[Autocrypt] Keyservers and GDPR

Vincent Breitmoser look at my.amazin.horse
Tue May 22 15:44:09 EDT 2018


Hey there,

(cross-posting on all the cool pgp lists)

so Dominik and I have been thinking a bit about how GDPR might affect
OpenKeychain, and its interoperability with public keyservers.  Turns out this
is a hard question - in the end we couldn't answer whether publishing a tool
that offers keyserver interoperability really made us a "data controller"?

But let's start with keyservers first: "Processing" of data in the GDPR sense
includes storage and distribution. Names and email addresses are personally
identifiable information (PII). This makes the provider of a keyserver a data
processor in the sense of the GDPR.

Now, since the PII that is uploaded is not used to fulfill contractual
obligations, keyservers actually need informed consent from the user about what
is going to happen with that data.  It's unclear how such consent might look
like given the API interface.  But what's worse, in the current implementation
of SKS and the public keyserver pool, it is impossible by design to remove
a user's data once it is published.  This conflicts with the "right to be
forgotten".

My personal conclusion is that keyservers that support user id packets are,
quite simply, incompatible with GDPR law. Has anyone else thought about this?
It's fairly unlikely that there will be actual consequences since keyservers
aren't widely used, but running a keyserver on this assumption is hardly
reassuring.

From the view of an app, the GDPR requires "privacy by design" and "privacy by
default". This conflicts with a workflow that asks the user for their email
address and name, and then irremovably uploads this information to a public
listing. On the other hand, it can be argued that this is a tool that only does
what the user asks it to do, the decision and responsibility lies with the user.
Looking at some extreme cases: a Browser surely doesn't take responsibility for
what the user inputs on websites. But a Twitter client does take responsibility
for informing the user when they publish their location in their tweets.

For OpenKeychain, we plan to move uploading of key material a bit farther out of
the way and do a better job at informing the user what's going to happen. But
that's a stopgap measure, since the user can't simply be asked to waive their
rights. Hopefully we can soon move away from keyservers for key discovery or
distribution.

Thoughts?

 - V

PS: randomly signing this message /o/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.mayfirst.org/pipermail/autocrypt/attachments/20180522/360a72bc/attachment.sig>


More information about the Autocrypt mailing list