- Issue created by @Anybody
- 🇩🇪 Germany Anybody Porta Westfalica
(What I wanted to say is: I hope I'm wrong and it's GDPR compatible even in free mode ;D)
- 🇩🇪 Germany jurgenhaas Gottmadingen
Well, I'm a strong advocate of the GDPR. I get upset if others do not respect my privacy, and often even hold them accountable. So, you don't need to defend why this might be an issue.
However, in this case, there are 2 reasons why I believe that this is GDPR compliant even in the free tier:
- All the processing happens locally, and only if an attacker is identified, will they be blocked and reported. As the victim of an attack, I should be allowed to report that as a matter of defence.
- This is happening only to protect the site, so it's under the clause of operationally necessary data processing. Even more so, this is not to track visitors, it's only to keep the site up and running.
I might be wrong, since I'm not a lawyer. But that's common sense. However, if you have arguments that prove this wrong, I'm happy to discuss this and do something about it.
- 🇩🇪 Germany pminf Nuremburg (Germany), formerly Dresden
This module integrates with the CrowdSec API using their PHP SDK to verify the IP address of each request getting to your Drupal site against their block list, and should an IP be listed for being banned, those requests will be rejected with a 403 HTTP response status code.
No worries, the block list is cached locally, and no performance implications are expected.
Do I understand correctly that the IP addresses of incoming requests are only checked against a local block list and are not transmitted to CrowdSec or other third parties? So the transmission to Crowdsec only takes place for suspected bad IPs in order to share them with the community?
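The request flow pminf quotes above, sketched as an added illustration that is neither the module's code nor the CrowdSec PHP SDK: the client IP is compared only against a block list already cached on the server, a miss returns 200 with nothing sent anywhere, and only a hit produces a 403 plus a local "decision" record that could later be shared. `LocalBlockList`, `handleRequest` and the TEST-NET addresses are constructed for this example; it assumes PHP 8 (for `str_contains`) on a 64-bit build and handles IPv4 entries only.

```php
<?php
// Added example (not the crowdsec module's or SDK's code): a request check that
// consults a locally cached block list, so ordinary visitor IPs are never
// transmitted. Only IPs that match the list become candidates for reporting.
declare(strict_types=1);

/** Local cache of banned IPs and IPv4 CIDR ranges, refreshed out-of-band. */
final class LocalBlockList
{
    /** @param string[] $entries plain IPs or "a.b.c.d/bits" ranges */
    public function __construct(private array $entries) {}

    public function contains(string $ip): bool
    {
        foreach ($this->entries as $entry) {
            if (str_contains($entry, '/')) {
                if (self::inCidr($ip, $entry)) {
                    return true;
                }
            } elseif ($entry === $ip) {
                return true;
            }
        }
        return false;
    }

    /** IPv4-only CIDR match; non-IPv4 input never matches (assumption). */
    private static function inCidr(string $ip, string $cidr): bool
    {
        [$subnet, $bits] = explode('/', $cidr, 2);
        $ipLong = ip2long($ip);
        $subnetLong = ip2long($subnet);
        if ($ipLong === false || $subnetLong === false) {
            return false;
        }
        $bits = (int) $bits;
        $mask = $bits === 0 ? 0 : (-1 << (32 - $bits)) & 0xFFFFFFFF;
        return ($ipLong & $mask) === ($subnetLong & $mask);
    }
}

/**
 * Returns [HTTP status, local decision record or null].
 * A null record means nothing about this visitor is stored or sent.
 */
function handleRequest(LocalBlockList $list, string $clientIp): array
{
    if ($list->contains($clientIp)) {
        // Only the blocked IP is recorded; this record is what a
        // community-sharing step would later read.
        return [403, ['ip' => $clientIp, 'action' => 'ban', 'source' => 'local-cache']];
    }
    return [200, null]; // cache miss: no lookup, no transmission
}

// Constructed sample list using RFC 5737 documentation ranges.
$list = new LocalBlockList(['203.0.113.0/24', '198.51.100.7']);

foreach (['203.0.113.9', '198.51.100.7', '192.0.2.1'] as $ip) {
    [$status, $decision] = handleRequest($list, $ip);
    printf("%-14s -> HTTP %d, recorded: %s\n", $ip, $status, $decision ? 'yes' : 'no');
}
```

The point the thread turns on is visible in `handleRequest`: the 200 path touches no network and keeps no record, so the only IPs that can ever leave the server are those already matching a ban, which is the "report as a matter of defence" case described in the comments.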
- 🇩🇪 Germany jurgenhaas Gottmadingen
Do I understand correctly that the IP addresses of incoming requests are only checked against a local block list and are not transmitted to CrowdSec or other third parties? So the transmission to Crowdsec only takes place for suspected bad IPs in order to share them with the community?
Yes, that's exactly right.
- 🇩🇪 Germany pminf Nuremburg (Germany), formerly Dresden
Here is a thread about this topic in CrowdSec's support forum: Is CrowdSec acting against european privacy regulations?. It supports Jürgen's argument in #2 that the IPs may be transmitted for security purposes (see also https://www.privacy-regulation.eu/en/recital-49-GDPR.htm). If in doubt, you can also deactivate the transmission (this may only be possible in the paid version).
- 🇩🇪 Germany Anybody Porta Westfalica
GREAT! Thank you both for the quick and comprehensive reply. Would it then perhaps make sense to put a heading "Privacy and compliance" on the project page, linking to this issue and the forum link?
- jurgenhaas committed 0c7cda13 on 1.1.x
git commit -m 'Issue #3471010 by anybody, jurgenhaas, pminf: GDPR...
- Status changed to Fixed
- 11:41am 18 September 2024, 🇩🇪 Germany jurgenhaas Gottmadingen
I have updated the project page and added a chapter about privacy and compliance.
The text comes from the README.md file in the repository. So, if there are any requests for changes or amendments, please open an MR with the proposed changes in that readme file.
- 🇩🇪 Germany Anybody Porta Westfalica
Thank you very very much for the clarifications @jurgenhaas!
Automatically closed - issue fixed for 2 weeks with no activity.