Thanks @Juan-G -- I wanted to say as such to @frgilb but could not find the appropriate clauses 😄
Here are some additional clauses (thanks @Jay-Moonah for looking into this earlier this week):
“Processing shall be lawful only if and to the extent that at least one of the following applies: […] (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
-- Article 6, Paragraph 1, Point F
“The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, […] by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.”
-- Recital 49 (excerpt)
That said, where IP address is used in a fashion that isn't exposed to anyone of significance (regular users or admins), then I see no reason to utilise the IP, keep it for any lengthy period of time, or at least secure it properly.
To that end, please see gh#6539 (attached) to see how I've addressed the first point.
I would argue that the storage of IP addresses per user (via User.logIP()) is required in order to prevent unauthorized access or cyber-attacks, although I use that term fairly loosely. I've identified the following use cases:
Admin approval for registration (if an IP is already associated with a uid) -- useful for combating sockpuppetry
Get similar uids during admin approval stage -- again, sockpuppetry-mitigation
Search by IP -- used by moderators to find existing sockpuppets.
With GDPR consent required for all users, this is no longer an issue as they would be consenting to their storage of IP addresses for this purpose, and we do delete on user deletion, so this satisfies the "Right to be Forgotten".