View Issue Details

This bug affects 1 person(s).
 14
IDProjectCategoryView StatusLast Update
15997Feature requests_ Unknownpublic2023-02-08 17:15
Reporterollehar Assigned Topstelling  
PrioritynoneSeverityfeature 
Status resolvedResolutionfixed 
Summary15997: Anonymize IP address
Description
Create option: "Anonymize IP address" below Save IP address.
Anonymize IP address should be available in survey global settings, as well as in survey group settings and for every single survey (sidemenu settings "Notification & data")
Inheritance has to work
This function works only if "Save IP address" is enabled.

This should anonymize an IP address to a /24 subnet (IPv4) or a /64 subnet (IPv6)

For instance, the IPv4 address 192.168.178.123 is anonymized to 192.168.178.0.

The IPv6 address 2a03:2880:2110:df07:face:b00c:0:1 is anonymized to 2a03:2880:2110:0:0:0:0:0 (changing the last 5 blocks to 0)

TagsNo tags attached.
Bug heat14
Story point estimate
Users affected %

Users monitoring this issue

There are no users monitoring this issue.

Activities

pstelling

pstelling

2020-04-03 11:23

developer   ~56923

New Feature 15997: Anonymise IP address

ollehar

ollehar

2020-04-07 14:40

administrator   ~57006

Test

jelo

jelo

2020-04-07 14:47

partner   ~57007

Depending on how the IP Anonymize feature is promoted, it might need some further thinking.
The removement of the last numbers will not be anonymous enough to be valid under GDPR.
You might need to extend the feature to just "Hash IPs". That way you have the same hash for the same user, but not a IP fragment to be identified. Think about a survey where the users are saved with IP-Blocks (which are owned by companies). Or fixed IPs in Logfiles.

So be a bit cautious about promoting that feature ;-)

c_schmitz

c_schmitz

2020-04-07 16:58

administrator   ~57008

How will this not be anonymous enough to be valid under GDPR? Do you have any reference for this?

Anonymized IP's pointing to a company block is still not personal information, only a single ip address is.

Hashing IPs is also not anonymization, but pseudonymization - as it is not safe because you can use rainbow tables to revert it.
To make it safe you would need to include a salt which defies the whole process as you cannot compare two salted hashs as they would be different for the same IP address

jelo

jelo

2020-04-07 18:08

partner   ~57012

I was pointed to that ticket as description of the Anon IP functionality. And I should comment directly.
I still don't know the usercase in a surveyproject. You currently can save the IP or not.
Now you allow saving IPs with certain parts removed.

Anonymized IP's pointing to a company block is still not personal information, only a single ip address is
If you have e.g. a survey project with only one person per company, the connection is pretty clear.

I don't like wasting everybodies time. You introduce a IP address obfuscation in LS 4.2 via removing last octet of the IP address.
The survey conductor is responsible to recognize such cases, where the IP address without last octet is still offering enough information to identify the person. Survey data is very hard to clean of clues about a person. A lot harder than e.g. data for Google Analytics.

pstelling

pstelling

2020-04-21 15:11

developer   ~57289

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=29894

ymca

ymca

2020-04-23 01:13

reporter   ~57328

"192.168.178.123" What each number signify?
Is 192 the country number?

From what I've seen here in mamoto it has the option of selecting how many numbers to clear,
and the recommended is "1".
So how much numbers do we need to clear for GDPR, one is good?

jelo

jelo

2020-04-23 02:09

partner   ~57329

@ymca: 192 is no country number. The IP addresses have no concept of special identifier data embedded.
The whole IPv4 space is divided in blocks. A such netblocks can be part of an AS (autonomous system).
which can be identified via databases of the organizations which organized the IP ranges.
There are private databases which try to collected infos about every IP to e.g. geolocate them.
That sometimes work great, but not always.

Some IP-ranges are for special purpose.
Your example 192.168.178.123 is part of the range 192.168.0.0 - 192.168.255.255 and is only for local usage.
You will never find a webserver over the internet with such an IP-address.

