Dear Censys Support,
Thank you for your response.
I am fully aware of what Censys does. That is precisely the issue.
Your opt-out model is not compliant with GDPR. Under Article 6 of Regulation (EU) 2016/679, any processing of data — including the active probing of private infrastructure — requires a valid legal basis. "Legitimate interest" (Article 6.1.f) is explicitly conditional: it cannot override the rights and interests of the data subject when those are clearly asserted. I am asserting them now, in writing, for the second time.
To be unambiguous:
- I did not opt in to your scanning program.
- I am not required to opt out of something I never consented to.
- The burden of compliance is yours, not mine.
I also note that my server logs show repeated connection attempts from multiple Censys-operated IP ranges over an extended period (July–August 2025, and again April 2026). This is documented and timestamped.
I expect the following within 5 business days:
1. Permanent cessation of all scanning targeting my infrastructure.
2. Deletion of any data collected from my systems, with written confirmation.
3. Identification of the legal basis under which my infrastructure was scanned without prior consent.
Should I not receive a satisfactory response, I will file a formal complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés) and escalate to ANSSI. I will also share this correspondence publicly as a documented case study on GDPR non-compliance in the security scanning industry — a topic of considerable interest to the professional community.
This is not a threat. It is a factual description of my next steps.
Regards,
Mike
