Provide a more privacy-focused configuration (not capturing detailed devices info)

[dmakarenko]

Dear Ory community, in my team we have been using a self-hosted version of Kratos for over a year and it has been quite a successful endeavour (kudos to the whole Ory team 🙇).

We are now looking at the privacy aspects of it and trying to minimise the amount of personal data we are capturing (in fact we want to capture none of what could be qualified as PII). What we have noticed that there is a list of devices associated with Sessions which currently stores an ip_address and a user_agent properties. A pull request implementing it is #2715 (by @kelkarajay).

I am wondering if Kratos has a configuration setting allowing not to capture those details.

Alternatively if anybody sees a way to anonymise this information I would also appreciate any pointers & suggestions.

Thanks a lot.

Update: asked the same question via Ory Slack here

[vinckr]

Hello @dmakarenko

Can you elaborate a bit more on the privacy issue?

AFAICT the devices property is only visible to the user themselves and Ory Network (the latter could not serve the user without knowing their IP). The data in devices is not stored anywhere longterm and it is part of the payload you send in any kind of request to any kind of website as well.
Also I think there is no "hard" PII exposed, as IP address is not quite PII. The only sensitive info is probably the location? Which is not exact and based on the IP address.

I think its an interesting (and not easy) topic, so happy to start a conversation here!
(Also I am not a lawyer)

Edit:
Actually I was wrong and the IP is considered PII in the EU (and somewhat in the US):

The categorization of an IP address as Personally Identifiable Information (PII) can vary depending on the jurisdiction and specific legislation.

In the European Union, under the General Data Protection Regulation (GDPR), an IP address is considered PII as it is classified as an online identifier for an individual. The GDPR sets strict rules on how companies doing business in the EU or with EU citizens can handle PII, including IP addresses. This means companies are required to take reasonable precautions to protect such data from hackers and allow EU citizens to delete their data upon request csoonline.com.

However, in the United States, guidance on whether IP addresses are considered PII is more fragmented and varies by specific statutes in federal circuits. Businesses are advised to be cautious in making conclusions about their collection and use of IP addresses, as it varies by business type, data type, and legal jurisdiction lexology.com.

Given that IP addresses could potentially be used to identify an individual, particularly when combined with other pieces of data, they should be treated with a similar level of security as other sensitive PII to avoid potential data privacy law violations upguard.com.

[dmakarenko]

Hi Vincent,

We are currently relying on a self-hosted deployment of Ory Kratos. And our goal is to avoid storing any user's Personal Data as in some territories/countries we could only store & process PII on servers located physically within the borders of those countries (e.g. the People's Republic of China). And in such cases in order to be compliant but still have an option of hosting our servers in those countries we believe could be achieved if we stop processing any personal data in Kratos.

It might still be a bit of a grey area as it's quite obvious that as long as an IP packet reaches our servers one could say that we are already processing an IP address on our servers.

[vinckr]

Hey Dmitry,
that makes sense though! We also offer professional services, maybe that could be an option to book some time with an Ory engineer to go through the details and what a good solution woudl be.

And yea I agree it's a grey area, so I guess legal opinion from an expert would be good too.

[Pedr0Rocha]

Hi,
I found this discussion while looking for a way to prevent kratos (self-hosted) from storing session_devices.ip_address, session_devices.user_agent and session_devices.location.

I need to drop those fields for privacy reasons and I understand there's no dedicated configuration for this. Is this something achievable by a pre/post login hook?

Is adding a property to handle this in the configuration file something we can consider?

Thanks!