My ban on EU website traffic has been lifted.

Due to concerns about my legal responsibilities around compliance the European Union General Data Protection Regulations, I configured my Wordfence web application firewall (WAF) to block all traffic origination in EU member countries. While some people think this was an extreme move, a lack of clarity around what is expected of small website operators and that I operate an information technology related consultancy, left me feeling vulnerable. Until I could understand what/if I needed to do to comply with GDPR's "right to be forgotten", I simply did not want the risk.

Today, I have removed the WAF rules that restrict traffic originating in the EU. Automattic, the company behind and the supporters of, have updated/are updating JetPack and other properties to comply with the GDPR. Currently, my self-hosted WordPress uses the Jetpack plug-in to handle things like comments and website traffic analysis. This moves some of the risks off to Automattic. They will be the data controller for information collected via comments and website analytics.

Automattic has provided information on what information JetPack collects for comments and how that data is used. They have done the same for website analytics. Click on those links to find out more.

I have added "Do Not Track" code to my WordPress config via JetPack. According to Automattic.

Any piece of data explicitly identifying a specific user (IP address, ID, username, etc.) is not visible to the site owner when using this feature. For example, a site owner can see that a specific post has 285 views, but he/she cannot see which specific users/accounts viewed that post.

Stats logs — containing visitor IP addresses and usernames (if available) — are retained by Automattic for 28 days and are used only for the purpose of powering this feature.

Comments on my blog will be restricted to what JetPack and Webmentions provide. I expect that JetPack comments will soon have the ability for commenters to delete comments, allowing compliance with GDPR requirements. I expect that people using Webmentions understand how they work and understand that they can delete a comment by sending another Webmention to do so.

I do not intend to collect any information on visitors or commenters to this website other than what JetPacks collects.

I am basing my decision to remove the WAF rules based on the changes that Automattic is making and also on guidance in this post. Also, Wordfence has applied "for the Privacy Shield certification program for both EU-US and Swiss-US and will soon have available a Data Processing Agreement" for EU customers who need one.

I guess what's really pissing me off is that although I live in the United States of American, some fucking European law can reach across the ocean and potentially affect me. That, that pisses me off!!

Geography of the visitors to Island in the Net.

Author:Khürt Williams

A human who works in information security and enjoys photography, Formula 1 and craft ale.

5 thoughts on “My ban on EU website traffic has been lifted.”

  1. Nice one...
    There are many ways to create a website but however with certain restrictions. Best way I would like to suggest is to know the basics of web designing with html and css and then start creating the website of you choice.

  2. First of all I am so happy to be allowed to follow this website !!!

    Second, even if it could seem strange the rest of the world has undergone laws and regulations of U.S.A. for decades, expecially on the software side… If we wanted (or want) to use some services based in the States we have to obey to USA laws.

    But things are scarier than this… IIRC if I will ever want to come to Princeton and hug you and your family, and go to dinner I will have to give all my social networks passwords, if I buy an airplan ticket with my credit card there's the faculty of being fully investigated on my bank account and so on.

    The real problem is… we're living in an interconnected world, but even if we're on the "same side" of economics and political view of the world, still we can't find a unique and shared way to make laws protecting people with a sane dose of respect, privacy and ‘politeness’ to my good-will.

    I don't know if I have managed to express myself. Technical writing is more easy for me than this colloquial conversation. Let me know if I've done something wrong…

    1. I agree that the USA customs laws are idiotic. They are based on fear and in some respect seem fascist. But you have to travel here for that silly law to affect you.

      But under USA law a company ca make it’s own rules (within USA law) and you can choose no to use their service. If you choose not to use their service then the rules don’t reach.

      However, I am sitting in my house at home and EU law affects me. I have not travelled to Europe but the law affects me. That’s a problem.

  3. Pingback: Nicola Losito

Comments are closed.