keybase / client

Keybase Go Library, Client, Service, OS X, iOS, Android, Electron
BSD 3-Clause "New" or "Revised" License

Is Keybase GDPR Compliant? #12816

Open compumike08 opened 6 years ago

compumike08 commented 6 years ago

Is Keybase GDPR compliant? Keybase is a great service, and I'd hate to see it shut down by the massive fines that a company can get by violating GDPR. Even though Keybase is a U.S.-based company, it can still be fined by the EU for violating GDPR if it has even a single EU citizen as a user. There is precedent in international law for enforcing judgements on foreign countries, and U.S. courts have enforced fines from foreign countries on U.S. companies before (see LICRA v. Yahoo! for a prominent example).

What policies and procedures has Keybase put into place to ensure it is GDPR compliant?

dabura667 commented 6 years ago

What policies and procedures has Keybase put into place to ensure it is GDPR compliant?

Keybase doesn't collect personal data on users.

Any personal data is shared in the public by the user with their full understanding, so even if someone "hacked" them and "stole" all the personal data they have... they could have "stolen" all that data by just visiting keybase.io and looking at every profile...

compumike08 commented 6 years ago

Keybase collects e-mail addresses which are not necessarily shared publicly.

dabura667 commented 6 years ago

E-mail addresses are not sufficient to be considered Personally Identifiable Information.

Japan has similar laws and it has precedent in court that e-mails are NOT PII alone. They can be mixed with other data to become PII, but if the only data being held privately by the company is email they should be fine.

If you want to pay a lawyer $500,000,000 an hour to figure out whether email by itself is PII, then you are welcome.

Instead of worrying about "the letter" of the law, worry about "the intent" of the law.

GDPR is set out to punish all the stupid companies that ask for tons of private info, store your passwords in plaintext, get hacked 50 times over 5 years and cover it up, and then sell all your info without your permission to 100 different companies.

Keybase only collects and stores email addresses. Passwords are heavily hashed and salted before storing in the database (we know this because it's open source) and EVERYTHING that is meant to be private is encrypted end to end and Keybase could never possibly see it.

Going by the "intent" they get AAA+++

Going by the "letter" they get whatever some judge decides to give them in the event someone files a complaint... but to be honest, they would look at it, notice the complaint is bollocks and not even bother moving forward. You can argue that all day if you want... but tbh you could still argue it if Keybase hired a full time Data Protection Specialist or something... they would still not be protected from a judge deciding to make some bollocks decision.

I do not represent Keybase at all, but if anyone at their company spent more than 5 seconds worrying about GDPR before they remembered "oh yeah, we don't store customer data. k that solves that." then they're already wasting more time.

tl;dr email is not PII on its own... unless your email is my_full_name_is_xxx_yyy_and_I_live_at_1234_E_something_ave@gmail.com in which case, there is no guarantee that this info is the PII of that account user... so it still wouldn't be PII.

compumike08 commented 6 years ago

Actually, the GDPR explicitly recognizes e-mail addresses as PII. It also considers IP addresses to be PII.

maxtaco commented 6 years ago

Thanks @dabura667!

Hi, we do absolutely no marketing or data sharing with other companies. Period. We feel strongly about this because it's the right thing to do. Therefore, we never allow other companies to see any PII about Keybase users that isn't already public to all. One exception is our hosting provider, AWS. They theoretically can infer PII like email addresses and IP addresses if they are in violation of data privacy laws.

For the most part, we don't allow other users on Keybase to see the connection between an email address and a user. There are two exceptions worth mentioning: (1) you can tell if an email has been registered for a Keybase account via the "recover passphrase" flow, though that doesn't reveal who it is registered for; and (2) if bob invites alice@gmail.com into team foo, and alice@gmail.com accepts as Keybase account alice, now bob has confirmed alice's email address. We scrub email addresses from our database on account deletion after 30 days. We delete database backups after 45 days.

