Dear Povl,
Thank you for sharing your thoughts.
I have one comment and two clarification questions:
- Wouldn’t logging based on /20-/22 nullify the interest to log source ports for
investigations? Multiple subscribers may be assigned the same port in the /20
or /22 range.
- GeoIP (whatever that means) is broken when CGNs are in use.
- How and under which conditions can an IP address + port be used to
point to “ONE physical person”, especially when address sharing is in use?
Cheers,
Med
From: Int-area [mailto:[email protected]] On Behalf Of Povl H. Pedersen
Sent: Wednesday 25 April 2018 09:55
To: [email protected]
Subject: Re: [Int-area] WG adoption call: Availability of Information in
Criminal Investigations Involving Large-Scale IP Address Sharing Technologies
Where I work, we keep the firewall logs with port numbers completely separate
from the webserver logs.
Looking at article 25 of GDPR, it is clear that IP addresses are pseudonymized
data in the firewall logs, as there are only 2 ways to connect the IP address
to a physical person.
1. Court order to ISP etc.
2. Have the web people look up the IP address in their system, trace requests,
and see if they can associate it with a known user identity.
So firewall logs, unless the web people have access to them, are pseudonymized
data. So secure by design (article 25). And we can keep them for statistics, or
investigation purposes.
Now, the question then is, how can we keep enough data in the webserver etc. log
to be able to actually do enough investigation? A /16 shortening was
suggested. I think this is too large a grouping. It cannot even be used for
country/city statistical purposes. But of course we can enrich data with that
from the likes of MaxMind, when throwing away trailing bits.
I think we need a minimum /20-/22 and source port in the logs to, with some
degree of confidence, go from events in the webserver logs back to the firewall
log to have necessary information for investigation/authorities. If we have a
/20-/22 and GeoIP data, we might have a few candidates. Then this is good enough
to ensure we can not get back to ONE physical person.
I think, that updating RFC6302 might be a bit early, and we risk that it has to
be revised after the first court makes a decision.
If we keep RFC6302 as is, then companies can defend themselves by saying they
use best practice.
We have another obligation as data owners/processors. We should keep enough data
to verify a suspected data breach, and judge the impact. If I cannot see if
10000 profiles were downloaded by the same IP, or from 10000 different IPs (out
of 65535), I might not be able to fulfill some of the other requirements in
GDPR.
I think the big question here is how the data is stored/processed, and it must
be governed by organizational measures (policies and training). It would likely
be illegal to use the logs to profile a person. But there can be other interests
allowing us to keep the logs, disassociated from user profiles or other things
that allow us to map an IP to an individual.
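As an added example (not code from either message or from the working group), the following shows how the /20-/22 plus source port scheme described above behaves when a truncated webserver entry is matched back against a full firewall log, and why, as the reply notes, several subscribers behind address sharing can collide on the same port once trailing bits are dropped. The log entries, addresses and function names are constructed for illustration.

```python
import ipaddress
from typing import List, Tuple

# Constructed firewall log entries (client address, source port); not real data.
FIREWALL_LOG: List[Tuple[str, int]] = [
    ("203.0.113.17", 40001),   # CGN public address A, subscriber 1
    ("203.0.113.200", 40001),  # CGN public address B, subscriber 2, same port
    ("203.0.113.17", 40002),   # address A again, different port
    ("203.0.77.9", 40001),     # same /16 as A, but outside its /22
    ("198.51.100.5", 40001),   # unrelated network, same port
]


def truncate_address(ip: str, prefix_len: int) -> str:
    """Drop the trailing bits of an address, keeping only a /prefix_len network.
    This is the form the webserver log keeps instead of the full address."""
    return str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))


def pseudonymise_web_event(ip: str, port: int, prefix_len: int = 22) -> Tuple[str, int]:
    """Webserver-side record: truncated network plus the source port."""
    return truncate_address(ip, prefix_len), port


def firewall_candidates(web_event: Tuple[str, int],
                        firewall_log: List[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Firewall-side lookup: every full (address, port) entry consistent with
    the truncated web event. More than one hit means the web log alone
    cannot single out one subscriber."""
    network = ipaddress.ip_network(web_event[0])
    port = web_event[1]
    return [(ip, p) for ip, p in firewall_log
            if p == port and ipaddress.ip_address(ip) in network]


def candidate_count(ip: str, port: int, prefix_len: int) -> int:
    """How many firewall entries match a web event logged at /prefix_len."""
    event = pseudonymise_web_event(ip, port, prefix_len)
    return len(firewall_candidates(event, FIREWALL_LOG))


if __name__ == "__main__":
    # Tighter prefix: fewer candidates, less pseudonymisation; /16 loses
    # locality while still not reaching a single subscriber.
    for plen in (32, 22, 16):
        print(f"/{plen}: {candidate_count('203.0.113.17', 40001, plen)} candidate(s)")
```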
_______________________________________________
Int-area mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/int-area