Things that make you go hmmm: Do crypto key servers violate GDPR?
One does not simply 'remove' data from key servers
Cryptographic key servers are in "direct violation" of the EU's General Data Protection Regulation, a software developer has claimed.
Michael Drahony (AKA yakamok) has written a program (on GitHub) designed to highlight the potential compliance issues posed by use of PGP as an email encryption utility.
"Currently you cannot remove data from the key servers on request," Drahony told El Reg in an email. "Any data posted to them propagate to other key servers, making the data immortal in a sense."
Drahony's contention has sparked a spirited debate among security experts.
Users make a conscious decision to place a public PGP key on a key server, but might the fact data can't be deleted still be an issue?
The glorious uncertainty: Backup world is having a GDPR momentREAD MORE
The requirement to delete or remove data on request, per GDPR, "only applies when it is practical", said Martijn Grooten, editor of industry journal Virus Bulletin. "One could maybe argue that it isn't in this case [of PGP key servers]."
Professor Alan Woodward, a computer scientist and cryptographer from the University of Surrey in England, said that there's an implied consent to disclose personal information and to be contacted through encrypted email when someone shares their public PGP key.
"If your UID is your name then your name, email and key are visible – it's kinda the point so can't imagine ICO would complain," he commented.
These considerations apply even if an "anonymous" email address is associated with a PGP key. An email address is unique to a person. "It's still personal data even if you can't find out who is the person behind it," Grooten added.
Other experts were inclined to view the whole business as something of a non-issue.
Brian Honan, infosec consultant and founder of Ireland's CSIRT, commented: "I am not sure what the issue the reader is trying to highlight is. Firstly PGP public keys are on the server and placed there by the key owners. Secondly any server on the internet can be used to host stolen data."
Drahony disagreed with Grooten on the practicality of deletion exemption point: "If a person has involuntarily had their information submitted, it's a violation of the GDPR Article 17/7 and must be easy to remove, which in this case it's not," Drahony said.
"Also a person must be able to withdraw consent as easily as they gave it at any point; this means that data must be removed from the public eye without undue delay."
The issue is far from clear cut.
Andrew Cormack, a legal expert in academia, said: "It seems to me that continued publishing is 'necessary in relation to the purposes for which they were collected'. Don't claim processing by consent'." ®