GDPR for side-projects? Blocking all EU traffic with Nginx in 3 simple steps
medium.com
But for compliance many interpretations say it's EU /citizens/; I don't think there are 3 simple steps to block any EU citizen...
I'm sure many Governments would love to be able to so simply identify what their citizens do online though.
Those interpretations are wrong. But even so, blocking EU traffic by IP isn't sufficient.
> those interpretations are wrong.
Source?
Not a lawyer myself, but according to the regulation (https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...): "In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment"
So if the users are in the Union and you're not, you're still on the hook. If the users aren't in the Union, you're free and clear.
Also applies to EEA countries like Norway and Liechtenstein btw (source: am currently working on GDPR compliance in Norway).
Not from a regulator, but: https://www.linkedin.com/pulse/gdpr-does-apply-eu-citizens-g...
Unless your side project is a Bot-Net this article seems very FUDDY...
While this sounds like an overreaction, I question the breadth of this method (unrelated to the reliability of IP address origin).
> This tells nginx to assign the $allow_visit variable a 0 for any users the GeoIP database specifies as coming from the “EU” continent.
Europe is the continent. The EU does not encompass all European countries. Doesn't this needlessly block non-EU European countries?
Good point, it likely does. Alternatively, you could set up the rules using country and list out the 28 that make up the EU.
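An added example of the per-country approach suggested in the reply above; this is not code from the article or from any commenter. It assumes the legacy ngx_http_geoip_module with a country database at /usr/share/GeoIP/GeoIP.dat (the path is an assumption) and reuses the $allow_visit variable name the article is quoted as using. The list is the 28 EU member states as of 2018 (including GB) plus the three EEA/EFTA states (IS, LI, NO) that another comment points out are also covered. All of this goes in the http block.

```nginx
# Added example, not from the article. Assumes ngx_http_geoip_module
# (legacy GeoIP) and a country database at this path (path is an assumption).
geoip_country /usr/share/GeoIP/GeoIP.dat;

# Map ISO 3166-1 alpha-2 codes to $allow_visit. EU-28 as of 2018 (incl. GB)
# plus EEA/EFTA (IS, LI, NO). Anything else, including addresses the database
# cannot place (empty $geoip_country_code), falls through to "1" (allowed).
map $geoip_country_code $allow_visit {
    default 1;
    AT 0; BE 0; BG 0; HR 0; CY 0; CZ 0; DK 0; EE 0; FI 0; FR 0;
    DE 0; GR 0; HU 0; IE 0; IT 0; LV 0; LT 0; LU 0; MT 0; NL 0;
    PL 0; PT 0; RO 0; SK 0; SI 0; ES 0; SE 0; GB 0;
    IS 0; LI 0; NO 0;
}

server {
    listen 80;
    server_name example.com;   # assumption

    # Mapped countries get a bare 403 before any location is evaluated.
    if ($allow_visit = 0) {
        return 403;
    }

    # ... rest of the site configuration
}
```

Two caveats the rest of the thread raises still apply: this keys on where the database thinks the address is, not on who the visitor is, so VPN or proxy users and EU residents travelling abroad are not caught; and an address the database cannot place is allowed through, so decide whether that default is the one you want.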
Geo IP blocking will not block the EU citizens that are not physically in the EU at the time.
Just for fun, I would add
server {
    # snip....
    # Disable request logging: nothing about the visitor is recorded.
    access_log off;
    # Note: "error_log off;" does not disable the error log; nginx would
    # write to a file literally named "off". Send it to /dev/null instead.
    error_log /dev/null crit;
    # Temporary redirect that preserves the request method.
    return 307 https://www.google.com/search?q=gdpr;
}
That should block anyone that might be an EU citizen. /s
Nor ones who use VPNs located in other countries.
Along with the author, I am hesitant to needlessly follow regulations which only apply to a small portion of global population of which I am not a part. Especially since there are simple ways to sidestep the liability.
This, however, does give me an idea. Does anyone have an interest in a web framework which provides user/data management in a gdpr compliant way?
This seems to be flawed logic, many EU devices have IP addresses from non EU address blocks.
Assuming there is any significant adoption of your proposed solution to avoid GDPR rules, the likelihood is EU citizens will use VPN or proxy services to bypass the restrictions.
I don’t think the use of a VPN would remove the GDPR obligations on the data controller or data processor.
It pretty much does. Sites are not automatically subject to the GDPR, even if they happen to be accessible, there must be some evidence that they intend to be used by users in the EU. Blocking it seems pretty good evidence that they don't.
If you have a side project that siphons personal information from people for no reason, then maybe the gdpr isn’t the problem...
I don't have time to build user exporting, user deletion, user notifications, amongst other required features on top of the already big backlog of features to do.
I use third party tools to help with logging and error tracking.
It's just not worth my time to support GDPR on a website that makes no money.
“I don’t have time to label and expire all the food I prepare on top of serving meals to customers”
“I don’t have time to do all those structural calculations on top of all the properties I have to build”
“I don’t have time for all this silly human safety testing on top of all the drugs I have to develop”
Your statement is equivalent to the above. If you are unwilling to meet a relatively straightforward level of privacy and security for your users' data, then personally I'm really glad that you're going to prevent users from accessing it.
Nice ridiculous examples. Now for some ridiculous examples on the other end of the spectrum:
"If you refuse to document every ingredient and possible allergic reaction when inviting friends over for dinner, then I'm really glad if you don't have any friends."
"If you don't create structural and safety calculations for your kids' tree fort, then I'm really glad when your kids fall out."
The point is, people need to be able to start small and then scale up if/when that makes sense. If everything has to start "big" (relatively speaking), then we will simply have fewer things, to the detriment of all.
Why are those examples ridiculous? They are all, like the GDPR, examples of regulation that says “demonstrate a basic level of care and attention when performing activities which may cause damage to users or customers”.
GDPR provisions are not onerous, are easy to follow, and are what we should expect every company handling personal data to already be doing.
The original parent examples were side projects that make no money. So while it seems reasonable to expect this of companies, GDPR also applies to nonprofits, charities, things you create just for your friends, some random thing you put on the internet when you're 15 years old and have no clue about GDPR, etc.
If it makes no money why spend money on storage?
Storage is cheap. Time is not.
Clearly it isn’t anymore.
Also realistically storage has never been cheap - it’s just that historically the only people for whom it was expensive were the users.
Ludic drive?
Exactly how hard is it to do
select * from x where user = 'whoever';
Or whatever the syntax is.
Alternatively: why are your personal projects storing that data in the first place? If you’re unwilling/unable to put the time into something as trivial as making an archive I’m assuming you also aren’t putting the time into making your data storage secure. Arguably securely storing data is harder than producing an archive.
Or are you saying that gdpr sucks because it actually requires you to care about user data?
Seriously if you think gdpr is “too hard” just. Do. Not. Store. User. Data.
This is not hard. Arguably it is easier and cheaper than any option, including filtering users.
This is an extremely naive bunch of statements. For side projects where there is only a single developer, it's not a matter of "not caring" but literally not having the time to do these things. Putting an archive system into a service may not be as easy as a DB query. It could be pulling images out of a file storage system, generating thousands of PDF documents or a million other ways data is stored. I hope you can realize that oversimplifying every application to a DB query is just absurd. Add on top of that, now the developer needs to support an entire separate system for pulling data out in addition to whatever the project is meant for. What if this system breaks? Does the developer have to guarantee uptime for this system?
Also, I fail to see how not having time to build an archive system equates to the developer not storing their data securely? That's just an accusation you decided to make which is irrelevant and accusatory.
The point of this post was to show an easy way to ensure you're compliant in 15 lines of code. Building the archive system and associated subsystems will be more than that, without question. Just because you don't like this solution doesn't mean it isn't a solution.
ok, I am going to be nice here:
* how are you structuring data such that it is available to you and your site, without also being able to pull it all out into an archive?
* literally all of my experience has been that securing data is a much harder challenge than any other part of a web facing system.
Also, the thing that everyone seems hell-bent on ignoring: you do not need an archive mechanism if you do not store data.
And given we've known GDPR has been coming for at least a year - aside from companies that tried to bribe it away I guess - new projects should have their data set up so that archiving isn't a monumentally challenging task.
Not the parent poster but:
> how are you structuring data such that it is available to you and your site, without also being able to pull it all out into an archive?
I don't believe the point is that it cannot be pulled into an archive, but that collecting all the data that belongs in such an archive of a specific user (and that user alone) can easily be a very complex task for projects of a certain size:available manpower ratio, to the point that showing a query to a relational database with a well defined schema as an example strikes me either as ignorance of the state of real world software development or a gargantuan middle finger.
> literally all of my experience has been that securing data is a much harder challenge than any other part of a web facing system.
Depending on the project that can easily be the case. There's of course the fact that no one can really claim all their stored data is safe from malicious actors, just reasonably secure according to their knowledge and what they're aware their software does; so comparing its difficulty to other things seems overly simplistic.
And sure, there's a lot of things that will be harder than an archival feature regardless of the data storage mess a project may be in, but it does not diminish the work required to implement archival on many of those.
> Also, the thing that everyone seems hell-bent on ignoring: you do not need an archive mechanism if you do not store data
Congratulations if you happened to store absolutely no PII when building your product. You not only have the luxury of being able to provide any value at all without data, you happened to not store things that a lot of people often don't consider PII but that the GDPR does such as IP addresses.
> And given we've known GDPR has been coming for at least a year - aside from companies that tried to bribe it away I guess - new projects should have their data set up so that archiving isn't a monumentally challenging task.
Can we really pretend with a straight face that the overwhelmingly massive cost of changing legacy software can be handwaved away and that all new projects are developed by people that not only are aware of the GDPR (that's an absurdly minuscule amount of all software developers) but that they are competent enough to fully comply with everything in it? I've worked on HIPAA-compliant software, I've seen people that have been working for years in the industry (both health and software) screwing up and/or making extremely close calls. This is not "escape user input in SQL calls", this is a sizeable piece of regulation without a clear course of action for compliance that will fall on the laps of developers of all skills around the world.
Yes, but my understanding is that you don't need to automate these features, so you would just do it all manually until your scale starts to make building tools worth it.
Maybe they don't want to spend time doing it manually...?
This is why I like the GDPR.
If you can't be bothered to care about people's personal information, then maybe you don't need it in the first place.
Statistically, we're not talking about a lot of requests here and they're most likely to be deletions which should be trivial.
Don't worry, people will build those tools open-source the same way that they've built other tools for other purposes. I'm sure if a Django library for doing all those things doesn't already exist, it will very soon. It will become a popular project too, because at some point it will become the default.
I meant, respecting the law has been a thing for many years, you know? GDPR isn't really different.
My reading of the GDPR says that the MINIMUM fine is 20,000,000 Euros, which I think would be a pretty big problem for an individual working on a side project.
I also think the 403 error page explaining that the GDPR is the reason the visitor can't access the page is a nice touch.
> My reading of the GDPR says that the MINIMUM fine is 20,000,000 Euros.
€20M is the minimum value for the upper limit of an Article 83(5) or Article 83(6) administrative fine; it's not a minimum fine, and a lesser value (€10M) applies as the corresponding base upper limit for some other violations.
Your reading of the GDPR is wrong. There is no minimum fine. There is a maximum fine of €20m or 4% of global turnover, whichever is greater.
You're misreading: the fine is in the range 0..max(20 million, 0.04*revenue).
Basically if you're a small business your maximum fine is likely 20 million, if you're a large one it's 4% of your global revenue. The global revenue is needed because companies are perfectly happy moving their money around to minimize the amount of money they make in places that will fine and tax them. They're also super good at manufacturing reasons that profit does not actually get recorded as profit. Also it's generally accepted that fines and settlements are an expense, so you'd get a situation where one fine would effectively discount another.
It's only a problem if you are fined, and actually pay it. The odds of an individual, unknown, low traffic side project facing these problems are effectively zero. Go play the lottery.
https://gdpr-info.eu/art-83-gdpr/
The wording says fines "up to 20,000,000 Euros"
"up to" usually implies a minimum, not a maximum.
> "up to" usually implies a minimum, not a maximum.
“Up to” literally means a maximum.
Errr...I typoed my previous message and accidentally flipped them.
The previous commenter said the fine was a 20m "minimum" fine. The GDPR text says it's "up to" 20m. I meant to say that that means it's a maximum.
Maybe they work in advertising ;)
What would be a GDPR-compliant yet useful access_log setting?
You could just use a log format that excludes or obfuscates IP addresses, I believe.
Truncate the IP, that's it.
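An added example of the "truncate the IP" answer above, written for this thread rather than taken from the article or a commenter. It goes in the http block and assumes nothing beyond stock nginx (the map directive, PCRE regexes and log_format are all core); the $remote_addr_anon variable name and the log path are my own choices.

```nginx
# Added example, not from the thread. Place in the http block.
# Derive an anonymised copy of $remote_addr: IPv4 keeps the first three
# octets and zeroes the last; IPv6 keeps only the first two 16-bit groups.
# Anything matching neither pattern is logged as 0.0.0.0.
map $remote_addr $remote_addr_anon {
    ~(?P<ip>\d+\.\d+\.\d+)\.    $ip.0;
    ~(?P<ip>[^:]+:[^:]+):       $ip::;
    default                     0.0.0.0;
}

# Same fields as the built-in "combined" format, with the address swapped
# for the truncated one. Drop $http_user_agent and $http_referer too if
# you do not want them, since both can carry identifying data.
log_format anonymized '$remote_addr_anon - $remote_user [$time_local] '
                      '"$request" $status $body_bytes_sent '
                      '"$http_referer" "$http_user_agent"';

# Log path is an assumption.
access_log /var/log/nginx/access.log anonymized;
```

With this, a request from 203.0.113.42 is logged as 203.0.113.0 and one from 2001:db8:abcd:12::1 as 2001:db8::; the original address never reaches the log file, which is the property the question is after. The truncation happens at log time only, so $remote_addr is still intact for rate limiting, allow/deny rules and anything else in the request path.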
HN crowd loves GDPR, so get ready for this never making it to the front page.
The front page has had daily articles from mis-informed US tech startups collectively shitting themselves about GDPR for weeks.
How many former US startups such as Google or eBay do you use in the UK? And how many former UK startups does an average US user use? There's gotta be a reason for this disparity. And the reason is regulatory capture in the EU.
Man, I think that's the first time I've seen someone compare the EU to the US unfavorably on regulatory capture. They both have it, but the US has basically perfected it. Just look at the FCC and its current chair.
No it’s not. The reason is a much more friendly funding environment in the US.
Do they? It's kind of a mixed bag. I see about 60% say "well, if your side project doesn't respect your users privacy, maybe you shouldn't have a side project.", and the remaining 40% saying "I'm too scared of the consequences from doing illegal stuff"
Shutting down your side project in the fear that the EU will shutdown your side project seems like a premature reaction.