Anonymize the PIIs shown in Wordfence to be compliant with GDPR?

It is not necessary to anonymize IPs to be compliant with GDPR. Anonymizing IPs is one method companies use to remove IPs as PII and be compliant with GDPR. Wordfence is not able to anonymize IPs as it would break the security on the sites it protects such as brute force login protection no longer working. Privacy policies should indicate the data collected (per our data processing agreement) is collected for a legitimate interest (to provide security to the site). The attack data collected and sent to Wordfence is kept until it’s no longer useful. Generally that is 90 days but if the data is still malicious, it is kept active until it is no longer malicious.

And that is exactly the point: Defiant (or “processor” according DPA) is compliant with GDPR because collecting IPs is a “legimate interest” in this case. BUT: a company who uses the plugin Wordfence (“customer” according DPA) must also be compliant with GDPR. The only problem is, the customer can’t come here with the argument “legimate interest” when seeing all the IPs in the backend, because the customer himself doesn’t need to see all the IPs to provide security for his site with your plugin. This issue becomes even more critical if you consider that not only malicious data are to find in the backend but also normal website users’ PIIs! To be compliant with GDPR the customer should get these users’ consent first since – as mentioned – there is no “legimate interest” to see these PIIs at this stage.

Look, my webhoster collects also IPs and logfiles but he gives me an opportunity to deactivate this feature, so that even if he collects the data because of the “legimate interest” I can decide wether I want to have this data and statistics or not. So, to be on a save side in terms of GDPR I can use this opportunity. From my point of view, Wordfence should offer such a feature as well. Because the customer should not be liabe for Wordfence’s collection of the data.

Besides, under the point 6.1. of DPA is written “Processor will enable Customer and/or End Users to delete Customer Data during the Term…” So, what is the exact procedure? It isn’t explained in the DPA and the Defiant hasn’t answered this my question, yet. The point 9.1. hasn’t still been cleared either.

Hi,

“the customer himself doesn’t need to see all the IPs to provide security for his site with your plugin”

Actually you do. You need to be able to manage IPs you have blocked, be able to manually view attacks in live traffic, and so on. You as a site owner perform security functions using Wordfence and need to be able to see and manage IPs.

“To be compliant with GDPR the customer should get these users’ consent first”

This is incorrect. Providing a security function is a legitimate interest. Please see Recital 49 of the GDPR: https://www.privacy-regulation.eu/en/r49.htm

I would caution against looking at features that a vendor is providing, Google Analytics in this case, and using them to infer how the GDPR works. GA is a marketing tool and so falls into a very different category, compared to Wordfence which provides a security function.

If security companies could no longer store IPs in order to block attackers, they would not be able to protect you. That is why GDPR Recital 49 says that security “constitutes a legitimate interest of the data controller concerned”.

Mark.

Hi,

if the security plugin is very good, why should I block IPs manually? The plugin should know better than me about different digitals attacks. Or another way: If I should block and manage IPs manually, why do I need a security plugin? All the matters around a website could be solved without any plugins using php functions, java scripts and other tools..But plugins allow a quick (though not allways the best solution) without a lot of special IT-knowledge. This is the advantage of WordPress. So, I don’t understand why “the customer” should deal with all the IPs collected, it’s your job, when your plugin is used on a website. The customer receives an overview and interferes only if it comes to problems which have been indicated (again!) by wordfence.

On a few pages using wordfence in Germany I have already found the following passage about wordfence in the privacy policy: “We have disabled the live traffic view for data protection reasons”. Do you think the website owners are also bad informed about GDPR compliance? And if they need “manually view attacks in live traffic” as you say, so why have they disabled this feature then?

My statement “To be compliant with GDPR the customer should get these users’ consent first” comes from my assumption that the customer doesn’t have legimate interest in data collection, like the processor (Defiant) does (that is why I’ve signed the DPA in order YOU can process the data). And I’m pretty sure that that is the case. That is why you can’t claim it’s incorrect.

One more logical thing justifying my statement: If it’s known that all the IPs (humans, bots etc..) are to be found by worfence customer in the backend, how can the customer prove on request that he doesn’t abuse them for marketing purposes? It would be more cumbersome than having anonymized IPs from the beginning.

“If security companies could no longer store IPs in order to block attackers, they would not be able to protect you.” I have never said that YOU are not allowed to collect the IPs! Read again my postings, please.

I find it very sad that after several request, neither you nor your collegues can deliver me an answer on point 6.1. and 9.1. of you DPA. So, if I want to delete the IPs stored in the backend and you don’t react on my request, than you can’t maintain that you are GDPR compliant.

Per 6.1 and 9.1 of the Defiant DPA, your site customers normally contact you and then you contact us. You submit data requests to the same email address that you submit the dpa which is included within the dpa.