Where I work, we keep the firewall logs with port numbers completely separate from the webserver logs.
Looking at article 25 of GDPR, it is clear that IP addresses are pseudonymized data in the firewall logs, as there are only 2 ways to connect the IP address to a physical person:

1. Court order to ISP etc.
2. Have the web people look up the IP address in their system, trace requests, and see if they can associate it with a known user identity.

So firewall logs, unless the web people have access to them, are pseudonymized data. So secure by design (article 25). And we can keep them for statistics, or investigation purposes.

Now, the question then is, how can we keep enough data in the webserver etc. log to be able to actually do enough investigation? A /16 shortening was suggested. I think this is too large a grouping. It can not even be used for country/city statistical purposes. But of course we can enrich data with that from the likes of MaxMind, when throwing away trailing bits. I think we need a minimum /20-/22 and source port in the logs to, with some degree of confidence, go from events in the webserver logs back to the firewall log to have necessary information for investigation/authorities. If we have a /20-/22 and GeoIP data, we might have a few candidates. Then this is good enough to ensure we can not get back to ONE physical person.

I think that updating RFC6302 might be a bit early, and we risk that it has to be revised after the first court makes a decision. If we keep RFC6302 as is, then companies can defend themselves by saying they use best practice.

We have another obligation as data owners/processors. We should keep enough data to verify a suspected data breach, and judge the impact. If I can not see if 10000 profiles were downloaded by the same IP, or from 10000 different IPs (out of 65535), I might not be able to fulfill some of the other requirements in GDPR.

I think the big question here is how the data is stored/processed, and it must be governed by organizational measures (policies and training).
It would likely be illegal to use the logs to profile a person. But there can be other interests allowing us to keep the logs, disassociated from user profiles or other things that allow us to map an IP to an individual.
_______________________________________________
Int-area mailing list
Int-area@ietf.org
https://www.ietf.org/mailman/listinfo/int-area
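The truncation-plus-source-port scheme described in the post above, as an added illustration that is not part of the original message or of any IETF work: the webserver log keeps only a /22 (or /20) prefix and the client's source port, the firewall log keeps full addresses and stays separate, and an investigator matching a pseudonymized web line against the firewall log gets a small set of candidate hosts rather than one. The log formats, field names and all sample lines are constructed for the example; it handles IPv4 only.

```python
import ipaddress
import re

# Constructed webserver lines: "<client ip>:<source port> <method> <path> <status>"
WEB_LOG = [
    "203.0.113.45:51234 GET /profile/1001 200",
    "203.0.113.45:51234 GET /profile/1002 200",
    "203.0.113.200:40000 GET /profile/1003 200",
    "198.51.100.7:51234 GET /profile/1004 200",
]

# Constructed firewall lines, stored separately and keeping the full source address.
FIREWALL_LOG = [
    "src=203.0.113.45 sport=51234 dst=192.0.2.10 dport=443 action=allow",
    "src=203.0.114.9 sport=51234 dst=192.0.2.10 dport=443 action=allow",
    "src=203.0.113.200 sport=40000 dst=192.0.2.10 dport=443 action=allow",
    "src=198.51.100.7 sport=51234 dst=192.0.2.10 dport=443 action=allow",
]

# The ip group also accepts "a.b.c.d/nn" so the same pattern parses pseudonymized lines.
WEB_RE = re.compile(r"^(?P<ip>[0-9./]+):(?P<port>\d+) (?P<rest>.*)$")
FW_RE = re.compile(r"src=(?P<ip>[0-9.]+) sport=(?P<port>\d+)")


def truncate_ip(ip: str, prefix_len: int) -> str:
    """Throw away the trailing host bits: 203.0.113.45 with /22 -> '203.0.112.0/22'."""
    net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
    return str(net)


def pseudonymize_web_line(line: str, prefix_len: int = 22) -> str:
    """Replace the client IP with its /prefix_len network, keep the source port
    so the event can still be correlated with the (separately held) firewall log."""
    m = WEB_RE.match(line)
    if not m:
        raise ValueError(f"unparseable web log line: {line!r}")
    return f"{truncate_ip(m['ip'], prefix_len)}:{m['port']} {m['rest']}"


def firewall_candidates(pseudo_line: str, firewall_lines) -> set:
    """For one pseudonymized web line, return every full source IP in the firewall
    log that lies in the same prefix and used the same source port. More than one
    candidate means the web log alone does not identify a single host."""
    m = WEB_RE.match(pseudo_line)
    if not m:
        raise ValueError(f"unparseable pseudonymized line: {pseudo_line!r}")
    net = ipaddress.ip_network(m["ip"])
    port = m["port"]
    found = set()
    for fw in firewall_lines:
        f = FW_RE.search(fw)
        if f and f["port"] == port and ipaddress.ip_address(f["ip"]) in net:
            found.add(f["ip"])
    return found


def distinct_prefixes(pseudo_lines) -> int:
    """Lower bound on how many distinct client networks appear: enough to tell
    'one source pulled every profile' from 'many sources pulled one each'
    without retaining full addresses in the web log."""
    return len({WEB_RE.match(line)["ip"] for line in pseudo_lines})


if __name__ == "__main__":
    pseudo = [pseudonymize_web_line(line) for line in WEB_LOG]
    for line in pseudo:
        print(line, "->", sorted(firewall_candidates(line, FIREWALL_LOG)))
    print("distinct /22 prefixes seen:", distinct_prefixes(pseudo))
```

Running it shows the first web line mapping to two firewall candidates (203.0.113.45 and 203.0.114.9 share the /22 and the port), which is the "a few candidates" outcome the post argues for; widening to /16 via `prefix_len=16` enlarges the candidate set, narrowing to /24 or /32 collapses it toward one host.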