
How should access to IPs of temporary accounts be logged?
Closed, Resolved (Public)

Description

Background

We currently log access every time an IP address is revealed. This log is stored in the logging table and accessible via the wikis. This was done via T325658: Log access to IP addresses of temporary accounts, due to legal requirements.

Logging in this way already presents a security concern: a read request should not cause a log entry to be written, so any request that creates this kind of log entry must not be treated as a read request. See T310393.

We are now considering an auto-reveal feature, where IP addresses are revealed whenever a temp user appears on the page, without the user clicking a button. This presents further challenges, including:

  • Pages that are currently read requests would create this type of log entry on first load (rather than via a separate API request)
  • Creating a lot of noisy logs as users browse the site without necessarily meaning to patrol
  • Violating the privacy of these users, whose page visits unrelated to patroller work could be reconstructed from the log

See also T358853#9602129.

Do we need to log when a user reveals an IP?

It's not clear how these logs would be used (we've heard feedback that a similar log in IPInfo is not used).

We discussed a proposal to only log who has access, rather than logging when an IP address is accessed, with Legal. This was not considered enough information.

This task is to figure out a solution.

Proposal

Our proposal is to use the event logging platform to log whenever an IP address is accessed. The log would be the same as the current log, just accessible via event logging rather than via the wiki.

Questions:

  • Could we do this?
  • How long would this log need to be stored for?

Event Timeline

Thanks @kostajh for the proposal in the task description

Our proposal is to use the event logging platform to log whenever an IP address is accessed. The log would be the same as the current log, just accessible via event logging rather than via the wiki.

From a discussion with Legal, it sounds like using eventlogging would be problematic in that Ombuds access to the logs wouldn't be directly available.

We are now considering an auto-reveal feature, where IP addresses are revealed if a temp user appears on the page, without a user clicking a button. This presents further challenges

I would propose that we wait to deal with that issue if/when we decide to implement auto-reveal.

IMO I think keeping the existing usage of the logging table is OK, along with using the job queue to handle logging on GET requests.
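The job-queue shape proposed in the comment above, written out as an added Python example. It is not MediaWiki code and does not use MediaWiki's job or logging APIs; the LoggingTable, JobQueue and ReadRequest names and the temp-account data are constructed for illustration. It shows why the deferral matters for T310393: the GET handler returns the IP without touching the logging table, the job runner writes the same log entry later outside the request, and a guard makes any synchronous log write during a read request fail loudly.

```python
"""Added example (Python, not MediaWiki code): deferring the IP-reveal audit
log write out of a GET request via a job queue. All names here are
assumptions for illustration; the temp-account data is constructed."""
import time
from collections import deque
from dataclasses import dataclass, field

# Constructed stand-in for the temp-account -> IP store (documentation IPs).
TEMP_ACCOUNT_IPS = {"~2024-17": "203.0.113.7", "~2024-42": "198.51.100.9"}


@dataclass(frozen=True)
class IpRevealLogEntry:
    """Same fields as the existing reveal log: who revealed whose IP, and when.
    The timestamp is captured when the request happens, not when the job runs."""
    performer: str
    temp_account: str
    timestamp: float = field(default_factory=time.time)


class LoggingTable:
    """Stand-in for the wiki logging table."""
    def __init__(self):
        self.rows = []
        self._read_depth = 0  # > 0 while a read (GET) request is being served

    def insert(self, entry):
        # Writing the audit log from inside a read request is exactly the
        # T310393 problem, so treat it as a hard error rather than a silent write.
        if self._read_depth > 0:
            raise RuntimeError("logging table written during a read request")
        self.rows.append(entry)


class ReadRequest:
    """Context manager marking that a GET request is in flight."""
    def __init__(self, table):
        self.table = table

    def __enter__(self):
        self.table._read_depth += 1
        return self

    def __exit__(self, *exc):
        self.table._read_depth -= 1


class JobQueue:
    """Minimal FIFO job queue; jobs are callables taking the logging table."""
    def __init__(self):
        self._jobs = deque()

    def push(self, job):
        self._jobs.append(job)

    def __len__(self):
        return len(self._jobs)

    def run_all(self, table):
        """Job runner: executes outside any request, so writes are allowed."""
        ran = 0
        while self._jobs:
            self._jobs.popleft()(table)
            ran += 1
        return ran


def reveal_ip_sync(performer, temp_account, table):
    """Problematic shape: the GET handler writes the log row itself."""
    table.insert(IpRevealLogEntry(performer, temp_account))
    return TEMP_ACCOUNT_IPS[temp_account]


def reveal_ip_deferred(performer, temp_account, queue):
    """Job-queue shape: build the entry now, enqueue the write, stay read-only."""
    entry = IpRevealLogEntry(performer, temp_account)
    queue.push(lambda table: table.insert(entry))
    return TEMP_ACCOUNT_IPS[temp_account]


def demo():
    """Returns (ip, jobs pending after the GET, jobs run, rows logged, sync_ok)."""
    table, queue = LoggingTable(), JobQueue()
    with ReadRequest(table):
        ip = reveal_ip_deferred("Patroller", "~2024-17", queue)
    pending = len(queue)          # the GET left one job behind, no rows written
    ran = queue.run_all(table)    # the runner writes the row outside the request
    try:
        with ReadRequest(table):
            reveal_ip_sync("Patroller", "~2024-42", table)
        sync_ok = True
    except RuntimeError:
        sync_ok = False           # the guard rejected the in-request write
    return ip, pending, ran, len(table.rows), sync_ok


if __name__ == "__main__":
    print(demo())
```

The entry is built inside the request so that the performer, target and timestamp reflect the reveal itself rather than the later job run; the only thing deferred is the database write. The same guard idea applies to the auto-reveal case in the description, where a page view would otherwise become a write on first load.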