Is CrowdSec acting against European privacy regulations?

In my point of view, sending IP addresses without proper approval by the user is obviously a violation of the law applicable in the EU. The main problem is that the data is shared with a third party, CrowdSec, who store the data on their servers, and that the user's IP could get sent there without the user's approval. In no way can I believe that this is GDPR compliant. There should at least be a paid model where you can opt out of sending the IP addresses. I'd be happy about a discussion below!

In certain cases sharing IP addresses may be allowed, but I don't think using CrowdSec for security is one of them.

Hey :wave:

We already provide a paid model for users to opt out, and users can already disable sharing out of the box if they wish by deleting the CAPI credentials that are installed by default (note: we want to provide installation arguments to allow users to opt out by default; however, we need to clearly state to users that doing this without the paid model will not allow you to benefit from the community blocklists).

Location of CAPI credentials per OS:

  • Linux /etc/crowdsec/online_api_credentials.yaml
  • FreeBSD /usr/local/etc/crowdsec/online_api_credentials.yaml
  • Windows c:/programdata/crowdsec/config/online_api_credentials.yaml

We are currently switching our static model to a flexible model to allow more users to enjoy this as a feature. We are aware this is NOT currently advised on our site and are working to provide that within the following weeks since we are in the middle of changing models.

I am not a lawyer or an expert on GDPR, so I cannot go into those specific details. If you wish to discuss this further, or want me to get you in contact with someone who can, please send an email to support@crowdsec.net and I will help the best I can.

CrowdSec doesn't export the log, just some metadata: timestamp, attack type, aggressive IP.

An IP is considered private data as per the GDPR standard if it can help identify the user behind it. Here, GDPR recital 49 makes it very clear that, in the context of defensive tools, it is allowed to handle them.

Nevertheless, after 6 months (instead of the 1 year allowed by the GDPR), we "blur" the IP into a range (i.e. 92.56.43.21 → 92.56.43.0/24) and do the same for the timestamp (i.e. 12:34:56 → 12:00 - 13:00).

The combination of time and IP “blurring” is enough for CrowdSec to render its service, yet it’s a way to protect privacy even further than demanded by the GDPR regulatory framework.

Moreover, if you're in an even stricter regulatory framework, you can disable IP sharing entirely. As well, remember that
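The blurring policy described in this reply (IP to a /24, timestamp to an hour window, applied once a record is older than 6 months), as an added example that is not CrowdSec's own code. The 183-day threshold, the `Signal` fields, the attack-type labels and the sample records are assumptions constructed for the demo.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress

BLUR_AFTER = timedelta(days=183)  # assumption: "6 months" taken as 183 days

@dataclass(frozen=True)
class Signal:
    timestamp: str    # ISO 8601 with offset, or an hour window once blurred
    attack_type: str  # constructed labels in SAMPLE below
    source: str       # full IPv4 address, or a /24 network once blurred

def blur_ipv4(ip: str) -> str:
    """92.56.43.21 -> 92.56.43.0/24, the mapping given in the reply."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))

def blur_timestamp(ts: str) -> str:
    """12:34:56 -> '12:00 - 13:00' window; date kept, minutes and seconds dropped."""
    start = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
    end = start + timedelta(hours=1)
    return f"{start:%Y-%m-%d %H:%M} - {end:%H:%M}"

def minimise(signals, now):
    """Return a copy of signals where every record older than BLUR_AFTER is blurred."""
    out = []
    for s in signals:
        if "/" in s.source:              # already blurred on an earlier pass
            out.append(s)
        elif now - datetime.fromisoformat(s.timestamp) > BLUR_AFTER:
            out.append(Signal(blur_timestamp(s.timestamp), s.attack_type, blur_ipv4(s.source)))
        else:
            out.append(s)                # recent: keep full precision
    return out

# Constructed sample data: one old signal, one recent one, one already blurred.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE = [
    Signal("2023-05-04T12:34:56+00:00", "ssh-bf", "92.56.43.21"),
    Signal("2023-12-20T23:15:02+00:00", "http-probing", "203.0.113.77"),
    Signal("2023-03-01 08:00 - 09:00", "ssh-bf", "198.51.100.0/24"),
]

def run_demo():
    return minimise(SAMPLE, NOW)

if __name__ == "__main__":
    for s in run_demo():
        print(s)
```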