nanog mailing list archives

Re: Whois vs GDPR, latest news


From: Sander Steffann <sander () steffann nl>
Date: Sun, 27 May 2018 22:28:05 +0200

Hi,

> The way GDPR is written, if you want to collect (and store) so much as
> the IP address of the potential customer who visited your website, you
> need their informed consent and you can’t require that they consent as
> a condition of providing service.

> What we were told is that since security > GDPR, storing IPs in logs is obviously OK since it’s a legal requirement.

GDPR article 6.1c (legal obligation) and 6.1f (legitimate interests) would probably both qualify for logging HTTP 
requests.

In this context it's also not likely that the IP address is considered personal data at all. Personal data is defined 
as data related to "an identifiable natural person is one who can be identified, directly or indirectly, in particular 
by reference to an identifier such as a name, an identification number, [...]". If you have no way to determine who an 
IP address belongs to then it's not personal data to you.

This can actually be a tricky point: the ISP who provides connectivity to a customer obviously knows which IP address 
they provided, so to that ISP the IP address is definitely personal data. If you ask for someone's name on your website 
and you log the IP address together with answers then you suddenly turn that IP address into personal data, even 
regarding your web server logs.

To be safe, adding something like the following to the privacy notice on the website would be fine for this case: "In 
order to comply with law enforcement requirements and to be able to detect and investigate abuse of our website we log 
all requests including the IP addresses of the requester. If our systems detect abuse they may block access to our 
services from that IP address. This data will be stored for up to 2 weeks and will then automatically be deleted." Add 
boilerplate text for contact information etc. and that should cover article 13.

> Storing them in a database for targeting / marketing is not.

> What is a gray area so far is any use of IDS/IPS…

Sounds like legitimate interests to me :)  But it really depends on what is done with that information. Just protecting 
your servers should be fine. The big change with the GDPR is that you have to tell your users that you do this.

Hmmm. It might be a good idea to write some boilerplate privacy policy text for common components like IDP/IDS, load 
balancers, web server logs, DDOS protection etc.

Cheers,
Sander

