Saving IP-Addresses: Option to disable it!

[IPBSupport.de]

A big suggestion for all IPS Products:

Option to disable saving IP-Addresses - COMPLETE!

Why i suggest it?

In Germany, and i think in some other countries as well, we may not be allowed to save IP addresses from members (they are "personal data").

For example what our german lawyers have to say about saving IP-Addresses:

http://translate.google.de/translate?hl=de&sl=de&tl=en&u=http%3A%2F%2Fwww.frag-einen-anwalt.de%2Fforum_topic.asp%3Ftopic_id%3D31496
http://translate.google.de/translate?hl=de&sl=de&tl=en&u=http%3A%2F%2Fwww.frag-einen-anwalt.de%2Fforum_topic.asp%3Ftopic_id%3D31690

(translated via Google in english)

[Fishfish0001]

I've never head that before o.O

Wouldn't it more or less be determined by where your Server is. I also think without IP's the functionality of the board would be limited and would make it hard to stop issues and such.

[Robulosity2]

An IP address is not personally identifying data, you cannot use it to identify the person unless you happen to work for the ISP or contact them to request it. Even then privacy laws would forbid them from releasing it to you... So no idea who in their right mind would consider it that


In addition

[color=#24282C][font=Arial, Helvetica, sans-serif]2nd IP addresses may be stored by a website operator only if the consent of the user, or there is a legal basis for storing[/font][/color]

[font="Arial, Helvetica, sans-serif"][color="#24282C"]

When in doubt, put it in your Terms of Use stating that IP Statistics are collected to protect security and prevent abuse, that is after all the ONLY reason this information should be kept.. Also ensuring that only Administrative members have access to it.

Thus, resolving that loophole as well

[IPBSupport.de]

An IP address is not personally identifying data, you cannot use it to identify the person...

Thats true. But the "Data Protection Act" (or privacy law?) is so strong (in germany)... Its a fact that we not be allowed to save IP Adresses from the members, that say also my own lawyer.

I'm not happy with those laws, but i cant change it and make the best of the situation...

[Ikadon]

Is this EU-law or german-law? What the hell is this stupid european union for? To strengthen the strong and weaken the weak? I mean, let's assume someone did a crime on your forums (e.g. saying something not allowed like something about nazis... YOU are the guilty one, not the one who said it... it's so insane it's not even funny anymore)

[Biker.GA]

I would check with a lawyer that has experience in technical aspects dealing with networking. As has been stated, IP addresses are not considered as data that is personally identifying. Knowing an IP address has absolutely nothing to do with privacy, and any lawyer claiming otherwise doesn't know jack about networking and the underlying technology.

[Robulosity2]

Exactly, an IP does not reveal that information.. Plus as a website owner you have the legal right (and responsibility) to log who visits your site in case there is abuse so you have a way to track and report it.


You need to speak with counsel that has specific qualifications regarding Digital Data Rights

[bfarber]

I am not aware of any plans at this time to stop storing IP addresses in IP.Board and our first-party addon applications.

[Ikadon]

@everyone: Okay, you know that an IP adress doesn't reveal anything, I know the same... does it affect the law in any way? No! So to not violate the law we must have the ability to turn this function off in some countries ;)

It shouldn't be a discussion about wether this is good or bad... it's simply the law in some countries, so our personal opinion doesn't matter at all.

[Biker.GA]

Been doing some reading on this, and it appears you have a bunch of morons in Europe trying to dictate policy in the worst way. I feel for you guys. As it stands, it depends on who you speak to and what their interpretation is, but it does appear that most hold that IP addresses fall under the privacy rules. However, there is no rule that it must be deleted immediately from a server.

[Fishfish0001]

That would pretty much imply that every website in Germany is probably illegal :|

You could just get a host outside of Germany, and you're ready to go. Adding this option would slow down IPB most likely as you would have to check every step of the way, is the IP disabled? Yes or no? It isn't really feisable, and IPB needs IP address to work as far as I can tell. Without them you could easily brute force a session hack.

[Mat Barrie]

To be honest, you already store people's email which is a hell of a lot more personally identifiable than their IP address. Just write it into your privacy policy.

[Biker.GA]

Doesn't work that way in the EU unfortunately. They're dead bent on making it so you can't do much of anything there. The laws and rulings are becoming asinine, effectively making it all but impossible for the hobby sites to comply with the idiocy.

[Mark]

I'm not sure what legislation says this, but I would say anyone who thinks it is possible to operate a website without knowing the IP addresses of visitors doesn't quite understand how the internet works.

[Guest]

Don't forget that even if we removed this functionality from IP.Board, your web server software (Apache, IIS, nginx, etc) would still record it in your access logs. It would be a bit of a pointless exercise.

Plus, if the EU were really trying to ban the storage of such data, would we not have heard about a law suit/lobbying effort from the big boys like Google, Microsoft, etc. whose businesses use that data in a big way?

[Biker.GA]

The EU has Google and MS running in circles with other issues. Namely Google's inadvertent capture of clear wireless traffic and Microsoft's inclusion of other browsers. Both companies are regularly in the news dealing with EU privacy issues.