We delete logs after 15 days. We store IP addresses in logs, but never write IP addresses to our databases.

kirushik commented 6 years ago

I believe (IANAL) that Keybase under their default privacy policy is possibly not GDPR compliant.

For example, Section 1 in there states that

When you access or use the Service, we automatically collect and store information about your browsing habits and your use of the Service (“Usage Information”), including:

a. Your computer’s IP address <…> Logs of this information may persist for an indefinite period.

From the GDPR point of view, IP address is clearly Personal Data (see UK's ICO FAQ on the topic).

This means that all the GDPR Principles should be applied to handling and storing IP addresses, and that includes Storage limitation as one of the principles, so the "may persist for an indefinite period" most likely won't cut it.

This is certainly not the only possible contradiction between the said Privacy Policy and GDPR, so it clearly takes a separate Data Protection Agreement with Keybase to get its usage GDPR-compliant.

kirushik commented 6 years ago

We delete logs after 15 days. We store IP addresses in logs, but never write IP addresses to our databases.

Oh, that's interesting. @maxtaco can you please clarify this? Your Privacy Policy says something different, that those logs can be stored indefinitely.

maxtaco commented 6 years ago

We're working on updating that. But for now, what I wrote is true.

kirushik commented 6 years ago

@maxtaco cool, thanks!

Would you be so kind as to post an update in this issue when the new Privacy Policy is ready? I'll start deploying Keybase in my company right after it's made GDPR-compliant (in a legal sense, I'm pretty sure you're doing better than most from a technical data protection standpoint).

compumike08 commented 6 years ago

In addition to IP address, things like e-mail address (which is required to sign up), are also considered personally identifying information under GDPR. It is important to make sure that all the required options and notices are given to all users. The GDPR is a VERY complex law, Keybase probably needs a dedicated professional to analyze their operations to make sure they are compliant. In addition to technical regulations, there are also organizational and administrative requirements. For example, the company needs to have someone in the company appointed as the official Data Protection Officer (DPO). That position has very specific requirements about the powers and responsibilities that position must hold, so simply assigning someone to be the privacy officer at the company without thoroughly researching what the GDPR requires for the DPO position and making sure you are in compliance is not going to be sufficient.

There are also very specific reporting requirements that the company needs to understand and adhere to in order to be GDPR compliant.

Basically the point I’m trying to make is that becoming GDPR compliant isn’t as simple as deleting logs every 15 days (also, the fact that you delete them after 15 days doesn’t actually mean you are GDPR compliant, as you are still collecting it in the first place. You have to make sure your systems meet GDPR compliance for all personally identifiable information regardless of how long it is stored). In order to ensure compliance, Keybase needs to research the GDPR and thoroughly review all their technical systems, as well as their organizational structure and business procedures, to ensure compliance, and to make any changes necessary to become compliant.

Also, if Keybase isn’t fully compliant, any business that uses Keybase could share the fines, even if only Keybase is at fault.

LeBaux commented 4 years ago

There are more problematic parts of ToS when it comes to GDPR, such as:

  1. CONTENT When providing Keybase or the Service with content, such as your name, username, photos, social media names, data or files, or causing content to be posted, stored or transmitted using or through the Service (“Your Content”), including but not limited to the Registration Data and any other personal identification information that you provide, you hereby grant to us a non-exclusive, worldwide, perpetual, irrevocable, royalty-free, transferable (in whole or in part), fully-paid and sublicensable right, subject to the Privacy Policy, to use, reproduce, modify, transmit, display and distribute Your Content in any media known now or developed in the future, in connection with our provision of the Service. Further, to the fullest extent permitted under applicable law, you waive your moral rights and promise not to assert such rights or any other intellectual property or publicity rights against us, our sublicensees, or our assignees.

Correct me if I am wrong, but this does not sound GDPR compliant.

maxtaco commented 4 years ago

We are doing a final review of large updates to these docs and hope to post them shortly. So expect large changes in the verbiage.