keybase / keybase-issues

A single repo for managing publicly recognized issues with the keybase client, installer, and website.

Compliance With EU's 'Right to be Forgotten' Law #2401

Open compumike08 opened 8 years ago

compumike08 commented 8 years ago

I was wondering, has anyone at Keybase done any research into whether or not Keybase can comply with European Union privacy laws, such as the "Right to be Forgotten"? Even if a company is not located in the EU, if it does business with any EU citizens (such as Keybase users who live in the EU), it must comply with EU laws and regulations. Google recently lost a case in the EU where they said that, in certain cases, EU citizens have the right to make Google remove information about them from Google's search results. Of course, Keybase is an entirely different sort of application compared to a search engine. I'm not a lawyer, and I don't know whether or not Keybase would be subject to the EU's "Right to be Forgotten" law (the right is not absolute, and the EU courts have to decide on a case-by-case basis if the right applies in any particular case), but since the EU has a lot of member countries, if any Keybase users live in a member country then Keybase might be subject to EU jurisdiction in matters like this. Given that removing someone from the history of Keybase would be severely difficult (and now that the data is being pushed to the Bitcoin blockchain, completely impossible), it might be prudent for Keybase to have a lawyer who is experienced with EU 'Right to be Forgotten' law look over how Keybase works and let you all know if there are any potential legal issues that you might encounter if any of your users reside in the EU.

Has Keybase had a lawyer knowledgeable in EU law look into this before? If so, did they have any concerns?

@zQueal @gabriel @songgao

strib commented 8 years ago

CC: @malgorithms

plttn commented 8 years ago

IANAL: From my interpretation of the DPD, generally speaking it only applies to outdated info. Since Keybase isn't really keeping any information that goes further than "here's a link to their other social profiles", I imagine there wouldn't be much conflict between DPD and Keybase.

Again, I'm not a lawyer and I could also be completely wrong.

ghost commented 7 years ago

@plttn Keybase is storing a lot more than current info, especially not only the links to social profiles.

Every changeset a user does is added to their own sigchain and added permanently into a blockchain. The blockchain is the main issue here since it conflicts with EU law (see here). Once information is added to the blockchain the only way to remove data from them is to take down the entire blockchain.

Keybase is not pushing user data to the bitcoin blockchain, only a hash of their Merkle root (see here), but this is enough to corrupt their whole policy should data removal be requested - either by an individual user or law enforcement. Complying would mean removing parts of their sigchain which renders all following changes invalid and marks the server as invalid and compromised. Not complying would mean BIG trouble with law enforcement.
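As an added illustration of the mechanism the comment above describes (this is example code written for this page, not code from the thread or from Keybase): a toy hash-chained sigchain per user, with a Merkle root over every user's chain tail standing in for the value a server publishes externally. The link layout, field names, service names and the "tail-hash" Merkle tree are assumptions for the demo, not Keybase's real formats. It shows three things: deleting one link breaks verification of every later link, rebuilding the chain without that link yields an internally consistent chain whose hashes no longer match the committed root, and a client that cached the old tail hash notices the rewrite.

```python
import hashlib
import json

GENESIS_PREV = "0" * 64  # assumed sentinel for "no previous link"


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def link_hash(prev: str, seqno: int, payload: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so equal content hashes identically.
    body = json.dumps({"prev": prev, "seqno": seqno, "payload": payload},
                      sort_keys=True, separators=(",", ":")).encode()
    return _sha256_hex(body)


def build_chain(payloads):
    """Build a chain where each link commits to the hash of the link before it."""
    chain, prev = [], GENESIS_PREV
    for seqno, payload in enumerate(payloads, start=1):
        h = link_hash(prev, seqno, payload)
        chain.append({"prev": prev, "seqno": seqno, "payload": payload, "hash": h})
        prev = h
    return chain


def verify_chain(chain):
    """Return (ok, first_bad_seqno): sequence numbers contiguous, prev pointers and hashes consistent."""
    prev = GENESIS_PREV
    for expected_seqno, link in enumerate(chain, start=1):
        if link["seqno"] != expected_seqno or link["prev"] != prev:
            return False, link["seqno"]
        if link_hash(link["prev"], link["seqno"], link["payload"]) != link["hash"]:
            return False, link["seqno"]
        prev = link["hash"]
    return True, None


def merkle_root(leaves):
    """Merkle root over hex leaf hashes; an odd level duplicates its last leaf (Bitcoin-style)."""
    if not leaves:
        return _sha256_hex(b"")
    level = list(leaves)
    while len(level) > 1:
        if len(level) % 2 == 1:
            level.append(level[-1])
        level = [_sha256_hex(bytes.fromhex(a) + bytes.fromhex(b))
                 for a, b in zip(level[::2], level[1::2])]
    return level[0]


def server_root(chains):
    """Constructed model of the published root: a Merkle root over every user's current tail hash."""
    tails = [chain[-1]["hash"] for _, chain in sorted(chains.items())]
    return merkle_root(tails)


def remove_link(chain, seqno):
    """Naive removal request: drop one stored link and leave everything else untouched."""
    return [link for link in chain if link["seqno"] != seqno]


def rewrite_without(chain, seqno):
    """Rebuild the chain from scratch without one payload: internally consistent, but every later hash changes."""
    return build_chain([link["payload"] for link in chain if link["seqno"] != seqno])


def client_detects_rewrite(remembered_tail: str, chain) -> bool:
    """A client that cached a user's last link hash checks the served chain still contains it."""
    return all(link["hash"] != remembered_tail for link in chain)


def demo():
    # Constructed sample users and events, not real Keybase data.
    alice = build_chain([
        {"type": "eldest", "device": "laptop"},
        {"type": "proof", "service": "twitter", "name": "alice_example"},
        {"type": "proof", "service": "github", "name": "alice-example"},
        {"type": "revoke", "service": "twitter"},
    ])
    bob = build_chain([{"type": "eldest", "device": "phone"}])
    committed = server_root({"alice": alice, "bob": bob})   # value "published" externally
    remembered_tail = alice[-1]["hash"]                       # what a client cached last time

    # Removal request for the twitter proof (seqno 2), handled two ways.
    naive = remove_link(alice, 2)
    ok_naive, first_bad = verify_chain(naive)
    rewritten = rewrite_without(alice, 2)
    ok_rewritten, _ = verify_chain(rewritten)
    root_after = server_root({"alice": rewritten, "bob": bob})

    return {
        "ok_before": verify_chain(alice)[0],
        "ok_naive": ok_naive,
        "first_bad_seqno": first_bad,
        "rewrite_verifies": ok_rewritten,
        "root_changed": root_after != committed,
        "client_detects_rewrite": client_detects_rewrite(remembered_tail, rewritten),
        "client_false_alarm": client_detects_rewrite(remembered_tail, alice),
    }


if __name__ == "__main__":
    print(demo())
```

The takeaway for a defender is the trade-off itself: the same properties that let clients detect a compromised or rolled-back server (contiguous sequence numbers, prev-hash links, an externally committed root) are what make selective deletion indistinguishable from tampering.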

compumike08 commented 7 years ago

@strib @malgorithms

Please see the first link in @dtiersch's comment above, as it explicitly discusses the legal issues that technologies involving blockchains are encountering in the EU, as apparently it does violate the EU's "right-to-be-forgotten" law. If Keybase currently has any users in the EU, Keybase should probably discuss this issue with their lawyers ASAP.

zQueal commented 7 years ago

Keybase should probably discuss this issue with their lawyers ASAP.

Things move pretty slow at Keybase because it's a startup--most likely the only reason this hasn't been responded to yet is because either it hasn't been seen (very unlikely) or they're currently in talks with legal counsel and won't comment until they know the whole story including what they intend to do if such an event happens.

One of the easiest workarounds for this right now to stay out of legal trouble (if there is any to be had) is to restrict Keybase usage to non-UK (EU?) residents. Which would obviously suck--and who knows how feasible it is considering how long Keybase has been open.

ManuRS commented 5 years ago

I opened an issue with one concrete problem I found related to the 'Right to be Forgotten'. https://github.com/keybase/keybase-issues/issues/3309