@samueljohnson @kravietz It's not been decided by a court, but:
- SSH port is open to anyone.
- Anyone who connects to it - and be it by entering http://ipaddress:22 in the browser address bar - will cause log lines to be written.
- The logging includes the source IP address, which is generally considered PII.
As such, it quite obviously falls into the scope of the GDPR.
As for the logging of the IPs itself, that clearly falls under "legitimate interest" as per Article 6(1) GDPR - so that is fine per se.
Art. 13 GDPR is the real problem with SSH - the right to be informed. The protocol doesn't even provide a _way_ for the connecting individual to be informed about these things.
Clearly the authors of the GDPR did not _intend_ to place 20 million EUR penalties on private individuals who happen to run a vserver with SSH access. And I also presume it won't actually be _applied_ like that. But ultimately it depends on whether someone will file a GDPR complaint, and how the DPA will treat that report. I suppose unless a wild #Gravenreuth appears, people should be safe.