Why are you logging IPs?¶
The default on most systems is for services to log useful information, included in that information is often IP logs, identifying the individual who are using the service. You keep this data on your systems until it is rotated. This information is useful for debugging, analysis, dealing with abuse and finally for law enforcement who are looking for evidence of crimes.
You do not need to keep this data, but if you do have it, you can be legally compelled to turn it over to the authorities on request. You actually rarely need this data, and when you do need it, you can often temporarily enable it so you can debug a problem and only when that problem happens. Rather than storing this data, acting as a deputized agent of the state, collecting and storing these digital trails, why are you logging IPs?
It turns out it is very easy to stop logging IPs! See below for different ways to do this.
Different types of services¶
Different services require you to take different actions to add an anonymization/privacy layer. What action you take depends what services you are providing, and what your policy perspective is.
Note: We do not provide any techniques for writing data to disk, and then scrubbing it later. This technique is dangerous because the window between writing that data to disk, and then scrubbing it is one where you are taking a significant risk with your user’s privacy.
System Logging¶
Here are patches and details for how to configure various system loggers (syslog-ng, dsyslog, etc.) so that they will strip out personally identifying information before they are written to disk. This allows you centralized, fine-grained control over all system logging. Using this technique is one of the most effective, broad strokes that you can take to anonymize many disparate parts of your system all at once.
Mail¶
In the mail section, we provide both patches as well as configuration options for Postfix and Qmail to allow authenticated SMTP without including the user’s home IP address in outgoing mail, as well as for Postgrey to add the capability to store the IPs and emails in the greylisting database using a one-way SHA-1 hash function instead of clear-text tuples.
Apache¶
Information about how to keep Apache from logging IP addresses (it is harder than you might think).
Webmail¶
Patches to IMP and Squirrelmail to prevent them from including the user’s home address in outgoing mail. As well as a security plugin for Squirrelmail.
Mailman¶
How to anonymize Mailman a bit.
Postgrey¶
A way to enhance postgrey to store the IPs and emails in the greylisting database using a one-way SHA1 hash function, instead of in clear-text. This will defeat straight-forward attempts to retrieve mail user behaviors. The goal is to give the system administrator the means to implement their site-logging policies by allowing them easier control over the privacy behavior of what information postgrey gathers.
See also / References¶
- EFF’s Best Practices for Online Service Providers
- EPIC’s International Data Retention Page
- Working paper on Usage Log Data Management from the Computers, Freedom, and Privacy conference