[GNC-dev] GDPR and terrorism

Geert Janssens geert.gnucash at kobaltwit.be
Wed May 23 04:54:46 EDT 2018


On Tuesday 22 May 2018 20:51:30 CEST, John Ralls wrote:
> > On May 22, 2018, at 11:42 AM, Frank H. Ellenberger
> > <frank.h.ellenberger at gmail.com> wrote:
> > 
> > On 22.05.2018 at 19:21, Geert Janssens wrote:
> >>> IRC includes IP addresses, which the GDPR explicitly mentions as
> >>> personal
> >>> information, in “joined” messages, and those get logged. ISTM those
> >>> messages aren’t important as they’re not part of the conversation and we
> >>> could easily stop logging them and delete them from the existing logs.
> >> 
> >> Yes, I think we should do that.
> > 
> > It depends: most privately used IPv4 are dynamic IPs - changing at least
> > daily. They are useless without the dial in protocol of the provider.
> > That is the reason, anti terror laws try to force them to store them.
> > Then again courts declare the anti terror law unconstitutional.
> > 
> > I don't know the current practice of providers with IPv6.
> > 
> > Question: How will you behave, if you see, last night XXX announced a
> > terror attack on our channel?
> 
> Even with dynamically-allocated IP addresses the ISP can identify which
> customer has an address - IPv4 and IPv6 - given the address and the timestamp.
> IP addresses are specifically mentioned in article 30.
> 
> I would notify local law enforcement who will pass it up the chain to the
> appropriate level. Article 19 excludes criminal activity from being
> protected under the GDPR.
> 
> Regards,
> John Ralls

And to make the link with whether or not we should keep the IP addresses in 
our logs for that reason, I don't think so.

We don't host the IRC service. It's hosted by universities coming together 
under the GIMPnet. In case of criminal activity I would expect law enforcement 
to request the logs directly from the owners of the servers running the 
service. If Derek were to host his own IRC server then yes he should probably 
keep IRC logs (offline) for the legally required time or at least the 
necessary metadata.

The IP data is not relevant for the gnucash project in any way so we should 
remove it. We're not making law enforcement more difficult by doing so but we 
would be in a better position with regard to the GDPR.

Geert
