22 May 2018, 07:35

Within a few days, the General Data Protection Regulation (GDPR) will take effect. Hiawatha collects and stores the visitor's IP addresses. Since an IP address is personal data, it's possible that you must comply to the GDPR for that. One of the first things you must to is to determine the lawfulness of the processing. Recital 49 of the GDPR states that ensuring network and information security constitutes a legitimate interest, as defined in article 6 (1) lit f.

So, in normal English, you are allowed to store the IP address of a visitor for the purpose of securing your webserver. However, you still have to comply with the rest of the GDPR. That means that you should not keep IP addresses for longer that necessary (use logfile rotation), secure the logfiles well, be clear to your visitors what information your collect, for what reason and how you keep that information (privacy policy on your website) and stick to that.

The visitor, or the data subject to speak in legal terms, has the right to see what information about him/her is being processed. Of course, that person has to prove that he/she is indeed the owner/user of that IP address and also for what period of time. Otherwise, you have a data breach. That it's very hard or even practically impossible to prove that, is not your problem.

It’s easy to make plausible that the information in the system, exploit and garbage logfile is necessary for information security. It might be a bit more tricky for the information in the access and error logfile. You can use Hiawatha’s AnonymizeIP option to deal with that. The manual contains an error. It says that it also anonymizes IP's sent to the Hiawatha Monitor, but the Monitor doesn't collect IP addresses. It used to do so in an earlier version, but I forgot to remove that remark from the manual.

After reading all this, you may ask yourself: do I really need to go through all this hustle for just a personal website? No, article 2 (2) lit c clearly states that the GDPR does not apply to the processing of personal information in the course of a purely personal activity.

22 May 2018, 10:57
Thank you Hugo.
This is very useful information. We have been really busy in terms of the web application that I didn't even realized that the web server is also involved in it
22 May 2018, 19:44
I would be careful with the last statement. What is a “purely personal activity” is a matter of interpretation, and the legal definition differs significantly from the one of common sense. In Germany, we had the same discussion with the infamous Impressum. Literally thousands of people received cease-and-desist letters from lawyers (and were liable to pay their “costs”) although they viewed their website as personal – but the lawyers thought differently.
Hugo Leisink
22 May 2018, 19:46
What lawyers think is not relevant. Only what judges think matters.
22 May 2018, 21:35
If the judges wouldn't have agreed with the lawyers, I wouldn't have mentioned this affair. But that's basically a purely German problem since we are the only country in the EU (to the best of my knowledge) that allows lawers to demand four digit figures for an impressum that requires two clicks to reach.
30 May 2018, 02:16
Hi Hugo, thanks so much for Hiawatha! I am trying to use the AnonymizeIP feature, but it does not seem to be working. Looking at anonymized_ip_to_str() in ip.c, it seems like it is truncating an ipv4 address at 24 bytes. But, ipv4 addresses are not usually longer than 15 characters, plus terminator, correct? And similarly for ipv6?
30 May 2018, 02:47
My mistake, that function seems to be working correctly and anonymization is now happening correctly. It was not, if I put the "AnonymizeIP = yes" line in a certain place in the configuration file, I was able to reproduce once, but not again. Still looking into it.
30 May 2018, 03:01
Oh, Hugo, you and your trusty software. I cannot reproduce the problem
Hugo Leisink
31 May 2018, 13:28
Well, what can I say? Good to hear it works.