👉🏾 According to @RobertJBateman obtaining IP addresses & even usernames (via Federation‽) sans consent could violate #EuropeanUnion 🇪🇺 law 😱
👉🏾 A privacy policy may or may not be enough
👉🏾 If not compliant, I will migrate my #Mastodon, #Misskey & #Pixelfed instances out of #Europe.
@darnell @RobertJBateman Cool blog post, Darnell! WRT your question "Is keeping records of IP addresses (without consent) to thwart nefarious actors from taking down my sites (via DDoS) a violation of GDPR‽" I'm not an expert, but GDPR has a requirement for users to be notified in the event of a security breach, so collecting IP addresses for security monitoring must be allowed somehow.
@ejrowley @darnell @RobertJBateman You won’t use the IP to notify a user as such, but you are correct in that good logs can help investigate issues such as leaks or cases of mistaken authentication, so that you can inform affected users, and are therefore within the “legitimate interest” of a site to keep, at least for a reasonable time.
To simplify a bit: The key is to have an answer as to why a particular PII is kept. If you cannot even say why, then you shouldn’t keep the data.
@darnell @RobertJBateman All in all, most if not all of what GDPR requires are pretty reasonable things, that we should do with or without the legal requirement.
After all, we are not Meta, we are the good guys. Aren’t we?
@darnell @RobertJBateman Moving a server out of the EU isn’t really a good solution, unless you blatantly don’t give a shit about following the law. And maybe not even then. Countries with a framework agreement or an EU data protection equivalency decision have means for EU citizens to appeal mistreatment. Chances you would be a target are admittedly small, but for Mastodon as a whole it’s better if we are compliant.
@darnell @RobertJBateman As for IP addresses, yes, together with other data they can be considered PII, but only if you can connect them to a user record or session. And only if you keep them. Ask yourself, do I need to retain IP addresses? If not, just purge them after 24 hours, 30 days or something like that. Or make sure that the log cannot be tied to an individual user by masking parts of it.
Note that GDPR does not constitute a ban on PII, only that there is a reason and/or consent for it.
For an average internet service, "PII is needed to run the service" applies to the username and possibly e-mail (art. 6.1b). Legitimate interest (art. 6.1f) is generally accepted to process IPs and also covers e-mail for fraud/abuse prevention, generally being able to run a healthy service, etc.
This does not exempt you from further obligations. E.g.: informing your users what you store, why and for how long, what their rights are, etc - and allowing them to exercise those rights.
The first (informing) is covered with a privacy policy (the default Mastodon one does a good job) and the second part (allowing users to exercise those rights) is actually built into Mastodon. Makes sense, it's a European product after all.
I'm not familiar with the other two, so you'd have to take a look at that yourself - but I noticed Pixelfed had a privacy policy (though it's hard to click because new posts keep loading 😅) but couldn't find one on your Misskey instance.
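The post above suggests two concrete ways to keep access logs from being tied to an individual: purge them after a fixed retention window, or mask part of each address. The script below is an added example, not code from the thread or from Mastodon, showing both applied to constructed combined-format access-log lines: IPv4 addresses are truncated to a /24 and IPv6 addresses to a /48 (both prefix lengths are assumptions chosen for the example), and lines older than a retention window are dropped. The log layout, addresses and timestamps are all made up.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed sample access-log lines in a common combined-log layout.
# Addresses (documentation ranges), paths and dates are made up for this example.
SAMPLE_LOG = """\
203.0.113.57 - - [10/Jan/2023:08:15:02 +0000] "GET /api/v1/timelines/home HTTP/1.1" 200 5120
2001:db8:abcd:1234:5678:9abc:def0:1 - - [20/Jan/2023:09:02:11 +0000] "POST /inbox HTTP/1.1" 202 0
198.51.100.9 - - [05/Feb/2023:12:00:00 +0000] "GET /@darnell HTTP/1.1" 200 2048
"""

# Assumed prefix lengths: keep an IPv4 /24 and an IPv6 /48. That is still
# enough to recognise an abusive network for rate limiting or blocking,
# but no longer identifies a single host or subscriber.
IPV4_KEEP_BITS = 24
IPV6_KEEP_BITS = 48

TIMESTAMP_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")
TIMESTAMP_FMT = "%d/%b/%Y:%H:%M:%S %z"


def mask_ip(text: str) -> str:
    """Zero the host part of an IP address; return anything that is not an IP unchanged."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return text
    keep = IPV4_KEEP_BITS if addr.version == 4 else IPV6_KEEP_BITS
    # strict=False lets ip_network clear the host bits for us.
    net = ipaddress.ip_network(f"{addr}/{keep}", strict=False)
    return str(net.network_address)


def anonymize_line(line: str) -> str:
    """Mask the client address, which is the first whitespace-separated field."""
    parts = line.split(" ", 1)
    if len(parts) < 2:
        return line
    return f"{mask_ip(parts[0])} {parts[1]}"


def line_timestamp(line: str):
    """Parse the bracketed request time; None if the line carries no recognisable date."""
    match = TIMESTAMP_RE.search(line)
    if not match:
        return None
    return datetime.strptime(match.group(1), TIMESTAMP_FMT)


def process_log(text: str, now: datetime, retention_days: int) -> list:
    """Drop lines older than the retention window and mask addresses on the rest.

    Lines whose age cannot be determined are dropped too: if we cannot show
    they are within the window, we should not keep them.
    """
    cutoff = now - timedelta(days=retention_days)
    kept = []
    for line in text.splitlines():
        stamp = line_timestamp(line)
        if stamp is None or stamp < cutoff:
            continue
        kept.append(anonymize_line(line))
    return kept


if __name__ == "__main__":
    # Pretend the job runs on 10 Feb 2023 with a 30-day retention window.
    run_time = datetime(2023, 2, 10, tzinfo=timezone.utc)
    for out_line in process_log(SAMPLE_LOG, run_time, retention_days=30):
        print(out_line)
```

Run as a daily job over the rotated log, this keeps enough information to investigate abuse from a network while removing what would tie an entry to one person; the retention window and prefix lengths are the two knobs an operator should be able to justify in the privacy policy.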
@darnell Since you're running a solo instance, the only potential PII that you gather is usernames and/or what people put in their posts.
Both are published at the source by their owner (which can be considered consent, which is art. 6.1a) and can be removed through the source - and are therefore - in short: "not your problem".
I opted to use PII because it was shorter and assumed everyone who read along would understand that in GDPR-context it was to be interpreted as personal data (since the acronym basically literally also means something very similar to it).
I’m used to the Dutch version of the GDPR, so other terms might have also been loosely/incorrectly translated to English, as I’m unfamiliar with the English legal terms and definitions.
@darnell @RobertJBateman Good post, and a good discussion to have. Some legal advice on Mastodon level would be good, so as not to leave individual server operators alone.
Now, is GDPR intended to make it near impossible to run a site or service? Applying Occam’s razor to that question, the answer is clearly no. I know we need a little more than that, but it is good to keep in mind.