by josteink 2975 days ago
That identifies browser version and operating system combinations in a way which is aggregated and 100% decoupled in an irreversible way from the actual browsing session as conducted by the user(s), given by the browser, automatically, to everyone by default on every request.

You won’t find a single lawyer anywhere who considers this to be privacy sensitive and definitely not covered by the GDPR.

2 comments

I'm not convinced.

https://www.iubenda.com/blog/device-fingerprinting-and-cooki...

My understanding is that anything that enables fingerprinting is potentially covered.

[EDIT] So, here's a better link that specifically discusses fingerprinting and user agents in a post-GDPR world:

https://www.connectedpath.com/all-posts/2018/3/3/gdpr-and-fi...

My assumption was that the GDPR was attempting to be sufficiently broad such as to cover these kinds of fingerprinting techniques but I guess not?

At least the second link makes it sound like at least some portion of people are likely to turn more towards device fingerprinting techniques specifically because they are GDPR-safe.

I think trying to frame something you give away to everyone, always, without anyone asking for it can legally be framed as privacy sensitive information. That would simply be absurd.

The GDPR regulations largely represent common sense and decency and this über-paranoid consideration about what “may” be covered or not is not really a productive use of time.

Example: if you explicitly email someone, according to the GDPR the recipient has been given an implicit right to store your email and email-address. Because there’s no way for them not to. Because that’s just how email and computers work.

I can’t imagine a fucking user-agent string shared by billions of other users enjoys higher protection.

The GDPR is not insane. Chill.

> I think trying to frame something you give away to everyone, always, without anyone asking for it can legally be framed as privacy sensitive information. That would simply be absurd…The GDPR is not insane. Chill.

Isn't it? Just one particularly absurd example: logging IP addresses in your httpd's access logs can be considered a violation of GDPR. [1][2][3]

[1]: https://www.whitecase.com/publications/alert/court-confirms-...

[2]: https://www.gdpr360.com/gdpr-ip-addresses-and-classification...

[3]: https://www.smashingmagazine.com/2018/02/gdpr-for-web-develo...

IANAL, but I could set my own completely custom user agent - I don't even need much technical expertise, a simple browser add-on would suffice - and by logging that string, I could be (depending on how unique I made my own user agent) uniquely identified.

Out of all the metrics Caddy plans to collect, it's the only one I think has some merit to its complainants. It might be simpler to only keep user agents that conform to common browser standards. But this has all been discussed in the Caddy forum thread itself, and we'd welcome your input there!
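
Added example, not part of the thread and not Caddy's code: one way to act on the suggestion above of keeping only user agents that conform to common browser patterns, so that a hand-crafted string never reaches storage. The names `Bucket`, `browsers` and `platforms`, the allowlist patterns and the `"Family N / OS"` output format are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed allowlist. Each pattern captures only a major version. Order
// matters: Edge and Opera UAs also contain "Chrome/", Chrome contains "Safari/".
var browsers = []struct {
	family string
	re     *regexp.Regexp
}{
	{"Edge", regexp.MustCompile(`\bEdge?/(\d{1,3})\.`)},
	{"Opera", regexp.MustCompile(`\bOPR/(\d{1,3})\.`)},
	{"Firefox", regexp.MustCompile(`\bFirefox/(\d{1,3})\.`)},
	{"Chrome", regexp.MustCompile(`\bChrome/(\d{1,3})\.`)},
	{"Safari", regexp.MustCompile(`\bVersion/(\d{1,3})\..* Safari/`)},
}

// Android and iOS come first because their UAs also mention Linux / Mac OS X.
var platforms = []struct{ name, token string }{
	{"Android", "Android"}, {"iOS", "iPhone"}, {"iOS", "iPad"},
	{"Windows", "Windows NT"}, {"macOS", "Mac OS X"}, {"Linux", "Linux"},
}

// Bucket maps a raw User-Agent header to a value from a small closed set.
// The raw string is never returned, so extra tokens a user adds are dropped.
func Bucket(ua string) string {
	if len(ua) > 256 || !strings.HasPrefix(ua, "Mozilla/5.0 (") {
		return "other"
	}
	for _, p := range platforms {
		if !strings.Contains(ua, p.token) {
			continue
		}
		for _, b := range browsers {
			if m := b.re.FindStringSubmatch(ua); m != nil {
				return b.family + " " + m[1] + " / " + p.name
			}
		}
		return "other"
	}
	return "other"
}

func main() {
	// Constructed sample: a real-looking Firefox UA with a unique tag appended.
	fmt.Println(Bucket("Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 my-unique-tag"))
}
```

Because only the bucket is stored, a customised user agent either collapses into the same bucket as every other user of that browser or lands in `other`.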