
Question New EU rule GDPR

First of all, it is not a criminal offense, but - if it comes to a court ruling - a civil rights case. Second, "who has suffered" means that only if storing log files causes damage to a person CAN a processor be held liable. It is not a pre-requisite, nor does it mean that hosting providers must discontinue storing log files.

I did not write that! Thank you for your own personal opinion! I only speak about the log files that the customer can access.

Regarding your second argument - "if they are required for security", and that is exactly the case. They are, because otherwise it becomes impossible to block brute force attacks. There is no section in GDPR stating that log files under /var/www/vhost/system are not permitted.

Exactly that is not your responsibility. You are the processor. The customer has to tell you exactly that.

Further, what an "adequate" storage period is, is not defined either. If it is necessary for other purposes such as tax laws, criminal prosecution, security and others, "adequate" can be longer than 14 days, for example 30 days or even longer if required. "Adequate" only means that the log files ought not be stored longer than adequate.

But you mix up a lot here. This is all about visitors. Not about customers in any way. The visitor has not yet signed a contract and may only be logged if it becomes necessary, and you cannot decide that, because they are not your visitors but the customer's. So he is responsible for what may be logged and what not.

You are welcome to share your opinion and live by your opinion.

If you can not talk constructively about this topic, please stay put.

However, most others won't, including the Big A data centers that are hosting millions of accounts, including all well-known brands across Europe. And for the part of log file deletion: Current log file rotation options enable you to delete log files as early as you like. You are also free not to store log files at all.

Look at 1and1. Here the log files of the customers are anonymized after 14 days. Based on the BDSG, not the GDPR. Have a nice day!
 
Sounds to me like a lot of German Angst and more rumors.

Once again: There is NO definition in GDPR or other laws of what an adequate storage period is. One of the major changes the GDPR brings about is that the hosting customer and the provider share a common responsibility for user data within the commissioned data processing of a web hosting contract. The parameters of such are defined by the commissioned data processing contract that is concluded between customer (responsible person) and hosting provider (processor). Within and by that contract the customer delegates data processing to the processor. From that point on a joint responsibility comes into effect. It is not the customer who decides when and for how long to store log files, but the hosting provider (processor). If a customer wanted to decide this by himself he does not need a processor (a shared web hosting provider) but his own dedicated server. If a customer does not trust the provider to handle log data correctly, he can choose another provider or lease his own dedicated server to host his data.

It is perfectly correct to continue to store log files, and it is perfectly correct to do it for more than 14 days, if required. An additional, explicit agreement between the customer and his website visitors is not required by law. It is sufficient to inform website visitors about the site's privacy policy on the first page that he accesses. And even a link to the privacy policy is sufficient.
 
I can only assure you that Plesk will be fully GDPR compliant. Details will follow a little later.
 
Sounds to me like a lot of German Angst and more rumors.

Once again: There is NO definition in GDPR or other laws of what an adequate storage period is. One of the major changes the GDPR brings about is that the hosting customer and the provider share a common responsibility for user data within the commissioned data processing of a web hosting contract. The parameters of such are defined by the commissioned data processing contract that is concluded between customer (responsible person) and hosting provider (processor). Within and by that contract the customer delegates data processing to the processor. From that point on a joint responsibility comes into effect. It is not the customer who decides when and for how long to store log files, but the hosting provider (processor). If a customer wanted to decide this by himself he does not need a processor (a shared web hosting provider) but his own dedicated server. If a customer does not trust the provider to handle log data correctly, he can choose another provider or lease his own dedicated server to host his data.

It is perfectly correct to continue to store log files, and it is perfectly correct to do it for more than 14 days, if required. An additional, explicit agreement between the customer and his website visitors is not required by law. It is sufficient to inform website visitors about the site's privacy policy on the first page that he accesses. And even a link to the privacy policy is sufficient.

I strongly disagree. GDPR is pretty clear about one thing: It is forbidden to claim any personal data (an IP address is one of them) from users in the EU unless it is absolutely necessary (which I doubt for log files, because there are strict rules too) or prescribed by law.
 
I would like to participate in this thread, because I'm currently trying to make all my websites GDPR compliant and my server uses Plesk 17.5.

When you read the blogs of German lawyers or the information in privacy policy generators, there is always a maximum recommended storage time for logfiles of 7 days or 14 days maximum. If I see correctly, Plesk does not allow a value under 1 month. I guess it's the second option on the "Server settings" page (although it only speaks of web and traffic statistics). I'm convinced that most website owners within the EU need the possibility to auto-delete logfiles after a specified number of days. So if this will not be implemented, usage of Plesk within the EU is not possible anymore. The same applies to IP anonymization (at least we need an option).

I would like to let the server delete the logs after 7 days, but keep statistics for a year or more, but without IPs! Will this dream ever be fulfilled? ;)

EDIT: Oh, I just saw that I'm already able to set the maximum number of log files... Sorry, my fault. But we still need IP anonymization.
 
I agree that it would be nice to have a feature where log storage could be limited to a certain number of days instead of months.

The 7 to 14 days period however is nothing but an invention that someone came up with and others started to copy. There is no such definition in the law, neither have court rulings defined a period. Instead GDPR explicitly states an "adequate" storage period. What can an adequate period be? Adequate can be much longer than 14 days.

For example, if you are a one man show business and go on vacation for three weeks, you will want to have the possibility to check your log files after you return. And it is not said that you will have the time to go through the logs immediately on the day of your return. So why not store the log files 30 days?

Another example can be legal conflicts over a webspace contract, for example who uploaded or downloaded what at a certain time. It cannot possibly be illegitimate to store log files for the purpose of proof - and GDPR explicitly allows storing them for example for security reasons.

GDPR is about finding the right balance, to prevent abuse of log data, but it does not completely prohibit log data, neither does it define specific periods when log data must be erased. But the more people unnecessarily start repeating that a period should be "7 days", the more likely courts will rule "7 days". When the masses think it should be "14 days", courts will start ruling "14 days". The problem with Germany is that the mostly left-wing influenced public opinion tends to see Orwell's 1984 behind each corner. The one and only high court ruling on log file storage, and that this is considered "personal data", was based on a single case where the government, which had the possibility to find out who the person behind an IP address really is, was sued. For the average Joe things are a lot different, because we can't find out the true person behind an IP address from the start, because we don't have the executive power that police or other agencies have. That makes a big difference. IP addresses for average users are more or less just numbers that cannot be linked to individuals.
 
The 7 to 14 days period however is nothing but an invention that someone came up with and others started to copy.
The others are in this case the DPAs.

For example, if you are a one man show business and go on vacation for three weeks, you will want to have the possibility to check your log files after you return. And it is not said that you will have the time to go through the logs immediately on the day of your return. So why not store the log files 30 days?

Another example can be legal conflicts over a webspace contract, for example who uploaded or downloaded what at a certain time. It cannot possibly be illegitimate to store log files for the purpose of proof - and GDPR explicitly allows storing them for example for security reasons.
The GDPR forbids any processing of personal data, unless ... If you have no really good reason to store the IP addresses longer than absolutely necessary, then the period should be as short as possible. Otherwise you have to explain it with good reasons and maybe a lawyer, so I would prefer not to let it happen.

The problem with Germany is, that the mostly left-wing influenced public opinion tends to see Orwell's 1984 behind each corner.
Well... that was proven more than one time.

For the average Joe things are a lot different, because we can't find out the true person behind an IP address from the start, because we don't have the executive power that police or other agencies have. That makes a big difference. IP addresses for average users are more or less just numbers that cannot be linked to individuals.
Here is another problem: you can identify an individual with an IP address. Maybe not on your website, but when you have multiple sites and one of them is maybe a forum, it would be easy. But that is not important, it is only important that the GDPR (well, it was way before) declared the IP address personal data.

So please, do not tell others that they can store IP addresses as long as they want or for a much longer time. If you do not have a really good reason, you will get in trouble. And if you are a businessman who can only look at the logs once a month, please anonymize them or you will get in trouble if you do not have a really good reason.
 
and GDPR explicitely allows storing them for example for security reasons
Where is this written? I highly doubt that this is allowed as a reason. Because then everybody could store IPs forever. It's easy to say that it's for security purposes. I would like to store IPs and I did before, but now there is the fear of lawsuits. I don't have a really good reason to store IPs (more than a couple of days).
 
Let me share some more thoughts, and @IgorG please feel free to remove this post, if you believe it is inappropriate at this place.

When I read discussions like this, I feel that most of us are not aware that the real danger of an Orwell scenario is not at all coming from the billions of websites and thousands of web hosting providers. It is coming from the data protection agencies, because now they have gained an instrument of strict control over Internet businesses and publication platforms, like the firemen of Fahrenheit 451 who set fires instead of fighting them. My opinion is that we should not so easily accept overly strict new rules on data handling.

DPAs have gained an instrument to prosecute any business and any individual at their own discretion, posing threats and eventually exerting an enormous pressure on individual behavior that did not exist before. It is already working to perfection. The threat alone that one could be involved in a legal dispute has led to the deactivation of websites in anticipatory obedience, in non-EU businesses locking EU users out, in many U.S. newspapers, including major news sources, now blocking free access to formerly free information … What a fantastic new instrument for dictators to control their people. Simply make a law that makes it illegal to store this or that data and you can ruin people’s lives whenever you like. Al Capone was not prosecuted for murder, but for tax evasion. I see a similar future for John and Jane Doe in a world where data protection rules. We have seen cases here where people start asking others in a phone call whether they are allowed to take notes of what is being discussed. How stupid is this? Privacy regulations start to regulate what we as humans are allowed to think, to speak and most important to remember. This is wrong to do.

The previous poster has doubts that storing personal information for security reasons is allowed? What are the consequences if it was not? It only means that honest people will be subject to repeated fraud attempts, because they are no longer allowed to store the data of others who previously committed a crime against them. Because that would infringe the personal rights for data privacy of the culprits. It is unthinkable that this is what the EU intends by GDPR. It must and it will be possible to store data much longer than a few days, and luckily it is covered in Art. 6 GDPR with a lot of room for interpretation.

Nothing will change to the benefit of website users by anonymizing log files, but a lot will change for all of us as we have lost the freedom to invent and to link data that can be so valuable to discover new fields of business, new applications, new opportunities. And while in the rest of the world businesses continue to prosper and enjoy freedom of information, EU businesses spend billions on GDPR implementation, create tons of paperwork for one single outcome: Being controlled by their governments more intensively than ever before. Individuals are no longer free to store on their servers what they want to store, no longer free to store it for as long as they want to store it.

Many attempts have been made to gain control over the Internet, and finally, EU has found the perfect instrument: data “protection”. The Internet variant of “protective custody”.

I believe it is ridiculous that billions are sharing personal information on Facebook and personal homepages, not because they must, but because they want to, and at the same time their governments tell them they will not be allowed to do this as they used to, e.g. not allowed to share photos publicly on which others could possibly be identified (something that is now prohibited by GDPR regulations). At the same time we are here to discuss whether it is necessary to anonymize IP addresses in log files that none of us can link to individuals anyway, because we are all missing the executive power that a state agency has. However, the government keeps exactly this permission to store and access such data – the one institution where it could really get risky for individuals. What a twisted regulation!

Fine, now we are anonymizing log file data. Just wait on it, wait on it that logging will be prohibited in general and the right to forget supersedes the right to remember.

I can only say that all the exaggerated warnings and fear that the majority is spreading are nothing good for a free society, but will lead to more control, less freedom and specifically a state-controlled Internet as other countries already have it. As free users we should not want that, but rather stay free.

Like it or not, sure we all comply with the new rules, but it makes me sad how uncritically people are building their own jails by trying to interpret GDPR in a way that is much more strict than it needs to be.
 
Peter, I totally agree with you. But as an owner of only personal (i.e. not commercial) websites (although there is no "personal" website, according to the law, if it's public) I don't want to risk anything at all. Even if there is only a 100 EUR penalty for a wrong sentence in my privacy policy, this would hit me hard. That's why I'm doing what so many other owners of such websites do: store almost no personal data anymore, remove a lot of external services (image and video embedding, captchas, maps and so on), ...

I know, the Internet like we still know it destroys itself. But I do not make the laws.
 
Further discussing "what would happen if" does not get us anywhere here. In the end, I only wished that there was a possibility to implement one's own legal position, for whatever reason. So thanks to the Plesk team for the good work! Before the GDPR there was already a strong data protection law in Germany, of which, before the GDPR, very few had heard, and which has not produced a single warning letter to this day. I doubt this will change. But I stand by it! The less data the better.
 
Can anyone tell me whether the IP anonymization affects the statistics (for example AWstats)? It does not affect the function of fail2ban, which is good, but the statistics should not contain IPs. I want to store the statistics for much longer than 7 or 14 days (at least a year), so they have to be IP free. Would be nice to have the possibility to anonymize only statistics.

And another question: I set the log rotation to daily and number of log files to 7. But there are 12 logfiles stored at this moment. The date of the oldest file is May 5th. Before last Thursday rotation was set to "Size" and the size was 8 MB, I think (can't remember exactly). By the way: I have set the rotation to daily and I think 30 days after installing Plesk a year ago and it seems like some update did a reset to the default value.

And I have set the statistics storage time to 12 months, but there are 13 months stored (my server was installed 13 months ago).
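The wish expressed above (and earlier in this thread: logs that still feed fail2ban, but statistics without IPs) comes down to producing an anonymized copy of the access log for the statistics tool while the short-lived full log stays available for brute-force blocking. The following Python is an added example written for this thread, not Plesk's own anonymization code; the log lines are constructed, and the truncation widths (/24 for IPv4, /48 for IPv6) are assumptions, not values Plesk documents.

```python
import ipaddress
import re

# Leading client address of an Apache/nginx combined-format line
# (the address is the first whitespace-delimited token).
_CLIENT_RE = re.compile(r"^(\S+)(?=\s)")


def anonymize_ip(text: str) -> str:
    """Truncate an address so it no longer points at a single host.

    IPv4: zero the last octet, keeping a /24 (203.0.113.42 -> 203.0.113.0).
    IPv6: keep the first 48 bits, usually one customer prefix.
    Anything that is not an IP address (e.g. '-') is returned unchanged.
    The widths are assumptions for this example, not a legal standard.
    """
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return text
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def anonymize_line(line: str) -> str:
    """Replace only the client address; the rest of the line stays intact."""
    m = _CLIENT_RE.match(line)
    if not m:
        return line
    return anonymize_ip(m.group(1)) + line[m.end():]


def anonymize_lines(lines):
    """Anonymize a sequence of log lines (blank lines pass through untouched)."""
    return [anonymize_line(ln) for ln in lines]


def write_anonymized_copy(src_path: str, dst_path: str) -> int:
    """Write an anonymized copy of src_path (for AWStats & co) and return the line count.

    The original file is never modified, so a tool such as fail2ban that needs
    full addresses for its short blocking window keeps working on it.
    """
    count = 0
    with open(src_path, encoding="utf-8", errors="replace") as src, \
            open(dst_path, "w", encoding="utf-8") as dst:
        for ln in src:
            dst.write(anonymize_line(ln))
            count += 1
    return count


# Constructed sample lines; addresses are from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.42 - - [10/May/2018:06:12:01 +0200] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '2001:db8:abcd:1234::1 - - [10/May/2018:06:12:05 +0200] "GET /login HTTP/1.1" 401 312 "-" "curl/7.58.0"',
    '- - - [10/May/2018:06:12:09 +0200] "GET /robots.txt HTTP/1.1" 404 209 "-" "bot"',
    "",
]

if __name__ == "__main__":
    for out in anonymize_lines(SAMPLE_LOG):
        print(out)
```

A truncated address is still a small group of hosts, not nothing: a /24 narrows a visitor to at most 256 addresses, which is why the statistics copy should be the one retained for a year and the full log should stay on the short rotation discussed in this thread.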
 
But now you are able to do this in Plesk (after the latest update)! Log rotation ("daily", "number of logfiles=x" => delete after x days) can be set under each domain (I think it's called subscription) and the anonymization can be set under the server settings. And I guess erasing is done by setting the number of logfiles to zero, but I didn't test it.

But there is a bug, as I mentioned in post #38: If there were more logfiles once than the current number, the files which are over this new amount are not deleted.
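The leftover-files problem described in the last two posts (12 files present although the count was lowered to 7, and files above a newly reduced count never being removed) is what an age-based pruner avoids: it judges each rotated file by its modification time rather than by how many files exist. The Python below is an added example for this thread, not Plesk's own rotation code; the rotated-file naming pattern and the demo directory it builds are assumptions, and the per-domain log location follows the path mentioned earlier in this thread.

```python
import os
import tempfile
import time
from pathlib import Path

# Plesk keeps per-domain web logs under /var/www/vhosts/<domain>/logs (path from
# the thread). The rotated-file naming below is an assumption for this example:
# the live file is "access_log" / "error_log"; rotated copies carry a suffix
# such as "access_log.1" or "error_log.2.gz", so only names with a dot after
# "_log" are ever candidates for deletion.
ROTATED_GLOB = "*_log.*"
SECONDS_PER_DAY = 86400


def prune_rotated_logs(log_dir, keep_days, now=None, dry_run=False):
    """Delete rotated log files last modified more than keep_days ago.

    Returns the full paths that were removed (or would be, with dry_run=True).
    The live, un-rotated file never matches ROTATED_GLOB and is left alone.
    """
    now = time.time() if now is None else now
    cutoff = now - keep_days * SECONDS_PER_DAY
    removed = []
    for path in sorted(Path(log_dir).glob(ROTATED_GLOB)):
        if not path.is_file():
            continue
        if path.stat().st_mtime < cutoff:
            removed.append(str(path))
            if not dry_run:
                path.unlink()
    return removed


def remaining_files(log_dir):
    """Sorted file names still present in log_dir (for checking the result)."""
    return sorted(p.name for p in Path(log_dir).iterdir() if p.is_file())


def build_demo_dir():
    """Create a constructed log directory with files of known ages.

    Returns (directory, reference_time). Ages are set with os.utime so the
    outcome does not depend on when the example is run.
    """
    now = 1_525_910_400  # constructed reference time (epoch seconds)
    ages = {              # file name -> age in days
        "access_log": 30,        # live file, old mtime, must survive
        "access_log.1": 3,
        "access_log.2.gz": 10,
        "error_log.1": 20,
        "notes.txt": 40,         # unrelated file, must survive
    }
    log_dir = tempfile.mkdtemp(prefix="plesk-logs-demo-")
    for name, days in ages.items():
        path = os.path.join(log_dir, name)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        stamp = now - days * SECONDS_PER_DAY
        os.utime(path, (stamp, stamp))
    return log_dir, now


if __name__ == "__main__":
    d, ref = build_demo_dir()
    print("would remove:", prune_rotated_logs(d, keep_days=7, now=ref, dry_run=True))
    print("removed:", prune_rotated_logs(d, keep_days=7, now=ref))
    print("left:", remaining_files(d))
```

Run it first with dry_run=True against a real directory to see what would go; an age-based rule complements the count-based setting rather than replacing it, and the keep_days value is the retention decision the thread argues about, not something the script can choose for you.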
 