As I mentioned in general GDPR topic (https://decisions.typo3.org/t/making-typo3-gdpr-ready/306), some important action should be done to make TYPO3 GDPR-ready.
Here's what I would like to propose about IP anonymization implementation. Please tell me, what do You think about it. If it's a good way of doing, I could take care about the implementation. If You have some advices, better propositions, I'll be happy to read Your propositions.
Implement IP anonymizer.
We could use https://packagist.org/packages/geertw/ip-anonymizer or implement some internal fork / development of it, if there are any special needs. Personally, I prefer to use specialized external modules, so it'll be easier to move further, all together.
It should be possible to configure it from TYPO3_CONF_VARS (masks, etc).
$GLOBALS['TYPO3_CONF_VARS']['SYS']['IpAnonymizer']['ipv4NetMask'] = "255.255.255.0";
$GLOBALS['TYPO3_CONF_VARS']['SYS']['IpAnonymizer']['ipv6NetMask'] = "ffff:ffff:ffff:ffff:0000:0000:0000:0000";
Implementation should be done in a transversal way, so the anonymization could be called in any time in any place by any extension, which uses private data.
Implement optional anonymization it in all places, where it's stored in the DB sys_log:
- TYPO3 will be GDPR compliant and will allow IP anonymization.
- Will be harder to implement security rules, currently based on IP.
- Should be done carefully with TYPO3 Security Team control, so no potential holes in current TYPO3 security model.
Topic Initiator: fedir