Full IP address sent by replying to contact mail

Started by on Mar 08, 2018 – Contents updated: Mar 16, 2018

Mar 08, 2018 17:29    

Hello,
In addition to a GDPR data mishap mentioned in another thread concerning IP addresses in replying to a commentator (http://forums.b2evolution.net/avoid-sending-senders-ip-adress-an-e-mail), the IP address also shows up in the notification mail by contact. In case I reply (as suggested) to this notification mail, the notification content with the full IP address will also be delivered. But data protection does not allow - not just since GDPR - tracing full IP addresses. (see fig. below)

So in making b2e GDPR compatible this should be considered. (As mentioned, for me as admin the IP is great information to be able to stop spamming, but this should be kept under covers ;-)

Regards, Will

Please do not publish this comment.

Mar 08, 2018 23:17

Can you provide any link to any law that says it's illegal to record the IP address of a visitor to a website?

If so, we will need to shut down all web servers on the planet because they all record IP addresses in their log files.

And the next step/question would be: can you provide any link to any law that says it's illegal to show their own IP address to someone who wrote to you on your website.

Mar 09, 2018 09:42

@fplanque this is a question of jurisdiction in Europe. Jurisdiction beyond Europe is beyond my scope. You know that e.g. European users of Google Analytics have to make IP addresses anonymous; also Matomo (Piwik) does not provide full IP addresses because of legal matters. IP addresses are meant to be personal data (ErwG Nr. 26 EU-Datenschutzrichtlinie 95/46/EG). (See e.g. https://www.bna.com/ip-addresses-protected-n57982079024/); see also EU's Article 29 Working Party Opinion 4/2007 (https://www.clinicalstudydatarequest.com/Documents/Privacy-European-guidance.pdf). In the upcoming e-Privacy Regulation this is expected to become toughened.
In e.g. Austria one also has to consider §3 TKG. According to §13 Abs. 1 TMG, data subjects must expressly agree to the collection of their personal data by full IP address. … Similar laws exist in Germany (see above link, that quotes a Jurisdiction of the Court of Justice of the EU, addressed by the German Federal Court of Justice) and I suppose also in other European countries collecting full IP addresses is a matter of law regulation.
After the DSGVO and the E-Privacy Regulation become effective, there will be legal proceedings which will resolve open questions (but I don't want to become an example, nor do most of us ;-)
I am sure that lawyers of IT Laws and international right could give you more detailed information on specific laws and regulations.

PS: See how Matomo prepares: https://github.com/matomo-org/matomo/issues/12600
PPS: It is not my intention to snub you or to annoy you. I am trying to take responsibility for my public blogs

Mar 15, 2018 16:20

If we remove all info from the email, there will be no way to find it for spam management.

Shall we replace it with a session ID? Shall we make it clickable to go directly to backoffice? (will only work if you have permission to view sessions)

Mar 15, 2018 19:14

@fplanque … that's what I meant in a previous comment (http://forums.b2evolution.net/avoid-sending-senders-ip-adress-an-e-mail). I appreciate having access to full IP addresses for fighting against Spammers! That is my personal view.
The challenge is to reduce the risk of coming into the focus of data protection authorities. In case nobody despite the admin or anyone with rights at level 10 has access to full IP addresses it could be kept under covers (more or less).

It would be helpful to delete the line showing the IP address in the body of push mails and messages, e.g. of someone who commented or sent a contact mail / message. As admin I can go to the dashboard to see the IP address if needed and the IP could be blocked if necessary as usual. This could IMHO be realized with less effort.

I see no necessity to communicate and publish an IP address in push mails, or in mails at all. What do you think?

Mar 16, 2018 02:27

No, it's a lot of effort to find the correct line in the logs if we delete everything from the emails.

Mar 16, 2018 19:15

A first step could probably be set in commenting out those lines:

skins_email\contact_message_new.html.php
Lines 93-95:


/* show sender IP address
$ip_list = implode( ', ', get_linked_ip_list( NULL, $recipient_User ) );
echo '<p'.emailskin_style( '.p' ).'>'.sprintf( T_( 'This message was typed by a user connecting from this IP address: %s.' ), $ip_list ).'</p>';
*/

skins_email\contact_message_new.txt.php
Lines 58-59:


/* show sender IP address
echo sprintf( T_( 'This message was typed by a user connecting from this IP address: %s.' ), implode( ', ', get_ip_list( false, true ) ) )."\n\n";
*/

or to create a new variable instead of %s (full IP address), e.g. %sm (anonymized IP address like "86.32.00.000").

I am no developer, I am a user and maybe this is not an appropriate work around — it works for me at the first.
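
The masked-address idea from the last post (an address like "86.32.00.000" in place of the full one), as an added example that is not b2evolution code and not part of any post above. `mask_ip_for_email()` and `ip_lookup_tag()` are hypothetical names; the 16-bit/48-bit prefix lengths, the keyed reference tag for finding the matching server-side log entry, and the sample addresses are assumptions constructed for illustration.

```php
<?php
// Added example, not b2evolution code. Function names and $secret are hypothetical.

/** Zero the host bits of an IP before it goes into an e-mail; NULL if invalid. */
function mask_ip_for_email( $ip, $v4_bits = 16, $v6_bits = 48 )
{
	$ip = trim( $ip );
	if( filter_var( $ip, FILTER_VALIDATE_IP ) === false )
	{	// Never echo unvalidated input into a mail body
		return NULL;
	}
	$packed = inet_pton( $ip ); // 4 bytes for IPv4, 16 bytes for IPv6
	$keep = ( strlen( $packed ) === 4 ) ? $v4_bits : $v6_bits;
	$masked = '';
	for( $i = 0; $i < strlen( $packed ); $i++ )
	{
		$bits = max( 0, min( 8, $keep - $i * 8 ) ); // prefix bits kept in this byte
		$masked .= chr( ord( $packed[$i] ) & ( ( 0xFF << ( 8 - $bits ) ) & 0xFF ) );
	}
	return inet_ntop( $masked );
}

/** Keyed tag the admin can recompute over logged IPs to find the matching entry. */
function ip_lookup_tag( $ip, $secret )
{	// Expects an already validated address; the secret never leaves the server
	return substr( hash_hmac( 'sha256', inet_pton( $ip ), $secret ), 0, 12 );
}

// Constructed sample input (documentation address ranges plus one invalid value)
$secret = 'replace-with-a-random-server-side-secret';
foreach( array( '203.0.113.77', '2001:db8:abcd:12:1::5', 'not-an-ip' ) as $ip )
{
	$masked = mask_ip_for_email( $ip );
	if( $masked === NULL )
	{
		echo "(no valid IP address recorded)\n";
		continue;
	}
	// The mail carries only the masked prefix and the reference tag
	echo $masked.' [ref '.ip_lookup_tag( $ip, $secret )."]\n";
}
```

The tag is only meaningful to someone holding the server-side secret, so a reply that quotes the notification forwards a network prefix and an opaque reference instead of the full address.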

