by jimmaswell 2952 days ago
Exactly. The most basic/outrageous example: anyone in the EU who installs Apache and leaves it in its default configuration which logs all page visits indefinitely is now a criminal.

Spin up a DO/Linode/etc. instance and apt-get install apache2? You're now theoretically liable for a 20 million Euro fine.


Your point is that Apache's default config is horrendous regarding log keeping policy? I agree.
Nobody would have said this a year ago. How are people getting so swept up in this privacy zeitgeist that they think web admins keeping logs is horrendous?
At my company doing this would be in complete violation of our data retention policy (not GDPR related). Where are companies running production services without handling logging of sensitive information? Regulation or not, that kind of data is a huge liability for our legal department.
I know! Just imagine...your (likely dynamic) IP address exists in forgotten log files all over the web. The horror!

One of the most annoying things about the GDPR fandom is the black and white nature it seems to inevitably take. If your log files store IP addresses, you're clearly evil and shady and are violating human rights, just as bad as if you're recording people's conversations at home with the intent to deprive them of insurance or publish their sexual histories or whatever.

What possible "horrendous" harm is there from Apache's default config storing IP addresses? Can you give me an actual harm that has befallen someone as a result of this that isn't some freak one-in-a-billion example?

You can log IP addresses. Keeping them forever is bad.

It means that any future government, no matter how evil it is, could query your log and know precisely what I am doing on the internet right now. I might not want that.
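The two mitigations this sub-thread circles around (log the client address, but do not keep it in full and do not keep it forever) are easy to show in code. The script below is an added example, not code from any commenter in this thread or from the Apache project. It assumes the standard Apache "common"/"combined" access log layout (client address first, bracketed timestamp in the usual `%d/%b/%Y:%H:%M:%S %z` form), masks IPv4 addresses to /24 and IPv6 addresses to /48, and drops entries older than a retention window. The sample log lines, the 7-day window and the mask widths are constructed for illustration; a real deployment would pick the retention period from its own policy.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Leading client field and bracketed timestamp of Apache's common/combined
# formats; everything after the timestamp is kept verbatim.
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident_user>\S+ \S+) \[(?P<ts>[^\]]+)\] (?P<rest>.*)$'
)
# Fallback for lines that are not in that layout: mask any dotted-quad token.
IPV4_RE = re.compile(r'\b(\d{1,3}\.\d{1,3}\.\d{1,3})\.\d{1,3}\b')


def mask_ip(host: str) -> str:
    """Truncate IPv4 to /24 and IPv6 to /48 (assumed widths).

    Non-address values such as '-' or a hostname pass through unchanged.
    """
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def parse_timestamp(ts: str) -> datetime:
    """Parse the bracketed Apache timestamp, e.g. '10/Oct/2000:13:55:36 -0700'."""
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")


def anonymize_line(line: str) -> str:
    """Return the log line with the client address truncated."""
    m = LOG_RE.match(line)
    if m:
        return f"{mask_ip(m['host'])} {m['ident_user']} [{m['ts']}] {m['rest']}"
    # Unrecognised layout: still scrub anything that looks like an IPv4 address
    # rather than letting a full address through.
    return IPV4_RE.sub(r'\1.0', line)


def retain(lines, now: datetime, max_age_days: int):
    """Keep only entries no older than max_age_days; unparseable lines are dropped."""
    cutoff = now - timedelta(days=max_age_days)
    kept = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            ts = parse_timestamp(m['ts'])
        except ValueError:
            continue
        if ts >= cutoff:
            kept.append(line)
    return kept


def process(lines, now: datetime, max_age_days: int):
    """Retention filter first, then address masking on what survives."""
    return [anonymize_line(line) for line in retain(lines, now, max_age_days)]


# Constructed sample access log (documentation-range addresses, fictional dates).
SAMPLE_LOG = [
    '203.0.113.42 - - [01/May/2018:10:00:00 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.58.0"',
    '2001:db8:abcd:1234::1 - - [20/May/2018:12:30:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.7 - alice [25/May/2018:08:15:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
# Assumed "current time" for the retention check.
NOW = datetime(2018, 5, 26, tzinfo=timezone.utc)
RETENTION_DAYS = 7  # assumed policy window

if __name__ == "__main__":
    for out in process(SAMPLE_LOG, NOW, RETENTION_DAYS):
        print(out)
```

Run as a filter over an existing access log, the first entry (older than the window) disappears and the remaining two come out with their client addresses truncated to `2001:db8:abcd::` and `198.51.100.0`. Masking is applied after the retention filter so that a line never reaches the output unmasked, and the regex fallback exists so that a line in an unexpected layout is scrubbed rather than passed through with a full address.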

Oh, it's much worse than that :)

Do the same, but from any country in the world, and make sure your welcome page has multiple languages, including some EU ones. Now you're specifically targeting EU users and you're liable for up to $20 million euros.

The response from GDPR fans is that: a) regulators would never levy such a fine, or b) they can't enforce it, or even c) that of course you should be fined because you're a filthy scammer who is stealing people's data and violating their human rights!

But all that misses the point: in what universe is it reasonable to even make such a claim to begin with? And why should I have to trust that the regulators will be more reasonable than the law requires, or that they won't be able to enforce what they'd like to do? And why should I have to comply because you sent me your info voluntarily??

Is there something that makes the internet different here? If someone in the EU puts some personal info in an envelope and mails it to me and I never get around to opening it and it just sits on a stack with other junk mail, am I now violating their human rights by keeping the info they voluntarily sent to me?

> If someone in the EU puts some personal info in an envelope and mails it to me and I never get around to opening it and it just sits on a stack with other junk mail, am I now violating their human rights by keeping the info they voluntarily sent to me?

Everyone I've tried to make this point to has ultimately said something to the effect of "yes, you're violating their rights by not throwing out the letter." It's baffling.