[PATCH] conf/nginx.conf: add example "privacy" log_format

Hans-Christoph Steiner hans at guardianproject.info
Wed Jan 13 11:50:31 UTC 2021

Anton Luka Šijanec:
> Hans-Christoph Steiner <hans at guardianproject.info> @ Wed, 13 Jan 2021 10:27:42 +0100:
>> The standard log_formats store detailed information which falls under
>> data regulations like the EU's GDPR and California's CCPA. This merge
>> request adds a suggested "privacy" log_format that generates logs that
>> cannot be used to identify users. This has been developed and used by
>> Tor Project, Guardian Project, and F-Droid.
> IANAL, so: Are there any exceptions in EU's GDPR that allow short-stored logs of user-identifiable information? That would seem useful, as *some* logging is useful when detecting and reporting fraudalent activities and for detecting spam. Logs are rotated and are sometimes useful when a data breach happens.
> I've also seen some examples of ISPs having to store info, that would be classified as user data, for 6 months for detecting illegal activities. See [1].
> Again, IANAL, but [0] describes some allowances regarding log data. I agree with adding the privacy option, but is that really a must when dealing with EU customers?

Both GDPR and CCPA allow log data to be gathered, stored, and used.  Those are 
regulated though, that means they must be considered when a user requests you 
give them their data, to delete all references to a user, etc.  You must also 
consider the legal definition of "for no longer than is necessary for the 
purposes for which the personal data are processed" in the context of your 
business activities and data you're gathering.  These are all non-trivial.

The goal of the "privacy" log mode is to guarantee that the log files do not 
fall under GPDR/CCPA regulation, but still provide useful information.  Then 
those log files can remain outside of GDPR/CCPA reviews.

IANAL, I am a researcher focused on privacy and metadata.  Those log files do 
not contain Personally Identifying Information (PII) and also do not contain 
enough info to identify someone.  They might contain enough data to identify 
someone in combination with other large data sets, like all of a user's browsing 


PGP fingerprint: EE66 20C7 136B 0D2C 456C  0A4D E9E2 8DEA 00AA 5556

More information about the nginx-devel mailing list