
GDPR Compliance, use hashed IP addresses / user names #72

Open
bpcurse opened this issue Apr 24, 2019 · 5 comments
Labels
1. to develop bug Something isn't working

Comments

@bpcurse

bpcurse commented Apr 24, 2019

Congratulations to another very interesting and sophisticated app in the nextcloud ecosystem! Thank you for your efforts.

But it might be objected that this app is not GDPR compliant at the actual development stage, regarding Art. 5(1)(c).

After what I could see from the database entries, this app saves usernames, IP addresses (both unhashed) and login dates. As long as it is technically possible to work with hashed IP addresses and probably hashed usernames, too, I do not think it is legally compliant in the means of ‘data minimisation’.

@ChristophWurst ChristophWurst added 1. to develop bug Something isn't working labels Apr 24, 2019
@rullzer
Member

rullzer commented Apr 24, 2019

It is not really possible to work without hashed ips. As the algorithm uses the actual ip layout to learn the structure.

For now your only option is then to not enable the app.

@bpcurse
Author

bpcurse commented Apr 24, 2019

@rullzer Thanks for your fast reply :)

ip addresses

From a legal view: If it is technically impossible or if there is no other way to reach the desired outcome or if it takes extreme effort to use hashed ip addresses for this purpose, it should be ok to use unhashed ip addresses, as long as the privacy statement is consequently altered to reflect the situation and inform the user (assuming a typo in "It is not really possible to work without hashed ips.").

Alternate proposal: Would it be possible and sufficient to simply strip the last octet on ipv4 addresses?

user names

Although hashing the user names would have only a limited effect at first (an admin could compare all hashes taken from the user table), it should be done from a legal compliance view and it would have the advantage that, after deleting a user, the data could probably remain stored for training purposes as it is de facto anonymized (assuming the user name is consequently wiped from all db tables - including other apps - after account deletion).

@j-ed

j-ed commented Nov 14, 2019

> It is not really possible to work without hashed ips. As the algorithm uses the actual ip layout to learn the structure.
>
> For now your only option is then to not enable the app.

I thought this app should be a tool for an administrator to identify suspicious logins so that he's able to block these attempts or lock a problematic account etc. How should this be possible without knowing the ip addresses or a user name? Without valuable output this app would only provide a nice graph without further value.

@ChristophWurst
Member

Nope, it's for the users. They get the notification. In any case you can still hash the UIDs if you also hash the UID when a user logs in. Of course this assumes that a hash function is used that always produces the same output for a given input.

@rullzer
Member

rullzer commented Nov 14, 2019

Of course, if you hash them uniquely enough. But if it is unique enough then guessing/calculating the ips is not too hard.

Take ipv4 as an example.
If you hash this with md5 already, it is very likely that for the majority of the servers there are no collisions.

For me to iterate all ip addresses (or likely ip addresses) to see if they match up is not that hard. Takes some time but is rather straightforward.

The 'easier' thing is to maybe have a setting in the admin where you can choose. You could drop the least significant octet (or just a few bits?) without losing all functionality, and still anonymize a bit more.
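An added example, not code from the suspicious-login app or from anyone in this thread, that makes the two points above concrete: an unkeyed MD5 of an IPv4 address is recoverable by hashing every address in a candidate range, whereas dropping the low bits (the last octet, or fewer bits) leaves 2^(32-k) real addresses behind each stored value. The addresses are constructed documentation-range values; `hash_ip`, `mask_ipv4`, `anonymity_set_size` and `invert_hash` are names chosen here, not the app's.

```python
import hashlib
import ipaddress
from typing import Optional


def hash_ip(ip: str) -> str:
    """Unkeyed MD5 of the textual address, the scheme discussed in the thread."""
    return hashlib.md5(ip.encode("ascii")).hexdigest()


def mask_ipv4(ip: str, keep_bits: int = 24) -> str:
    """Zero the low (32 - keep_bits) bits. keep_bits=24 drops the last octet;
    keep_bits=28 drops only the low four bits, as the "just a few bits" idea."""
    if not 0 <= keep_bits <= 32:
        raise ValueError("keep_bits must be between 0 and 32")
    net = ipaddress.ip_network(f"{ip}/{keep_bits}", strict=False)
    return str(net.network_address)


def anonymity_set_size(keep_bits: int) -> int:
    """Number of real IPv4 addresses that share one masked value."""
    return 2 ** (32 - keep_bits)


def invert_hash(target_hash: str, candidate_range: str) -> Optional[str]:
    """Walk a candidate range (a /24 here; the whole IPv4 space is only 2**32
    values) and return the address whose unkeyed hash matches the stored one."""
    for addr in ipaddress.ip_network(candidate_range):
        if hash_ip(str(addr)) == target_hash:
            return str(addr)
    return None


if __name__ == "__main__":
    # Constructed sample: one stored login row with a hashed client address.
    stored = hash_ip("203.0.113.77")
    print("recovered:", invert_hash(stored, "203.0.113.0/24"))
    print("masked /24:", mask_ipv4("203.0.113.77"), "set size", anonymity_set_size(24))
    print("masked /28:", mask_ipv4("203.0.113.77", 28), "set size", anonymity_set_size(28))
```

Two clients in the same /24 collapse to the same masked value, which is exactly the information loss the anonymity set buys; the hashed form keeps them distinct but also keeps them recoverable.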
