item 33093690

seqastian | 3 years ago

In the "Top 30 of 10484 Total Sites" section there are hosts and IPs.

If they remove the end of IPs and the first part of hosts, it's considered 'anonymised' by Matomo or GoAccess. But you are still collecting IPs in the server logs and need a GDPR statement documenting it.
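The masking seqastian describes (cutting the end off an IP and the leading label off a hostname) applied as an ingest filter over access-log lines, as an added example that is not part of this thread and is not Matomo's or GoAccess's code. The mask widths (keep 24 bits of an IPv4 address, 48 bits of an IPv6 address), the rule of dropping only the leftmost hostname label, and the sample log lines are all assumptions constructed for the example. The caveat in the comment still applies: the web server has already written the raw line by the time a filter like this runs, so it only reduces what the retained or analytics copy holds.

```python
import ipaddress
from typing import List

# Constructed Common Log Format lines (documentation address ranges; not real traffic).
SAMPLE_LOG = [
    '203.0.113.42 - - [10/Oct/2022:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326',
    '2001:db8:abcd:1234:5678:9abc:def0:1 - - [10/Oct/2022:13:55:37 +0000] "GET /a.png HTTP/1.1" 200 512',
    'host1.example.net - - [10/Oct/2022:13:55:38 +0000] "GET /b.css HTTP/1.1" 304 0',
]

# Assumed mask widths: how many leading bits of the address survive.
V4_KEEP_BITS = 24
V6_KEEP_BITS = 48


def mask_ip(addr: str, v4_keep_bits: int = V4_KEEP_BITS, v6_keep_bits: int = V6_KEEP_BITS) -> str:
    """Zero the trailing bits of an IPv4/IPv6 address; raises ValueError if not an IP."""
    ip = ipaddress.ip_address(addr)
    keep = v4_keep_bits if ip.version == 4 else v6_keep_bits
    # strict=False lets ip_network compute the network address from a host address.
    net = ipaddress.ip_network(f"{ip}/{keep}", strict=False)
    return str(net.network_address)


def mask_host(host: str) -> str:
    """Drop the leftmost label of a hostname with three or more labels (assumed rule)."""
    labels = host.rstrip(".").split(".")
    if len(labels) >= 3:
        return ".".join(labels[1:])
    return host


def anonymize_remote(token: str) -> str:
    """Apply IP masking if the token parses as an address, hostname masking otherwise."""
    try:
        return mask_ip(token)
    except ValueError:
        return mask_host(token)


def anonymize_line(line: str) -> str:
    """Rewrite the first field (remote host) of a Common Log Format line."""
    remote, sep, rest = line.partition(" ")
    return anonymize_remote(remote) + sep + rest


def anonymize_log(lines: List[str]) -> List[str]:
    return [anonymize_line(line) for line in lines]


if __name__ == "__main__":
    for original, masked in zip(SAMPLE_LOG, anonymize_log(SAMPLE_LOG)):
        print(original)
        print("  ->", masked)
```

Feeding the web server's raw log through `anonymize_log` before it is stored or handed to an analytics tool is the shape of what the analytics-side "anonymise IP" settings do; whether the remaining prefix or the remaining domain labels still count as personal data is the question the rest of the thread argues about.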

dspillett | 3 years ago

Has it not been successfully argued that an IP address is not sufficiently identifying (in various court cases wrt piracy)? If so then the source host's name, either given directly in the protocol or returned from an rDNS query, shouldn't be either.

warpspin | 3 years ago

> Has it not been successfully argued that an IP address is not sufficiently identifying (in various court cases wrt piracy)? If so then the source host's name, either given directly in the protocol or returned from an rDNS query, shouldn't be either.

No. For purposes of the GDPR, IP addresses are considered personally identifying information.

https://curia.europa.eu/juris/document/document.jsf?text=&do...

A bit of background: it had long been accepted in EU law that a statically assigned IP address is PII. For years it was contested whether dynamically assigned IP addresses also fall under this, as the owner of a website has no means to actually trace that IP address back to a natural person. Here the highest EU court basically decided that, as long as even a third party (the internet provider assigning the dynamic IP address) is able to identify the person using an IP address at a certain time, dynamically assigned IP addresses also have to be considered PII, and therefore all IP addresses.

mypetocean | 3 years ago

Another thing to consider is that in many PII laws, data which can be combined with other data to reconstruct a complete instance of PII will itself count as PII.

So if a full hostname or IP counts as PII, then a _partial_ hostname or IP also counts.

Karunamon | 3 years ago

If accurate, the fact that you need a GDPR statement to cover the default logging configuration of every HTTP server created in the last 30 years strikes me as ridiculous. Wouldn't your own analytics/abuse prevention/optimization count as legitimate interest and not need a statement or consent?

I'm serious, the practical effect of what you described would be the internet equivalent of a California prop 65 warning that is on basically everything. I.e. meaningless. Everything in California causes cancer, everything on the internet has your IP address. And the "informed" person is not one bit better off as a result.