[Robulosity2]

The EU has Google and MS running in circles with other issues. Namely Google's inadvertent capture of clear wireless traffic and Microsoft's inclusion of other browsers. Both companies are regularly in the news dealing with EU privacy issues.

I think the main issue here is, IPS is not responsible for well.. unreasonable laws/policies in a foreign nation.

Everyone needs to keep in mind, with out IP address stores

Banning
SALTS
Cookie Sessions (server side)

And a few other Security options (including the Spam Service) would all fail (dependancies suck that way). And Microsoft views Privacy laws in every nation it works in at a higher level than the EU Browser issues. And being Microsoft has Data Centers around the UK/EU I'd be stuck dealing with a new privacy agreement over everything plus would have scripts to clear this data from everything.


Honestly, for the subset of customers on a law that will be changed within the future (thats a hint to Site/Server owners to actually petition against it since it leaves them open for attack by malicious users) it is pretty unreasonable to demand that IPS essentially re-code their entire security and services platform around it.

As Matt stated and so did bfarber, your Web Server already stores this information in a far more generic and less private function than IP.Board as well you are storing E-mail addresses.

[Joshua Hina]

Something anyone with a networking background knows. IPs are more often then not leased over and over again by x and y person or company. There not really personally identifiable at all. Even if you have a static IP your IP will mostlikely change at some point (maybe every like few years but still). IPs are not like Social Insurance numbers, drivers license numbers or any of that. All they do its point information to a system. That does not personally identify anything. Especially if you have a dynamic IP address; you IP would change every other day when its released and renewed.(whois can show you who owns the IP or is leasing it; thats not necessarily whos using it)

[IPBSupport.de]

*bump*

This part of IP.Board makes me still stomach ache and i still hope IPS will provide a function so we can disable storing all IPs in IP.Board and its applications!!!

For example, vB know the problem (that a lot of EU states say a IP adress is a part of "personal data") and have a function to disable it ... since years ... and it works fine.

And i know, People from US and/or UK will laugh about that / my / our "problem" and therefore close the eyes about that - but (for example in germany) the lawyers and/or the legislature have there own view about that, and at the end we have the problem and must pay and/or close our website / forum.

[Mat Barrie]

For example, vB know the problem (that a lot of EU states say a IP adress is a part of "personal data") and have a function to disable it ... since years ... and it works fine.

No they don't. They have the option to disable logging IP addresses on posting. It will still log IP addresses on registration. Which stands to reason, since it kind of needs it. In fact, that's the only difference from IPB. Disable guest posting, and suddenly there's no difference.

And i know, People from US and/or UK will laugh about that / my / our "problem" and therefore close the eyes about that - but (for example in germany) the lawyers and/or the legislature have there own view about that, and at the end we have the problem and must pay and/or close our website / forum.

Your lawyers are wrong. You cannot possibly believe that an IP address is considered such sensitive data that it cannot be stored, while an email address is somehow less individual. You're already collecting emails, which are at least 10 times more "personal data" than IP addresses, so to claim that you aren't allowed to keep email addresses is like claiming that users aren't allowed to register on your site - which means yeah, you may as well close up your website.

Actually, did you even ask a lawyer? Because you really should. Advice on the internet is not legal advice, even when it comes from a lawyer.

[Charles]

I know of no country that considers an IP address personal information. There are several reasons for this:

• It's not personally identifiable.
• You cannot even connect to a server without sending your IP - kind of the basic of the Internet there.
• Even if our software stopped logging IPs, your web server still would so what do you gain?
  

I think you are creating an issue where none exists.

[Enkidu]

I'm not sure what legislation says this, but I would say anyone who thinks it is possible to operate a website without knowing the IP addresses of visitors doesn't quite understand how the internet works.

they are good with engines ... not so much with internet :rofl:

[IPBSupport.de]

I notice that no one of you come from Germany and have a idea of the German situation with the privacy policy.

I think you are creating an issue where none exists.

Absolutely not! But we can handle it easily: If I get problems with a lawyer, I am sending this to you - then you will see the problem(s) in germany...

And believe me, i'm not happy with the situation in Germany!!! :dry:

And answers from lawyers i've given up already at starting this topic.

Also its not so easy to get the permission to save members IP adresses during the registration, because also IP adresses from guest saved, so you must get the permission to save a IP adress BEFORE a user can access the community.

But its okay, you (from US/UK) have your own view about that (and I would hope it was so easy in germany) and so we must hope no member ever will make trouble about that.

[Fishfish0001]

Except this is a US based company, so theres not much you could sue IPS for. Charles's post at the top of the page makes perfect sense, and if Germany still thought they were personally identifiable, then frankly, they are idiots.

***I am not a lawyer, and might be wrong about the first sentence.***

[rsyvarth]

I believe that you are reading the law incorrectly...

http://www.theregister.co.uk/2011/02/28/german_data_regulators_want_to_tighten_ip_laws/

If you read that it says that passing their IP to a 3rd party service is illegal. So IPB storing your IP address isn't affected at all.