by rrdharan 2975 days ago
Skimming through that discussion, it seems like the developer is also somewhat naively optimistic and possibly underinformed regarding how much of his own and his customers/users' effort will be required to comply with the GDPR while gathering this data.

Server-installation data is not data about a particular user. It’s information about a piece of running software.

GDPR does not regulate information you can store about software components. It merely ensures that companies can only store information about people which the person has given explicit and implicit consent for, and that they can account for this consent.

Log-data from a running service disconnected from any identifiable personal data is in no way covered by GDPR.

It sounds like it is collecting User Agent strings which depending on who you ask is personal data.
That identifies browser version and operating system combinations in a way which is aggregated and 100% decoupled in an irreversible way from the actual browsing session as conducted by the user(s), given by the browser, automatically, to everyone by default on every request.

You won’t find a single lawyer anywhere who considers this to be privacy sensitive and definitely not covered by the GDPR.

I'm not convinced.

https://www.iubenda.com/blog/device-fingerprinting-and-cooki...

My understanding is that anything that enables fingerprinting is potentially covered.

[EDIT] So, here's a better link that specifically discusses fingerprinting and user agents in a post-GDPR world:

https://www.connectedpath.com/all-posts/2018/3/3/gdpr-and-fi...

My assumption was that the GDPR was attempting to be sufficiently broad such as to cover these kinds of fingerprinting techniques but I guess not?

At least the second link makes it sound like at least some portion of people are likely to turn more towards device fingerprinting techniques specifically because they are GDPR-safe.

I think trying to frame something you give away to everyone, always, without anyone asking for it can legally be framed as privacy sensitive information. That would simply be absurd.

The GDPR regulations largely represent common sense and decency and this über-paranoid consideration about what “may” be covered or not is not really a productive use of time.

Example: if you explicitly email someone, according to the GDPR the recipient has been given an implicit right to store your email and email-address. Because there’s no way for them not to. Because that’s just how email and computers work.

I can’t imagine a fucking user-agent string shared by billions of other users enjoys higher protection.

The GDPR is not insane. Chill.

> I think trying to frame something you give away to everyone, always, without anyone asking for it can legally be framed as privacy sensitive information. That would simply be absurd…The GDPR is not insane. Chill.

Isn't it? Just one particularly absurd example: logging IP addresses in your httpd's access logs can be considered a violation of GDPR. [1][2][3]

[1]: https://www.whitecase.com/publications/alert/court-confirms-...

[2]: https://www.gdpr360.com/gdpr-ip-addresses-and-classification...

[3]: https://www.smashingmagazine.com/2018/02/gdpr-for-web-develo...

IANAL, but I could set my own completely custom user agent - I don't even need much technical expertise, a simple browser add-on would suffice - and by logging that string, I could be (depending on how unique I made my own user agent) uniquely identified.

Out of all the metrics Caddy plans to collect, it's the only one I think has some merit to its complainants. It might be simpler to only keep user agents that conform to common browser standards. But this has all been discussed in the Caddy forum thread itself, and we'd welcome your input there!

Which of "this data" do you see as relevant under GDPR?
Per the sibling thread - User Agent strings.
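
The idea raised in the thread of keeping only user agents that conform to common browser formats, sketched as an added example (it is not part of any comment and is not Caddy's code). The shape check, the family patterns, the `other` bucket and the `min_count` threshold are all assumptions, and the sample strings are constructed.

```python
import re
from collections import Counter

# Assumed allowlist, checked in order: Edge UAs also contain "Chrome",
# and Chrome UAs also contain "Safari".
_FAMILIES = [
    ("Edge", re.compile(r"\bEdge?/(\d+)\.")),
    ("Chrome", re.compile(r"\bChrome/(\d+)\.")),
    ("Firefox", re.compile(r"\bFirefox/(\d+)\.")),
    ("Safari", re.compile(r"\bVersion/(\d+)\.[\d.]* (?:Mobile/\w+ )?Safari/")),
]
# Conventional overall shape: "Mozilla/5.0 (platform) rest", printable ASCII, bounded length.
_SHAPE = re.compile(r"^Mozilla/5\.0 \([^()]{1,120}\) [\x20-\x7e]{1,200}$")


def coarsen(ua):
    """Reduce a raw User-Agent to 'Family major', or 'other'. The raw string is never kept."""
    if not _SHAPE.match(ua):
        return "other"
    for name, pattern in _FAMILIES:
        m = pattern.search(ua)
        if m:
            return f"{name} {m.group(1)}"
    return "other"


def aggregate(uas, min_count=2):
    """Count coarse labels; fold labels seen fewer than min_count times into 'other'."""
    counts = Counter(coarsen(u) for u in uas)
    folded = Counter()
    for label, n in counts.items():
        folded[label if n >= min_count else "other"] += n
    return dict(folded)


# Constructed sample input (not real traffic).
CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36")
FIREFOX = "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
SAFARI = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/605.1.15 "
          "(KHTML, like Gecko) Version/11.1 Safari/605.1.15")
TAGGED = FIREFOX + " alice-laptop-7f3a"      # conforming shape plus a unique token
CUSTOM = "my-very-own-agent/1.0 (alice)"     # fully custom string
SAMPLE = [CHROME, CHROME, FIREFOX, TAGGED, CUSTOM, SAFARI]

if __name__ == "__main__":
    print(aggregate(SAMPLE))
```

A string can match the conventional shape and still carry a unique token, so the sketch stores only the coarse label rather than any raw string that passes the filter.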