1. 27
  1. 8

    I haven’t read the GDPR. According to this post, Article 17 requires a data deletion mechanism.

    Did anybody tell the various blockchains about that?

    1. 8

      The decentralized chains don’t really have a “controller” per se.

      ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data

      1. 2

        Regarding the nature of the chains, of course.

        Regarding that insight, thank you!

        1. 3

          Wouldn’t that just impose these rules on the blockchain participants?

    2. 7

      Yeah, I know someone who runs a keyserver and they are getting absolutely sick of responding to the GDPR troll emails.

      Love the idea to use ActivityPub (the same technology involved in Mastodon) for keyservers. That’s really smart!

      1. 16

        Offtopic: Excuse me.

        I think it depends on some conditions, so not everybody is going to see this every time. But when I click on Medium links I tend to get this huge dialog box come up over the entire page saying something about registering or something. It’s really annoying. I wish we could host articles somewhere that doesn’t do this.

        My opinion is that links should be links to some content. Not links to some kind of annoyware that I have to click past to get to the real article.

        1. 11

          Use the cached link for Medium articles. It doesn’t have the popup. Just the content.

          1. 1

            Could you give an example? That sounds like a pleasant improvement, but I don’t know exactly what you mean by a cached link.

            1. 3

              There is a ‘cached’ link under each article title on lobste.rs

              1. 1


          2. 7

            I started running uMatrix and added rules to block all 1st party JS by default. It does take a while to whitelist things, yes, but it’s amazing when you start to see how many sites use Javascript for stupid shit. Imgur requires Javascript to view images! So do all Squarespace sites (it’s for those fancy hover-over zoom boxes).

            As a nice side effect, I rarely ever get paywall modals. If the article doesn’t show, I typically plug it into archive.is rather than enable javascript when I shouldn’t have to.

            1. 2

              I do this as well, but with Medium it’s a choice between blocking the pop-up and getting to see the article images.

              1. 6

                I think if you check the ‘spoof <noscript> tags’ option in uMatrix then you’ll be able to see the images.

                1. 1

                  Nice trick, thanks!

            2. 6

              How timely! Someone at the office just shared this with me today: http://makemediumreadable.com

              1. 4

                From what I can see, the popup is just a begging bowl, there’s actually no paywall or regwall involved.

                I just click the little X in the top right corner of the popup.

                But I do think that anyone who likes to blog more than a couple of times a year should just get a domain, a VPS and some blog software. It helps decentralization.

                1. 1

                  And I find that I can’t scroll down.

                  1. 3

                    I use the kill sticky bookmarklet to dismiss overlays such as the one on medium.com. And yes, then I have to refresh the page to get the scroll to work again.

                    On other paywall sites when I can’t scroll, (perhaps because I removed some paywall overlay to get at the content below,) I’m able to restore scrolling by finding the overflow-x CSS property and altering or removing it. …Though, that didn’t work for me just now on medium.com.

                    1. 1

                      Actually, it’s the overflow: hidden; CSS that I remove to get pages to scroll after removing some sticky div!

                2. 3

                  What is the keyserver’s privacy policy?

                  1. 5

                    I run an SKS keyserver, have some patches in the codebase, wrote the operations documents in the wiki, etc.

                    Each keyserver is run by volunteers, peering with each other to exchange keys. The design was based around “protection against government attempts to censor keys”, dating from the first crypto wars. They’re immutable append-only logs, and the design approach is probably about dead. Each keyserver operator has their own policies.

                    I am a US citizen, living in the USA, with a keyserver hosted in the USA. My server’s privacy statement is at https://sks.spodhuis.org/#privacy but that does not cover anyone else running keyservers. [update: I’ve taken my keyserver down, copy/paste of former privacy policy at: https://gist.github.com/philpennock/0635864d34a323aa366b0c30c7360972 ]

                    You don’t know who is running keyservers. It’s “highly likely” that at least one nation has some acronym agency running one, at some kind of arms-length distance: it’s an easy and cheap way to get metadata about who wants to communicate privately with whom, where you get the logs because folks choose to send traffic to you as a service operator. I went into a little more depth on this over at http://www.openwall.com/lists/oss-security/2017/12/10/1

                    1. 5

                      Thanks for this info.

