What am I doing here?
You wanted to know how the service we offer works with regard to personal data – and in particular IP addresses – that it centralizes and lists to enable you to ensure the security of the IS of CrowdSec members.
In accordance with applicable regulations (EU Regulation 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data – hereinafter, “GDPR”), it aims to explain to you for what purposes and under what conditions we (CrowdSec) collect and process IP addresses and related data for the implementation of our IP reputation service.
In particular, we have investigated how we can best protect your data, the so-called IP addresses, and to this end we have carried out a specific data protection impact assessment (PIA).
Is my IP address processed by CrowdSec solutions? Am I on the exclusion list?
The CrowdSec ecosystem identifies IP addresses involved in the occurrence of security incidents and keeps track of the context of this involvement. This information comes to it either directly from you (by connecting to its honeypots, etc.), from members of its ecosystem or from publicly available sources.
CrowdSec disseminates this information in order to enable the rest of the ecosystem to ensure its security more effectively.
This is indeed an exclusion list of “problematic” IP addresses. This list contains only the relevant data: you will never be added to the list without a proven security incident involving your IP address. In addition, this list of IP addresses is regularly updated by CrowdSec.
CrowdSec is aware that the reliability of an address can change over time. Do not hesitate to inform us if you feel that you have been included on this list by mistake or abusively. You can also ask us at any time to justify the reasons for your registration.
Who is responsible for putting IPs on the list?
The processing of your IP address is under the so-called “joint” responsibility of CrowdSec and the members of its ecosystem when it is integrated into our products and services. This means that we all determine – jointly – “why” and “how” the personal data that IP addresses are to be processed.
In contrast, it is the members of CrowdSec’s ecosystem and its customers who determine the consequences for the security of their information system of the use of IP addresses on our lists. They are therefore solely responsible for the choice of measures they implement thereafter, which may include:
- Pure and simple blocking of access to an information system;
- A limitation of rights or access speed;
- The presentation of a CAPTCHA; or
- The addition of dual authentication or multi-factor authentication.
Moreover, CrowdSec is solely responsible for the processing that enables its APIs, platforms, etc. to function properly.
The members of the CrowdSec ecosystem are responsible for the other processes that ensure their own security.
What kind of personal data does CrowdSec process?
The type personal data processed by CrowdSec and the members of its ecosystem within the framework of the service provided, are only contextualized IP addresses (date, time, and type of security incident involved). No data directly nominative or allowing the direct identification of an individual is processed on this occasion and is not included in these lists.
CrowdSec’s solution uses advanced computer techniques to profile IP addresses, determining their reliability, and thus automatically decide whether or not to include an IP address on its exclusion list. You may object to this use of profiling at any time.
If you exercise your rights, your contact data will be kept by us to respond to you and take into account your request, but this data will not be transmitted to our members and will not appear in the lists of contextualized IP addresses.
The application of any negative measures identified by members of the CrowdSec Ecosystem can also be qualified as automated decision making within the meaning of Article 22.1 of the GDPR if such measures will produce legal effects for the users of the IP addresses concerned or will affect them in a similarly significant way. As stated above (cf. supra, para. 1) it is CrowdSec’s clients who carry out these fully automated decisions and are therefore solely responsible for such processing.
Why are my personal data processed? On which legal basis?
Personal data is collected only for legitimate and relevant business purposes, and all reasonably necessary steps are taken to ensure that personal data processed by CrowdSec is protected, accurate and up-to-date. Your data will only be processed in order to ensure the security of the members of the CrowdSec ecosystem.
Ensuring the security of their information systems is in the so-called legitimate interest of these members, except in the case of certain clients and/or partners of CrowdSec, who carry out such processing in the context of the performance of a task in the public interest or for whom such processing falls within the exercise of the public authority vested in them.
To whom may my data be communicated?
The personal information that you may provide may be consulted by our company’s staff, the departments in charge of control (in particular the statutory auditors) and our subcontractors within the strict framework of the purposes that we have presented to you.
The contextualized IP addresses that we process may also be transmitted to our members and partners as part of our joint processing.
