Hostname-Logging and GDPR
-
Hi,
I have read this thread.
Yet, when one switches on “GDPR Compliance”, under “Login Security”, while the IP address as such then is not shown, but replaced through the remark “GDPR Compliance On”, the hostname is shown. In one instance, when I used a VPN to see how the results would look, instead even an IP address was shown.
But is not the hostname just as easily usable to identify a certain computer or even person (if one has the access…) as the IP address, so should it not be treated in the same way as such, replacing also the hostname, together with the IP address in the logs in order to make it easier for users to comply with the GDPR? For should not the hostname be regarded as “personal data” under the GDPR as much as the IP address?
Furthermore, one question: Would it not be possible to auto-delete both the data shown under “Login Security” as well as the security log after e.g. 7 days, i.e. to enable that somewhere in the backend? They seem already to be deleted after they are e-mailed after a certain size is reached. Could they not, in the form of a selectable option, also be simply deleted after e.g. (that seems to be, for now, a safe number of days under the GDPR even by stricter standards) 7 days (or a selectable number of days)?
(I am using the free version and would, of course, wish for these options to be implemented in that… But thank you for providing your plugin in any case.)
Thank you in advance for any reply!
-
First you want to rule out that the Security Log entries are current and not old entries before you changed/set the GDPR option setting. Check the time/date stamp and see if that is what is going on. As far as a VPN goes that would not be the root problem. I would suspect some kind of Proxy/Reverse Proxy configuration issue/problem.
Your hostname is your actual host server, which is typically shared. ie Shared or VPN hosting. A hostname may include an IP address in the server name, which would be the IP address of the host server. In any case I have not come across any information that states that a hostname is out of GDPR compliance. Personally I don’t believe that an IP address should be considered as a GDPR compliance issue, but that is just my opinion. See this GDPR forum topic that I created > https://forum.ait-pro.com/forums/topic/bps-gdpr-compliance/ As you can tell I spent quite a lot of time researching the GDPR standards, rules, etc.
To be frankly honest with you since BPS/BPS Pro are in GDPR compliance then I don’t really want to do addtional unnecessary extra work for what I consider to be a non-issue as far as IP addresses go. ??
Also wanted to mention this since yeah the penalties for not being in GDPR compliance are very serious: The way BPS/BPS Pro are logging static text IP addresses and hostnames in a static text file, the data would not be usable if the worst case scenario happened, your website was hacked.
So if you are worried about BPS/BPS Pro being in GDPR compliance then you have nothing to worry about regarding the BPS/BPS Pro plugins. ??
Thank you for your response. I am not sure whether I perhaps have misunderstood something of what you wrote (or hostnames), but as for IP addresses it is simply a fact that those are viewed as data through which it is possible to identify a person and therefore to be treated at least like personal data (I am not so sure about the correct legal terminology in English, but in German they are considered to fall into the category of “personenbezogene Daten”). One might like it or not, but if one does not want to be in the danger to pay… Which leads me to: I have not found hostnames discussed either. However, if you look at my chain of arguments (i.e. they can serve to identify a single user as much as an IP address can, can they not? For you can even find the IP address from a hostname, right? ), I do not see how they could be treated differently. If there is a difference, I would be glad to learn about it.
This is not about the question whether BPS is in compliance with the GDPR (and I am not questioning it at all): The point is, that if IP addresses and (according to my line of argument) hostnames are not anonymised / if they are stored, then one has to take that into account when formulating one’s privacy declaration. I have set my webspace to deleting all server logs after 7 days, that should be safe, but if I cannot also do that with IP addresses and hostnames in security plugins, then… well…. I would need to think about what to do, and perhaps not find a legally satisfying solution. Therefore I prefer it if no personal data (or “personenbezogene Daten”) are stored at all, and if it is unavoidable, that at least there is a way to easily have them be deleted after 7 days.
