
Is it possible to collect user information on our website without knowing any information (IP address, etc.) about our users?

For example, we've been presented with a situation where we're supposed to collect information about possible security issues. And we're supposed to get that information without knowing anything about the user.

One option is a third-party host to collect the information, and then we get that information from that third party.

Is there another way?

schroeder
Bob Horn
  • I'm not exactly understanding the issue. Can you just choose to not record the identifying information, such as the user's IP address? – BooleanCheese Feb 03 '17 at 20:46
  • We could choose not to, but the fact that it's a choice is the issue. Regulations require that we collect this information without being able to know anything about the user. I don't see how it's possible without using a third party, but thought I'd ask just in case. – Bob Horn Feb 03 '17 at 20:56
  • I feel as though the use of a third party is just moving the issue to be somebody else's issue. It should be trivial to just never receive any identifying information, barring the IP, and I can see an argument as to why the IP address doesn't have to be seen as a privacy concern as long as it isn't stored, but I'm not at all experienced enough in this matter to know if there's a better way. – BooleanCheese Feb 03 '17 at 21:20
  • So, you want a process where it is impossible for you to ever have the choice to receive the personally identifying info? Then, yes, you need a 3rd party as a filter. But, is this truly a requirement? For most regulations, it is enough to perform an architecture audit to prove that you are not collecting the data, or that the data can't be correlated. Though, I know from experience that design reviews are more difficult than simply proving that you never receive certain data. – schroeder Feb 04 '17 at 11:35
  • What kind of "user information" are you talking about anyway? – Philipp Feb 04 '17 at 11:52
  • I'm not sure if it's truly needed as a requirement, but I was asked if it was possible, so I'm trying to find out. As far as user information, it's supposed to be completely anonymous. And if we have one customer in one part of the country, and it would be obvious by the IP address that it was that customer, then that's an issue. I think a third party is the only way. – Bob Horn Feb 04 '17 at 14:13

1 Answer


You can offer your service on a Tor .onion site, with instructions on how to connect to it on a standard website. This will enable anyone who wants to remain anonymous to connect to your survey (or whatever) over the .onion site, which will make it impossible for you to figure out who they are based on their IP.

If you only allow people to take the survey through your .onion site, you'll probably lose a large number of people because they won't want to download the Tor browser just to fill out your survey. So, if regulations allow for it, what I'd do is offer your survey, or whistleblowing report, or security issue report, or whatever it is, through both a normal website reachable over https:// and a .onion site.

This is how WikiLeaks and (I think) the New York Times do it.

Edit: Correction: It's the Guardian I was thinking about, not the New York Times. See https://securedrop.theguardian.com/

Out of Band
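The application side of the .onion deployment the answer describes, as an added example that is not code from the answer or from WikiLeaks, the Guardian or SecureDrop: the Tor daemon terminates the circuit and hands the connection to the app over loopback, so the app never sees the visitor's IP, and the intake code additionally whitelists fields and coarsens the timestamp so that nothing identifying is stored even by accident. `HiddenServiceDir` and `HiddenServicePort` are real torrc directives; the paths, port 8080, the field names and the `reports.jsonl` file are assumptions.

```python
"""Report-intake endpoint meant to sit behind a Tor onion service.

Assumed torrc on the same host (directives are real Tor options; paths
and port are assumptions for this example):
    HiddenServiceDir /var/lib/tor/report_intake/
    HiddenServicePort 80 127.0.0.1:8080
Tor connects to this process over loopback, so the only peer address the
application can ever observe is 127.0.0.1.
"""
import json
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

# Only these form fields are kept; anything else is dropped on arrival.
ALLOWED_FIELDS = ("title", "details")


def anonymize_submission(body, received_iso):
    """Whitelist report fields and coarsen the timestamp to a UTC day.

    `body` is the raw urlencoded form body; `received_iso` an ISO-8601
    timestamp with UTC offset. Headers, peer address and fields outside
    ALLOWED_FIELDS never reach the stored record.
    """
    fields = parse_qs(body)
    received = datetime.fromisoformat(received_iso).astimezone(timezone.utc)
    record = {k: fields[k][0] for k in ALLOWED_FIELDS if k in fields}
    record["received_day"] = received.strftime("%Y-%m-%d")
    return record


class IntakeHandler(BaseHTTPRequestHandler):
    def address_string(self):
        # Never write a peer address into the access log, even if the
        # service is mistakenly exposed on a public interface.
        return "-"

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length).decode("utf-8", "replace")
        now = datetime.now(timezone.utc).isoformat()
        with open("reports.jsonl", "a", encoding="utf-8") as fh:
            fh.write(json.dumps(anonymize_submission(body, now)) + "\n")
        self.send_response(204)
        self.end_headers()


if __name__ == "__main__":
    # Loopback only: reachable through the local Tor daemon, not directly.
    HTTPServer(("127.0.0.1", 8080), IntakeHandler).serve_forever()
```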