Weblog

22 May 2018, 07:35

Within a few days, the General Data Protection Regulation (GDPR) will take effect. Hiawatha collects and stores the visitor's IP addresses. Since an IP address is personal data, it's possible that you must comply with the GDPR for that. One of the first things you must do is to determine the lawfulness of the processing. Recital 49 of the GDPR states that ensuring network and information security constitutes a legitimate interest, as defined in article 6 (1) lit f.

So, in normal English, you are allowed to store the IP address of a visitor for the purpose of securing your webserver. However, you still have to comply with the rest of the GDPR. That means that you should not keep IP addresses for longer than necessary (use logfile rotation), secure the logfiles well, be clear to your visitors what information you collect, for what reason and how you keep that information (privacy policy on your website) and stick to that.

The visitor, or the data subject to speak in legal terms, has the right to see what information about him/her is being processed. Of course, that person has to prove that he/she is indeed the owner/user of that IP address and also for what period of time. Otherwise, you have a data breach. That it's very hard or even practically impossible to prove that, is not your problem.

It's easy to argue that the information in the system, exploit and garbage logfiles is necessary for information security. It might be a bit more tricky for the information in the access and error logfiles. You can use Hiawatha's AnonymizeIP option to deal with that. The manual contains an error. It says that it also anonymizes IPs sent to the Hiawatha Monitor, but the Monitor doesn't collect IP addresses. It used to do so in an earlier version, but I forgot to remove that remark from the manual.

After reading all this, you may ask yourself: do I really need to go through all this hassle for just a personal website? No, article 2 (2) lit c clearly states that the GDPR does not apply to the processing of personal information in the course of a purely personal activity.
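To show what anonymizing a logged IP address amounts to in practice, here is an added example; it is not Hiawatha's own ip.c, and the function names and the prefix lengths kept (24 bits for IPv4, 48 bits for IPv6) are assumptions made for illustration, not Hiawatha's settings.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Hiawatha's code. Assumed prefix lengths to keep:
 * 24 bits of an IPv4 address, 48 bits of an IPv6 address. */
#define IPV4_KEEP_BITS 24
#define IPV6_KEEP_BITS 48

/* Zero every bit after keep_bits in a big-endian address of len bytes. */
static void mask_bits(unsigned char *addr, size_t len, unsigned keep_bits) {
    for (size_t i = 0; i < len; i++) {
        unsigned bit_pos = (unsigned)(i * 8);
        if (bit_pos >= keep_bits) {
            addr[i] = 0;
        } else if (bit_pos + 8 > keep_bits) {
            /* partial byte: keep only the high (keep_bits - bit_pos) bits */
            addr[i] &= (unsigned char)(0xFF << (8 - (keep_bits - bit_pos)));
        }
    }
}

/* Write the anonymized form of ip into out (at least INET6_ADDRSTRLEN
 * bytes, which covers the longest IPv6 text form plus terminator).
 * Returns 0 on success, -1 if ip is not a valid IPv4/IPv6 literal. */
int anonymize_ip(const char *ip, char *out, size_t out_len) {
    unsigned char buf[16];
    if (out_len < INET6_ADDRSTRLEN) return -1;
    if (inet_pton(AF_INET, ip, buf) == 1) {
        mask_bits(buf, 4, IPV4_KEEP_BITS);
        return inet_ntop(AF_INET, buf, out, (socklen_t)out_len) ? 0 : -1;
    }
    if (inet_pton(AF_INET6, ip, buf) == 1) {
        mask_bits(buf, 16, IPV6_KEEP_BITS);
        return inet_ntop(AF_INET6, buf, out, (socklen_t)out_len) ? 0 : -1;
    }
    return -1;
}

/* 1 if ip anonymizes to expected, 0 otherwise (invalid input included). */
int anonymizes_to(const char *ip, const char *expected) {
    char out[INET6_ADDRSTRLEN];
    return anonymize_ip(ip, out, sizeof(out)) == 0 && strcmp(out, expected) == 0;
}

int main(void) {
    char out[INET6_ADDRSTRLEN]; /* constructed sample address, not from a real log */
    if (anonymize_ip("203.0.113.77", out, sizeof(out)) == 0) printf("%s\n", out);
    return 0;
}
```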

Fred
22 May 2018, 10:57
Thank you Hugo.
This is very useful information. We have been really busy in terms of the web application that I didn't even realize that the web server is also involved in it.
Hannah
22 May 2018, 19:44
I would be careful with the last statement. What is a “purely personal activity” is a matter of interpretation, and the legal definition differs significantly from the one of common sense. In Germany, we had the same discussion with the infamous Impressum. Literally thousands of people received cease-and-desist letters from lawyers (and were liable to pay their “costs”) although they viewed their website as personal – but the lawyers thought differently.
Hugo Leisink
22 May 2018, 19:46
What lawyers think is not relevant. Only what judges think matters.
Hannah
22 May 2018, 21:35
If the judges wouldn't have agreed with the lawyers, I wouldn't have mentioned this affair. But that's basically a purely German problem since we are the only country in the EU (to the best of my knowledge) that allows lawyers to demand four digit figures for an impressum that requires two clicks to reach.
coder
30 May 2018, 02:16
Hi Hugo, thanks so much for Hiawatha! I am trying to use the AnonymizeIP feature, but it does not seem to be working. Looking at anonymized_ip_to_str() in ip.c, it seems like it is truncating an ipv4 address at 24 bytes. But, ipv4 addresses are not usually longer than 15 characters, plus terminator, correct? And similarly for ipv6?
coder
30 May 2018, 02:47
My mistake, that function seems to be working correctly and anonymization is now happening correctly. It was not, if I put the "AnonymizeIP = yes" line in a certain place in the configuration file, I was able to reproduce once, but not again. Still looking into it.
coder
30 May 2018, 03:01
Oh, Hugo, you and your trusty software. I cannot reproduce the problem
Hugo Leisink
31 May 2018, 13:28
Well, what can I say? Good to hear it works.
Kjartan
2 May 2019, 15:34
Dear Hugo,
Thank you so much for Hiawatha. I have used it for many years hosting domains/websites from various old computers at home. At first on Puppy Linux but lately on win10; regardless of OS it has always performed stably, fast and securely. (Reading logfiles is fun ;-) because the bots/hackers never get anywhere.) I have had a LOT of fun, and also learned a lot from hosting websites using Hiawatha, and am sorry to hear that you're putting it on the back-burner but also delighted that u WILL continue to tinker with it. (please do) I LOVE Hiawatha. AND YOU Hugo for creating it. Keep on rocking, you are truly a positive influence in the universe. (And if u ever find yourself in Valle / Setesdal valley in Norway, come by my farm and we'll have a jolly jam session with electric guitars)
https://youtu.be/RcdyGYWBz1o?t=209
Hugo Leisink
2 May 2019, 19:26
Hi Kjartan. Thanks for your feedback. I still use Hiawatha myself a lot, so it's not an abandoned project. And yes, I will keep on publishing the changes I make to Hiawatha. But releases will not be as frequent as they used to be. Also because I think Hiawatha is more or less 'done', mature enough. And if I visit Norway some day, I will try to remember your offer. Back to practicing the solo of Pink Floyd's 'Poles Apart'.
Kjartan
3 May 2019, 23:17
Do. :-) Happy practicing and keep on rockin in this free world of ours which you helped keep free. You, my friend, are awesome.