Client IP is seen even with "Prevent Storing of IP Addresses"

In my organization settings I have “Prevent Storing of IP Addresses” ON,
but on the event page I still can see Client IP under SDK section (though
Raven.js doesn’t send IP address as I found out).

In project settings this option is inherited and ticked.

Sentry early adopter is ON
Raven is 3.8.1
Server: sentry.io, not self hosted

This has come up before – we need to decide what to do here. Sentry needs to store IPs of the sender for various purposes (auditing, abuse), and I have reservations around dropping the data due to random privacy laws.

Could you at least hide it from developers, so I can tell my clients that I don’t see/know their IP (and can’t make associations between reports and users)?

Would be interested to know what you guys decided on this? With GDPR coming up and IP addresses being PII, this shoots up the list of concerns.

The IP is only available to superusers. It doesn’t have relevance to GDPR for us as we have a valid business case for capturing and storing it.

We’re also only capturing IP of the sending device.

Any advice for businesses that use you on how to handle this with our customers?
Theoretically we’d have to disclose that we’re collecting their IP address for error monitoring; the question is whether we’d actually need to get consent to do so.

Would be great to hear if you have any thoughts / experience / previous discussions around this?

I believe all you should need to do is declare Sentry as a subprocessor and agree to our DPA. If you’re explicitly collecting email or IP you’d need to disclose that. I don’t recall offhand if you actually have to disclose what you’re sending to an individual subprocessor.

Lastly, the IP we collect is the client IP. That is, we collect it on our server when the event reaches our server. That’s not really any different from declaring that you log IP addresses of web requests, except in this case Sentry (the company) has the ability to see them associated with your events as well as to draw conclusions.

I also forget offhand (I’m not at a desk) if IP on its own is considered PII. If it’s not, then you don’t need to worry unless you’re sending other identifying data.

That said, it’s probably safest just to declare that you process IPs as you certainly want that information attached to the event for your own use.

As an aside, we’ll work on more “correct and official” answers to these questions.

Sorry for more noise, but in case you missed this:

(this is just our first step towards compliance and education on this topic)