MyBB Community Forums

Full Version: Small enhancement: shorten IP for data privacy
Hello everybody,
In Germany we have very strict data privacy rules. One of these rules that we should follow as webmasters is that we should not store complete IP addresses if it's not absolutely necessary.

I did use a custom plugin for the MyBB 1.6 series to replace the last two digits of each user IP address with .0.0
So 112.106.3.4 would become 112.176.0.0 and 67.45.2.1 would become 67.45.0.0

That mostly worked (multiple registrations with one IP checks failed of course) with IPv4 and MyBB 1.6. With the new hashing system in 1.8 and IPv6 access this no longer works and my new custom solution sucks performance-wise (rewriting tables with cronjob).

I'd like to have a setting in MyBB ACP whether to collect (and store in DB) IPs or not or just store an anonymous version of IP addresses.

Here is a discussion about this issue in the official German MyBB support forum:
https://www.mybboard.de/forum/thread-15585.html

Here is a plugin that works similarly but adds extra load:
https://www.mybboard.de/erweiterungen/16.../ip-ghost/

The issue is important because you cannot legally run MyBB in Germany at the moment. At least that's my understanding of the current legal situation. Different open source software like Piwik does use shortened IPs to provide data privacy to the users.
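
The truncation scheme described in the opening post, as an added example that is not part of the original post and is not MyBB code. It zeroes the host bits before anything is stored and handles IPv6 as well; the function names and the IPv6 prefix length (/48) are assumptions, while the IPv4 default (/16) mirrors the ".0.0" replacement in the post.

```php
<?php
// Added example, not MyBB code. The IPv4 default (/16) mirrors the ".0.0"
// scheme in the post; the IPv6 default (/48) is an assumption.

/**
 * Keep only the leading prefix bits of an address and zero the rest.
 * Returns the packed form (4 or 16 bytes) or null if $ip is not a valid address.
 */
function anonymize_ip_packed(string $ip, int $v4Bits = 16, int $v6Bits = 48): ?string
{
    $packed = @inet_pton($ip);           // false (plus a warning) on invalid input
    if ($packed === false) {
        return null;
    }

    // IPv4-mapped IPv6 (::ffff:a.b.c.d) carries a full IPv4 address in its
    // last 4 bytes, so unwrap it and apply the IPv4 prefix instead.
    $mapped = str_repeat("\x00", 10) . "\xff\xff";
    if (strlen($packed) === 16 && strncmp($packed, $mapped, 12) === 0) {
        $packed = substr($packed, 12);
    }

    $len  = strlen($packed);             // 4 = IPv4, 16 = IPv6
    $keep = max(0, min($len === 4 ? $v4Bits : $v6Bits, $len * 8));

    // Build a byte mask: whole 0xff bytes, one partial byte, then zero padding.
    $mask = str_repeat("\xff", intdiv($keep, 8));
    if ($keep % 8 !== 0) {
        $mask .= chr((0xff << (8 - $keep % 8)) & 0xff);
    }
    $mask = str_pad($mask, $len, "\x00");

    return $packed & $mask;              // string & string is a byte-wise AND
}

/** Human-readable form of the anonymized address, or null if invalid. */
function anonymize_ip(string $ip, int $v4Bits = 16, int $v6Bits = 48): ?string
{
    $packed = anonymize_ip_packed($ip, $v4Bits, $v6Bits);
    return $packed === null ? null : inet_ntop($packed);
}

// Constructed sample inputs.
foreach (['67.45.2.1', '2001:db8:abcd:12:34:56:78:9a', '::ffff:67.45.2.1', 'not-an-ip'] as $ip) {
    printf("%-30s => %s\n", $ip, var_export(anonymize_ip($ip), true));
}
```

Truncating at write time avoids rewriting tables afterwards; any IP search, ban or duplicate-registration check then matches on the shared prefix only.
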
I hadn't heard of this law, but obviously it must be a country-specific one rather than a European law. Disabling storing the full IP would also have to disable certain features such as IP searching and IP banning too. I'm surprised none of our other German dev/users have brought this up before.

On a side note, how does the law deal with things such as server access logs, which store IPs for every single request made to that server? Sometimes I don't understand lawyers and lawmakers... ;)
My two cents, but the registration agreement says that your IP address is recorded, therefore, by continuing the sign up process you waived your rights at that moment.

Reference File: https://github.com/mybb/mybb/blob/featur...ng.php#L82
There are actually a lot of laws in the European area that are ignored by MyBB admins - for example the new cookie bar that should be used for European sites (not in Germany yet).

In Germany, it's critical if you can identify a user. And identifying a user via IP is easy.
Our V-Servers are not storing any IP addresses and we are not using tracking tools besides Piwik (which as mentioned takes care of shortening IPs).
Since internet laws in countries belonging to the EU are valid for all EU countries, technically, if you run a MyBB in EU and you get visitors from Germany, you can be sued too.

Piwik discussion:
http://forum.piwik.org/read.php?2,1810

Here is a similar thread for the Drupal platform:
https://www.drupal.org/node/1895140

Discussion at WordPress:
https://wordpress.org/ideas/topic/option...-ip-adress

WooCommerce:
https://wordpress.org/support/topic/plug...ip-address


I'm aware of the problems with IP searching and IP banning (see my first post) but it's better to miss these features than to get mail from lawyers ;)

So please - push this to github and implement this into 1.8 somehow.

(2015-01-18, 04:28 PM)dragonexpert Wrote: [ -> ]My two cents, but the registration agreement says that your IP address is recorded, therefore, by continuing the sign up process you waived your rights at that moment.

Reference File: https://github.com/mybb/mybb/blob/featur...ng.php#L82

That's actually against German law as far as I know. The sentence has no effect therefore. Law > registration agreement.
The US Constitution protects against unreasonable searches and seizures. If a police officer asks if he can search your vehicle and you agree to it, you waived your rights. If the officer then finds something illegal, you are responsible. This is the same thing. You are being presented with information that will occur if you give your consent by continuing the registration process.
The major difference between Piwik and MyBB is that Piwik tracks all visitors of the website while MyBB just stores the IP when you register and post. This makes a difference since there accept an agreement when registering (Google, Facebook, Wikipedia and other sites tell in their privacy policies that they record IPs).
(2015-01-18, 04:49 PM)StefanT Wrote: [ -> ]The major difference between Piwik and MyBB is that Piwik tracks all visitors of the website while MyBB just stores the IP when you register and post. This makes a difference since there accept an agreement when registering (Google, Facebook, Wikipedia and other sites tell in their privacy policies that they record IPs).


MyBB does also get the IP of guests for who's online display for example. If you deliver cached sites, you'll technically already have a saved IP address. Also IP banning means you are saving an IP - with or without existing account.
MyBB also saves (depending on config) data about visitors - think of mobile plugins for 1.6 for example.

EDIT: Enable guest posting - guest IP recorded without registration agreement.

If you have privacy policies that do properly explain what is saved and what is it good for, you can do that. But for a forum it'll be quite hard to explain and writing a complete privacy policy for every forum individually will cause a lot of work. A simple setting would be a better solution here in my opinion. I'm not a lawyer. I do have an imprint and a data privacy statement on all of my sites but my sites do also not record IPs usually. Stefan, you might know the German "Verhältnismäßigkeitsprinzip" when collecting data. That is not given for MyBB here I think - also compared with Drupal/WP and so on.
Bump. Opinions / Questions?
I don't think we should touch the IP storage method in 1.8 for compatibility reasons, may be good to include it in 2.0 though.
We would not touch the storage way itself, just disable it if an admin decides to.
Wrong IP addresses (like 127.0.0.1) do not hurt upgrading or compatibility in any way I think and would be a satisfying solution as well.