by Boulth 2963 days ago
I've read the new policy. Are they really disabling all server logs? Maybe that's just me but that seems a bit extreme.
3 comments

GDPR is a bit extreme. This isn't an observation on the goodness of it, simply that it requires extreme measures (relative to the status quo) for compliance.

If it's extreme it's because the status quo swung so far away from anything reasonable in terms of what people can expect.

What can be kept for legitimate business interests, security, etc. is quite extensive. Really the key is being transparent about it and making sure that people have the ability to know what is being kept and why.

that is not true being that extreme.

as per GDPR 6(1) grounds for processing can be (b) performance of contract, (c) compliance with legal obligations, (d) vital interests of data subject - which can all cover logging IP addresses and user agents for network security reasons (for a short amount of time) to protect the user, which log files are often used for. (IANAL)

yup. lots and LOTS of misunderstanding about GDPR out there. there are plenty of “escapes” for stuff like this. you just have to be mindful, and do things deliberately, which is a good thing. bigger companies will want formal review processes as CYA.

Hi Boulth,

We chose to disable all server logs because we feel that it's the right thing to do.

We felt that our website should reflect the same mantra that we carry along with our products: we don't want your data.

We do not wish to track you. We wholeheartedly believe that our users have a right to a strong degree of digital privacy.

GDPR increases that, but we wanted to go a step beyond for this digital security component of our site.

Yes, why not just disable IP logging?

Because a browser User-Agent string is almost unique.

Not just user-agents, but the browser 'fingerprint'... which includes how the thing is configured (along with user-agent).