Keyservers and GDPR

Kristian Fiskerstrand kristian.fiskerstrand at
Wed May 23 12:03:32 CEST 2018

On 05/23/2018 11:27 AM, ilf wrote:
> tl;dr: Keep calm and keep running keyservers.
> Vincent Breitmoser:
>> (cross-posting on all the cool pgp lists)
> (I wonder if this really needs to be on all four lists. I think
> sks-devel@ might be the most appropriate. Having said that, I'm only
> replying to gnupg-devel@ because I'm not subscribed to sks-devel at . Feel
> free to relay my message.)

As I think this has a valuable viewpoint I'm posting it to sks-devel.
And yes, this is mostly in line with my own thinking, I don't expect the
need for radical changes unless we see actual attempts to go after the

>> My personal conclusion is that keyservers that support user id packets
>> are, quite simply, incompatible with GDPR law.
> There is a ton of FUD about the GDPR out there right now. Most of it
> frivolous. (Actually, a lot of it is deliberate fearmongering by people
> who happen to sell legal advice on the GDPR.)
> First of all, the GDPR is not completely new. All EU member states
> already have data protection laws, some - like Germany - already very
> strong ones. The concepts (PII, responsibilities, technological and
> organisational measures, information and documentation obligations) have
> already been in place with the old Data Protection Directive from 1995,
> which the GDPR is updating. I admit that the GDPR can be read and
> interpreted in a fatalist way. But most people leaning that way seem to
> not have read the older laws.
> Laws are not set in stone. Laws include leeways, deliberate or
> unintended. Laws do not depend on their interpretation by laypeople.
> There is a huge dedicated system for their interpretation, conflict
> resolution, judgement and enforcement.
> In the case of the GDPR, the very first step of that system are National
> Data Protection Authorities (DPA). They have the power - and the
> responsibility - to investigate possible violations of the GDPR. They
> have been understaffed for years, in many countries dangerously so. They
> are getting a lot more powers and responsibilities with the GDPR, but
> their resources are growing way slower than their tasks. They are simply
> understaffed and overworked. So from all the possible GDPR violations
> they will be notified about, they will work off the biggest and most
> obvious ones first. Their focus will be on the Facebooks - and not on
> small nerd projects or personal websites. They have the power to say "we
> don't care about this weird thing called keyserver" - and they probably
> will.
> Now even if someone found data protection law infringements with a
> keyserver, filed a specific and well-worded legal complaint with a DPA,
> and a DPA found the resources to look into it, and the DPA found some
> violation of the GDPR (four big IFs!) - the DPAs will not go around and
> issue sanctions and fine people. First of all, their job is not to
> generate revenues by fines. Their job is to enforce data protection law.
> If a DPA did find an issue with a keyserver - or the very concept - they
> would reach out and talk to the people running the servers. They would
> hear their perspective, learn more about the very concept - and try to
> work out a viable solution to provide the service without possible data
> protection infringements. This is their job and their goal.
> The most feared sanction of some undefined GDPR violation is a fine. As
> I laid out, DPAs don't want to issue fines, they want to stop privacy
> violations. And they will not blindly issue a fine without talking to
> you first. That being said, they obviously do have the power to issue
> fines. After due process. However, this power is also not new, it has
> also existed in many countries. And DPAs don't run around and fine
> people left and right (you would have heard about that), they exercise
> their power in a balanced way. And fines are always in relation to the
> economic and personal circumstances of the - then guilty and obstinate -
> data protection violators. I guess most keyservers are run by
> non-profit individuals or institutions. Even if a company runs a
> keyserver, it doesn't make money with that service. Therefore, I think
> the chance of *any* fine is negligible - and the chance of an
> unreasonably high fine is almost zero. And if it ever came to this, the
> community and public alarmed by public outcry would probably donate more
> than the fine issued.
> To sum up: Keep calm and keep running keyservers. You'll be fine.
> More elaboration in German:
> Disclaimer: IANAL. This is not legal advice.

Kristian Fiskerstrand
Twitter: @krifisk
Public OpenPGP keyblock at hkp://
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
"I disapprove of what you say, but I will defend to the death your right
to say it."
Evelyn Beatrice Hall (summarizing Voltaire)

