• Resolved karlemilnikka

    (@karlemilnikka)


    Thanks for adding the Audit log feature. Please consider letting us enable it without connecting our site to Wordfence Central. Since the data isn’t end-to-end encrypted and includes personal information, we (an EU based company) can currently not send it to your servers, at least not until Defiant has joined the EU-US Data Privacy Framework program.

    Support for custom syslog servers would of course be even better and even make Wordfence a competitor to custom activity log plugins.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Author Wordfence Security

    (@mmaunder)

    Hi Karl, (Edited for formatting)

    You posted on our blog and I replied there but I’ll share the reply here too for any others coming across this question.

    OK here’s the EU update. Yes you can use Wordfence Central and the Audit Log if you’re based in the EU. I’ve included a short summary of why and how this works, and a longer explanation below that for the legal nerds in the audience. So to fully answer your original post, with the Wordfence Audit log, the data is end-to-end encrypted, the data is encrypted at rest on our servers, and you are legally allowed to log data to our servers if you’re in the EU and the text below explains why.

    Here’s the short version:

    Chapter 5 of the General Data Protection Regulation (GDPR) provides multiple mechanisms for organizations to transfer personal data lawfully between the EU and US. Two of these mechanisms are the EU-US Data Privacy Framework (an adequacy decision under Article 45) and the EU Standard Contractual Clauses (an appropriate safeguard under Article 46). The validity of the Data Privacy Framework (DPF) is currently being challenged in the EU Court of Justice (the predecessor framework to the DPF, the Privacy Shield, was invalidated under a similar challenge). In the interest of maintaining a valid lawful method of transferring data from the EU to the US, Defiant has opted to use the EU Standard Contractual Clauses.

    Here’s the long version:

    Chapter 5 of the EU General Data Protection Regulation (GDPR) addresses the lawful transfer of personal data from the EU to other countries. Among the Articles that address lawful data transfer are: Article 45 (Transfers on the basis of an adequacy decision) and Article 46 (Transfers subject to appropriate safeguards). The EU-US Data Privacy Framework is authorized under Article 45, which states:

    “A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection.” (GDPR Ch. 5, Art. 45(1))

    Countries that have “an adequate level of protection” are known to have been issued an “adequacy decision” by the EU Commission. (A list of countries with adequacy decisions is available here: Adequacy decisions). The United States has received an adequacy decision, but only for “commercial organisations participating in the EU-US Data Privacy Framework.” The EU-U.S. Data Privacy Framework (DPF) is an agreement between the EU and US designed to facilitate the transfer of personal data while ensuring compliance with EU data protection standards. Companies participating in the DPF must adhere to a set of privacy standards administered by the US Department of Commerce (DoC), file an annual registration with the DoC, submit to arbitration regarding EU privacy complaints, among other requirements. The DPF replaces the previous Privacy Shield arrangement, which was invalidated by the European Court of Justice under a ruling commonly known as Schrems 2.

    Alternatively, companies that do not seek to comply with the DPF may rely on Article 46 for lawful transfers of personal data from the EU to the US. Article 46 allows for the lawful transfer of personal data where:

    “the controller or processor has provided appropriate safeguards” which “may be provided for, without requiring any specific authorisation from a supervisory authority, by … (c) standard data protection clauses adopted by the Commission.” (GDPR Ch. 5, Art. 46(1 – 2))

    These “standard data protection clauses” are commonly known as the “Standard Contractual Clauses” or “SCCs.” (The Standard Contractual Clauses are available here: Standard Contractual Clauses). Controllers and processors of EU personal data can comply with their legal obligations for lawful data transfer under Chapter 5 of the GDPR by entering into the Standard Contractual Clauses.

    While both the DPF and Standard Contractual Clauses are currently valid lawful data transfer mechanisms under EU law – Defiant has chosen to use the Standard Contractual Clauses under Article 46. Given that the predecessor of the DPF, the Privacy Shield, was invalidated in July of 2020 and the DPF is currently being contested on similar grounds to the Privacy Shield, Defiant has selected the Standard Contractual Clauses as a lawful method of data transfer more likely to remain valid in the future.

    Regards,

    Mark Maunder – Wordfence Chief Technology Officer

    Thread Starter karlemilnikka

    (@karlemilnikka)

    Thanks for sharing the reasoning behind your decisions. Can you please confirm that the data is actually end-to-end encrypted, not just encrypted in transit and at rest (i.e., Defiant don’t have access to the decryption keys and no technical access to logged data, e.g., logged IP addresses)?

    Thread Starter karlemilnikka

    (@karlemilnikka)

    The reason I’m asking for a confirmation is because that would make it a whole other situation than if the data is just TLS encrypted in transit and encrypted at rest. I would have no issue relying on the SCCs in that case. Otherwise, I have a hard time seeing us being able to rely on them, just going by what happened to the former SCCs when Privacy Shield was invalidated.

    For bypassing readers: please note that I’m not a lawyer. My questions are not legal advice. I’m just trying to find a way for us to use another great feature of this plugin without worrying about GDPR compliance issues.

    Plugin Author Wordfence Security

    (@mmaunder)

    What we do is end-to-end encryption and then encryption at rest, but we have the keys so that the data is, for example, indexable for performance reasons. This is standard in SaaS systems that comply with applicable EU and US privacy laws.

    If you’re interested in researching the feasibility of a system like you’re describing I’d suggest researching homomorphic encryption and the challenge of indexing and performing computation on encrypted data.

    Again there is no legal or privacy constraint preventing you from using Wordfence Central and the Audit Log from the EU, beyond your own preferences.

    Just a side note: it occurred to me that you may be looking at the recent press around Telegram. We’re not a messaging service and what we’re storing isn’t blobs of data. Instead it needs to be searchable and indexable. I’d also draw a distinction between what we’re doing and a backup service which can also have a single key holder and doesn’t need to be indexed beyond the metadata.

    As a simple practical example: The Wordfence Care and Response team would have no idea they need to respond to an incident on your site, or the ability to view forensic data, if you were the only key holder. Same with alerting you. How would we parse the data if we can’t see it?

    Hope that helps.

    Regards,

    Mark

    Thread Starter karlemilnikka

    (@karlemilnikka)

    Thanks for the reply. It was exactly with your Care and Response team in mind I drew the conclusion that the data couldn’t be end-to-end encrypted.

    The indexing and searchability could be solved the same way as with Proton Mail (local indexing built in the browser), but storing the data in the WordPress database and just passing end-to-end encrypted copies to your servers for backup purposes would make more sense. It wouldn’t give your Care and Response team access to the data, but that’s also exactly what I’m trying to avoid. I do however understand why you want your Care and Response team to have access since that benefits all your customers who aren’t affected by the implications of FISA 702 and EO 12333.

    Thanks for taking your time to reply, and I hope you consider adding support for storing the logs locally (only uploading end-to-end encrypted copies to your servers) in the future. That would make an already great plugin even better.

    Plugin Author Wordfence Security

    (@mmaunder)

    Thanks for your feedback.