To track people via IP you not always need the complete IP-address.
A newer paper about IP-addresses and tracking is "Don’t count me out: On the relevance of IP addresses in the tracking ecosystem
https://hal.inria.fr/hal-02435622

You won't find a clear rule to remove a certain amount of digits. If I have only a few people in a panel from around the globe, a few digits can help me identify them in certain circumstances. It depends on the survey and how much information about respondents is available upfront.

ymca

ymca

2020-04-23 02:47

reporter   ~57330

Thanks jelo.
I'm just worried about users that vote from countries that don't have freedom of vote...

uibklime1

uibklime1

2021-08-04 21:30

reporter   ~65846

Documenting this because it might help someone.... There is a way in Apache 2.4 to pseudonimize IPs and Cookies so that they are logged as hashes. I provided an answer to the relevant question. It's semi-optimized for LimeSurvey. https://serverfault.com/a/1073563/238998

holch

holch

2022-09-13 14:29

reporter   ~71703

I think this feature should not be a different setting to "Save IP address:". Actually it should be just an option of "Save IP address":

  1. Yes
  2. Shortened
  3. No

It is confusing for users to have "Save IP address:" and "Anonymize IP address:". At the very least, if "save ip address" is set to "no", "Anonymize IP address:" should be greyed out / non functional.

uibklime1

uibklime1

2022-09-15 11:53

reporter   ~71763

The point of the truncation feature is to prevent the survey-administrator or site-administrator from blatant GDPR violations and exposure. Any truncation of more than a few subnet-mask bits is sufficient.

But what is the point of the feature to record IPs in the first place?

  1. Geo-tracking. Fine, then generally speaking, truncation to 22 or 24 bits is sufficient.
  2. Participant abuse detection -- a simple way of identifying multiple entries. For this, a cryptohash (with per-survey salt) is best.

I would argue 2 is pointless. If the SA wants to prevent that abuse, they must use tokens.
I would also argue 1 is pointless. Have limesurvey perform the geotracking at the beginning of the survey and record that information and discard the IP address. Geo info is not PII per se.

ollehar

ollehar

2023-02-08 17:15

administrator   ~73758

Hm any new database columns that should be documented?

Related Changesets

LimeSurvey: master dcabf886

2020-04-03 11:06:39

pstelling

Details Diff
New Feature 15997: Anonymise IP address Affected Issues
15997
mod - tests/unit/models/IpAddressAnonymizerTest.php Diff File

LimeSurvey: master 34ad9d1c

2020-04-03 11:06:39

pstelling

Details Diff
New Feature 15997: Anonymise IP address Affected Issues
15997
mod - tests/unit/models/IpAddressAnonymizerTest.php Diff File

LimeSurvey: master df4bffb5

2020-04-06 12:18:33

pstelling

Details Diff
New Feature 15997: Anonymise IP address Affected Issues
15997
mod - application/helpers/update/updatedb_helper.php Diff File

LimeSurvey: master 9f728b4b

2020-04-06 12:18:33

pstelling

Details Diff
New Feature 15997: Anonymise IP address Affected Issues
15997
mod - application/helpers/update/updatedb_helper.php Diff File

Issue History

Date Modified Username Field Change
2020-03-18 12:33 ollehar New Issue
2020-03-18 12:33 ollehar Status new => assigned
2020-03-18 12:33 ollehar Assigned To => pstelling
2020-04-03 11:18 pstelling Description Updated
2020-04-03 11:23 pstelling Status assigned => resolved
2020-04-03 11:23 pstelling Resolution open => fixed
2020-04-03 11:23 pstelling Note Added: 56923
2020-04-07 14:40 ollehar Note Added: 57006
2020-04-07 14:41 ollehar Status resolved => ready for testing
2020-04-07 14:47 jelo Note Added: 57007
2020-04-07 16:58 c_schmitz Note Added: 57008
2020-04-07 18:08 jelo Note Added: 57012
2020-04-21 15:11 pstelling Changeset attached => LimeSurvey master df4bffb5
2020-04-21 15:11 pstelling Changeset attached => LimeSurvey master 9f728b4b
2020-04-21 15:11 pstelling Changeset attached => LimeSurvey master dcabf886
2020-04-21 15:11 pstelling Changeset attached => LimeSurvey master 34ad9d1c
2020-04-21 15:11 pstelling Note Added: 57289
2020-04-23 01:13 ymca Note Added: 57328
2020-04-23 02:09 jelo Note Added: 57329
2020-04-23 02:47 ymca Note Added: 57330
2021-08-04 21:30 uibklime1 Note Added: 65846
2021-08-04 21:30 uibklime1 Bug heat 10 => 12
2022-09-13 14:29 holch Note Added: 71703
2022-09-13 14:29 holch Bug heat 12 => 14
2022-09-15 11:53 uibklime1 Note Added: 71763
2023-02-08 17:12 ollehar Status ready for testing => resolved
2023-02-08 17:15 ollehar Note Added: 73758