In this respect, we would like to point out that we have signed strict security clauses with our subcontractors, in compliance with Article 28 of the GDPR, specifying in particular the security objectives to be achieved.
We have rigorously selected our subcontractors according to the security of the hosting they provide (at the level of the strictest standards) and hardened both the infrastructures and the contracts concluded with them, taking into account the IP address processing service we operate.
Your data may be transmitted to the following recipients:
Do my data transit outside the European Union?
CrowdSec is committed to respecting the legal framework set out in the GDPR with regard to the transfer of data outside the European Union.
When the entity receiving a personal data flow is located outside the European Union, or in a country that does not have an adequate level of protection within the meaning of the Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data, such transfers of personal data are carried out on the basis of the standard contractual clauses of the European Commission.
How is my data secured?
Right from the conception of our services, we have taken to heart the security of the personal data that you will entrust to us.
We can therefore assure you that we have taken all appropriate organizational and technical measures, as well as all useful precautions to preserve the security of the information described above and, in particular, to prevent it from being distorted or damaged or from unauthorized third parties having access to it.
When setting up our services, the processes implemented have been studied in order to protect us against any breach of confidentiality of the data processed and to secure exchanges during data transmission by means of effective encryption solutions:
- All employee accesses to the various services require multi-factor authentication (whether for example for access to the source code versioning, or the various services hosted by AWS for data processing).
- The interfaces that we expose to our users, also favor multi-factor authentication when possible (for example the users’ back office).
- The signal processing mechanisms benefit from mechanisms to ensure that our data retention policies are correctly applied: old data are automatically archived to cold media (ie. glacier) which require a special procedure to extract the data (and a latency of several days).
- The mechanisms for signal processing and restitution of consensus decisions are based on best practices to ensure data integrity control.
- Where possible, automated data encryption is implemented.
However, we are not responsible for the security of the processing carried out by our members, their processing being carried out and secured under their own responsibility.
How long is my data kept?
Only IP addresses that have carried out an attack are kept for a maximum of 3 months as such.
After 3 months, we implement procedures in order to keep the maximum amount of information necessary related to the attack while degrading the personal character of the stored information. Thus, we apply a first double filter, reducing the accuracy of the IP address to a set of 16 possible IPs (for IP v 4, with a similar mechanism for IP v 6) while rounding the timestamp in a window of 6 hours.
After 6 months, we apply a second filter that further reduces the accuracy of the stored information: the IP address is amalgamated into a set of 256 possible IP addresses, reducing the accuracy of the IP address to a set of 16 possible IPs (for IP v 4, with a similar mechanism for IP v 6) while rounding the timestamp in a 24-hour window.
Ex: the address 126.96.36.199 was used to commit an intrusion on a system on December 3, 2020 at 14:55:12. After six months, the only information kept will be that an address between 188.8.131.52 and 184.108.40.206 was used to commit an intrusion on December 3, 2020.
After one year, a final treatment will be applied to avoid any risk of re-identification: the temporal degradation of the timestamp will be extended to one week.
In certain hypotheses of post mortem analysis of specific computer attacks or for training purposes, the retention period of certain IPs may, however, for these two purposes, reach one year before anonymization.
The reasons for this retention period are (non-exhaustive list):
- The distinction between a compromised machine and a machine whose owner is malicious. The dangerousness of an IP address is perishable information in the medium term: In many cases, a malicious IP address at a given time is in fact a machine that has been compromised and is used without the knowledge of its legitimate owner, until the latter is informed by a third party or becomes aware of the intrusion. Once the machine has been “cleaned up” the IP address will become harmless again. Data retention thus makes it possible to distinguish between a machine that has been compromised, a machine whose owner is malicious, and a machine whose owner does not take the necessary measures (leading for example to repeated compromises).
- Performing post-mortem analysis: The average time between the completion of a compromise, its identification and post-mortem analysis can be long (56% of successful attacks take months or more to be detected, with an average of 191 days), and the retention of the signal over a given period of time directly impacts our ability to perform post-mortem analysis. During a post-mortem analysis, being able to cross-reference event logs (i.e. server log files) with a history of attacks identified by source allows us to easily sort out false positives and false negatives.
