This goes back to responsibility in hosting code that deals with sensitive or personal user information. I understand application development is more accessible now. But I will say again that some amount of experience and research is required to responsibly maintain a public website where data is collected. You can't just collect user information, IP addresses, user agents, and behavior without disclosure. And you definitely can't just send user PII off to third parties unencrypted without consent. I'm not just saying that morally, but legally.
Describe the Issue
The visitor stats service collects raw visitor IP addresses, persists them to disk in plaintext JSON, and transmits them in batch to http://ip-api.com over unencrypted HTTP for GeoIP resolution, with no user consent, no privacy notice, and no opt-out mechanism.
Why this is a problem.
IP addresses are classified as personal data under GDPR and as personal information under CCPA. Transmitting them to a third party without consent has been ruled a GDPR violation. There are examples of this online turning into legal cases, and people have been fined in the past for this exact issue.
Second to the legal issue, this is a user privacy violation. Every visitor to openhamclock.com has their IP collected, and sent to a third party without their knowledge. There is no privacy banner, consent message, or opt-out.
On top of the legal and privacy issues, it is also a security issue. Storage of IP addresses in plaintext is a no-go. It's liability for no reason when they could be hashed or encrypted when collected and stored. Then the transmission of them over HTTP adds the possibility of interception and snooping. If that endpoint were compromised, there is no way to verify who you are sending them to without TLS and a validated certificate.
This is all around just bad news.
Recommended Changes:
Replace ip-api.com with a local GeoIP database (e.g., MaxMind GeoLite2); this eliminates third-party data sharing entirely.
Hash IPs before storage, which preserves unique-visitor counting without storing recoverable PII.
Never persist raw IPs to disk.
Add a privacy notice.
Add a data retention policy.
Remove user-agent storage from session tracking (not needed for functionality).