wiki:gdpr/logging_policy

Logging Policy

Background

Since I2P now is a legal entity in Norway in form of a ideologic non-profit organization much alike US's 501©, we'll have to follow the rules of European Union’s General Data Protection Regulation (GDPR). This document describes our policy which is expected to be implemented and followed by our service providers. This includes the main webpage, download mirrors, reseed servers and other servers (like this, trac) ran in the name of the organisation which are all expected to comply with the policy. Webserver logs contain information classified as personal data by default under the European Union’s General Data Protection Regulation (GDPR). The new privacy regulation comes in effect from May 2018. Just about everyone needs to take action now to become compliant.

Implementation

The default configuration of popular webservers including Apache Web Server and Nginx collect and store at least two of the following three types of logs:

  • Access logs
  • Error logs (including processing-language logs like PHP, Python, Ruby and such)
  • Security audit logs (e.g. ModSecurity?)

All of these logs contain personal information by default under the new regulation. IP addresses are specifically defined as personal data per Article 4, Point 1, and Recital 49. The logs can also contain usernames if your web service uses them as part of their URL structure, and even the referral information that’s logged by default can contain personal information (e.g. unintended collection of sensitive data; like being referred from a sensitive-subject website).

If you don’t have a legitimate need to store these logs you should disable logging in your webserver. You’re not even allowed to store this type of information without having obtained direct consent for the purposes you intend to store the information for from the persons you’re storing information about. The less end-user information you store the lower the risk to our organization. You can’t collect and store any personal data without having obtained, and being able to document that you obtained, consent from the persons you’re collecting data from. You can, however, still collect and store personal data in your server logs for the limited and legitimate purpose of detecting and preventing fraud and unauthorized system access, and ensuring the security of your systems.

Article 6, Paragraph 1, Point F

“The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, […] by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.”

TLDR, Summary

Logs can be kept for 1 day, 24hrs in the purpose of detecting crawlers, DOS attacks and such, beyond that it should be deleted as the service is ran in the name of the organization.

Misc

Disclaimer: I’m not a lawyer and I’m not providing you legal advice. Contact your legal counsel for help interpreting and implementing the GDPR.

Last modified 6 weeks ago Last modified on Oct 1, 2019 8:06:07 AM