MyBB Community Forums

Full Version: Why save IP address (and how to not save it)
Currently, the IP addresses of all users are saved when registering, when logging in, etc.

There are a lot of good reasons not to store IP addresses in any database:
1. It's personal information,
2. When you don't need something: don't save it
3. A database can fall into the hands of bad users (any database can be leaked, the question is when).

So: why not add an option in core to not save IP addresses? Or save only the first part (like Matomo does, for example).
Is there an existing plugin to not save IP addresses?
If not: I see I can force the $_SERVER information to send "" for the IP address when saving starts, but where can I touch only the saved IP address?
datahandler_user_insert and datahandler_user_update, or are there some other places?


[edit]
Quick plugin :
$plugins->add_hook('pre_session_load', 'noipsave_session');
function noipsave_session($event) {
    $event->ipaddress = "";
    $event->packedip = "";
}
There is no way to disable only the saving of the IP, so it needs to be fixed in the session.
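
The "save only the first part" idea from the post above, shown as an added example that is not part of the thread and not MyBB code: a standalone PHP function that zeroes the host part of an address before it is stored. The function name and the prefix lengths (/24 for IPv4, /48 for IPv6) are assumptions, and wiring it into MyBB is not shown.

```php
<?php
// Added example (hypothetical helper, not MyBB code): truncate an IP address
// so that only a network prefix is stored instead of the full address.
// The default prefix lengths are assumptions; pick values that fit your policy.

function mask_ip_for_storage(string $ip, int $v4_bits = 24, int $v6_bits = 48): string
{
    $packed = @inet_pton($ip);
    if ($packed === false) {
        return '';   // unparseable input: store nothing rather than the raw string
    }

    // IPv4-mapped IPv6 (::ffff:a.b.c.d) is handled as the IPv4 address it carries,
    // otherwise the IPv6 prefix would leave the embedded IPv4 address zeroed or
    // intact in a way the IPv4 setting does not control.
    $mapped_prefix = str_repeat("\x00", 10) . "\xff\xff";
    if (strlen($packed) === 16 && substr($packed, 0, 12) === $mapped_prefix) {
        $packed = substr($packed, 12);
    }

    $keep = strlen($packed) === 4 ? $v4_bits : $v6_bits;
    $keep = max(0, min($keep, strlen($packed) * 8));

    $out = '';
    for ($i = 0; $i < strlen($packed); $i++) {
        $bits = max(0, min(8, $keep - $i * 8));   // bits of this byte to keep
        $mask = (0xFF << (8 - $bits)) & 0xFF;
        $out .= chr(ord($packed[$i]) & $mask);
    }

    return inet_ntop($out);
}

// Constructed sample input (documentation address ranges plus one invalid value).
$samples = ['203.0.113.57', '2001:db8:1234:5678::abcd', '::ffff:198.51.100.9', 'not-an-ip'];
foreach ($samples as $sample) {
    printf("%-28s -> %s\n", $sample, var_export(mask_ip_for_storage($sample), true));
}
```

A truncated address still narrows a user down to a network, so it reduces what a leaked database reveals without removing it.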
An IP address is not personal information, and I think that you have to keep a log of IPs during a legal delay: you provide a communication space; if there are official investigations, I think you have to give the IP of the incriminated poster, as the ISP must too.

I'm not a lawyer and I don't think the legislation is the same everywhere, but this is a reason to save IP.
(2022-01-24, 03:27 PM)Crazycat Wrote: [ -> ]An IP address is not personal information,

False: «The CCPA’s definition of personal information expressly contemplates including IP addresses.» and the same in the GDPR in Europe

Quote:I think that you have to keep a log of IP during a legal delay:
1. It is not my responsibility, but that of the hoster (point of discussion)
2. Yes, in France for example it's one year; after that you have to delete it according to the GDPR (different laws that contradict each other).

I found a way to do it, but clearly: with the CCPA and GDPR, MyBB saves more values than needed …
(2022-01-24, 03:55 PM)Firnus Wrote: [ -> ]
(2022-01-24, 03:27 PM)Crazycat Wrote: [ -> ]An IP address is not personal information,

False: «The CCPA’s definition of personal information expressly contemplates including IP addresses.» and the same in the GDPR in Europe

Quote:I think that you have to keep a log of IP during a legal delay:
1. It is not my responsibility, but that of the hoster (point of discussion)
2. Yes, in France for example it's one year; after that you have to delete it according to the GDPR (different laws that contradict each other).

I found a way to do it, but clearly: with the CCPA and GDPR, MyBB saves more values than needed …

I mean in all honesty, you are technically the webmaster of a website that you launch that allows communication between people which would make you the hoster of that website.

You may not host the website on your own servers, but you do host the website, as if you didn't host it on a webhost, then that website wouldn't exist.

Pretty much how DMCA works: your webhost isn't responsible for the DMCA takedown notice, you are, as the webmaster. Your host can't take that specific content down, only the entire website. It is your responsibility as the webmaster to handle that request & remove the offending information because you are the host of that content.

Additionally, if a legal issue arose where you were required to provide logged information (datestamped & IP addresses), that would be YOUR requirement as the webmaster, NOT your webhost's. Your webhost doesn't have access to that information, only you do. Unless they violate their own TOS & basically hack your website by inserting their own administration account through the database to get access to that information, then that's not their responsibility & I don't know of any host that would do that in order to acquire that information because that isn't their problem. It's your problem. If a legal issue arose then it's your problem to provide the required data, not your host's.
(2022-01-24, 03:55 PM)Firnus Wrote: [ -> ]
(2022-01-24, 03:27 PM)Crazycat Wrote: [ -> ]An IP address is not personal information,

False: «The CCPA’s definition of personal information expressly contemplates including IP addresses.» and the same in the GDPR in Europe

Do you own your IP Address? No. You don't. It's not your personal information.

In fact, now that I think about it, a lot of web hosts now use this thing called CGNAT. Which means you now share your public facing IPv4 Address. Which - again - adds a layer of abstraction.
An IP might represent no specific user and thus might be considered non-personal information. But under the same rationale it can be argued it is reasonable to think IPs might not necessarily assist in any criminal matter at all.

Regardless of the opinion, I think administrators are entitled to decide what is or is not valued information worth storing for their specific use.

I think the forum script can work properly without storing IPs, but I am not sure that it is necessary to add this feature by default.

Instead, I think there should be hooks within the core to assist in creating plugins for it. Feel free to suggest such hooks so they might be considered in the future.
Unfortunately, as far as the EU are concerned, for GDPR purposes they do class an IP address as personally identifiable information. I know it makes no sense, but unfortunately laws like this and the cookie policy law were made by people who probably still get viruses from opening emails and think the internet comes on AOL CDs.
(2022-02-02, 10:39 AM)Matt Wrote: [ -> ]Unfortunately, as far as the EU are concerned, for GDPR purposes they do class an IP address as personally identifiable information. I know it makes no sense, but unfortunately laws like this and the cookie policy law were made by people who probably still get viruses from opening emails and think the internet comes on AOL CDs.

Why does it not make sense? IP address is how many MANY webmasters/data brokers identify you. Yes, they have TONS of other ways of identifying people but IP address is the lowest hanging fruit. Reverse IP lookup is easy for anyone, even those not very tech savvy.
(2022-02-17, 04:28 AM)Metallix Wrote: [ -> ]
(2022-02-02, 10:39 AM)Matt Wrote: [ -> ]Unfortunately, as far as the EU are concerned, for GDPR purposes they do class an IP address as personally identifiable information. I know it makes no sense, but unfortunately laws like this and the cookie policy law were made by people who probably still get viruses from opening emails and think the internet comes on AOL CDs.

Why does it not make sense? IP address is how many MANY webmasters/data brokers identify you. Yes, they have TONS of other ways of identifying people but IP address is the lowest hanging fruit. Reverse IP lookup is easy for anyone, even those not very tech savvy.

You can use it to identify returning users, sure, but not an individual human being based on IP address alone, not unless you have deeper access to the ISP's network. Reverse IP lookups are often inaccurate anyway. I've just looked mine up and got results ranging from 2-12 miles away, to London, Birmingham and Wales (100-300 miles away). So the closest they give you is my city, which is on my profile anyway.

And at the end of the day, even if MyBB didn't store the IP address, and your server logs didn't store the IP address, it's still sent to the server without anything I can do to stop it, so could still easily be tracked by the server owner if they wished, which is why, to me, it doesn't make sense. I have a choice on whether my phone number or residential address is sent to your server, but I physically have no ability to stop my IP address being sent to your server, so to treat unavoidable network data as personally identifiable information essentially means the underpinnings of the internet would need to be changed to fully eradicate that as a "privacy" issue.
Currently, I use a plugin to disable ip_save:

$plugins->add_hook('pre_session_load', 'noipsave_session');
$plugins->add_hook('get_ip', 'noipsave_get');

function noipsave_get($ip_array)
{
    $ip_array['ip'] = null;
}
function noipsave_session($event) {
    $event->ipaddress = "";
    $event->packedip = "";
}
I think I need only noipsave_get, but I'm staying with both.

I prefer to keep the session IP for login restriction and other security parts, but since I can only remove it in the user table and post table: I remove it all.

The admin log needs an event, same for polls, maybe others?