New Member
Posts: 13
Registered: ‎06-08-2016
Kudos: 51

There's a big question for Unifi USG in Europe: is Unifi USG compliant with the new GDPR laws?

In Europe, starting from 25 May 2018, the new GDPR regulation (General Data Protection Regulation, regulation EU 2016/679) will become operative.

Among other things, reading the regulation, one learns that it is necessary to comply by having protection from external attacks through perimeter firewalls capable of detecting and blocking external attacks.

Organizations found in non-compliance with GDPR will face heavy fines: €20 million or 4% of their global revenues per incident. This could mean millions, or even billions of dollars in fines for large companies.

Can this be done through the USG?

Emerging Member
Posts: 72
Registered: ‎11-16-2017
Kudos: 80
Solutions: 2

Re: There's a big question for Unifi USG in Europe: is Unifi USG compliant with the new GDPR laws?

Well... if you run all things locally, it's up to you. I don't see any issues with being GDPR compliant. All you need to do is document what and where personal data is stored (e.g. when you are using guest accounts).

Why do you think that there could be a problem with GDPR?

Emerging Member
Posts: 89
Registered: ‎03-28-2013
Kudos: 7
Solutions: 1

Re: There's a big question for Unifi USG in Europe: is Unifi USG compliant with the new GDPR laws?

GDPR states that the user of an IT system should have insight into the data relevant to him; UniFi has no export function for this kind of data.
If a user of your system requests an export of his data you have to provide it. UniFi makes it difficult to do that.

Emerging Member
Posts: 72
Registered: ‎11-16-2017
Kudos: 80
Solutions: 2

Re: There's a big question for Unifi USG in Europe: is Unifi USG compliant with the new GDPR laws?

Okay, but what personal data is captured? The only thing I could think of is DPI - so maybe you need to turn off DPI to be GDPR compliant. Because there is no relevant reason why this personal data is captured.

Regular Member
Posts: 546
Registered: ‎03-31-2016
Kudos: 159
Solutions: 15

Re: There's a big question for Unifi USG in Europe: is Unifi USG compliant with the new GDPR laws?

This law was introduced so a user can request what data you have collected from them and how that data was potentially processed.

So unless you are collecting this data and/or processing this data then the law doesn't apply.

If you are using Facebook to auth a user, then that data capture would come via Facebook not Ubiquiti.

Or is there something else you want to cover?

Emerging Member
Posts: 89
Registered: ‎03-28-2013
Kudos: 7
Solutions: 1

Re: There's a big question for Unifi USG in Europe: is Unifi USG compliant with the new GDPR laws?

The MAC address is collected, and the hostname of the device connecting.

If you use Facebook auth, how are you going to auth a user if you can't send information about that user to Facebook?

You can use Facebook auth for this purpose, you just need to get CLEAR consent with an opt-in system for each user.

Regular Member
Posts: 546
Registered: ‎03-31-2016
Kudos: 159
Solutions: 15

Re: There's a big question for Unifi USG in Europe: is Unifi USG compliant with the new GDPR laws?

See: https://www.itgovernance.eu/blog/en/how-the-gdpr-will-affect-wi-fi-providers/

So if you use Facebook as a way to authenticate, then the compliance burden passes onto Facebook. So if you implement a similar FIM method of authentication then you have passed on the compliance burden to a third party.

Emerging Member
Posts: 89
Registered: ‎03-28-2013
Kudos: 7
Solutions: 1

Re: There's a big question for Unifi USG in Europe: is Unifi USG compliant with the new GDPR laws?

No this is not correct.

New Member
Posts: 13
Registered: ‎06-08-2016
Kudos: 51

Re: There's a big question for Unifi USG in Europe: is Unifi USG compliant with the new GDPR laws?

That's not the problem I'm looking into...

The new regulation tends to impose on the managers the adoption of ANTI-INTRUSION systems capable of detecting and documenting any attacks, issuing notices to the managers so that they have time to intervene and protect the data.

Is there a way to do this with the Unifi USG Firewall series?

Regular Member
Posts: 546
Registered: ‎03-31-2016
Kudos: 159
Solutions: 15

Re: There's a big question for Unifi USG in Europe: is Unifi USG compliant with the new GDPR laws?

Currently in beta is an IDS/IPS implementation.

It will be brought to the fore soon.

New Member
Posts: 13
Registered: ‎06-08-2016
Kudos: 51

Re: There's a big question for Unifi USG in Europe: is Unifi USG compliant with the new GDPR laws?

Is this Beta downloadable?

Emerging Member
Posts: 89
Registered: ‎03-28-2013
Kudos: 7
Solutions: 1

Re: There's a big question for Unifi USG in Europe: is Unifi USG compliant with the new GDPR laws?

For this kind of task UBNT equipment is NOT the way to go. Look into something like this: https://www.securelink.be/trends/gdpr-compliance/

Cisco also has systems for this that conform to the requirements; it will be expensive if you go over the 72 hour limit.

Regular Member
Posts: 546
Registered: ‎03-31-2016
Kudos: 159
Solutions: 15

Re: There's a big question for Unifi USG in Europe: is Unifi USG compliant with the new GDPR laws?

Yes, join the beta community in your profile and you can grab the latest Cloud Key and USG betas.

Regular Member
Posts: 546
Registered: ‎03-31-2016
Kudos: 159
Solutions: 15

Re: There's a big question for Unifi USG in Europe: is Unifi USG compliant with the new GDPR laws?

Don't necessarily believe a company trying to sell you something.

Have a read of https://arstechnica.com/information-technology/2016/08/public-wi-fi-forget-the-scare-stories-read-th...

I still think public wifi implementing FIM won't require you to retain anything, as the upstream provider like Facebook is already retaining this information and what you have would be a duplicate of said data. Therefore, it becomes redundant and not required.

New Member
Posts: 13
Registered: ‎06-08-2016
Kudos: 51

Re: There's a big question for Unifi USG in Europe: is Unifi USG compliant with the new GDPR laws?

Is it possible to have a feature list of the IDS in USG?

Veteran Member
Posts: 5,043
Registered: ‎06-13-2015
Kudos: 1356
Solutions: 235

Re: There's a big question for Unifi USG in Europe: is Unifi USG compliant with the new GDPR laws?

@sersis I noticed this thread quite late. Disclaimer: I am not a specialist in legal matters regarding GDPR, I have however done my due diligence with regard to GDPR as it relates to parties providing public network services.

Based on what I have learnt I have to agree with you that GDPR applies to UniFi networks when these are offered to the general public (e.g. public guest WiFi). GDPR clearly states that it applies to those processing personal information and it has been made clear that from a GDPR perspective IP addresses (...) are regarded as personal information. This and other specific cases in the EU lead me to believe that even MAC addresses are regarded as personal information.

Therefore any company running a public guest network that is available to EU citizens will have to comply with GDPR, which among many other aspects, requires them to offer the "objects" whose personal information is being collected and processed (e.g. when looking up the device vendor) the following:

  • insight into their information as collected by the UniFi controller ( @wizard155: which in the case of Facebook auth includes their email address since that is also stored on the controller's database), basically to meet their legal "Right of access"
  • a method to download their data as collected, to meet their legal "Right to data portability"
  • a method to request deletion of all (or a selection of) their data as collected by the UniFi controller, to meet their legal "Right to be forgotten"

Currently you can implement the first two by building a custom solution which integrates through the controller API; however the last requirement cannot be met in any way with the current UniFi controller versions: there is no way to delete a specific client device, all its stats, sessions etc., nor to delete a specific transaction from the HotSpot manager.

I have spoken to several UBNT staff members who say they will support their clients to comply with GDPR by May 25 when the regulations come into effect. But, with roughly 4 weeks left, there is still no sign of what they will be exactly implementing and how...

Art of WiFi
Check out our UniFi API browser tool on GitHub. The PHP API client which it uses, can be found here on GitHub.
The thread on our UniFi Device Search tool can be found here, also check out our Captive Portal solutions for UniFi.
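One way to cover the first two items (access and portability) from the controller's own data, as an added example rather than Art of WiFi's or Ubiquiti's code: it assumes the site's client list (stat/alluser) and hotspot guest records (stat/guest) have already been fetched from the controller API as JSON, the field names used are assumptions based on the controller's usual keys, and the sample records are constructed.

```python
"""Subject-access export from UniFi controller data (added example; field names are assumptions)."""
import re
from datetime import datetime, timezone

def normalize_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff; return lower-case colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac or "")
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % (mac,))
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()

def _matches(record, target):
    """True only for the requested MAC; records with a missing or malformed MAC never match."""
    try:
        return normalize_mac(record.get("mac")) == target
    except ValueError:
        return False

def _iso(epoch):
    """Controller timestamps are epoch seconds; export them as UTC ISO 8601."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat() if epoch else None

def build_subject_export(mac, all_users, guest_records):
    """Everything held for one device (Right of access / data portability). Only the requested
    MAC's records are copied, so no other subject's data leaks into the export."""
    target = normalize_mac(mac)
    return {
        "subject_mac": target,
        "device_records": [  # from stat/alluser (assumed keys)
            {"hostname": u.get("hostname"), "oui": u.get("oui"), "is_guest": u.get("is_guest", False),
             "first_seen": _iso(u.get("first_seen")), "last_seen": _iso(u.get("last_seen"))}
            for u in all_users if _matches(u, target)],
        "guest_authorizations": [  # from stat/guest: carries what the portal collected (e.g. email)
            {"start": _iso(g.get("start")), "end": _iso(g.get("end")),
             "authorized_by": g.get("authorized_by"), "email": g.get("email")}
            for g in guest_records if _matches(g, target)],
    }

# Constructed sample records in the shape of the controller's responses.
SAMPLE_ALLUSER = [
    {"mac": "aa:bb:cc:dd:ee:01", "hostname": "alices-phone", "oui": "ExampleVendor",
     "is_guest": True, "first_seen": 1524000000, "last_seen": 1524600000},
    {"mac": "aa:bb:cc:dd:ee:02", "hostname": "other-laptop", "oui": "ExampleVendor",
     "is_guest": True, "first_seen": 1524100000, "last_seen": 1524500000},
]
SAMPLE_GUESTS = [
    {"mac": "AA-BB-CC-DD-EE-01", "start": 1524500000, "end": 1524586400,
     "authorized_by": "facebook", "email": "alice@example.com"},
    {"mac": "aa:bb:cc:dd:ee:02", "start": 1524400000, "end": 1524486400, "authorized_by": "voucher"},
    {"mac": "", "start": 1524400000, "end": 1524486400, "authorized_by": "voucher"},
]
```

Deletion (the third item) is deliberately absent, since the post notes the controller offers no way to remove a single client's records.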
Veteran Member
Posts: 4,842
Registered: ‎03-11-2013
Kudos: 1571
Solutions: 91

Re: There's a big question for Unifi USG in Europe: is Unifi USG compliant with the new GDPR laws?

I am pretty sure that there will be more legal clarification as to what is and isn't personal information in terms of GDPR.

IP addresses are a grey area. Even if public IP addresses are static/fixed/unchanging they may not be uniquely personal data. A public IP address may be unique to an individual, or to a group of individuals, the possibilities are endless.

There may well be valid legal differences between IPv4 and IPv6 IP addresses, because of the manner in which they are used.

The IP address of a mobile device is yet another complication.

If all this seems confusing, that is entirely normal. Try meeting the conflicting data retention standards of many individual states (you get prosecuted by one department if you haven't deleted the records within x weeks, and prosecuted by another department for not retaining the records for longer than 15 times that period). There are ways of meeting both requirements.

Personally, I try not to keep any user data. Mostly this sort of data is not very reliable, it is of zero value to most people, so no need to keep it. Don't harvest user information.

Veteran Member
Posts: 5,043
Registered: ‎06-13-2015
Kudos: 1356
Solutions: 235

Re: There's a big question for Unifi USG in Europe: is Unifi USG compliant with the new GDPR laws?

@Uberseehandel I'm with you wrt the IP address discussion and also the fact that you should not collect unnecessary personal data. Thing is that businesses are looking for ways to cover the expenses for operating public WiFi networks, and asking people to subscribe to a newsletter is one example of how to achieve that. If implemented and managed well I believe this can even be of added value to the guest as well.

Regarding the MAC address discussion; in the Netherlands there was an interesting issue between the Privacy Watchdog and a company offering WiFi tracking services based on the passive collection of MAC addresses (not sure whether your Dutch is good enough to read this without the use of Google Translate ;)):

https://autoriteitpersoonsgegevens.nl/nl/nieuws/ap-legt-wifi-tracker-bluetrace-last-onder-dwangsom-o...

Based on this and other information I've collected over the past year or so I'm assuming GDPR will also regard MAC addresses as personal information. This implies anyone running a public WiFi network that is accessed by EU citizens, even without collecting other personal data, is potentially at risk after May 25th.

Veteran Member
Posts: 4,842
Registered: ‎03-11-2013
Kudos: 1571
Solutions: 91

Re: There's a big question for Unifi USG in Europe: is Unifi USG compliant with the new GDPR laws?

@slooffmaster wrote:

@Uberseehandel I'm with you wrt the IP address discussion and also the fact that you should not collect unnecessary. . . .

Regarding the MAC address discussion; in the Netherlands there was an interesting issue between the Privacy Watchdog and a company offering WiFi tracking services based on the passive collection of MAC addresses (not sure whether your Dutch is good enough to read this without the use of Google Translate ;)):

https://autoriteitpersoonsgegevens.nl/nl/nieuws/ap-legt-wifi-tracker-bluetrace-last-onder-dwangsom-o...

Based on this and other information I've collected over the past year or so I'm assuming GDPR will also regard MAC addresses as personal information. This implies anyone running a public WiFi network that is accessed by EU citizens, even without collecting other personal data, is potentially at risk after May 25th.

It does depend which MAC address is being collected.

Despite having worked in Holland (and for Shell International), I don't really do Dutch, but my German helps me through most of Scandinavia as well as Netherlandish speakers (Flemish). One of my hobbies is European film-noir and crimi, and I'm currently watching a Flemish krimi (script needs development). So I'll give it a go. By a coincidence, my son informs me that because of the uncertainties around Brexit, my grandsons now have 4 passports each - NZ, UK, Dutch and Israeli (their mum is a Dutch Jodin), I better start working on my Dutch.

Member
Posts: 143
Registered: ‎04-18-2018
Kudos: 34
Solutions: 1

Re: There's a big question for Unifi USG in Europe: is Unifi USG compliant with the new GDPR laws?

[ Edited ]

Although the USG may collect information like IP addresses and MAC addresses... I would argue that information is not "personal data" as it does not personally identify the user. If you don't collect names of the users you cannot personally identify them. In this case, GDPR would not apply.

Here's a court ruling that declares IP addresses are personal data only in some cases... when the user also provides additional information that personally identifies themselves (such as name or email). I don't think users provide this information to USG.

https://www.whitecase.com/publications/alert/court-confirms-ip-addresses-are-personal-data-some-case...

If this was useful, please like this post. Please also mark this post solved if it solved your problem.

My UniFi equipment: Cloud Key, Cloud Key 2+, Gateway (USG), PoE Switch (US-8-150W), Access Point (UAP-AC-Pro), UniFi G3 Flex