Ok, as far as I can see, removing last_sign_in_ip and current_sign_in_ip from users doesn't hurt mastodon at all. Can you confirm, @Gargron? Because then I'm just going to start a cronjob that wipes these columns every five minutes or so, and then we'll be as close to not storing IP addresses on chaos.social as we can be.


@rixx Sorry but isn't there a German law that even requires you to store IPs for a time? In any case, with shared and dynamic IPs, they are hardly PII. Yes, you could wipe those columns but if you ever get a vandal making alt accounts it'll be harder to deal with that.

@Gargron @rixx only if you're an ISP afaik and even then only if you're of a certain size #IANAL

@Gargron Registrations are closed, so vandals are not an issue currently.
If mastodon gave me an option to store anonymised IP addresses instead, I'd consider it, but I'm very sure I'm not legally bound to store IP addresses.
Running a cronjob against the database is obviously not optimal, but it's better than nothing.

@rixx OK. Check the Security page too though, the IPs of logged-in sessions are important to the end-user, I believe.

@Gargron Important how? I deleted mine with no issues occurring, and I can't see that they are accessed in any meaningful way in the code.

@rixx Important as in I wanna know who logged into my account from where to be sure that it's all me - a lot of other services provide similar information.

@Gargron Ohhh, so mastodon logs way more than just last_sign_in_ip and current_sign_in_ip.

I feel that this feature should be based on a per-user decision, with the options "log", "don't log" and "anonymize".

@Gargron I get the desire to have this information available, but I also get that people don't want this (why would Mastodon need to retain the IP address I used on some browser a year ago, they say) – so at least offering an opt-out would be good.

@rixx If you're not using a session you can revoke it from that same page and its data is gone instantly.

@Gargron Right, and that's good, but if I'm a user who doesn't want past session IPs saved, I need to check that page on every login, which isn't good – a setting to avoid this would be very appreciated.

@rixx but then you'd only be able to use mastodon from one device (the latest one)

this isn't a login history, these are active sessions

@Gargron But why do sessions need to be IP bound? I mean, if I take my device to a different network, I don't need to sign in again, so IP addresses can't be a distinguishing feature for sessions.

If I were to manually remove only the IP addresses from the sessions, I'd still be able to use that session, no?

@Gargron @rixx Users that (have to) connect over Tor (or other anonymization tech) will change their appearing IP regularly.
Same for mobile devices on GSM networks as they move between cells. (The time when we had a single legacy IP per device is long gone.) Today carriers use carrier-grade NAT, IP pools, etc.
Changing IPs are the norm.

In my personal opinion, IPs as part of the session information cause unnecessary logouts → bad UX. Negligible security gain.

@MacLemon @Gargron No, this is not the case – the IP address is only there as additional information, the log in is not bound to it.

@rixx @Gargron Ok, then I see even less than no need to store it anywhere. Thanks for the detail.

With regards to IPs being PII, the GDPR views IPs explicitly as such. (There's no need in arguing that this doesn't make a lot of sense from a technical point of view in most cases.)
Since GDPR and other related laws also mandate data-storage minimalism (for more than 20y) and there's no technical reason to keep it, there's no legal requirement to keep it, get rid of it.

@MacLemon @Gargron Also, for non-technical users IP addresses are not helpful at all. Other services mostly show/store geo information, which is way less identifiable. Would that be an alternative for you? Seeing a "session x, last used 4 months ago, from Vienna, Austria" would be more helpful and less identifiable.

@rixx @Gargron That could also take into account, for example Tor, as a separate country. (Country = “Non disclosed location”). (Would require hourly updates of the Tor network IPs to be accurate, but that's hardly a problem.)

@MacLemon @rixx @Gargron Idea: Implement a button in the profile to switch on/off super-privacy mode. It could then refrain from saving IPs at all for that user, and we make this the default?

@xpac Why not make that super-privacy mode the default, call it normal and name the other mode that leaves an IP trail “IP tracking mode”?
Privacy should be by design and by default for everyone as a respecting sane choice. Why force instance operators to store information they don't want, have no legal grounds, and no technical necessity to store them at all?
@rixx @Gargron

@Gargron @rixx For this kind of check, it would be enough to store and show a prefix of each IP address – as done by Matomo, or even GoogleAnalytics if you use the anonymizeIP option: support.google.com/analytics/a

@rixx @Gargron plus, you could store hashed IP addresses. That would still let you potentially deal with vandals, while protecting user privacy.

@rysiek @Gargron Especially considering that IPv4 addresses are easily enumerable, I feel that hashing wouldn't add much value.
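The two ideas from the posts above (store only an address prefix, or store a hash) side by side, as an added example that is not code from Mastodon or from any participant in this thread. The prefix lengths (/24 for IPv4, /48 for IPv6), the choice of a keyed hash, and the sample addresses are assumptions made for the illustration; the keyed variant is included because, as the last post points out, an unkeyed hash of an IPv4 address can be reversed by hashing all 2^32 candidates.

```python
import hashlib
import hmac
import ipaddress

# Assumed prefix lengths: /24 leaves 256 IPv4 hosts indistinguishable,
# /48 drops the subnet and interface bits of an IPv6 address.
IPV4_PREFIX = 24
IPV6_PREFIX = 48


def anonymize_ip(raw_ip: str) -> str:
    """Return raw_ip with its host bits cleared (the "store a prefix" option).

    This is lossy by design: the stored value can never be turned back into the
    original address, and the 'last used from' display still works at the level
    of a network rather than a single host.
    """
    addr = ipaddress.ip_address(raw_ip)
    prefix = IPV4_PREFIX if addr.version == 4 else IPV6_PREFIX
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def same_network(ip_a: str, ip_b: str) -> bool:
    """True when two addresses share the stored prefix (the kind of coarse
    comparison that is still possible after anonymization)."""
    return anonymize_ip(ip_a) == anonymize_ip(ip_b)


def keyed_ip_hash(raw_ip: str, secret: bytes) -> str:
    """Return an HMAC-SHA256 of the packed address under a server-side secret.

    A plain sha256(ip) is weak for IPv4 because the whole address space is small
    enough to hash exhaustively; the secret key removes that shortcut for anyone
    who obtains the table but not the key. The result is still a stable
    pseudonym for the address (the same address always maps to the same value),
    so it is linkable across sessions and remains personal data, it is just not
    directly readable.
    """
    addr = ipaddress.ip_address(raw_ip)
    return hmac.new(secret, addr.packed, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    # Constructed sample addresses from documentation ranges.
    for ip in ("203.0.113.77", "2001:db8:1234:5678::1"):
        print(ip, "->", anonymize_ip(ip))
    print(same_network("203.0.113.77", "203.0.113.200"))
    print(keyed_ip_hash("203.0.113.77", b"example-secret"))
```

The prefix form is the one that actually answers the objection about enumerable IPv4 addresses: whatever is stored was never the full address, so there is nothing to brute-force back. The keyed hash only raises the cost of reversal and must keep the key out of database backups to do even that.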

@rixx @Gargron I currently do something like this with exim, because the only other alternative is recompiling the package. Not storing IP addresses unless you absolutely have to is a good idea.

@Gargron That German law (Vorratsdatenspeicherung, or VDS) is currently on hold after high courts of the EU and Germany decided that it is, well, unlawful. @Digitalcourage and others have taken this to the constitutional court to reach a final verdict which is expected this year. Currently, no German ISP we know of practices VDS.
