GDPR: Storing of IP Addresses / PI

[christopherdarling]

Because we're storing the IP address of a logged in member (not just CMS members), has GDPR compliance been considered? I would have thought we should have a warning somewhere about this new functionality, maybe even just in the changelogs so people can update their privacy policy accordingly...

PRs

• https://github.com/silverstripe/silverstripe-framework/pull/10844/
• https://github.com/silverstripe/silverstripe-session-manager/pull/161
• https://github.com/silverstripe/silverstripe-session-manager/pull/150

[maxime-rainville]

Off the top of my head, I don't remember us pondering this question. There is a task to periodically purge old sessions ... however I'm not sure to what degree this mitigates GDPR concerns.

This modules is somewhat CMS user focus. We didn't look at how this would impact users, that don't have back end access.

If your use case requires users to register to gain access to front end features, you probably have broader GDPR concerns that go beyond just logging IP addresses.

Our general approach has been to put compliance with local laws back on project owners ... which is admittedly unsatisfying. At the same time we are not lawyers and we can't possibly foresee all the possible interactions of use cases.

Steps we could take:

• Provide explicit documentation to let project owners know about the IP address tracking implication of using this module,
• Provide some alternative middleware that allows users without CMS access to bypass the session manager logic
• Use a one way hashing function to hash the IP address before we store it in the DB. That might still be problematic because it allows us to finger print the user ... which is the entire point of storing the IP in the first place.

[lekoala]

Ah i missed that one as well, never realized there was a task to clean this up... just added that feature in my simple-jobs module https://github.com/lekoala/silverstripe-simple-jobs

I think it would be great to have at least a configuration option to avoid storing the ip, or allow anonymization of the ip (eg: https://symfony.com/blog/new-in-symfony-4-4-ip-address-anonymizer)

[GuySartorelli]

@lekoala Have you had a chance to look at creating a new PR for the anonymisation of the IP address? I'm happy with the IPUtils PR but I'm not going to merge it until there's something in a core or supported module that wants to use it.

[lekoala]

@GuySartorelli yes it would go something like https://github.com/silverstripe/silverstripe-session-manager/pull/161 didn't fully reviewed, but you can check if that suits you

i think it's less urgent than:

• fixing the currently broken unit tests https://github.com/silverstripe/silverstripe-session-manager/pull/155
• fixing LastAccessed being updated on each requests, creating quite a slow down https://github.com/silverstripe/silverstripe-session-manager/issues/149
• fixing GarbageCollector not collecting everything (crashing for large number of records, not collecting permanent sessions not linked to a remembermeloginhash) https://github.com/silverstripe/silverstripe-session-manager/issues/154 & https://github.com/silverstripe/silverstripe-session-manager/issues/160 & https://github.com/silverstripe/silverstripe-session-manager/issues/153