This looks great for GDPR and a good way to get in compliance by pushing the problem way upstream as to not have to figure out delegations at the app layers.
I prefer to look at it the other way around. Why would you need to log IPs? It’s like asking people for their social security number (USA) just to have a unique identifier—this is more info than you need.
With more difficulty. I can hardly use hashes to blacklist IP ranges in my firewall, even if it could, the performance would suck due to the necessary hashing.
2) Your product is user privacy related and you want to state truthfully you do not record user IP addresses anywhere on your end (such as nginx logs that you may still need to debug issues in production).
I’m sure laws differs between countries, but isn’t there a law in Europe that forces you to log IP for eventual police investigation ?
It was true some years ago in France (a law from 2011 says you must keep 1 year of logs for user posting content on your website [1]), and it’s the big question I am asking myself for several months with GPRD comming.
Everyone I ask had its own way of seeing it and I’m confused.
In some countries in europe (e.g.: Germany) they are pretty strict against maintaining logs that associate employee web traffic with the employee. Plus,GDPR will introduce some concerns like you mentioned.
For that law you referenced,I am not sure it would apply for a network provider as it would for a site-owner (e.g.: VPN or CDN provider vs a website)
With the original IP, addresses are fairly expensive. With IPv6, even home users are assigned a /64 subnet at the smallest, so a malicious actor can iterate through many addresses. Generally for things like per-IP ratelimiting, you treat a whole IPv6 /64 subnet like you would treat a single IP address.
17 comments
[ 3.1 ms ] story [ 45.3 ms ] thread“You can use this hash to link requests from the same source, without identifying your users by IP address”
So perhaps it is/will be possible to take actions against bad IPs.
2) Your product is user privacy related and you want to state truthfully you do not record user IP addresses anywhere on your end (such as nginx logs that you may still need to debug issues in production).
It was true some years ago in France (a law from 2011 says you must keep 1 year of logs for user posting content on your website [1]), and it’s the big question I am asking myself for several months with GPRD comming.
Everyone I ask had its own way of seeing it and I’m confused.
[1] https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFT... (in French, article 3)
Edit: found the law
For that law you referenced,I am not sure it would apply for a network provider as it would for a site-owner (e.g.: VPN or CDN provider vs a website)
I’m not too familiar with IPv6 but would love to improve support for it if the project is deficient somehow.