- Training of learning engines: A number of technological devices implemented by the company aim in particular at performing predictive analysis: being able to identify, for example, a group of machines that – even if they do not seem to have anything in common – work together (e.g. magecart). In order to carry out algorithm training, or even to be able to identify major changes, a minimum retention time is necessary.
- Detecting trend changes: If the IT security landscape is changing, it is vital to detect significant trend changes. What types of attacks are popular at any given time? Which regions or Internet operators are the main sources? What type of machine is most often compromised?
What are my rights?
In accordance with article 13 and articles 15 to 22 of the GDPR, CrowdSec reminds you that:
You have the right to request access to your personal data as well as information on the purposes of the processing, the category of personal data processed, the persons or categories of persons to whom they have been or will be communicated (with indication of the possibility that these persons are in third countries or international organizations), to the extent possible, the duration of the retention of personal data or the criteria used to determine this duration, the existence of your rights to rectify and/or erase personal data, to limit and oppose processing, the origin of the data, its existence and the logic applied in the event of automated decision-making. If you exercise this right and unless you indicate otherwise, you will receive an electronic copy of your personal data being processed.
You have the right to obtain the rectification of your personal data if they are inaccurate or incomplete. We have set up a teleservice specifically dedicated to the exercise of this right, so that you can inform us that your IP address has been wrongly associated with a security incident. It is through this means that you can report to us if you feel that you have been registered on this list by mistake or abusively;
You have the right to obtain the deletion of your personal data, if one of the conditions of Article 17 of the GDPR is fulfilled (for example: if your personal data are no longer necessary for the purposes for which they were collected, if you object to the processing and no other legitimate interest of the controller prevails, if your personal data are processed unlawfully) ;
You have the right to obtain the limitation of the processing of your personal data 1) for the time necessary for CrowdSec to verify the accuracy of your personal data (if you have contested it), or 2) if the processing of personal data is unlawful and you request the limitation of the processing of your personal data instead of their deletion, or 3) when CrowdSec no longer needs your personal data, but they are necessary for you to verify, exercise or defend a legal claim, or 4) for the time necessary to assess whether the legitimate motives of the controller may prevail over yours, if you have objected to the processing of your personal data in accordance with point f) below ;
You also have the right to object to the processing of your personal data if it is carried out in accordance with article 6.1, e) (i.e. for the performance of a public task entrusted to the controller) or Article 6.1, f) (to defend a legitimate interest of the controller) of the GDPR, unless the controller has legitimate reasons for processing the data, in accordance with Article 21 of the GDPR;
You have the right to define general or specific guidelines for the storage, erasure and communication of your personal data after your death; these guidelines are general or specific
You can lodge a complaint with the Commission nationale de l’informatique et des libertés (CNIL) ;
Any rectification or deletion of your personal data or any limitation of the processing carried out at your request will be communicated by CrowdSec to each recipient to whom your personal data may have been transmitted in accordance with this information, unless such communication proves impossible or requires disproportionate efforts;
In the event that your personal data is incorrect or out of date, you may inform CrowdSec so that the required corrections and/or updates can be made.
How can I exercise my rights? Who do I contact?
As joint data controller and in accordance with the contracts we enter into with our members, CrowdSec coordinates requests to exercise their rights by the holders of the IP addresses concerned and can rely on members of its ecosystem to assist it in this process.
We have appointed a DPO to ensure that your rights are respected and that we deliver on our commitments in this regard.
In order to exercise your rights and/or to obtain any type of information concerning this policy, you can contact CrowdSec at the following address:
– by email at firstname.lastname@example.org indicating the nature of the rights you wish to exercise
– Or, failing that, by mail to our attention at 20 rue Maurice Arnoux, 92120 Montrouge, also indicating the nature of the rights you wish to exercise.
If you feel that your rights are not sufficiently respected you have the right to file a complaint with the CNIL (Commission Nationale de l’Informatique et des Libertés).
What about the cookies placed on my computer? Are we talking about that?
Check our Legal Notices section.