MyBB Community Forums

Full Version: Questions about deleting IP logs?
1) Am I legally required to keep logs?
2) If I delete IP logs from MyBB, will the host still be able to identify the forum accounts of each IP?



I'm trying to keep my users as anonymous as possible.
1) No, although it's a great idea to keep them in case there's ever a security issue with your forum and you need to find out what happened (the request they made, who made it, from where, etc.).

2) Technically there will always be a way for them to, but if you at least have your forum HTTPS-enabled with a strong ciphersuite, you should be okay. The host could always backdoor your HTTP server binary to dump plaintext after decryption to another server, but if you're worried about that, then you need a lot more than standard hosting.
(2016-09-20, 10:10 PM)Josh H. Wrote: [ -> ]1) No, although it's a great idea to keep them in case there's ever a security issue with your forum and you need to find out what happened (the request they made, who made it, from where, etc.).

To further add:

Logs can be insanely useful to see how people use your site. Yes, there are tools like Google Analytics, but the logs are substantially better as it shows *everything*. Then you can cut it down to be desktops, tablets, etc by user-agent, etc.

It's really useful, IMHO.
(2016-09-20, 10:54 PM)Ben Cousins Wrote: [ -> ]
(2016-09-20, 10:10 PM)Josh H. Wrote: [ -> ]1) No, although it's a great idea to keep them in case there's ever a security issue with your forum and you need to find out what happened (the request they made, who made it, from where, etc.).

To further add:

Logs can be insanely useful to see how people use your site. Yes, there are tools like Google Analytics, but the logs are substantially better as it shows *everything*. Then you can cut it down to be desktops, tablets, etc by user-agent, etc.

It's really useful, IMHO.


I have user anonymity in mind. To me that is more important than tracking them.

(2016-09-20, 10:10 PM)Josh H. Wrote: [ -> ]2) Technically there will always be a way for them to, but if you at least have your forum HTTPS-enabled with a strong ciphersuite, you should be okay. The host could always backdoor your HTTP server binary to dump plaintext after decryption to another server, but if you're worried about that, then you need a lot more than standard hosting.

How would they know what user account is being used by which IP? Surely the logs on their end don't have profile data too?
(2016-09-21, 01:03 AM)t.h.96 Wrote: [ -> ]
(2016-09-20, 10:54 PM)Ben Cousins Wrote: [ -> ]
(2016-09-20, 10:10 PM)Josh H. Wrote: [ -> ]1) No, although it's a great idea to keep them in case there's ever a security issue with your forum and you need to find out what happened (the request they made, who made it, from where, etc.).

To further add:

Logs can be insanely useful to see how people use your site. Yes, there are tools like Google Analytics, but the logs are substantially better as it shows *everything*. Then you can cut it down to be desktops, tablets, etc by user-agent, etc.

It's really useful, IMHO.


I have user anonymity in mind. To me that is more important than tracking them.

Ok; just bear in mind that anonymity breeds contempt.
Does anyone know of a way to make sure the host doesn't know which profiles go with which IP?
Can someone explain how they would know?
The host, unless they're a mod/admin/have database access, won't know. I.e., if you're running a dedicated/VPS/colo, they won't be able to access it.
(2016-09-21, 01:08 AM)Ben Cousins Wrote: [ -> ]
(2016-09-21, 01:03 AM)t.h.96 Wrote: [ -> ]
(2016-09-20, 10:54 PM)Ben Cousins Wrote: [ -> ]
(2016-09-20, 10:10 PM)Josh H. Wrote: [ -> ]1) No, although it's a great idea to keep them in case there's ever a security issue with your forum and you need to find out what happened (the request they made, who made it, from where, etc.).

To further add:

Logs can be insanely useful to see how people use your site. Yes, there are tools like Google Analytics, but the logs are substantially better as it shows *everything*. Then you can cut it down to be desktops, tablets, etc by user-agent, etc.

It's really useful, IMHO.


I have user anonymity in mind. To me that is more important than tracking them.

Ok; just bear in mind that anonymity breeds contempt.

(2016-09-21, 01:34 AM)Ben Cousins Wrote: [ -> ]The host, unless they're a mod/admin/have database access, won't know. I.e., if you're running a dedicated/VPS/colo, they won't be able to access it.

Therefore as long as I delete the IP logs then they should be anonymous? I want user privacy.

However, if there is a way to have user privacy while also avoiding multi-accounting, I'm all ears.
(2016-09-21, 01:36 AM)t.h.96 Wrote: [ -> ]Therefore as long as I delete the IP logs then they should be anonymous? I want user privacy.

a) User IPs are stored in mybb_sessions (I think)
b) User Registration IPs are stored in mybb_users.

So, no, deleting the logs will not do that.
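Added example, not part of the original thread and not MyBB code: one way to reconcile the two goals raised above (no stored raw IPs, but still spotting multi-accounting) is to keep only a keyed HMAC of each address and compare tokens. The function names, the key and the registration rows are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
from collections import defaultdict


def pseudonymize_ip(ip: str, key: bytes) -> str:
    """Return a keyed token for an IP address; the raw address is not kept."""
    addr = ipaddress.ip_address(ip.strip())
    # Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as plain IPv4 so one client
    # does not get two different tokens.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if addr.version == 6:
        # IPv6 hosts rotate the low 64 bits, so compare on the /64 prefix.
        net = ipaddress.ip_network(f"{addr}/64", strict=False)
        canonical = net.network_address.packed
    else:
        canonical = addr.packed
    # Keyed hash: without the key, tokens cannot be reversed by simply
    # hashing every possible IPv4 address.
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()[:32]


def shared_ip_accounts(registrations, key):
    """Return sorted groups of usernames whose IP tokens collide."""
    groups = defaultdict(set)
    for username, ip in registrations:
        groups[pseudonymize_ip(ip, key)].add(username)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


# Constructed sample data (documentation address ranges only).
SAMPLE_KEY = b"constructed-demo-key-store-the-real-one-off-the-db"
SAMPLE_REGISTRATIONS = [
    ("alice", "203.0.113.7"),
    ("bob", "198.51.100.23"),
    ("alice_alt", "::ffff:203.0.113.7"),
    ("carol", "2001:db8:1:2:aaaa:bbbb:cccc:dddd"),
    ("carol2", "2001:db8:1:2::1"),
]

if __name__ == "__main__":
    for group in shared_ip_accounts(SAMPLE_REGISTRATIONS, SAMPLE_KEY):
        print("possible multi-account:", ", ".join(group))
```

Anyone who holds the key can enumerate the IPv4 space and recover addresses, so the key has to live apart from the database and be rotated. This does nothing against a host with full access to the machine.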
Quote:How would they know what user account is being used by which IP? Surely the logs on their end don't have profile data too?
If you run a server on their hardware, they can always reboot the box into single-user mode and do whatever they want to your system to establish any logging they want, and then reboot it before you know something's up.