Can you ensure that you won't expose user emails in future? about keyserver HOT 13 CLOSED

ok, this is pointless.

from keyserver.

If you want this guarantee you need to run the server yourself in an environment you trust.

from keyserver.

I think the advertised intent of the project is equivalent to any casual agreement you would get from them on a github issue tracker (neither carries legal binding).

from keyserver.

Are you nuts??

It's a PUBLIC EMAIL DIRECTORY.

It's basically a phone book, for Christs sake!

Here is you, calling the phone company, and asking them to publish your phone number, but not your name.....

Think about that. Get back to us when you figure out what German law says about publishing a phone number with no name in a phone book.

On a serious note, if you ACTUALLY have a 'Secret' level clearance with the government or the military, or you're an activist in a toxic country.. MAYBE you shouldn't be publishing your email address in a public directory. Maybe. Let's just throw it at the wall and call it a 'best practice', m'kay?

p.s. I'm posting this on a zombie thread, because in this day and age I can TOTALLY see other people reading this thread and getting confused about what a 'phone book' is, and what it's used for.

from keyserver.

@crogonint Tone and language of your comment are not appropriate for this forum.

Our privacy policy has been updated since this thread was created and reads now as:

By uploading a key to the key server you give us your revocable consent to store the key (which may contain personal information like your real name and your email address) on the key server so that we can serve it to other users who are addressing encrypted messages to your email address.

@dreamflasher

So if you at any point would decide to change your terms, then I guess that would be legal, too?

Still according to GDPR usage of the data is bound to a certain purpose and it would violate GDPR if we sell this data to some random third party. Just publishing the complete data on the website would violate the integrity and confidentiality principles of the GDPR.

from keyserver.

This question is not about servers getting hacked and keys thus exposed, but about a commitment of the project owners to not add this functionality, or at least before they add this giving users the options ot opt out/remove their keys.

from keyserver.

Could you please quote the intent about not exposing user emails in future? Couldn't find any.

from keyserver.

I think that should be covered by our privacy guidelines: https://www.mailvelope.com/en/privacy-policy

from keyserver.

@toberndo Do you mean it is already covered or that it should be added?
I kinda see this here "We will not share your personal data with third parties unless you have given your prior explicit consent or such sharing of data is prescribed by law or legally permissible. We will not sell your data to third parties, nor market them in any other manner." -- but you also write that you can change the privacy policy any time, and it would be kind of nice having such a thing as Absichtserklärung (intention declaration) for the future.

from keyserver.

@dreamflasher I thought is is covered with:

1.1. We shall comply at all times with the applicable data protection laws, in particular the stipulations in the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) and the German Telemedia Act (Telemediengesetz, TMG).

from keyserver.

Maybe it is? I'm unsure about it, because keyservers currently work the way that you share your key and then it's possible to sync with them to get a list of all keys and thus of all emails. So I would think that these keyservers are complient with German law? I am not a legal expert, but I would guess if there is something in the AGB saying "by uploading your keys, you are willing that your email addresses are publicly available" then I would guess that is legal?
So if you at any point would decide to change your terms, then I guess that would be legal, too?

from keyserver.

Nonsense. Get your facts straight.
This is not a public email directory. Also as a side note, yelling (capslock) is not supporting your argument; facts would, but those are missing in your post – you're just rambling around.
So let's look at the facts together:

• mailvelope is not a public email directory, other keyservers are
• a keyserver is not a phonebook, those are two conceptually different things
• mailvelope provides a service to look up keys, given an email – and users upload der keys based on this premise. A better comparison would be: Whatsapp has the phone numbers of you and your friends, and it allows you to add everyone as a contact whose number you have. It would go against laws if they would publish everyone's phone number.
• this thread is about preventing publishing email addresses that are currently private

from keyserver.

• mailvelope is not a public email directory, other keyservers are

If that's true, I wasn't aware of it.

Oh, wait.. so you CAN'T search this keyserver at all?? It's strictly for mailvelope to serve keys?

Well that's annoying. How do I share my mailvelope generated keys out to a public keyserver?

If what you say is true, I apologize for being completely out of line. I still don't see why a spammer would want to raid a keydirectory, though. There's got to be a million other ways to get a qualified email address (one that they know someone is looking for a loan, or looking to buy a car, etc.). Still, I suppose some spammers just send out ridiculous nonsense to just about anybody.

You might consider using Yahoo email, they had an INSANE spam filter back in the day. Personally, I'm going to give GMX a try for a while. They basically have all of the features I like in gmail, except they're not Google, spying on everything I do. ;)

from keyserver.