key question

MFPA expires2010 at ymail.com
Sat Feb 27 04:52:02 CET 2010 

Hi Robert


On Friday 26 February 2010 at 9:14:58 PM, you wrote:



> You are asserting that (a) the person who created the public key owns
> the information, 

Actually, I am asserting that the public key is likely to contain
personal information appertaining to the person who created that key.
That person is the "data subject."

"Ownership" of personal information is an odd concept. Who "owns" your
date of birth or your bank account number, for example?



> (b) the person owns the information has the right to
> control how it is disseminated, and 

The data subject does have various rights concerning the personal
information that is about him.



> (c) that if someone shares the
> information in violation of the owner's wishes they are doing something
> morally and/or legally wrong.

In many cases, yes. I've given an example in an earlier message in
this thread of "legally wrong." As for morality, sharing somebody's 
personal information in violation of their wishes is, at best, a 
breach of trust.



> [...]

> And you are asserting (c).  You're dressing it up in polite rhetoric
> about the right to privacy, but at the end of the day you're asserting
> that people are doing something wrong if they violate the information
> owner's wishes.

It would probably be difficult to talk about violation of Data
Protection laws and principles without also talking about the right to
privacy.



> In other words, you're in the same boat as the MPAA.  Looks like a duck,
> swims like a duck, quacks like a duck: it's a duck.

I was not aware that the MPAA had anything to do with safeguarding
people's personal information.



>> The reasonable expectation that somebody will extend the common 
>> courtesy of checking with the owner before publishing their key
>> falls somewhat short of the owner having total control over their
>> key.

> You are presupposing the expectation is reasonable.  I am not willing to
> grant that as a given.

Reasonable or otherwise, expecting that somebody will check with you
first does not amount to your having "total control," IMHO.



>> I think personally-identifiable information, including an
>> individual's openPGP key, should not be made public without the
>> consent of the individual ... I think it is a reasonable expectation
>> that the key owner would have uploaded their key to the keyservers
>> themselves if they wanted it to be there.

> Again, you are begging the question.  We're trying to figure out whether
> it is reasonable to expect people to keep public keys secret without the
> owner's permission.  What you're saying here is, "it's reasonable
> because I think it is reasonable."  You're assuming the truth of the
> proposition in question, and using it to try and establish the truth of
> the proposition in question.

We are discussing two things here: the public key itself and the
personal information that is often found in the User-IDs on the public
key. 

Assuming the presence of personal information, depending on the
relationship between the parties involved and the circumstances under
which the key was supplied, there are legal issues to consider. Of
course, one of those legal issues could well be whether the data
subject failed to properly safeguard their own personal information
when they included it in the UID on their key (-; 

A more difficult question in the absence of personal data. I think -
my opinion only; other opinions are also available - that if somebody
chooses not to use the keyservers, that is their choice and they
should not be forced to use them. (A bit like not being forced to have
your phone number listed in the phone book.) 



>> If the key is not already on the servers, that is a pretty strong
>> indicator that the key owner wants it that way.

> It's an indicator the key owner has not uploaded it to that network.
> For instance, what if the key has been uploaded to PGP's keyserver
> (which, last I checked, did not sync with the network, but is publicly
> accessible), but not the global network?  Is that evidence the key owner
> wants it publicized, but just not publicized on the global network?
> Etc., etc.  There are a *ton* of edge cases here.

You would need to ask the key owner. The key does not remain in
perpetuity on the PGP directory, for a start, and UIDs are removed if
you don't reply to confirmation emails every few months. These
substantial differences could well lead to somebody wishing their key
to be on one and not the other. 

Alternatively, they may prefer to share it directly, to distribute it
from an email auto-responder, to post it on their own website, to post
it on BigLumber, or whatever. They might indicate this preference in
their email headers or signature, in the comment field at the top of
messages, in a signature notation...

Sharing the key widely does not have to include the use of keyservers.



> The absence of a key on the keyserver network is, itself, only evidence
> that it's not there.  It doesn't show motive, any more than my having a
> shotgun in my closet shows my motive to commit murder.

OK, you got me.



>> I don't understand your comment. It's not unlawful for the
>> individual to share their own information. It would be unlawful for
>> the recipient of that information to share it with others without
>> consent from the individual

> I am unaware of your qualifications to talk about universally-applicable
> law.  

My use of the phrase "in some places may be illegal" in Message-ID 
<205633239.20100226162320 at my_localhost> earlier in the thread 
indicates I am not talking about "universally-applicable law," 
whatever that might be. 

My "qualification" is through experience and research both as a consumer 
forced to deal with such issues and through being required to handle 
customers' personal information in compliance with the relevant legal 
requirements. 



> I cannot accept your expert opinion on this subject without it
> first being established that you are an expert.

I have made no claim to be an "expert" and would not expect anybody to
accept the words of an anonymous stranger without doing a modicum of
their own research.

Specifically, I was referring to UK law, although equivalent
safeguards are in place in every country in the EU and the EEA.
Similar principles are applied in the laws of many other countries.

References include:- 

http://www.rogerclarke.com/DV/PaperOECD.html

http://ec.europa.eu/justice_home/fsj/privacy/instruments/oecdguideline_en.htm

http://www.opsi.gov.uk/acts/acts1998/ukpga_19980029_en_1

http://www.ico.gov.uk/

http://en.wikipedia.org/wiki/International_Safe_Harbor_Privacy_Principles

http://www.accurateinformationsystems.com/downloads/International_Data_Protection_Laws.pdf

And Google or similar will find you many more.

-- 
Best regards

MFPA                    mailto:expires2010 at ymail.com

If you can't convince them, confuse them.

More information about the Gnupg-users mailing list