Mailing List Archive

First Amendment and Marines?
My personal preferences have nothing to do with the topic
discussed here. I was simply trying to help an organization
that is, for *their own good business reasons* very much
motivated to adhere to GDPR, use existing IT infrastructure
to move to a more secure method of communication.

I was the one to suggest to them to use e-mail and OpenPG
encryption. The reasons were two-fold: first to avoid one of
those centralized, web-browser based, single-point-of-failure,
essentially insecure communication setups so common today;
the second was to make their members' communication
interoperable with the general Internet population in order
to increase the organization's visibility and promote wider
adoption of encrypted e-mail. I posted my original question
only in order to find out some technical details on how to
do that.

Posting the question was worthwhile, as I have learned
that:

(a) Unfortunately, OpenPG email encryption is incompatible
with GDPR and should not be used by those that either want
or need to be GDPR compliant.

(b) GDPR appears to be a topic that, for some strange reason,
elicits emotional reactions by the OpenPG creators and
maintainers.

(c) GPG and OpenPG appear to be very much US-centric
endeavours. That fact ought to be taken into account by the
new users.

If the ultimate goal of OpenPG is the wider adoption of
encrypted e-mail, finding technical means to make it usable
by those that *wish to be GDPR compliant* - without forcing
such MO on everyone - appears to be a worthwhile effort.

I thank again all who have contributed their answers,
comments and opinions.

Jon K.


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: First Amendment and Marines?
Small correction: The standard is called OpenPGP, not OpenPG.

IIRC, OpenPGP is an open protocol specification by the IETF that succeeded the
original proprietary Pretty Good Privacy.

GNU Privacy Guard (often abbreviated to GnuPG or GPG), the software this mailing
list is for, is merely one implementation of the standard (albeit an extremely
widespread one).

Sorry if I come across as condescending, my intention is only to avoid
misunderstandings.

--
Jonas Tobias Hopusch

OpenPGP Keys for encrypted communication are available via Web Key Directory (WKD)
or from https://downloads.jotoho.de/openpgp/

Re: First Amendment and Marines?
> I was simply trying to help an organization
> that is, for *their own good business reasons* very much
> motivated to adhere to GDPR, use existing IT infrastructure
> to move to a more secure method of communication.

And, for those people and businesses who have to do business with the
EU, the GDPR is worth complying with even when it's not strictly
enforceable. For instance, United States airline companies that fly
into the EU voluntarily comply with the GDPR for EU citizens flying
within the United States, because if they don't they might find their
access to European airports restricted.

But if you're an American without EU ties, the GDPR is yet another piece
of foreign legislation we don't need to pay attention to. And when
Europeans baldly say "the GDPR applies worldwide, you must follow it,"
what we hear is "the EU overrides your silly Constitution."

At which point we tell you to have that argument with the Marines,
please. That position you're pushing is a thoroughly silly one, and it
deserves to be called out as such.

I don't hate you. I don't dislike you. I don't hold you in contempt.
In fact, I don't even *know* you. You said something many Americans
find very silly, and we laughed. That's all that happened. :)

> (a) Unfortunately, OpenPG email encryption is incompatible
> with GDPR and should not be used by those that either want
> or need to be GDPR compliant.

No, it's quite possible to be GDPR compliant, as evidenced by the fact
the German government has adopted it. I'm pretty sure the German
government has a number of lawyers specializing in EU regulation, and
they're fine with it.

Perhaps you might want to ask, "how is the German government complying
with GDPR?"

> (c) GPG and OpenPG appear to be very much US-centric
> endeavours.

It's not.
Re: First Amendment and Marines?
On Sat, Jan 29, 2022 at 12:59 PM Robert J. Hansen via Gnupg-users
<gnupg-users@gnupg.org> wrote:
>
> > I was simply trying to help an organization
> > that is, for *their own good business reasons* very much
> > motivated to adhere to GDPR, use existing IT infrastructure
> > to move to a more secure method of communication.
>
> And, for those people and businesses who have to do business with the
> EU, the GDPR is worth complying with even when it's not strictly
> enforceable. For instance, United States airline companies that fly
> into the EU voluntarily comply with the GDPR for EU citizens flying
> within the United States, because if they don't they might find their
> access to European airports restricted.
>
> But if you're an American without EU ties, the GDPR is yet another piece
> of foreign legislation we don't need to pay attention to. And when

Not quite. It cares about personal data from people residing in
Europe at the time said data was collected. And even then, you need to
be targeting EU/EEA residents. So, if a German citizen goes to FL and
needs to stop at the emergency care to have a shark bite taken care
of, that data now is owned by the hospital forever, which will figure
out how to make money with it without asking permission.

> Europeans baldly say "the GDPR applies worldwide, you must follow it,"
> what we hear is "the EU overrides your silly Constitution."

One can argue that the US has done the same. Some of it -- if
you want to do business in the US, you better follow American rules --
makes sense though, but we are digressing here.

> At which point we tell you to have that argument with the Marines,
> please. That position you're pushing is a thoroughly silly one, and it
> deserves to be called out as such.
>
> I don't hate you. I don't dislike you. I don't hold you in contempt.
> In fact, I don't even *know* you. You said something many Americans
> find very silly, and we laughed. That's all that happened. :)
>
> > (a) Unfortunately, OpenPG email encryption is incompatible
> > with GDPR and should not be used by those that either want
> > or need to be GDPR compliant.
>
> No, it's quite possible to be GDPR compliant, as evidenced by the fact
> the German government has adopted it. I'm pretty sure the German
> government has a number of lawyers specializing in EU regulation, and
> they're fine with it.
>
I not only agree but also would add that the Bundesamt für
Sicherheit in der Informationstechnik (German Federal Office for
Information Security) itself, which handles computer and communication
security -- critical infrastructure protection, internet security,
certification of security products -- for the German government, uses
it. Badly at times[1], but that is another bag of cats.

> Perhaps you might want to ask, "how is the German government complying
> with GDPR?"
>
Better than the Irish government, but once again I digress.

> > (c) GPG and OpenPG appear to be very much US-centric
> > endeavours.
>
> It's not.

I agree. Given that it is open source, you can run your own
setup completely independently, including web of trust. Therefore, you
can control data lifetime.

[1] https://www.somethingofdoom.com/2021/11/german-federal-office-for-information.html

Re: First Amendment and Marines?
On Saturday, 29 January 2022 17:38:24 CET jonkomer via Gnupg-users wrote:
> Posting the question was worthwhile, as I have learned
> that:
>
> (a) Unfortunately, OpenPG email encryption is incompatible
> with GDPR and should not be used by those that either want
> or need to be GDPR compliant.

I disagree with this conclusion. For example, you could use OpenPGP keys with
pseudonymous user ids or even with identical user ids. Obviously, this would
make using OpenPGP more difficult because the email clients couldn't easily
map OpenPGP keys to email addresses. OTOH, some email clients actually support
mapping of OpenPGP keys to contacts. Maybe even the company's internal address
book could be used for this. This way uploading those OpenPGP keys to
keyservers wouldn't leak email addresses. Arguably, the OpenPGP keys
themselves could still be considered personally identifiable information. In
this case, you might want to use symmetric encryption (which OpenPGP also
supports). But that makes using encryption even more difficult because now you
have to share the passwords used for symmetric encryption and, at the same
time, make sure that those passwords are kept secret.

> (b) GDPR appears to be a topic that, for some strange reason,
> elicits emotional reactions by the OpenPG creators and
> maintainers.

I don't know who you mean by "the OpenPGP creators and maintainers". Neither
Phil Zimmermann, the original author of PGP, nor Werner Koch, the original
author and maintainer of GnuPG, have participated in this thread. OTOH, some
people who have replied to you are also on the mailing list where the future
of the OpenPGP standard is discussed.

> (c) GPG and OpenPG appear to be very much US-centric
> endeavours. That fact ought to be taken into account by the
> new users.

I find it ironic that you are accusing GnuPG of being a US-centric endeavor.
You really need to do some more research before jumping to such absurd
conclusions.

Regards,
Ingo
Re: Preventing public key upload to key-servers
(changing back the thread subject)

On 2022-01-29 at 09:38 -0700, jonkomer wrote:
> I was the one to suggest to them to use e-mail and OpenPG
> encryption. The reasons were two-fold: first to avoid one of
> those centralized, web-browser based, single-point-of-failure,
> essentially insecure communication setups so common today;
> the second was to make their member's communication
> interoperable with general Internet population in order
> to increase organization's visibility and promote wider
> adoption of encrypted e-mail. I posted my original question
> only in order to find out some technical details on how to
> do that.
>
> Posting the question was worthwhile, as I have learned
> that:
>
> (a) Unfortunately, OpenPG email encryption is incompatible
> with GDPR and should not be used by those that either want
> or need to be GDPR compliant.

That's a non-sequitur from the thread. Your GDPR issue is with
people uploading keys to the PGP keyservers without consent, not
with OpenPGP (which doesn't need keyservers nor even specifies the
use of keyservers, although they are related technology).

Think about it: if you sent me a physical letter full of personal
information, and I then published it in the newspaper, with no legitimacy
to do so, in violation of GDPR, would that make snail-mail incompatible
with GDPR?


Regarding your problem, I would suggest not to include the first/last
name in the key. Only the email address. (Yes, the name part is
optional).

So instead of
John Smith <john.doe@example.org>

it would simply be
<john.doe@example.org>


The name part is inherently unreliable, since it cannot tell you whether the
owner is *the* John Smith you want to write to (assuming the user is
actually named John Smith!). On the other hand, the key can be easily
matched with the provided email address.

Of course, a member wanting to correspond with John Smith needs to find
out that their email is john.doe@example.org, but that was likely
already the case before, and something which is probably solved through
that "internal verification mechanism" (which I'm a bit wary about; I
would recommend that the keys be provided signed by the domain owner,
so members would only need to trust (sign) that key to know that they
have a valid example.org pgp key. They could be published through WKD.
This doesn't preclude that access to the keys could require
authentication).

A second issue with having the users rely on (and the owner needing to
assert) the name displayed on the key would have been what to do
when a second John Smith wanted to become a member.



Best regards



PS: I guess by the "emotional reactions" you mean Robert J. Hansen's
mails, since replies by other people seem much more technical in
nature. You shouldn't generalize from one person to "all creators and
maintainers". In fact, I think (but have not checked) that most of
GnuPG code will have been written inside the EU. There are lots of
OpenPGP users inside the EU, under GDPR, including Government entities
(as Robert J Hansen noted).



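Added example for the address-only user ID and the WKD publication suggested in the message above. It is not code from the original post and not GnuPG's own code; it only reproduces the published WKD mapping (lower-cased local part, SHA-1, z-base-32, under /.well-known/openpgpkey/) for both the direct and the advanced method, and plans the direct-method directory layout for a whole member list. The member addresses, the `example.org` domain and the helper names are constructed for illustration.

```python
"""Address-only OpenPGP user IDs and the Web Key Directory (WKD) paths they map to."""
import hashlib
import re
from urllib.parse import quote

# z-base-32 alphabet as used by the WKD draft (draft-koch-openpgp-webkey-service).
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"

# A bare "local@domain": no display name, no angle brackets, no whitespace.
_ADDR_RE = re.compile(r"^([^@\s<>]+)@([^@\s<>]+)$")


def zbase32_encode(data: bytes) -> str:
    """z-base-32: 5 bits per character, most significant bits first, no padding."""
    nbits = len(data) * 8
    nchars = (nbits + 4) // 5
    # Left-align the bit string so only the last character is zero-padded on the right.
    value = int.from_bytes(data, "big") << (nchars * 5 - nbits)
    return "".join(
        ZBASE32_ALPHABET[(value >> (5 * (nchars - 1 - i))) & 31] for i in range(nchars)
    )


def split_address(address: str) -> tuple:
    """Return (local part, domain); reject anything that is not a bare address."""
    m = _ADDR_RE.match(address.strip())
    if not m:
        raise ValueError(f"not a bare mail address: {address!r}")
    return m.group(1), m.group(2)


def address_only_uid(address: str) -> str:
    """The user-ID form suggested above: the address only, no real name."""
    local, domain = split_address(address)
    return f"<{local}@{domain}>"


def wkd_hash(local_part: str) -> str:
    """WKD lower-cases the local part, hashes it with SHA-1 and z-base-32 encodes it."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> dict:
    """Where a WKD client looks for this address's key (advanced method is tried first)."""
    local, domain = split_address(address)
    domain = domain.lower()
    h = wkd_hash(local)
    l_param = quote(local, safe="")  # the original-case local part travels in ?l=
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}?l={l_param}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={l_param}",
    }


def wkd_direct_layout(domain: str, addresses) -> dict:
    """Map each member address to the file it must be served as (direct method).

    Each file under hu/ holds that member's key in binary form. Addresses outside
    the domain are refused, and two local parts that differ only in case are
    reported as a collision instead of one silently overwriting the other.
    """
    layout = {}
    for addr in addresses:
        local, dom = split_address(addr)
        if dom.lower() != domain.lower():
            raise ValueError(f"{addr} is not under {domain}")
        path = f".well-known/openpgpkey/hu/{wkd_hash(local)}"
        if path in layout:
            raise ValueError(f"{addr} collides with {layout[path]}")
        layout[path] = addr
    return layout


# Constructed member list for illustration; domain and local parts are made up.
MEMBERS = ["john.doe@example.org", "Jane.Roe@example.org"]

if __name__ == "__main__":
    for member in MEMBERS:
        print(address_only_uid(member))
        for method, url in wkd_urls(member).items():
            print(f"  {method}: {url}")
    for path, addr in wkd_direct_layout("example.org", MEMBERS).items():
        print(f"{path}  <-  {addr}")
```

The `?l=` query parameter exists because the path component only carries the hash of the lower-cased local part; the server can use it to serve a key whose user ID keeps the original capitalisation. The collision check matters for exactly the address-only scheme discussed above: once the name is gone, two addresses differing only in case are the same WKD entry.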
Re: First Amendment and Marines?
On 1/29/2022 at 5:39 PM, "Mauricio Tavares via Gnupg-users" wrote
Not quite. It cares about personal data from people residing in
Europe at the time said data was collected. And even then, you need to
be targeting EU/EEA residents. So, if a German citizen goes to FL and
needs to stop at the emergency care to have a shark bite taken care
of, that data now is owned by the hospital forever, which will figure
out how to make money with it without asking permission.

=====

This is NOT true,
(but may make sense to someone who has never been a hospital patient
in the US.)

Every hospitalized patient is given a consent form prior to treatment,
which they may edit or refuse to sign.
-It allows release of medical information to the Insurance Carrier,
-to the Patient's private Physician,
-to a third party designated by the patient as a 'next-of-kin-with
medical proxy', should the patient not be in a condition to make
decisions,
-or to a third party statistical group following the frequency and
outcome of a particular condition requiring hospitalization.

The patient can choose any, all, any combination, or none of them.
And still get treatment.
Vedaal
Re: First Amendment and Marines?
On Sat, Jan 29, 2022 at 10:17 PM vedaal via Gnupg-users
<gnupg-users@gnupg.org> wrote:
>
> On 1/29/2022 at 5:39 PM, "Mauricio Tavares via Gnupg-users" <gnupg-users@gnupg.org> wrote
>
>
> Not quite. It cares about personal data from people residing in
> Europe at the time said data was collected. And even then, you need to
> be targeting EU/EEA residents. So, if a German citizen goes to FL and
> needs to stop at the emergency care to have a shark bite taken care
> of, that data now is owned by the hospital forever, which will figure
> out how to make money with it without asking permission.
>
> =====
>
> This is NOT true,
> (but may make sense to someone who has never been a hospital patient in the US.)
>
> Every hospitalized patient is given a consent form prior to treatment, which they may edit or refuse to sign.
> -It allows release of medical information to the Insurance Carrier,
> -to the Patient's private Physician,
> -to a third party designated by the patient as a 'next-of-kin-with medical proxy', should the patient not be in a condition to make decisions,
> -or to a third party statistical group following the frequency and outcome of a particular condition requiring hospitalization.
>
1. I myself have been told on more than one occasion by floor
supervisors I would not get service at a certain state-owned medical
institution unless I signed the consent form. I believe that is also
the case with covid vaccines.
2. I sat in a presentation by a certain university-owned hospital
about how to get access to their patients' data for research. They did
state once the data is in their system, it is theirs. Yes, since they
are a *medical* organization (this is a subtle detail most people are
not aware of) they are subject to HIPAA, but the data is now theirs.
And that while a patient could object to having his data used, he would
have to fill out the forms for each and every single research project,
which meant he had to be aware that the data was going to be used in
the research. That was one of the questions *I* asked. I also asked
about GDPR, to which they replied "oh, we have no European data." I
did get an earful from my boss because of those questions, but hey.
3. Note the data offered was not necessarily deidentified. Let me
rephrase it: deidentification of data per HIPAA, FERPA, the Privacy
Act of 1974 (and its revisions), and the NIST SP 800 series is at best
pseudonymized data per GDPR. So, to quote
https://www.theverge.com/2021/6/23/22547397/medical-records-health-data-hospitals-research,
it is a "privacy placebo." (I really like that term)
4. https://www.nejm.org/doi/full/10.1056/NEJMp2102616 talks about
"deidentified" EHR data being aggregate and sold.

> The patient can choose any, all, any combination, or none of them.
> And still get treatment.
>
Can you provide which regulation states that? I could have used
it many times.

>
> Vedaal
>

Re: First Amendment and Marines?
On 1/29/2022 at 11:06 PM, "Mauricio Tavares via Gnupg-users" wrote:
> The patient can choose any, all, any combination, or none of them.
> And still get treatment.
>
Can you provide which regulation states that? I could have used
it many times.

=====

It's in the HIPAA Act, which requires the patient's consent to share
the data, and is in the pre-treatment or pre-hospitalization consent
form itself.
The worst the hospital can do, if the person refuses release to the
Insurance Company, is to bill the patient as self-pay.
The hospital cannot refuse treatment.
Can't speak about Covid, because *The Science* seems to vary between
conservative and liberal states.
There are many horror stories, but it is not for this mailing list.
Vedaal
Re: First Amendment and Marines?
Hi,

On Sat, 29 Jan 2022 at 17:38, jonkomer via Gnupg-users wrote:
> (a) Unfortunately, OpenPG email encryption is incompatible
> with GDPR and should not be used by those that either want
> or need to be GDPR compliant.

That is, simply to say, nonsense.

There is nothing in that GDPR law that is OpenPGP related.
(Independent of the fact that the GDPR is stupidly made.)

When it comes to keyservers, with the same argument you could state that
bitcoin is illegal. (No information in the key chain can be removed. And
there is even child porn inside that key chain that could never ever
again be removed!)

There are more technologies out there where information, once in, can
never be removed again.

Regards
Klaus

Ps. By the way, I am neither a maintainer nor the creator of GnuPG or
the OpenPGP standard.
--
Klaus Ethgen http://www.ethgen.ch/
pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen <Klaus@Ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C
Re: First Amendment and Marines?
On 29-01-2022 18:58, Robert J. Hansen via Gnupg-users wrote:

> But if you're an American without EU ties, the GDPR is yet another piece
> of foreign legislation we don't need to pay attention to.  And when
> Europeans baldly say "the GDPR applies worldwide, you must follow it,"
> what we hear is "the EU overrides your silly Constitution."

However, the opposite also occurs: some US companies appear to be
shocked when I, as a European without any ties to the US, claim I won't
comply with a DMCA request because we don't have such a law here.

--
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

Re: First Amendment and Marines?
> However, the opposite also occurs: some US companies appear to be
> shocked when I, as a European without any ties to the US, claim I won't
> comply with a DMCA request because we don't have such a law here.

Yes! And when American companies are so foolish as to demand an EU
citizen comply with a DMCA takedown notice, I encourage you to laugh at
the silliness. :)


Re: First Amendment and Marines?
On 30.01.22 at 15:44, Johan Wevers via Gnupg-users wrote:
> On 29-01-2022 18:58, Robert J. Hansen via Gnupg-users wrote:
>
>> But if you're an American without EU ties, the GDPR is yet another piece
>> of foreign legislation we don't need to pay attention to.  And when
>> Europeans baldly say "the GDPR applies worldwide, you must follow it,"
>> what we hear is "the EU overrides your silly Constitution."
>
> However, the opposite also occurs: some US companies appear to be
> shocked when I, as a European without any ties to the US, claim I won't
> comply with a DMCA request because we don't have such a law here.
>

With Directive 2001/29/EC, there is indeed a similar law in Europe, but
it does not have the same broad scope as the DMCA.

--
/¯\ No |
\ / HTML | Juergen Bruckner
X in | juergen@bruckner.email
/ \ Mail |
Re: First Amendment and Marines?
On 30/01/2022 10:12, Klaus Ethgen wrote:
>
> When it comes to keyservers, with the same argument you could state that
> bitcoin is illegal. (No information in the key chain can be removed. And
> there is even child porn inside that key chain that could never ever
> again be removed!)
>
> There are more technologies out there where information, once in, can
> never be removed again.

Yes, and this is both morally and legally terrifying. The fact that
nobody has yet been taken to court over this particular issue merely
makes the legality of it "untested".

A
Re: First Amendment and Marines?
I go away for the weekend, and my mailbox catches fire... ;-)

On 29/01/2022 16:38, jonkomer via Gnupg-users wrote:
> (a) Unfortunately, OpenPG email encryption is incompatible
> with GDPR and should not be used by those that either want
> or need to be GDPR compliant.

This is not so; the use of email encryption *improves* GDPR compliance.

> (b) GDPR appears to be a topic that, for some strange reason,
> elicits emotional reactions by the OpenPG creators and
> maintainers.

GDPR elicits interesting reactions in general! ;-)

> (c) GPG and OpenPG appear to be very much US-centric
> endeavours. That fact ought to be taken into account by the
> new users.

On the contrary, Europe is (in my experience) over-represented in the
OpenPGP development community, and there has been extensive discussion
of its implications for PGP both in this group and elsewhere.

> If the ultimate goal of OpenPG is the wider adoption of
> encrypted e-mail, finding technical means to make it usable
> by those that *wish to be GDPR compliant* - without forcing
> such MO on everyone - appears to be a worthwhile effort.

Agreed in general, however I'm not sure what you mean by "forcing such
MO on everyone".

A