                      Fundamentally, GDPR is about giving the right to individuals to censor content related to themselves.

                      A system set out to thwart any censorship will fall afoul of GDPR, based on this interpretation.

                      However, people who use a keyserver are presumably A-OK with associating their info with an append-only immutable system. Sadly, GDPR doesn’t really take this use case into account (I think, I am not a lawyer).

                      I think what’s important to note about GDPR is that there’s an authority in each EU country that’s responsible for handling complaints. Someone might try to troll keyserver sites by attempting to remove their info, but they will have to make their case to this authority. Hopefully this authority will read the rules of the keyserver and decide that the complainant has no real case based on the stated goals of the keyserver site… or they’ll take this as a golden opportunity to kneecap (part of) secure communications.

                      I still think GDPR in general is a good idea - it treats personal info as toxic waste that has to be handled carefully, not as a valuable commodity to be sold to the highest bidder. Unfortunately it will cause damage in edge cases, like this.

                      1. 3

                        gerikson, you make really good points there about the GDPR.

                        Consenting people are not the focus of this entirely though; it’s about current and potential abuse of the servers and people who have not consented to their information being posted and there being no way for removal.

                        The Supervisory Authorities won’t ignore that; this is why the key servers need to change to prevent further abuse and their extinction.

                        They also won’t consider this case, just like the recent ICANN case where they want it to be a requirement to store your information publicly with your domain, which was rejected outright. The keyservers are not necessary to the functioning of the keys you upload, and a big part of the GDPR is processing only as long as necessary.

                        Someone recently made a point about the term non-repudiation, below.
                        In digital security, non-repudiation means:

                        A service that provides proof of the integrity and origin of data.
                        An authentication that can be asserted to be genuine with high assurance.

                        Keyservers don’t do this! You can have the same email address as anyone else, and even the maintainers and creator of the SKS keyservers state this as well and recommend you check through other means to see if keys are what they appear to be, such as telephone or in person.

                        I also don’t think this is an edge case; I think it’s a wake-up call to rethink the design of the software and catch up with the rest of the world, and quickly.

                        Lastly, I don’t approve of trolling; if you’re doing it just for the sake of doing it, “DON’T”. If you genuinely feel the need to submit a “right to erasure” due to not consenting to having your data published, please do it.

                      2. 2

                        Thank you for the link: http://www.openwall.com/lists/oss-security/2017/12/10/1, it’s a fantastic read and makes some really good points.

                        It’s easy for anyone to get hold of recent dumps from the SKS servers; I have just hunted through a recent dump of 5 million + keys yesterday looking for interesting data. Will be writing an article soon about it.

                    2. 3

                      I totally agree, it has been bothering me as well. I am in the middle of considering starting up my own self-hosted blog. I also don’t like Medium’s method of charging for access to people’s stories without giving them anything.

                      1. 3

                        I’m thinking of setting up a blog platform, like Medium, but totally free of bullshit for both the readers and the writers. Though the authors pay a small fee to host their blog (it’s a personal website/blog engine, as opposed to Medium which is much more public and community-like).

                        If that could be something that interests you, let me know and I’ll let you know :)

                        1. 2

                          lmao you don’t even get paid when someone has to pay for your article?

                          1. 1

                            Correction, turns out you can get paid if you sign up for their partner program, but I think it requires approval n shit.

                          2. 2

                            hey @pushcx, is there a feature where we can prune a comment branch and graft it on to another branch? asking for a friend. Certainly not a high priority feature.

                            1. 3

                              No, but it’s on my list of potential features to consider when Lobsters gets several times the comments it does now. For now the ‘off-topic’ votes do OK at prompting people to start new top-level threads, but I feel like I’m seeing a slow increase in threads where promoting a branch to a top-level comment would be useful enough to justify the disruption.

                        2. 5

                          Actually, the way the keyservers were designed was just lazy. Even DNS has a mechanism for automatic expiration of worthless names. There are my 2 public keys from 2006, whose private keys I lost a long time ago, that are not helping anything. If the users were supposed to upload or prolong their keys every year or so, the situation would be much better. And take them down, provided they still have access to their private keys.

                          1. 1

                            Also very interesting would be the question of what the consequences of GDPR are on techniques like event sourcing.