GDPR and ZeroTier

Hi all!

Do any of you use ZeroTier with my.zerotier.com in Europe, for connecting your customers to networks / services that you host?

If so, how do you deal with the GDPR, with regard to the US server storing your customers’ IP, last connected time, etc?

I am not a GDPR expert; I’m looking to hear about other users’ experiences. In particular, I am considering using it to serve customers, but this GDPR question is a sticky one.

Cheers from Germany! :beers:

I think you’re “overthinking” it; every time you visit a website, your IP, time and so on are stored.

While the ID used in zerotier is unique, it’s not enough to personally identify a user.

I wouldn’t worry about it

Thanks for your reply Chris! :slight_smile:

GDPR (DSGVO / RGPD) does not allow storing the user’s IP without a proper reason, as this is personal data. And the reason has to be explained. ZeroTier does not explain why, where (are third-party hosting companies involved? If yes, which ones, and what is stored there?) and how long IPs are stored, so ZeroTier is not GDPR compliant:

some of which may be collected and stored by us.

Public IP addresses of web browsers and API clients accessing ZeroTier web sites and services.
Public IP addresses of devices running ZeroTier network virtualization software.

One solution could be to ask the user every time before he connects to a network whether he allows storing his IP address on the ZeroTier Central server for as long as the connection is active.

In addition, the web service is not GDPR cookie-consent or CCPA compliant, as it stores user data without asking / informing the user:

Web browsing patterns on ZeroTier web sites such as pages visited, page visit order, referring links, etc.
Web browser or client versions, operating systems, and other general statistics as revealed in request headers or via other in-band sources.

Finally, ZeroTier needs to provide a GDPR-compliant Data Processing Addendum/Agreement (DPA).

@zt-grant @zt-joseph
I would like to see ZeroTier becoming GDPR compliant in the future :slight_smile:

1 Like

+1

It’s difficult for us to offer ZeroTier at the moment, because of this lack of GDPR compliance. I can keep using it personally but deploying it for our customer use poses problems.

I’m afraid we will have to delve into this one and clarify.

If any storage of IPs is not allowed, then we can’t ever be GDPR compliant. Some caching of IP information is required to allow peer to peer connectivity. By this reasoning anything that uses WebRTC, most games that utilize any form of P2P, SIP phones, and virtually anything else with third party brokered NAT/firewall traversing P2P connectivity violates GDPR. You basically couldn’t have anything that does anything networking related that involves any kind of connectivity brokering.

If you only mean the web site, then we use both Google Analytics and Matomo. These AFAIK respect the do-not-track header, but I will have to check.

1 Like

Thinking about this a bit more… if GDPR prohibits storage of IP addresses then any form of VPN or virtual network is non-compliant. Any time you communicate with something online, including another peer, you implicitly reveal your IP, and it must be cached to enable continuous communication. The only way to avoid this is to go through Tor or some other onion routing type anonymity layer, which comes with a large performance penalty.

1 Like

It isn’t that drastic! :slight_smile: It’s more about declaring what is recorded and where, and permitting users to access and have deleted their private data.

It’s definitely not something to be solved on a forum, but it’s absolutely doable, and I wanted to flag it with you - in Europe the GDPR has claws, and especially in Germany.

This is one of many articles about GDPR compliance, but IANAL etc.

Where are you all getting the idea that storing an IP is a breach of GDPR?

Think about what you’re asking!
An IP address is not a piece of information that can be used to “Personally Identify” a person!

Zerotier does NOT breach GDPR.

1 Like

Hey Chris :slight_smile:

I really appreciate the passion you’re coming at this topic with! It’s super refreshing, because it’s pretty dry subject matter :slight_smile:

I think that IP addresses actually are considered personal data under GDPR - see for example this article - https://www.fieldfisher.com/en/services/privacy-security-and-information/privacy-security-and-information-law-blog/can-a-dynamic-ip-address-constitute-personal-data (and others.)

But I would caution against making assumptions here about what constitutes private data and so on - professional advice is absolutely required!

My goal is that ZeroTier.com provides a GDPR-Compliant service, so I can easily offer it to German clients. That’s probably (IANAL!) going to mean engaging the services of someone knowledgeable and writing a few policies, and being prepared to offer some extra services to European customers (like data requests and such.)

It’s all doable, I promise :smiley:

1 Like

From my understanding, IP addresses are only considered personal data if and only if the IP address can be tied to a specific individual. ZeroTier cannot do that. We can tie an IP address to a ZeroTier Identity.

