving at the same
time. Thank you for sharing.

Best regards
Tobias Frei

On Fri, Mar 8, 2019, 16:08 Kristian Fiskerstrand <
kristian.fiskerstr...@sumptuouscapital.com> wrote:

> On 3/8/19 3:19 PM, Andrew Gallagher wrote:
> > On 08/03/2019 14:15, Kristian Fiskerstrand wrote:
> >> The ICO has concluded in this case and no further action will be taken
> >> from them.
> >
> > Was there any legal reasoning attached to this decision?
>
> It was a relatively good summary of the situation including the data being
> shared voluntarily and the nature of the keyserver gossiping network
> also containing nodes being outside of the reach of GDPR. An important
> factor in the treatment is however timely response to erasure request
> with sufficient information.
>
>
> --
> 
> Kristian Fiskerstrand
> Blog: https://blog.sumptuouscapital.com
> Twitter: @krifisk
> 
> Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
> fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
> 
> Corruptissima re publica plurimæ leges
> The greater the degeneration of the republic, the more of its laws
>


Re: [Sks-devel] Data protection concern[Ref. RFA0751305]

2019-03-08 Thread Kristian Fiskerstrand
On 3/8/19 3:19 PM, Andrew Gallagher wrote:
> On 08/03/2019 14:15, Kristian Fiskerstrand wrote:
>> The ICO has concluded in this case and no further action will be taken
>> from them.
> 
> Was there any legal reasoning attached to this decision?

It was a relatively good summary of the situation including the data being
shared voluntarily and the nature of the keyserver gossiping network
also containing nodes being outside of the reach of GDPR. An important
factor in the treatment is however timely response to erasure request
with sufficient information.


-- 

Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk

Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

Corruptissima re publica plurimæ leges
The greater the degeneration of the republic, the more of its laws





Re: [Sks-devel] Data protection concern[Ref. RFA0751305]

2019-03-08 Thread Andrew Gallagher
On 08/03/2019 14:15, Kristian Fiskerstrand wrote:
> The ICO has concluded in this case and no further action will be taken
> from them.

Was there any legal reasoning attached to this decision?

-- 
Andrew Gallagher





Re: [Sks-devel] Data protection concern[Ref. RFA0751305]

2019-02-19 Thread Kristian Fiskerstrand
Hi,

In order to get a fruitful dialogue on these matters, some
clarifications regarding the role of the sks-keyservers.net pool of
keyservers seem necessary.

sks-keyservers.net is not an organization, but is an automated service,
operated by me as a private individual, that detects public keyservers
through crawling the open internet. The service has been offered free of
charge to the public [since 2006], at which point it replaced a previous
service of a similar nature, and with [the source code open source]. The
service functions by generating the necessary DNS records for a [DNS
Round-Robin] consisting of underlying keyservers that match the
necessary criteria to be considered up to date with the overall ecosystem.

Since this discussion affects the overall OpenPGP ecosystem, and these
matters relate to security enhancing software, of which transparency
between the various operators within the system is imperative; I've CCed
a relevant mailing list with matters related to keyservers. Please keep
this mailing list CCed in all further communications on this matter.

With regards to the specific claims, a request for deletion was received
on 5/29/18, 2:24 PM CET. A response was sent 5/31/18, 11:21 PM that (i)
explained that sks-keyservers.net is not the appropriate recipient for a
request to delete as it only links to underlying keyservers that store
the data, and these are operated by more than 100 different operators
world-wide, and linking to [the blog post regarding deletion requests]
that is written and used for similar such requests describing this
situation. A keyserver operates in a blockchain-like model of always
adding data, never deleting it.

Some discussions are currently ongoing in the community with regards to
alternative models for the keyservers to operate, however they will all
imply changing the security model that has been used by the PGP Web of
Trust for several decades, but no consensus has currently been reached.
These discussions can be found in the archives of the sks-devel mailing
list as well as other relevant mailing lists.

In any case, sks-keyservers.net service only generates DNS records such as
$ dig a pool.sks-keyservers.net
;; ANSWER SECTION:
pool.sks-keyservers.net. 3588   IN  A   74.50.54.68
pool.sks-keyservers.net. 3588   IN  A   130.133.110.62
pool.sks-keyservers.net. 3588   IN  A   85.93.216.115
pool.sks-keyservers.net. 3588   IN  A   130.206.1.111
pool.sks-keyservers.net. 3588   IN  A   37.44.0.28
pool.sks-keyservers.net. 3588   IN  A   178.32.66.144
pool.sks-keyservers.net. 3588   IN  A   193.70.2.173
pool.sks-keyservers.net. 3588   IN  A   178.175.148.28
pool.sks-keyservers.net. 3588   IN  A   85.227.82.204
pool.sks-keyservers.net. 3588   IN  A   192.146.137.98

and is not the correct recipient for any such request.

References:
[the source code open source]
https://git.sumptuouscapital.com/?p=sks-keyservers-pool.git;a=summary

[DNS Round-Robin]
https://en.wikipedia.org/wiki/Round-robin_DNS

[since 2006]
(i) https://lists.nongnu.org/archive/html/sks-devel/2006-12/msg2.html
(ii)
https://blog.sumptuouscapital.com/2016/12/10-year-anniversary-for-sks-keyservers-net/

[the blog post regarding deletion requests]
https://blog.sumptuouscapital.com/2016/03/openpgp-certificates-can-not-be-deleted-from-keyservers/

On 2/19/19 11:32 AM, casew...@ico.org.uk wrote:
> 19 February 2019
> 
>  
> 
> *Case Reference Number RFA0751305*
> 
>  
> 
> Dear Mr Fiskerstrand
> 
> 
> We are writing to you because we have received a complaint from Mr Dean
> Hughes regarding the way SKS Keyservers handles its data protection
> obligations.
>  
> *The ICO’s role *
>  
> Part of our role is to consider complaints from individuals who believe
> their data protection rights have been infringed.
> 
> *Complaint raised with us*
> 
> Mr Hughes has complained that SKS Keyservers has not complied with his
> request for erasure. Mr Hughes has complained that the keyservers share
> and make personal details publicly available, such as his name and
> email addresses.
>  
> Mr Hughes has stated that he willingly submitted his personal data to
> your organisation years ago but would now like for it to be deleted from
> both your organisation’s keyservers and the keyservers with which also
> shared his data.
>  
> Furthermore, it has been suggested that the records Mr Hughes has asked to
> be deleted contain personal data from more than 20 years ago, which
> include his name and email addresses.
>  
> *What you need to do now*
>  
> We want you to revisit the way you have handled this matter and consider
> any further action that you can take that may resolve this complaint.
>  
> If you feel that you have complied with the Data Protection law in this
> case, please explain to us why.
>  
> We would also like you to provide the following information: 
> 
>   * Details of how you have handled this request for erasure.
>  
>