[wp-trac] [WordPress Trac] #45889: Include Session Tokens as personal information in data exports and erasure (was: Include personal information from within the user_meta table in data exports)

WordPress Trac noreply at wordpress.org
Thu Jan 17 21:08:11 UTC 2019


#45889: Include Session Tokens as personal information in data exports and erasure
-------------------------+-----------------------------
 Reporter:  lakenh       |       Owner:  (none)
     Type:  enhancement  |      Status:  new
 Priority:  normal       |   Milestone:  Future Release
Component:  Privacy      |     Version:  4.9.6
 Severity:  normal       |  Resolution:
 Keywords:               |     Focuses:  administration
-------------------------+-----------------------------
Changes (by garrett-eclipse):

 * focuses:  privacy => administration
 * component:  Users => Privacy
 * version:  5.0.2 => 4.9.6


Old description:

> #44161 raised some concerns about if we missed any personal data when the
> personal information export was released. Upon further investigation, the
> core-privacy team found multiple places in the user_meta table that still
> contain information that we should include in exports.
>
> The currently known ones are the following:
> - Session Tokens: Contains IP address and user agent
> - Community Events: Contains IP address
>
> The scope of this ticket isn't about removing/anonymizing this
> information, instead just including it within the current user export and
> erasure tools.

New description:

 #44161 raised some concerns about if we missed any personal data when the
 personal information export was released. Upon further investigation, the
 core-privacy team found multiple places in the user_meta table that still
 contain information that we should include in exports.

 The currently known ones are the following:
 - Session Tokens: Contains IP address and user agent
 - Community Events: Contains IP address
 *Community Events data will be handled via #43921

 The scope of this ticket isn't about removing/anonymizing this
 information, instead just including it within the current user export and
 erasure tools.

--

Comment:

 As #43921 already exists with an existing patch we'll continue work for
 the Community Events Location information through that ticket. As such
 I've updated this ticket to change its focus to be specific to Session
 Tokens.

 And to answer my question from previous [comment:2 garrett-eclipse]:
 > One question I had about the use of IP in the Community Events is would
 > an anonymized IP be sufficient to geolocate an area to surface community
 > events from? If so we could avoid needing to include it in export and
 > erasure by anonymizing it prior to storing in the usermeta table which
 > would make it no longer PII. Just a thought.
 *This was answered on the other ticket indicating that the IP address is
 already partially anonymized as was indicated on this ticket comment:
 https://core.trac.wordpress.org/ticket/40794#comment:22

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/45889#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
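
Added example, not part of the ticket and not the core team's patch: one way a plugin could expose the Session Tokens data (IP address and user agent) to the existing export and erasure tools. It assumes WordPress 4.9.6 or later; the `example_` function names, the `example-session-tokens` id and the labels are hypothetical.

```php
<?php
/* Plugin Name: Session Token Privacy Example (hypothetical, not core code) */

// Hook a hypothetical exporter and eraser into the core privacy tools.
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
	$exporters['example-session-tokens'] = array(
		'exporter_friendly_name' => 'Session Tokens (example)',
		'callback'               => 'example_session_tokens_exporter',
	);
	return $exporters;
} );
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
	$erasers['example-session-tokens'] = array(
		'eraser_friendly_name' => 'Session Tokens (example)',
		'callback'             => 'example_session_tokens_eraser',
	);
	return $erasers;
} );

function example_session_tokens_exporter( $email_address, $page = 1 ) {
	$items = array();
	$user  = get_user_by( 'email', $email_address );
	// get_all() returns the session records only, never the token hashes.
	$sessions = $user ? WP_Session_Tokens::get_instance( $user->ID )->get_all() : array();
	foreach ( $sessions as $i => $s ) {
		// 'ua' is client-supplied text: treat it as untrusted wherever it is rendered.
		$items[] = array(
			'group_id'    => 'example-session-tokens',
			'group_label' => 'Session Tokens',
			'item_id'     => "session-{$user->ID}-{$i}",
			'data'        => array(
				array( 'name' => 'IP Address', 'value' => isset( $s['ip'] ) ? $s['ip'] : '' ),
				array( 'name' => 'User Agent', 'value' => isset( $s['ua'] ) ? $s['ua'] : '' ),
				array( 'name' => 'Login Time', 'value' => isset( $s['login'] ) ? gmdate( 'c', $s['login'] ) : '' ),
			),
		);
	}
	return array( 'data' => $items, 'done' => true );
}

function example_session_tokens_eraser( $email_address, $page = 1 ) {
	$removed = false;
	$user    = get_user_by( 'email', $email_address );
	if ( $user ) {
		$manager = WP_Session_Tokens::get_instance( $user->ID );
		$removed = count( $manager->get_all() ) > 0;
		$manager->destroy_all(); // Logs the user out of every device.
	}
	return array( 'items_removed' => $removed, 'items_retained' => false, 'messages' => array(), 'done' => true );
}
```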

