As I mentioned in the general GDPR topic (Making TYPO3 GDPR-ready), some important actions should be taken to make TYPO3 GDPR-ready.
Here’s what I would like to propose for the IP anonymization implementation. Please tell me what you think about it. If it’s a good way of doing it, I could take care of the implementation. If you have any advice or better proposals, I’ll be happy to read them.
Implement IP anonymizer.
We could use https://packagist.org/packages/geertw/ip-anonymizer or implement some internal fork / development of it, if there are any special needs. Personally, I prefer to use specialized external modules, so it’ll be easier to move further, all together.
It should be possible to configure it from TYPO3_CONF_VARS (masks, etc).
Note that at least for sessions the locking already “masks” those IPs, so only the first parts (/24) of an IPv4 address are saved in the DB if you set lockIP to 3 (default), etc.
For logging that is true of course.
Maybe we can use part of what is there to “anonymize” IPs in the locking-parts also for logging, exceptions etc. (There is a patch targeting locking for IPv6 in review currently.)
For other tools like log-analysis afaik IPs aren’t just “masked” to the /24-boundary or so but instead mapped, so that you can still correlate which accesses came from the same IP but don’t know the actual IP itself. The key to anonymize that IP would change once per day or so. Such more complex solutions try to find a way between de-personalisation and still not breaking logfile-analysis completely. Hmm …
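
Added example, not part of the thread and not code from TYPO3 or geertw/ip-anonymizer: the two approaches discussed above, prefix masking and a keyed mapping whose key changes once per day, side by side in PHP. The function names, the /64 default for IPv6, the use of HMAC-SHA256 and the secret are assumptions.

```php
<?php
declare(strict_types=1);

// Added example. Function names and the default prefix lengths are assumptions;
// the thread itself only mentions /24 for IPv4.
function packIp(string $ip): string
{
    $packed = @inet_pton($ip);            // 4 bytes for IPv4, 16 for IPv6
    if ($packed === false) {
        throw new InvalidArgumentException('Not a valid IP address');
    }
    return $packed;
}

// Prefix masking: keep the first $bits bits of the address, zero the rest.
function maskIp(string $ip, int $v4Bits = 24, int $v6Bits = 64): string
{
    $packed = packIp($ip);
    $len = strlen($packed);
    $bits = max(0, min($len * 8, $len === 4 ? $v4Bits : $v6Bits));
    $mask = str_repeat("\xff", intdiv($bits, 8));
    if ($bits % 8 !== 0) {
        $mask .= chr((0xff << (8 - $bits % 8)) & 0xff);
    }
    // Bitwise AND on two strings works byte by byte in PHP.
    return inet_ntop($packed & str_pad($mask, $len, "\x00"));
}

// Keyed mapping: the same IP gives the same token within one day, so accesses
// can still be correlated, but the token changes when the date changes.
// A plain hash is not enough: the IPv4 space is small enough to enumerate,
// so the mapping is only as private as $secret.
function pseudonymizeIp(string $ip, string $secret, DateTimeInterface $day): string
{
    $dailyKey = hash_hmac('sha256', $day->format('Y-m-d'), $secret, true);
    return substr(hash_hmac('sha256', packIp($ip), $dailyKey), 0, 16);
}

// Constructed sample values (documentation address ranges, made-up secret).
$secret = 'replace-with-a-long-random-secret';
$today = new DateTimeImmutable('2018-05-25');
$tomorrow = $today->modify('+1 day');

echo maskIp('192.0.2.123'), "\n";
echo maskIp('2001:db8:1234:5678:abcd::1'), "\n";
echo pseudonymizeIp('192.0.2.123', $secret, $today), "\n";
echo pseudonymizeIp('192.0.2.123', $secret, $tomorrow), "\n";
```

Hashing the packed form rather than the text form means differently written spellings of the same IPv6 address map to the same token.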