Anton Luka Šijanec:
Hans-Christoph Steiner <h...@guardianproject.info> @ Wed, 13 Jan 2021 10:27:42
+0100:
The standard log_formats store detailed information which falls under
data regulations like the EU's GDPR and California's CCPA. This merge
request adds a suggested "privacy" log_format that generates logs that
cannot be used to identify users. This has been developed and used by
Tor Project, Guardian Project, and F-Droid.
IANAL, so: Are there any exceptions in EU's GDPR that allow short-stored logs
of user-identifiable information? That would seem useful, as *some* logging is
useful when detecting and reporting fraudalent activities and for detecting
spam. Logs are rotated and are sometimes useful when a data breach happens.
I've also seen some examples of ISPs having to store info, that would be
classified as user data, for 6 months for detecting illegal activities. See [1].
Again, IANAL, but [0] describes some allowances regarding log data. I agree
with adding the privacy option, but is that really a must when dealing with EU
customers?
Both GDPR and CCPA allow log data to be gathered, stored, and used. Those are
regulated though, that means they must be considered when a user requests you
give them their data, to delete all references to a user, etc. You must also
consider the legal definition of "for no longer than is necessary for the
purposes for which the personal data are processed" in the context of your
business activities and data you're gathering. These are all non-trivial.
The goal of the "privacy" log mode is to guarantee that the log files do not
fall under GPDR/CCPA regulation, but still provide useful information. Then
those log files can remain outside of GDPR/CCPA reviews.
IANAL, I am a researcher focused on privacy and metadata. Those log files do
not contain Personally Identifying Information (PII) and also do not contain
enough info to identify someone. They might contain enough data to identify
someone in combination with other large data sets, like all of a user's browsing
data.
.hc
--
PGP fingerprint: EE66 20C7 136B 0D2C 456C 0A4D E9E2 8DEA 00AA 5556
https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE9E28DEA00AA5556
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