If that identity is joined to a network controller that we host, we know the Identity is in use on a network owned by bob@test.com. We have no way of knowing if it is Bob using ZeroTier on the machine, his wife, his friend, or whoever. We don’t even know if it’s Bob’s personal machine, his wife’s, friend’s, etc. To us, it’s just a machine joined to a network that we host.

You also don’t have to use our hosted controllers to use ZeroTier. Mac/Windows/BSD/Linux versions of ZeroTier are all capable of being network controllers themselves. https://github.com/zerotier/ZeroTierOne/tree/master/controller

If that identity is joined only to user hosted network controllers, all we know is that Node A has IP address X.X.X.X, and what other machines running ZeroTier it needs to find to communicate with. We cannot derive any other information than that.

Without storing an IP address mapped to a ZeroTier Identity, ZeroTier has no way to operate. Period. We do not tie that data to individuals in any way. The data we do collect is listed in our privacy policy and is all in aggregate only and never tied to individuals, and is never sold. Data is not shared with anyone outside the organization and its contractors, with the exception of Stripe.com for payment processing for our hosted network controller service, and where required by law. If you’re a free user of our hosted controllers, your data is not even shared with Stripe until you set up payment and subscribe. We’re not in the business of collecting and selling user data, nor do we ever plan to be.

If you request your data from us, all we could give you is what’s already available when you log in at https://my.zerotier.com because that’s all we collect about individuals. If you log in to https://my.zerotier.com and delete your account, then that’s it. The data is removed from the database. Full stop.

1 Like

Hey Grant,

I hope my messages haven’t given you the impression that I don’t trust your approach to security and privacy - I do, based on your openness and approach and history. None of this is about trusting ZeroTier to do the right thing. If I didn’t trust that, I wouldn’t even be writing this, and I wouldn’t have been using your service for years.

“All” I am asking for, is an official position from ZeroTier about GDPR compliance for their EU customers, because my customers will be asking for it.

Do you think that’s a possibility? (Do you think it’s necessary for ZT to make such a statement about GDPR? Maybe it’s just not needed. My impression so far is that it is, but I’m not an SME…)

(If you have a look at Stripe.com’s site, you can read about how they’ve approached GDPR: https://stripe.com/en-de/guides/general-data-protection-regulation)

IP address can be a piece of personal information, and as such it must be treated that way. Doesn’t matter if it makes sense for you, lawyers and courts know better.

I’m sure OP would agree that it doesn’t mean that you can’t store or process IP addresses. That would be daft. It means that you have to clearly explain what/where/why is stored and get an explicit permission for that.

1 Like

Our company lawyer (just 1 person) approved it. @zt-devs Please do not exclude the EU - just because of these stupid GDPR rules - like some newspapers do.
Especially in lockdown, zt has saved our company, jobs (livelihood) etc.
(note I am not against privacy, but some rules are weird)

1 Like

That’s really promising to hear! Thanks for your feedback Herrmann :slight_smile:

I too would be very happy if Zerotier would look into this and produce a valid GDPR statement that admins / service providers can use.

BTW GDPR is no way a “stupid” thing - it is a win in an ongoing fight for more user privacy rights and internet freedom in general - this is something you should be very interested in, as I believe your product can very well be an important part of realizing more privacy and it seems that you are very ok with that.

Also, this is an issue on which only people with real knowledge should comment - no “gut feelings” or guesses please - this is an important detail, and ZeroTier should invest in clarification for European customers - all important US companies do that, so it is possible.

Thanks!

2 Likes

You are both wrong:
https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&rid=3
“Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”

It’s absolutely allowed to store IPs, but you need to stick to the rules (I’m not a data protection officer, this is only my state of knowledge):

  • inform the user about location, involved companies and timeframe
  • do not store longer than needed
  • maybe: store only on servers located in the EU (needs further investigation)
  • B2B: Data Processing Addendum required

Because of the conflict of interest, a company should never have a lawyer who is the data protection officer at the same time:
https://anwaltsblatt.anwaltverein.de/de/anwaeltinnen-anwaelte/ethik/alles-aus-einer-hand-gibt-es-grenzen

And: An answer of a lawyer depends on your input. A data protection officer asks you all relevant questions I mentioned above. Starting with reading ZeroTier’s DDA, which does not exist. So how can your lawyer approve this?!

3 Likes

Thank you for your reply @mgutt! It’s really informative :slight_smile: