Michael Grote, posted May 14, 2018:

Hello,

at the moment the software records every IP address in full length. Users who joined a couple of years ago have a huge history of these addresses logged. With the new GDPR this may become an issue as we have to assure that personal data (and IP addresses are personal data) have to be stored in an economical way and only on a "must have" basis.

What I suggest to implement is a function to make those IP addresses anonymous that are older than an adjustable threshold (e.g. all IP addresses older than 90 days, 6 months, 1 year ago or similar). The best would be a background task that is doing this job every night, every week or so.

I was looking for such a tool but I didn't find one. Today the only way to get rid of old IP addresses is to purge the users - but this can't be the solution. So I create this enhancement request.

Regards
Michael

ptprog, posted May 14, 2018:

The best I got was a suggestion from IPS staff to contact support in order to obtain the SQL queries to delete IP addresses from the database. But I agree that this kind of feature should be included in IPS core.

(BTW, I'm not sure what you mean by "purge the users", but at least deleting a user is not enough to remove its IP addresses from the database.)

Aiwa, posted May 15, 2018:

I suggest reading Matt's recent blog post about GDPR. I understand the ask... But from everything I've read about GDPR, completely unnecessary.

Michael Grote (author), posted May 17, 2018:

This request may be unnecessary from the US point of view. But for forums located in the EU it's very relevant as the European and local laws and courts declared IP addresses as personal data.

As far as I understood Matt's blog this feature is part of 4.3.3.

Thank you very much for the very fast implementation of this request.

Regards
Michael

bfarber, posted May 18, 2018:

Some more tools for handling IP addresses will be included in 4.3.3

jair101, posted May 18, 2018:

What about IP obfuscation? I.e., to hash each IP - this way you can still have the benefit of identifying people using the same IP address, but without actually knowing the IP address. I believe even the most GDPR paranoid will be happy with that.

Aiwa, posted May 18, 2018:

Hashing can still be reverse engineered. Sure, it'll take time, but it's possible... The only foolproof solution is to delete them.

Also, if you're looking for ban evaders, you'll have to be able to reverse engineer them to compare with new, unhashed, IPs. So.... All said and done, you've accomplished nothing...

jair101, posted May 18, 2018:

15 minutes ago, Aiwa said:
> Hashing can still be reverse engineered. Sure, it'll take time, but it's possible... The only foolproof solution is to delete them.
>
> Also, if you're looking for ban evaders, you'll have to be able to reverse engineer them to compare with new, unhashed, IPs. So.... All said and done, you've accomplished nothing...

I am not really that knowledgeable in cryptography, but aren't there hashes that are virtually impossible to reverse? And you can hash all IPs, there is no reason for the new IPs to stay unhashed. I can't think of a use case where I need the actual IP. I guess some communities might need the geographical information coming with the IP, some might need the ISP data, but for the majority of admins IPs are simply used to track possible multiple accounts.

ptprog, posted May 18, 2018:

31 minutes ago, jair101 said:
> I am not really that knowledgeable in cryptography, but aren't there hashes that are virtually impossible to reverse? And you can hash all IPs, there is no reason for the new IPs to stay unhashed. I can't think of a use case where I need the actual IP. I guess some communities might need the geographical information coming with the IP, some might need the ISP data, but for the majority of admins IPs are simply used to track possible multiple accounts.

Hashes are not difficult to reverse when you have a small set of possible unhashed values (the number of IPv4 addresses is small enough that you can hash all of them quickly, to create a lookup table; for IPv6 it may take a little longer, though).

Also, actual IPs may be useful in proofs of consent (to prove somebody subscribed to a newsletter, for example).

In case you don't need actual IPs in any case, you can easily anonymize IPs by adding a few lines of code to your constants.php file, I believe. (I had this kind of solution in place, until I realized I needed actual IPs in some cases.)
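
Added example, not part of the thread and not IPS code: it shows why an unkeyed hash of an IP address is recoverable by table lookup, as the post above describes, and how a keyed HMAC still allows same-IP matching. The HMAC comparison is not proposed in the thread; all function names, the key and the sample address are constructed for this illustration, and a /24 stands in for the full address space to keep the run short.

```python
import hashlib
import hmac
import ipaddress

def plain_hash(ip: str) -> str:
    """Unkeyed SHA-256 of the textual address (the naive 'obfuscation')."""
    return hashlib.sha256(ip.encode()).hexdigest()

def build_lookup(network: str) -> dict:
    """Hash every address in a network once: digest -> address.
    The whole IPv4 space is only 2**32 inputs, so the same table can be
    built for all of it; a /24 keeps this demonstration fast."""
    return {plain_hash(str(a)): str(a) for a in ipaddress.ip_network(network)}

def keyed_pseudonym(ip: str, key: bytes) -> str:
    """HMAC-SHA256 under a server-side secret. Equal IPs still give equal
    values, but a table cannot be built without the key. Whoever holds the
    key can still enumerate, so this is pseudonymisation, not anonymisation."""
    canonical = str(ipaddress.ip_address(ip))  # normalise the text form first
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()

# Constructed sample values (documentation address range, throwaway key).
STORED_IP = "198.51.100.77"
SECRET_KEY = b"constructed-demo-key"

def demo():
    table = build_lookup("198.51.100.0/24")
    recovered = table.get(plain_hash(STORED_IP))        # plain hash is reversed
    pseudo = keyed_pseudonym(STORED_IP, SECRET_KEY)
    same_ip_matches = hmac.compare_digest(
        pseudo, keyed_pseudonym("198.51.100.77", SECRET_KEY))
    keyed_in_table = pseudo in table                    # table is useless here
    return recovered, same_ip_matches, keyed_in_table

if __name__ == "__main__":
    print(demo())
```
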

Dll, posted May 18, 2018:

Most IP anonymisation that I've seen simply removes the final 4 numbers from them. That can't be reverse engineered, or linked to personal info.
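
Added example, not part of the thread and not IPS code: a sketch of the age-threshold job requested in the first post, using truncation as the anonymisation step mentioned in the post above. The record layout, the function names and the prefix lengths (/24 for IPv4, /48 for IPv6) are assumptions made for this illustration; the sample records are constructed.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Assumed prefix lengths kept after truncation; the thread does not fix these.
V4_PREFIX = 24
V6_PREFIX = 48

def truncate_ip(ip: str) -> str:
    """Zero the host part of an address, keeping only the network prefix."""
    addr = ipaddress.ip_address(ip)
    prefix = V4_PREFIX if addr.version == 4 else V6_PREFIX
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)

def anonymize_old(records, now, max_age):
    """Return (new_records, changed_count). Records last seen before
    now - max_age get a truncated address; newer ones are left untouched.
    Running it again changes nothing further (truncation is idempotent)."""
    cutoff = now - max_age
    out, changed = [], 0
    for rec in records:
        if rec["seen"] < cutoff:
            masked = truncate_ip(rec["ip"])
            if masked != rec["ip"]:
                changed += 1
            rec = {**rec, "ip": masked}
        out.append(rec)
    return out, changed

def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample rows standing in for a member IP log.
SAMPLE = [
    {"member": 1, "ip": "203.0.113.45", "seen": _utc(2017, 1, 10)},
    {"member": 2, "ip": "2001:db8:abcd:12:1::5", "seen": _utc(2018, 1, 2)},
    {"member": 3, "ip": "192.0.2.9", "seen": _utc(2018, 5, 1)},
]

def run_demo():
    """Nightly-job style run with a 90-day threshold, as of May 14, 2018."""
    return anonymize_old(SAMPLE, _utc(2018, 5, 14), timedelta(days=90))

if __name__ == "__main__":
    for row in run_demo()[0]:
        print(row["member"], row["ip"])
```
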

TDBF, posted May 18, 2018:

9 hours ago, bfarber said:
> Some more tools for handling IP addresses will be included in 4.3.3

Any chance of displaying IP addresses which have been used more than once for registrations within the members profile?

derpunker, posted June 1, 2018:

On 5/17/2018 at 10:07 PM, Michael Grote said:
> But for forums located in the EU it's very relevant as the European and local laws and courts declared IP addresses as personal data

I can confirm that this is a problem with the European laws, and even with IPS 4.3.3 ALL IP addresses are available in the AdminCP (and database). The new setting in IPS 4.3.3 removes only the IP addresses from content/posting and not from the member's record.

I have already contacted the IPS support and they see no need to implement features related to the IP addresses stored in the member record.

Fosters, posted June 2, 2018:

We have an app in the pipeline which is going to remove ALL IP addresses + some other (un)necessary stuff which some people think that it's required for GDPR and others don't. We're not going to take the responsibility for anything, we'll just provide a feature set :)

Should be released later today

derpunker, posted June 3, 2018:

On 6/2/2018 at 7:54 AM, Fosters said:
> We have an app in the pipeline which is going to remove ALL IP addresses + some other (un)necessary stuff which some people think that it's required for GDPR and others don't. We're not going to take the responsibility for anything, we'll just provide a feature set :)
>
> Should be released later today

Is the app already available in the marketplace?

Fosters, posted June 3, 2018:

26 minutes ago, derpunker said:
> Is the app already available in the marketplace?

No not yet, I'm just finishing the last parts :)

This topic is now archived and is closed to further replies.