IP Address GDPR/PII Compliance

[9mido]

Noticed some other issues and pull requests on this package regarding IP address and tracking locations.

You might be able to ignore the encryption/decryption if your linux server is secured.

Although these are great ideas and helpful for security, IP address falls under GDPR / PII laws and just keeping this tracked in the database somewhere violates these laws. To resolve this, encrypting the IP address is needed or simply do not track it at all (give users the option to do it with a setting rather than doing it by default). Decrypting this would be needed for site administrators to do something specific with a suspicious hacker IP address.

The django-fernet-fields package encrypts and decrypts fields with the SECRET_KEY in settings. Others like django-pgcrypto-fields use the postgres pgcrypto extension to encrypt the field and users could decrypt it with a database query. It would be nice for this package to have this built in without needing to rely on these other packages and overriding the app.

You need to be able to get the real IP address of the client even if the server is behind cloudflare or a load balancer. You don't want to block people if they are behind the same cloudflare IP address then everyone on your site will be blocked/rate limited which is bad. There is also the issue of IP spoofing where a malicious user could fake their IP address.

These are just some ideas. Looking forward to hearing what everyone else thinks.

[dmpayton]

I was in the middle of writing a big ol' reply, when I realized I was just rambling. Suffice it to say that I'm not very up to speed on GDPR and have never had to really think about navigating it's rules.

Any encryption solution would need to be database agnostic. Most of us are probably using Postgres, but I don't want to limit us to just Postgres, ya know?

I think I might be in favor of a setting that controls whether or not IP addresses are logged in the database. LoginAttempt.ip_address is already blank=True, so there would be no need for a migration. Is that enough, or would it still be recommended to include some sort of en/decryption functionality?

Do you know of any resources that provide a solid tl;dr for GDPR and tracking IP addresses? Bonus points if it touches on logging IP addresses in security scenarios.

[9mido]

I agree. A setting for enabling/disabling logging of the IP address would probably be best.

Google Analytics is a good example of IP anonymization.

The top links are not tl;dr but some links like the checklist, stackexchange, and reddit are.

https://gdpr.eu/

https://gdpr-info.eu/

https://gdpr.eu/checklist/

https://www.gdpreu.org/

https://www.gdpreu.org/the-regulation/key-concepts/personal-data/

https://law.stackexchange.com/questions/28603/how-to-satisfy-gdprs-consent-requirement-for-ip-logging

https://www.cookieyes.com/ip-anonymization-in-google-analytics-for-gdpr-compliance/

https://www.reddit.com/r/gdpr/comments/rmf11b/is_storing_a_users_ip_address_to_prevent_spamming/

https://www.reddit.com/r/gdpr/comments/8icg2j/can_i_still_store_ip_addresses_in_a_database/

https://www.reddit.com/r/gdpr/comments/b3w5pt/ip_addresses_and_pseudonymisation/

https://www.reddit.com/r/gdpr/comments/8bku21/firewall_logs_contain_ip_addresses_counts_as/

[Carewen]

This might be worth getting a legal opinion on from a GDPR expert. I am no expert or lawyer, but I have worked quite closely with a couple of privacy frameworks in a professional capacity.

The reason I suggest this is that tracking IP data in this context should not qualify as PII (Personally Identifiable Information). In other words, this IP is not associated with customer/public information related to the services/products delivered by the web application.

On one hand, if this is not an issue (which would make sense) then no change is required. On the other hand, if this is an issue, then the law/policy itself is flawed. The notion of not being able to store (being required to encrypt) IP addresses of those attempting to hack your back-end admin login page really speaks to flawed legislation more than anything else.