_the_special_ | 5 years ago

Doesn't the GDPR protect against storing "Personally identifiable information"? Plausible does use the IP address for the visitor to create a unique visitor ID, but it does not store it, so I am not sure how you can use that information to link it to an individual.

M2Ys4U|5 years ago

The GDPR regulates the use of "personal data", which is broader in scope than "personally identifiable information":

"‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person"

Nextgrid|5 years ago

If the algorithm for turning an IP address into a visitor ID is reversible then that ID is equivalent to the IP address as far as the GDPR is concerned.

_the_special_|5 years ago

I could not easily find it on the website, but I remember reading about how they do it: basically, the ID is generated by hashing the IP + user-agent + a salt key that changes on a daily basis.

So, no, I do not think it is deterministic.

kevincox|5 years ago

Note that anything deterministic on IPs is reversible. There are only 4 billion IPv4 addresses so brute forcing is trivial.

It is more complicated for IPv6 but enough of the internet is IPv4 that you can't ignore that case.

gspr|5 years ago

Nitpick: if it's reversible, determinism doesn't matter.

donohoe|5 years ago

The point to note here is "if". Happily, they (Plausible) don't.

dbbk|5 years ago

It's not reversible, it's hashed with a daily salt.
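
An added example (not part of any comment above, and not Plausible's code) of the two cases the thread contrasts: a deterministic, unsalted hash of an IP address versus an ID keyed with a salt that is rotated daily. Assumptions: HMAC-SHA-256 as the keyed hash, a 16-byte random salt, the function names, and the constructed address `192.0.2.77` in the documentation range `192.0.2.0/24`.

```python
import hashlib
import hmac
import ipaddress
import secrets

def unsalted_id(ip: str) -> str:
    """Deterministic ID with no secret: a plain SHA-256 of the address."""
    return hashlib.sha256(ip.encode()).hexdigest()

def new_daily_salt() -> bytes:
    """Random salt, meant to be rotated daily and then deleted (assumed 16 bytes)."""
    return secrets.token_bytes(16)

def visitor_id(salt: bytes, ip: str, user_agent: str) -> str:
    """Keyed hash of IP + user-agent (HMAC-SHA-256 is an assumption)."""
    msg = f"{ip}|{user_agent}".encode()
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()

def find_ip(target_id: str, network: str, id_func):
    """Recompute the ID for every address in `network`; return the match or None."""
    for addr in ipaddress.ip_network(network):
        if hmac.compare_digest(id_func(str(addr)), target_id):
            return str(addr)
    return None

if __name__ == "__main__":
    # Constructed sample values, not real visitor data.
    ip, ua, net = "192.0.2.77", "ExampleBrowser/1.0", "192.0.2.0/24"
    today, tomorrow = new_daily_salt(), new_daily_salt()
    stored = visitor_id(today, ip, ua)

    # No secret involved: the stored ID maps straight back to the address.
    print("unsalted:", find_ip(unsalted_id(ip), net, unsalted_id))
    # Salt still retained: whoever holds it can recompute the same ID.
    print("salt held:", find_ip(stored, net, lambda a: visitor_id(today, a, ua)))
    # Salt rotated and the old one deleted: yesterday's ID no longer matches.
    print("salt gone:", find_ip(stored, net, lambda a: visitor_id(tomorrow, a, ua)))
```

The ID stays recomputable by anyone holding the current salt, so the property depends on the old salt actually being deleted at rotation.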