[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Sks-devel] About deleting keys

From: Petru Ghita
Subject: Re: [Sks-devel] About deleting keys
Date: Thu, 31 Oct 2013 23:15:59 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.0


>> I don't expect anywhere to be a lawsuit against a key server
>> operator for providing keys without trusted signature on a UID.
>> However, we already had an example of a key server being shut down
>> because of legal threat based on illegally providing personal
>> identifiable data (according to some local law).
> I had talks to Data Protection Officers (Datenschutzbeauftragte) and a
> Lawyer here in germany discussing exactly this case.
> Even if this is a fake key and has no trusted signatures there can be
> a legal threat. The data is the UID ... and not the signatures ...

There are such laws also in Spain, so it is quite sure that it is a EU

But I don't really think that such a legal action is possible and
assuming it was possible that it would have any degree of success.

In my opinion the only "private" data we are holding on the sks servers
is the email. What the user types into the name is up to him, it does
not mean it is his name.

About the responsability of the server there are also some things that
could be said:

1) If user of my hosting server makes a webpages on which it is written
the following string: "Bill Gates address@hidden". Does he need to
submit that data to a data protection agency? Do I need to do so as his
service provider?

2) If instead of hosting web pages I run a proxy service and a one of my
user simply connects to a web pages where the previous string is present
do I need to allow a given Bill Gates to modify that string? Where do I
perform that modification exactly, I'm just being a proxy for content
generated elsewhere...

3) How do I exactly indentify Bill Gates? Is this the one from Microsoft
or is it Bill Gates Martinez? If I'd use his email address@hidden for
authetication, what happens if his name is actually Maria Bush and he is
actually a she? What if she wanted to write on the previous web pages
that her name was Bill Gates and post her email next to this nick name
she created for her?

4) How about a list of randomly or serialy constructed names or national
IDs? Have a look here: Those are all the
possible national IDs of Spain.

Besides all this, it is my understanding that the data protection law is
intended to give the final user some kind of protection against a
company that is actually using his personal data on it's own benefit,
which SKS server are not buit to do.

To sum it up:

- there is by architecture no intent on verifing nor identifying the
information stored on the SKS network nor the author of the data.

For me this is equivalent of trying to sue all the webpages that have
the string "1234" on them because the pin of all my credit cards and
they have no right to make it public!

While I understand that it might be intimidating "legal threat" is not
the same as "legal action" nor the same as "legal implications" or
"legal repercusions".

Kind regards,

Attachment: signature.asc
Description: OpenPGP digital signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]