https://forum.ait-pro.com/forums/topic/bps-gdpr-compliance/
The BPS and BPS Pro WordPress plugins have a feature called “Security Log”. The BPS Security Log logs these HTTP Status Code errors: 400, 403, 404, 405, 410 and 503 errors to a plain text file, which contain a website visitor’s IP address in the Security Log entry. BPS and BPS Pro do not save IP addresses in the WordPress Database. The GDPR considers IP addresses as Personal Data. The majority of Security Log entries are going to be logged for blocked hackers and spammers (99%), but a minority of Security Log entries could be logged for a normal website visitor if something legitimate is being blocked by BPS in another plugin or theme (1%) and an error log entry is written to the Security Log file. BPS does not log all visitors to a website and only logs errors (400, 403, 404, 405, 410 and 503 errors).
So yeah I am not negating the value or seriousness of capturing or collecting IP address data. What was most important to achieve was complete GDPR compliance in BPS and BPS Pro so that a website owner would not get in trouble or be at fault or get penalized.
Another solution that someone can choose is just turn off BPS Security Logging altogether. ??
So what does all of this GDPR stuff mean in relation to the BPS and BPS Pro plugins and what are your options?
Since the BPS and BPS Pro Security Log text files are used by the BPS and BPS Pro plugins to perform some internal automated plugin tasks and is also used by Users for troubleshooting and is not used for any other sort of nefarious or unscrupulous data processing then logically your legal responsibility would be to not use the Security Log personal data for any reason other than what it is intended for and probably do not distribute BPS Security Log text files to anyone else. If you are still worried that logging visitor’s IP address in the Security Log plain text file will get you in trouble then you can turn off/disable BPS and BPS Pro Security Logging…Yes, thank you. But when I switch off security logging, under “Login Security” the hostnames are still shown.
Therefore, according to the line of argument I brought above, and as, as mentioned, it can happen that the hostname may allow to make conclusions about the IP address, I do not really see how that would help webmasters to to run into a trap.
By enabling the setting “GDPR Compliance on” for IP addresses, but not for hostnames, the website owner does not get set free from having to mention that he is storing hostnames in my eyes. So if your aim is not to put the website owner into trouble, my suggestion would be to enable replacing the hostname, too. [I understand that other security plugins do not do this at all, but as you have taken the first step, I think it would be just logical – and helpful – to do the second.]
This would be only something to consider, though, if my argument about having to treat hostnames in the same way as IP addresses would be correct.
Well, to my knowledge, Art. 4 I defines the term, however, not in that form that it would name everything that is to be considered personal data by name… On the contrary, the term appears to be meant to be rather encompassing, cf. https://gdpr-info.eu/issues/personal-data/.
What you then need to do is to take the norm, have a look at all the factors used for interpreting legal norms (which may include, history, motives, of course the wording etc., just the standard tools you use) and then, thus, subsume.
My conclusion would be that I would not see a way around having to see hostnames as personal data, but I am not an expert in IT law, and I have not dived into motives, history of the norm etc. But in reading it, and having a look at the explanation in the link above, well… Of course, I would not be unhappy if my assumption would be proven invalid, one problem less to take care of…
In any case, thank you for all your replies. If you disagree, I can only recommend to have a look at whether this topic would be decided by court one day, or whether somewhen someone will write an article about it in a legal journal. – Thank you for your patience, and all the best.
Thanks! (If you some day you should feel you have waited long enough, let me know, and I can send you the data or give you access privately – of course, I still do hope to bring it all online again some day…). You would definitely find Eckhart Tolle there. I have watched so many of his videos over the years, and was also able to take part in some of his more recent online courses. As for NDEs, I have not read so much about that subject, probably rather books about the “life after death”, in any case a while back (which does not say much as such – I recently noticed with other books I had read quite a while back and revisited, that they were really, really good… there is so much one may have already read, if one would only have lived by it, if true… ). They can certainly pave the way for people to be more open minded about other levels of existence. I have also heard, if people have them themselves, that they can leave them feeling much more preaceful. Another one to look at might be Mario Mantese. Books very different from Eckhart, but impressive.
- The topic ‘Hostname-Logging and GDPR’ is closed to new replies.
