GDPR compliance and storage of IP addresses



  • The GDPR states that IP addresses should be considered personal data. In the latest nodebb version 1.9.1 I do not find this addressed. In the account information in my forum, I can see a list of recent IP-addresses for all my users. I do not find settings to limit the storage duration, remove this data, etc. Do I overlook something in the ACP?

    Any help and guidance would be much appreciated 🙂 !


  • Admin

    Hi there @frgilb -- IP addresses are considered personal data, that is fine. We do collect that as part of administration and moderation data, and so registered users who post and share this information will need to provide their consent to have this information tracked.



  • 🤔 I am not sure it is that easy. I think the GDPR requires that the purpose of the collected data is clearly documented, and duration of the storage is "for no longer than is necessary for the purposes for which the personal data are processed".

    Both I am currently not able to describe in the declaration of data protection of my forum. Can you help me out on that?



  • For a GDPR compliance, you must clearly obtain the user's consent. You cannot preselect the answer or "hide" the question in a bunch of text, it must be absolutely clear.
    And a user who wants to remove all data about him must ask for it or do it himself.


  • Admin

    @frgilb We store and process the IP address data as part of moderation tooling, and to my knowledge there's no issue with it as long as users are aware that this data is stored.

    The full list of what we do store in NodeBB (not counting plugins) is outlined in our DPA: https://nodebb.org/gdpr

    All users upon registration (and existing users can be required to provide consent as well, via plugin, to be released tomorrow) will review their rights and consent before being granted an account.



  • @julian Many thanks for your answer and pointing out the DPA. I really appreciate, that the GDPR is professionally addressed by you guys 🙂 !

    Nevertheless, I am not a data protection expert. I also might want to "over-fulfill" the GDPR, but as IP addresses need to be considered as personal data, I feel the need to somehow have control over this data. Limiting the storage duration and/or removing this data on request seem to me like a requirement to be fully GDPR compliant. Is it planned to make this possible?


  • Admin

    @frgilb To my knowledge, we are compliant on that front insomuch that you are able to delete your account in order to remove consent. The process to remove your content in addition to your account would require an administrative step, but this is perfectly fine and in accordance with GDPR. An administrator removing your account and content will remove the IP addresses associated with your account and posts (as the posts themselves are scrubbed from the database).



  • @julian I still have some doubts, but I need to dig deeper into this topic 🤔 . I will export the database of my forum and check what is stored there and do some code reading in the nodebb sources. I will come back to you, if I still have concerns after that.



  • Hey, I would also like to disable (or anonymize) IP storage and delete already logged IPs in my database. If you find the place in the source code/database where they get stored, it would be great if you let me know 🙂 Unfortunately I don't have a lot of experience with mongodb and couldn't find anything yet.



  • @julian I inspected my database export as well as the source code in github. I found a couple of occurrences where IP addresses are stored into the database. According to many articles (e.g. https://www.ctrl.blog/entry/gdpr-web-server-logs) this is critical and should be minimized. I cannot judge if this is compliant to the GDPR or not. Maybe only a lawyer can finally clarify, but I would like to avoid any kind of trouble and reduce the risk for my forum.

    My analysis might not be right. Please correct me, if my view and understanding of the source code is not correct!

    IP Address of visitors is recorded to calculate the total Visitor Count

    IP address is stored in:
    https://github.com/NodeBB/NodeBB/blob/12337302a7e746e36cd4fb5bd0e48fbb3707fae6/src/analytics.js#L40

    Used by:
    https://github.com/NodeBB/NodeBB/blob/12337302a7e746e36cd4fb5bd0e48fbb3707fae6/src/controllers/admin/dashboard.js#L84

    Deleted:
    never

    IP Address of registered users is logged on each Login

    IP address is stored in:
    https://github.com/NodeBB/NodeBB/blob/12337302a7e746e36cd4fb5bd0e48fbb3707fae6/src/user/admin.js#L16
    and
    https://github.com/NodeBB/NodeBB/blob/12337302a7e746e36cd4fb5bd0e48fbb3707fae6/src/user/admin.js#L20

    logged by:
    https://github.com/NodeBB/NodeBB/blob/12337302a7e746e36cd4fb5bd0e48fbb3707fae6/src/controllers/authentication.js#L324

    Used by:
    https://github.com/NodeBB/NodeBB/blob/v1.9.x/src/user/approval.js

    Deleted:
    Only on user deletion in https://github.com/NodeBB/NodeBB/blob/12337302a7e746e36cd4fb5bd0e48fbb3707fae6/src/user/delete.js#L206

    IP Address is stored on events.log() call

    IP address is stored in:
    many code locations

    Used by:
    Admin panel Event History

    Deleted:
    From Admin panel

    Summary

    Out of the above IP address usages, the first seems to me the most critical regarding GDPR compliance, as the IP address of visitors is stored forever without consensus. The purpose (counting unique visitors) from my perspective does not justify the storage. As a solution, a hash function could be applied to the IP address and the hash is stored in the database. With this you can still calculate the unique visitors, while not storing the IP address for visitors at all.

    The two other usages can be justified to some extent, but from my understanding the storage duration should be limited to an appropriate time which depends on the purpose. The current policy to delete on request only does not look compliant to me. I propose to introduce a mechanism which deletes the login IP addresses as well as the event log after a certain period of time, configurable via ACP.

    What do you think?
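
The hashing proposal in the post above, sketched as an added example (not NodeBB code and not written by anyone in the thread; `pseudonymizeIp` and `UniqueVisitorCounter` are hypothetical names). It assumes a random per-day key held only in memory, because an unkeyed hash of an IPv4 address can be reversed by enumerating all 2^32 addresses; once a day is closed, only the count remains.

```javascript
// Added example with hypothetical names; not part of NodeBB.
const crypto = require('node:crypto');

// Keyed hash of an IP address. A bare SHA-256 would not do: the IPv4 space
// has only 2^32 values, so every stored hash could be reversed by enumeration.
function pseudonymizeIp(ip, key) {
  return crypto.createHmac('sha256', key).update(ip.trim().toLowerCase()).digest('hex');
}

class UniqueVisitorCounter {
  constructor() {
    this.open = new Map();   // day -> { key, tokens }; the key lives in memory only
    this.totals = new Map(); // day -> final count, the only value kept long term
  }

  record(ip, date) {
    const day = date.toISOString().slice(0, 10); // UTC day, e.g. '2018-05-25'
    if (this.totals.has(day)) throw new Error(`day ${day} is already closed`);
    if (!this.open.has(day)) {
      this.open.set(day, { key: crypto.randomBytes(32), tokens: new Set() });
    }
    const bucket = this.open.get(day);
    bucket.tokens.add(pseudonymizeIp(ip, bucket.key));
  }

  uniqueVisitors(day) {
    if (this.totals.has(day)) return this.totals.get(day);
    return this.open.has(day) ? this.open.get(day).tokens.size : 0;
  }

  // Freeze the count, then discard the tokens and the key that produced them.
  closeDay(day) {
    const count = this.uniqueVisitors(day);
    this.open.delete(day);
    this.totals.set(day, count);
    return count;
  }
}

// Constructed sample traffic using documentation address ranges.
function demo() {
  const c = new UniqueVisitorCounter();
  const d1 = new Date('2018-05-25T09:00:00Z');
  const d2 = new Date('2018-05-26T09:00:00Z');
  ['203.0.113.7', '203.0.113.7', '198.51.100.23', '2001:DB8::1', '2001:db8::1']
    .forEach((ip) => c.record(ip, d1));
  c.record('203.0.113.7', d2);
  return { day1: c.closeDay('2018-05-25'), day2: c.uniqueVisitors('2018-05-26'), open: c.open.size };
}
```

Because each day gets a fresh key, the same address yields unrelated tokens on different days, so the stored values cannot be used to follow a visitor across days.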


 
