Hi,
In order to get a fruitful dialogue on these matters, some
clarifications regarding the role of the sks-keyservers.net pool of
keyservers seems necessary.
sks-keyservers.net is not an organization, but is an automated service,
operated by me as a private individual, that detects public keyservers
through crawling the open internet. The service has been offered free of
charge to the public [since 2006], at which point it replaced a previous
service of a similar nature, and with [the source code open source]. The
service functions by generating the necessary DNS records for a [DNS
Round-Robin] consisting of underlying keyservers that matches the
necessary criteria to be considered up to date with the overall ecosystem.
Since this discussion affects the overall OpenPGP ecosystem, and these
matters relates to security enhancing software, of which transparency
between the various operators within the system is imperative; I've CCed
a relevant mailing list with matters related to keyservers. Please keep
this mailing list CCed in all further communications on this matter.
With regards to the specific claims a request for deletion was received
on 5/29/18, 2:24 PM CET. A response was sent 5/31/18, 11:21 PM that (i)
explained that sks-keyservers.net is not the appropriate recipient for a
request to delete as it only links to underlying keyservers that store
the data, and these are operated by more than 100 different operators
world-wide, and linking to [the blog post regarding deletion requests]
that is written and used for similar such requests describing this
situation. A keyserver operates in a blockchain like model of always
adding data, never deleting it.
Some discussions are currently ongoing in the community with regards to
alternative models for the keyservers to operate, however they will all
imply changing the security model that has been used by the PGP Web of
Trust for several decades, but no consensus has currently been reached.
These discussions can be found in the archives of the sks-devel mailing
list well as other relevant mailing lists.
In any case, sks-keyservers.net service only generates DNS records such as
$ dig a pool.sks-keyservers.net
;; ANSWER SECTION:
pool.sks-keyservers.net. 3588 IN A 74.50.54.68
pool.sks-keyservers.net. 3588 IN A 130.133.110.62
pool.sks-keyservers.net. 3588 IN A 85.93.216.115
pool.sks-keyservers.net. 3588 IN A 130.206.1.111
pool.sks-keyservers.net. 3588 IN A 37.44.0.28
pool.sks-keyservers.net. 3588 IN A 178.32.66.144
pool.sks-keyservers.net. 3588 IN A 193.70.2.173
pool.sks-keyservers.net. 3588 IN A 178.175.148.28
pool.sks-keyservers.net. 3588 IN A 85.227.82.204
pool.sks-keyservers.net. 3588 IN A 192.146.137.98
and is not the correct recipient for any such request.
References:
[the source code open source]
https://git.sumptuouscapital.com/?p=sks-keyservers-pool.git;a=summary
[DNS Round-Robin]
https://en.wikipedia.org/wiki/Round-robin_DNS
[since 2006]
(i) https://lists.nongnu.org/archive/html/sks-devel/2006-12/msg2.html
(ii)
https://blog.sumptuouscapital.com/2016/12/10-year-anniversary-for-sks-keyservers-net/
[the blog post regarding deletion requests]
https://blog.sumptuouscapital.com/2016/03/openpgp-certificates-can-not-be-deleted-from-keyservers/
On 2/19/19 11:32 AM, casew...@ico.org.uk wrote:
> 19 February 2019
>
>
>
> *Case Reference Number RFA0751305*
>
>
>
> Dear Mr Fiskerstrand
>
>
> We are writing to you because we have received a complaint from Mr Dean
> Hughes regarding the way SKS Keyservers handles its data protection
> obligations.
>
> *The ICO’s role *
>
> Part of our role is to consider complaints from individuals who believe
> their data protection rights have been infringed.
>
> *Complaint raised with us*
>
> Mr Hughes has complained that SKS Keyservers has not complied with his
> request for erasure. Mr Hughes has complained that the keyservers share
> and make personal details publically available, such as his name and
> email addresses.
>
> Mr Hughes has stated that he willingly submitted his personal data to
> your organisation years ago but would now like for it be deleted from
> both your organisation’s keyservers and the keyservers with which also
> shared his data.
>
> Furthermore, it has been suggest that the records Mr Hughes has asked to
> be deleted contain personal data from more than 20 years ago, which
> include his name and email addresses.
>
> *What you need to do now*
>
> We want you to revisit the way you have handled this matter and consider
> any further action that you can take that may resolve this complaint.
>
> If you feel that you have complied with the Data Protection law in this
> case, please explain to us why.
>
> We would also like you to provide the following information:
>
> * Details of how you have handled this request for erasure.
>
>