Welcome! Log In Create A New Profile

Re: [PATCH] conf/nginx.conf: add example "privacy" log_format

Forum List Message List New Topic Print View

Hans-Christoph Steiner

January 13, 2021 06:52AM

Anton Luka Šijanec:
> Hans-Christoph Steiner <hans@guardianproject.info> @ Wed, 13 Jan 2021 10:27:42 +0100:
>> The standard log_formats store detailed information which falls under
>> data regulations like the EU's GDPR and California's CCPA. This merge
>> request adds a suggested "privacy" log_format that generates logs that
>> cannot be used to identify users. This has been developed and used by
>> Tor Project, Guardian Project, and F-Droid.
>
> IANAL, so: Are there any exceptions in EU's GDPR that allow short-stored logs of user-identifiable information? That would seem useful, as *some* logging is useful when detecting and reporting fraudalent activities and for detecting spam. Logs are rotated and are sometimes useful when a data breach happens.
>
> I've also seen some examples of ISPs having to store info, that would be classified as user data, for 6 months for detecting illegal activities. See [1].
>
> Again, IANAL, but [0] describes some allowances regarding log data. I agree with adding the privacy option, but is that really a must when dealing with EU customers?

Both GDPR and CCPA allow log data to be gathered, stored, and used. Those are
regulated though, that means they must be considered when a user requests you
give them their data, to delete all references to a user, etc. You must also
consider the legal definition of "for no longer than is necessary for the
purposes for which the personal data are processed" in the context of your
business activities and data you're gathering. These are all non-trivial.

The goal of the "privacy" log mode is to guarantee that the log files do not
fall under GPDR/CCPA regulation, but still provide useful information. Then
those log files can remain outside of GDPR/CCPA reviews.

IANAL, I am a researcher focused on privacy and metadata. Those log files do
not contain Personally Identifying Information (PII) and also do not contain
enough info to identify someone. They might contain enough data to identify
someone in combination with other large data sets, like all of a user's browsing
data.

.hc

--
PGP fingerprint: EE66 20C7 136B 0D2C 456C 0A4D E9E2 8DEA 00AA 5556
https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE9E28DEA00AA5556
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

Reply Quote

RSS

Subject	Author	Views	Posted
[PATCH] conf/nginx.conf: add example "privacy" log_format	Hans-Christoph Steiner	345	January 13, 2021 04:28AM
Re: [PATCH] conf/nginx.conf: add example "privacy" log_format	Hans-Christoph Steiner	136	January 13, 2021 06:08AM
Re: [PATCH] conf/nginx.conf: add example "privacy" log_format	sijanec	145	January 13, 2021 06:38AM
Re: [PATCH] conf/nginx.conf: add example "privacy" log_format	Hans-Christoph Steiner	119	January 13, 2021 06:52AM
Re: [PATCH] conf/nginx.conf: add example "privacy" log_format	Maxim Dounin	158	January 13, 2021 12:48PM

Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 309

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018