So the mastodon.social privacy policy is ok, but if I were the maintainer I'd avoid recording any IP addresses. One thing to consider is that when you're a meganode both state and non-state organisations will become interested in your logs and will try to obtain them either explicitly, with goons showing up and making threats, or also less explicitly with implants and exfiltration or NSLs and gagging orders. If you don't record IPs then in the worst case there's not much that third parties can get.

Another factor to consider is that the demographic of fediverse folks probably includes a higher proportion of non-normative views and lifestyles than you might find in the silos. These non-normative people are precisely the groups which the really bad guys always seek to target. So as maintainer you should be concerned with your users' interests and practice metadata minimization, which can limit any potential damage.

@bob
It would be interesting to know how much IP info is used/recorded in an interaction with a non-home instance.

I can see some instances adamantly rejecting non-recording of IP data not just for logs and troubleshooting, but because they're heavily into social policing & want robust banning & blacklisting.

If the info isn't passed, then conceivably how much IP info is saved could be decided by each instance individually.

@frankiesaxx it all comes back to the problem of having too many users on one server. Users should be able to block whoever they want, but having the admin do that without agreement of the users is problematic. As the number of users on an instance increases the probability of affinity between the admin and any random user approaches 0.5
@bob yeah as a person with non-normative views, the potential to be safe from this kind of monitoring is what makes Mastodon so attractive.
@bob @five Plus limiting metadata and collected data generally is just best practice for hosts anyway. Can't have stolen what you don't have! :) 👍
@bob @puellavulnerata This is very true, though as yet I'm not -quite- sure what parts of the whole thing keep track of what addresses - so I'm loath to change the policy until I understand my ability to do so in practical terms. nginx logs are easy enough to purge, but I'm not sure how far other things go.
@bob I heard that the service was partially hosted by Online.net and if it's not their NL datacenter, it's their FR ones. And the French law says 1 year of IP logs retention :/
@radiolaria This is why self-hosting is a good idea. Also when there are laws pertaining to logs I would scrutinize them carefully to see precisely what is being mandated and for how long and under what conditions disclosure can take place. Often the people making those laws are technically incompetent and so don't really know what data they want.
@masklayer @bob For the 20th time - I literally copypasted the privacy policy from the Discourse project, which in turn copypasted it from WordPress, because I am not a lawyer. So it's got a lot of CYA in it that doesn't *actually* apply to what we do
@bob I think we are required to purge logs older than 60 days?
@bob And from an anti-harasser pov, IP can be good to a certain extent.
@maloki it can be in some cases, but these days blocking the domain name is more reliable because few people have static IPv4 addresses anymore. On !Freedombone there's an option in the control panel to block domain names at the iptables level if that's required.
@bob wild guess: he might be required to keep them as per local laws? not sure why he would have added that otherwise
@hishamhm as @gargron said earlier, it's just a boilerplate privacy policy from elsewhere, and that's fair enough because rolling your own legal text is usually considered bad practice.

Data retention laws vary from one place to another, and may be an issue for some admins - especially if they have a lot of users.

@bob You can't disclose what you don't have.

Data are liability.