IP Address anonymisation


Michael Grote

Hello,

at the moment the software records every IP address in full length. Users who joined a couple of years ago have a huge history of these addresses logged.
With the new GDPR this may become an issue as we have to assure that personal data (and IP addresses are personal data) have to be stored in an economical way and only on a "must have" basis.

What I suggest to implement is a function to make those IP addresses anonymous that are older than an adjustable threshold (e.g. all IP addresses older than 90 days, 6 months, 1 year ago or similar).
The best would be a background task that is doing this job every night, every week or so.

I was looking for such a tool but I didn't find one. Today the only way to get rid of old IP addresses is to purge the users - but this can't be the solution.
So I create this enhancement request.

Regards
Michael

 


This request may be unnecessary from the US point of view.
But for forums located in the EU it's very relevant as the European and local laws and courts declared IP addresses as personal data.

As far as I understood Matt's blog, this feature is part of 4.3.3.

Thank you very much for the very fast implementation of this request.

Regards
Michael

 


What about IP obfuscation? I.e., to hash each IP - this way you can still have the benefit of identifying people using the same IP address, but without actually knowing the IP address. I believe even the most GDPR paranoid will be happy with that.


Hashing can still be reverse engineered.  Sure, it'll take time, but it's possible...  The only foolproof solution is to delete them.

Also, if you're looking for ban evaders, you'll have to be able to reverse engineer them to compare with new, unhashed, IPs.  So.... All said and done, you've accomplished nothing...


15 minutes ago, Aiwa said:

Hashing can still be reverse engineered.  Sure, it'll take time, but it's possible...  The only foolproof solution is to delete them.

Also, if you're looking for ban evaders, you'll have to be able to reverse engineer them to compare with new, unhashed, IPs.  So.... All said and done, you've accomplished nothing...

I am not really that knowledgeable in cryptography, but aren't there hashes that are virtually impossible to reverse?

And you can hash all IPs, there is no reason for the new IPs to stay unhashed. I can't think of a use case where I need the actual IP. I guess some communities might need the geographical information coming with the IP, some might need the ISP data, but for the majority of admins IPs are simply used to track possible multiple accounts. 


31 minutes ago, jair101 said:

I am not really that knowledgeable in cryptography, but aren't there hashes that are virtually impossible to reverse?

And you can hash all IPs, there is no reason for the new IPs to stay unhashed. I can't think of a use case where I need the actual IP. I guess some communities might need the geographical information coming with the IP, some might need the ISP data, but for the majority of admins IPs are simply used to track possible multiple accounts. 

Hashes are not difficult to reverse when you have a small set of possible unhashed values (the number of IPv4 addresses is small enough that you can hash all of them quickly, to create a lookup table; for IPv6 it may take a little longer, though).

Also, actual IPs may be useful in proofs of consent (to prove somebody subscribed to a newsletter, for example).

In case you don't need actual IPs in any case, you can easily anonymize IPs by adding a few lines of code to your constants.php file, I believe.  (I had this kind of solution in place, until I realized I needed actual IPs in some cases.)
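
The lookup-table point from the reply above, together with the age-threshold idea from the opening post, worked through as an added example (not part of the thread and not code from the forum software). The function names, the demo key, the /24 and /48 truncation prefixes and the sample records are assumptions made for illustration; the 90-day threshold is one of the values suggested in the opening post.

```python
import hashlib
import hmac
import ipaddress
from datetime import datetime, timedelta

def plain_hash(ip):
    # Unsalted SHA-256 of the textual address: the "just hash it" proposal.
    return hashlib.sha256(ip.encode()).hexdigest()

def reverse_by_enumeration(digest, network):
    # Hash every candidate address and compare. A /16 is used here so the
    # example finishes instantly; the whole IPv4 space is only 2**32 values.
    for addr in ipaddress.ip_network(network):
        if plain_hash(str(addr)) == digest:
            return str(addr)
    return None

def keyed_pseudonym(ip, key):
    # HMAC with a server-side secret: equal addresses still produce equal
    # tokens (duplicate-account matching works), but a lookup table cannot
    # be built without the key. Whoever holds the key can still enumerate.
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()

def truncate(ip):
    # Coarsening that discards the host bits: keep only the /24 (IPv4) or
    # /48 (IPv6) prefix. Both prefix lengths are assumptions of this example.
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)

def apply_retention(records, now, max_age):
    # records: (ip, last_seen) pairs; entries older than max_age are truncated.
    return [(truncate(ip) if now - seen > max_age else ip, seen)
            for ip, seen in records]

# Constructed sample data (documentation address ranges, made-up key).
KEY = b"constructed-demo-key"
NOW = datetime(2018, 6, 1)
RECORDS = [("198.51.100.23", datetime(2017, 1, 5)),
           ("2001:db8:1234:5678::1", datetime(2018, 5, 20))]

if __name__ == "__main__":
    print(reverse_by_enumeration(plain_hash("198.51.100.23"), "198.51.0.0/16"))
    print(reverse_by_enumeration(keyed_pseudonym("198.51.100.23", KEY), "198.51.0.0/16"))
    print(apply_retention(RECORDS, NOW, timedelta(days=90)))
```

The plain hash is recovered by walking the candidate range, the keyed token is not, and only the record older than the threshold is coarsened.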


9 hours ago, bfarber said:

Some more tools for handling IP addresses will be included in 4.3.3

Any chance of displaying IP addresses which have been used more than once for registrations within the members profile?


  • 2 weeks later...
On 5/17/2018 at 10:07 PM, Michael Grote said:

But for forums located in the EU it's very relevant as the European and local laws and courts declared IP addresses as personal data.

I can confirm that this is a problem with the European laws and even with IPS 4.3.3 ALL IP addresses are available in the AdminCP (and Database).
The new setting in IPS 4.3.3 removes only the IP addresses from content/posting and not from the member's record.

I have already contacted the IPS support and they see no need to implement features related to the IP addresses stored in the member record.


We have an app in the pipeline which is going to remove ALL IP addresses + some other (un)necessary stuff which some people think is required for GDPR and others don't.
We're not going to take the responsibility for anything, we'll just provide a feature set :)
Should be released later today.


On 6/2/2018 at 7:54 AM, Fosters said:

We have an app in the pipeline which is going to remove ALL IP addresses + some other (un)necessary stuff which some people think is required for GDPR and others don't.
We're not going to take the responsibility for anything, we'll just provide a feature set :)
Should be released later today.

Is the app already available in the marketplace?


Archived

This topic is now archived and is closed to further replies.
