Why does this forum store IP addresses indefinitely?

If you use the request data thingy, you’ll get a dump with months or even years of past IP addresses.

This is in opposition to the privacy policy, emphasis mine:

We generally store the above information for just a few weeks.

1 Like

Thank you for bringing this up. This seems very invasive to our privacy if it is true. I wonder if anyone on the @team can elaborate?

6 Likes

I wish it would be: “only days that country laws require”.

1 Like

cat girl/boy calling out a serious flaw on a forum like privacy guides? crazy

in all seriousness @jonah, admin of the server, please elaborate on this or maybe update the policy.

3 Likes

No need to be rude!
This is most likely a mistake.
I bet they handle the logs fine, but Discourse is probably maintaining its own records in its database and was overlooked.
I’m sure they’ll fix it.

edit: I also wouldn’t be surprised if most other Discourse forums do this, so maybe check your exports on other sites and report to them if they do?

3 Likes

Good question! This data is used by Discourse (the software, not the company of course) to protect your account by detecting suspicious logins and to generate reports of suspicious logins for admins to view.

How this data is stored and for how long is detailed in our current privacy policy. Your IP address is stored as account data:

If you follow the link in this table for more information, account data is stored per this statement:

Privacy Guides stores this account data as long as your account remains open.

That is quite ambiguous.

That doesn’t justify keeping IP addresses older than a year at all.
Can you please trim it down to at least six months maybe?

Also does this mean basically every Discourse forum is doing this indefinite logging? Why has PG never made a PSA about that?

2 Likes

I am a bit confused here.

“as long as your account remains open” does not seem either ambiguous or indefinite.

3 Likes

it should explicitly state that every IP address ever used to sign in is stored.
Obviously posts would stay forever, it doesn’t make that clear that IP addresses are too. Just because it says “Email Address, IP Address”, most people wouldn’t assume that they’re all stored for the same lengths of time.

edit: My biggest concern is that Discourse is a very heavy and complex web app.
It is inevitable that someone finds a security issue and uses it to dump the database of many instances. Years of IP addresses should be considered toxic waste and handled correctly.
e.g. here is one: “Potential Backup file leaked via Nginx” (discourse/discourse security advisory on GitHub)

1 Like

You should assume everything listed in that table is stored for the amount of time stated in the privacy policy, which is why it is written 🙂

All this being said, while it is documented and does serve a legitimate purpose, I do think on our end we will be fine with cleaning up most of this data, so I can make a change here…

This is default Discourse behavior, and other forums may have more complex needs than our own when it comes to spam prevention, so yes I would assume that other forums keep this data and will not be willing to[1] clean it up for active users like we are now doing.


  1. or able to, if they’re one of the forums using Discourse’s cloud hosting service, but those forums probably didn’t care about your privacy anyways.

7 Likes

It is hard for my smol autistic cat brain to understand these things when they aren’t spelled out. I hope it can be clarified for those who are in the same boat.

2 Likes

I don’t understand:

  1. Why is it acceptable to store IP addresses for a privacy forum? (to track where I live or lived)
  2. How does an IP address help in any way for anything good rather than to track? One can change IP address anytime, so why do you need to know the past?
  3. Why does the software you are using have no options for administrators to opt out or limit the time of storage?

1 Like

The security threats on the internet do not change based on the type of content you serve:


It does:

I should additionally note that this change has already been made, which you should see reflected in your account data archives.

12 Likes
6 Likes