Post AcsHIu9DFAB2Ud5jma by kly@fosstodon.org
(DIR) Post #AcsFFMRXto2xBSqiS8 by brewsterkahle@mastodon.archive.org
2023-12-16T17:26:54Z
0 likes, 0 repeats
Is a user's IP address personally identifiable information (PII)? If IP addresses are personally identifiable (often are), then almost all websites collect 'PII', and even send it to 3rd parties like Google Analytics. (The @internetarchive takes measures to not collect IP addresses for this reason, but we are an exception) If IP addresses are PII, then many many well meaning websites are not accurate in their privacy policies. For instance: https://www.arlingtoncemetery.mil/#/ What should we do?
(DIR) Post #AcsGHnJX46Ob3UpE6i by gabehcuod@ioc.exchange
2023-12-16T17:30:18Z
0 likes, 0 repeats
@brewsterkahle @internetarchive Yikes.
(DIR) Post #AcsHIu9DFAB2Ud5jma by kly@fosstodon.org
2023-12-16T17:40:07Z
1 likes, 0 repeats
@brewsterkahle @internetarchive We find that even "anonymized" IP addresses usually need to be treated as PII. Though quantity and duration matter a lot as to how sensitive it really is. For example, if all you know is when an IP is active over a period of time, it's not difficult to correlate that with real life behaviour and it doesn't matter if it's "hashed"/"anonymized" or not. I feel there's a surprising amount of nuance here, and it's usually best to err on the side of caution.
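Added example (not part of kly's post or of the thread): a Python sketch of the point made above, that a hashed IP stays a stable pseudonym whose activity times can still be profiled, shown next to one mitigation, a keyed hash of the truncated address under a key that rotates daily. The log records, the function names and the /24 truncation are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample records (date, hour, client IP). The addresses come from
# the RFC 5737 documentation ranges; this is not real traffic.
LOG = [
    ("2023-12-11", 7, "203.0.113.7"), ("2023-12-11", 22, "203.0.113.7"),
    ("2023-12-12", 7, "203.0.113.7"), ("2023-12-12", 13, "198.51.100.20"),
    ("2023-12-13", 7, "203.0.113.7"), ("2023-12-13", 22, "203.0.113.7"),
]

def static_hash(ip, day):
    """'Anonymized' IP as an unsalted hash: same IP, same token, forever.
    The day argument is ignored; it is only here to share a signature."""
    return hashlib.sha256(ip.encode()).hexdigest()[:12]

_daily_keys = {}  # a real deployment keeps only today's key and discards it at rotation

def rotating_token(ip, day):
    """Keyed hash of the /24 prefix under a random key that changes every day."""
    key = _daily_keys.setdefault(day, secrets.token_bytes(32))
    prefix = ".".join(ip.split(".")[:3]) + ".0"
    return hmac.new(key, prefix.encode(), hashlib.sha256).hexdigest()[:12]

def activity_profiles(records, tokenize):
    """Map each stored token to the (day, hour) pairs at which it was seen."""
    seen = defaultdict(list)
    for day, hour, ip in records:
        seen[tokenize(ip, day)].append((day, hour))
    return dict(seen)

def max_days_linked(records, tokenize):
    """Largest number of distinct days attributable to one stored token."""
    profiles = activity_profiles(records, tokenize)
    return max(len({day for day, _ in hits}) for hits in profiles.values())

if __name__ == "__main__":
    print("static hash :", max_days_linked(LOG, static_hash), "days linkable")
    print("rotating key:", max_days_linked(LOG, rotating_token), "day(s) linkable")
```

The rotating scheme only limits linkage across days; activity within a single day still groups under one token, so retention period and what else is logged next to the token still matter.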
(DIR) Post #AcsIKXaECwpx2p4W5w by aeinstein@infosec.exchange
2023-12-16T17:50:10Z
1 likes, 0 repeats
@brewsterkahle @internetarchive Indeed. That's the reason why websites in Europe should NOT use services like: Google, CloudFlare, Akamai, Facebook integration or pixel, X/Twitter integration, and so on. But they do. Including States' institutions. Because regulators AND web devs are idiots and incompetent. Cheers.
(DIR) Post #AcsPj0YcpkBzXFw6TY by kravietz@agora.echelon.pl
2023-12-16T19:25:09.680053Z
0 likes, 0 repeats
@brewsterkahle In EU legal discussions, whether IP is PII is largely context-dependent and usually defined functionally: that is, an IP is PII if this particular IP can be linked to a particular person. In such an interpretation, keeping the client IP alone in your web server logs for a week wouldn't constitute PII processing simply because you are unable to link a random publicly routable IP to a person based on its request to /articles/how-to-boil-eggs alone. And it is context-dependent, because it would be a different case if a single IP continuously makes requests to /users/john-smith1/login… @internetarchive
(DIR) Post #AcsQT1bnG2vg7GMQ0e by darkware@infosec.exchange
2023-12-16T19:25:29Z
0 likes, 0 repeats
@brewsterkahle @internetarchive even for services like yours that claim to not collect IPs, I by default assume that said statement is not true even if it is true and then act accordingly in terms of whether or not I hide myself.
(DIR) Post #AcsQwZQ6cu7fNWyx8a by dave_cochran@infosec.exchange
2023-12-16T19:26:06Z
0 likes, 0 repeats
@brewsterkahle @internetarchive "Is a user's IP address PII?" I don't think we can answer that with a blanket yes/no the way we used to be able to. Cell phone IP? probably PII. laptop/tablet? mixed odds. desktop? way more likely, but still not a guarantee. non-traditional-computer "device" (fridge, roomba, thermostat, etc)? ....probably not.
(DIR) Post #AcsRFriYovWjd6oZwu by pascaline@mastodon.nl
2023-12-16T19:26:22Z
0 likes, 0 repeats
@brewsterkahle Yeah... It's quite bad with Google Analytics as a ubiquitous annoyance. Years ago I understood our school is kind of a unicorn for not using it and never using it in the past. Privacy is important to us and no information has ever been shared or sold. Some clients are very private and work for high-end companies so that's a safe bet. Especially in Europe 😊 @internetarchive
(DIR) Post #AcscAc9wL08ZQMJtr6 by dalias@hachyderm.io
2023-12-16T21:35:49Z
0 likes, 0 repeats
@brewsterkahle @internetarchive As site operators, set logfile=/dev/null.
(DIR) Post #AcscgsYut6TtYzO5SK by dalias@hachyderm.io
2023-12-16T21:34:20Z
0 likes, 0 repeats
@dave_cochran @brewsterkahle @internetarchive Cell phone IPv4 is a CGNAT gateway and has very low PII content - it's shared by a large number of users and changes often. Laptop/desktop is likely real DHCP provided IP that's effectively static (long lease) unless you turn off your router for extended periods, thus is very much PII.
(DIR) Post #AcscgtXXFiyEazkUwS by dave_cochran@infosec.exchange
2023-12-16T21:45:44Z
0 likes, 0 repeats
@dalias @brewsterkahle @internetarchive PII is by definition and necessity able to be used to identify a single person. If more than one person has access to/uses a laptop/desktop computer, it ceases to be (guaranteeably) PII. Reasonable arguments can be made ("Okay so it was either the six year old or the 30 year old who was looking up [list of bad things here], which do we think is more likely?"), but if it can't immediately identify A person, it's not PII anymore.
(DIR) Post #AcscguGYYKz0qcoS7E by dalias@hachyderm.io
2023-12-16T21:48:30Z
1 likes, 0 repeats
@dave_cochran @brewsterkahle @internetarchive That is *not* the definition of PII. That aside - even if we grant your wrong definition - you don't know if more than one person uses it, so you have to assume not. Moreover, even if more than one person does, additional data you also possess, like time of day, may uniquely identify a person.
(DIR) Post #AcscgvancYlmxhI8J6 by dalias@hachyderm.io
2023-12-16T21:41:40Z
0 likes, 0 repeats
@dave_cochran @brewsterkahle @internetarchive With that said, however, mobile carriers *may* be keeping CGNAT mapping logs, in which case IP+port+timestamp could be used to de-anonymize with carrier's cooperation.
(DIR) Post #AcscxQpjEhYoUF906a by KasTasMykolas@river.group.lt
2023-12-16T21:41:12Z
0 likes, 0 repeats
@brewsterkahle @internetarchive *sigh* in some countries (maybe most?) the police treat an IP address as PII. And even more, as concrete evidence and a precise way to identify the person. Which... sometimes leads to really shitty cases and totally unrelated people being brought before a judge while their personal computing devices are taken and locked up as evidence for months *sigh*