Abstract
The General Data Protection Regulation (GDPR) demands the use of various protection levels to ensure that personal data meet information security requirements. One of the techniques the GDPR recommends to protect personal data is pseudonymization, which consists of replacing real data with pseudonyms. Although databases and documents contain much of the personal data that should be protected, several types of log files contain data (like IP addresses, e-mails, and usernames) that may lead to the (direct or indirect) identification of a person. Therefore, log files must also be processed to achieve regulatory compliance with the principle of accountability imposed by the regulation. In this work, we deal with the pseudonymization of log data. We identify and discuss pseudonymization strategies in terms of the log processing phase and management architecture. We experimentally evaluate such strategies using three implementation alternatives, providing conclusions and helpful insights on their usage.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsReferences
Bolognini, L., Bistolfi, C.: Pseudonymization and impacts of big (personal/anonymous) data processing in the transition from the directive 95/46/EC to the new EU general data protection regulation. Comput. Law Secur. Rev. 33(2), 171–181 (2017)
Chuvakin, A., Schmidt, K., Phillips, C.: Logging and Log Management: The Authoritative Guide to Understanding the Concepts Surrounding Logging and Log Management. Syngress Publishing, Rockland (2012)
Gerhards, R.: The syslog protocol. RFC 5424, pp. 1–38 (2009)
Ghiasvand, S., Ciorba, F.M.: Assessing data usefulness for failure analysis in anonymized system logs. In: 17th International Symposium on Parallel and Distributed Computing (ISPDC-2018) (2018)
Hallam-Baker, P.M., Behlendorf, B.: Extended log file format: W3C working draft WD-logfile-960323 (1996). https://www.w3.org/TR/WD-logfile.html. Accessed 04 Apr 2021
Ham, J., Davidoff, S.: Network Forensics: Tracking Hackers Through Cyberspace. Prentice Hall, Hoboken (2012)
Harper, A., VanDyke, S., Blask, C., Harris, S., Miller, D.: Security Information and Event Management (SIEM) Implementation. McGraw-Hill, New York (2010). https://doi.org/10.1036/9780071701082
Kasem-Madani, S., Meier, M., Wehner, M.: Towards a toolkit for utility and privacy-preserving transformation of semi-structured data using data pseudonymization. In: Data Privacy Management, Cryptocurrencies and Blockchain Technology, pp. 163–179 (2017)
Kent, K., Souppaya, M.P.: SP 800-92. guide to computer security log management. Technical report, Gaithersburg, MD, USA (2006)
Krawczyk, H., Bellare, M., Canetti, R.: RFC2104: HMAC: keyed-hashing for message authentication (1997)
NXLog Ltd. NXLog community edition reference manual (2018). https://nxlog.co/docs/nxlog-ce/nxlog-reference-manual.html
Neumann, G.K., Grace, P., Burns, D., Surridge, M.: Pseudonymization risk analysis in distributed systems. J. Internet Serv. Appl. 10(1), 1–16 (2019)
Portillo-Dominguez, A.O., Ayala-Rivera, V.: Towards an efficient log data protection in software systems through data minimization and anonymization. In: Proceedings - 2019 7th International Conference in Software Engineering Research and Innovation. CONISOFT 2019, pp. 107–115 (2019)
Sonntag, M.: Pseudonymizing log entries with time-selective disclosure. In: Workshops der INFORMATIK 2018 - Architekturen, Prozesse, Sicherheit und Nachhaltigkeit, Köllen Druck+Verlag GmbH, Bonn, pp. 119–127 (2018)
Tachepun, C., Thammaboosadee, S.: A data masking guideline for optimizing insights and privacy under GDPR compliance. In: Proceedings of the 11th International Conference on Advances in Information Technology, pp. 1–9 (2020)
The European Parliament and the Council of the European Union: Regulation (EU) 2016/679 of the European parliament and of the council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing directive 95/46. The Official Journal of the European Union 59, 1–88 (2016)
Turnbull, J., Matotek, D., Lieverdink, P.: Pro Linux System Administration. Apress, New York (2009). https://doi.org/10.1007/978-1-4302-1913-2
Acknowledgements
This work is partially funded by National Funds through the FCT (Foundation for Science and Technology) in the context of the project UIDB/04524/2020.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2021 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Varanda, A., Santos, L., Costa, R.L.d.C., Oliveira, A., Rabadão, C. (2021). The General Data Protection Regulation and Log Pseudonymization. In: Barolli, L., Woungang, I., Enokido, T. (eds) Advanced Information Networking and Applications. AINA 2021. Lecture Notes in Networks and Systems, vol 227. Springer, Cham. https://doi.org/10.1007/978-3-030-75078-7_48
Download citation
DOI: https://doi.org/10.1007/978-3-030-75078-7_48
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-75077-0
Online ISBN: 978-3-030-75078-7
eBook Packages: Intelligent Technologies and RoboticsIntelligent Technologies and Robotics (R0)