Users of, please chime in:

We try our best not to log IP addresses to give you all the privacy we can. Mastodon, as a software, logs IP addresses in two ways: It saves the last IP address you used, and the IP address associated with each active session (you can review those here:

We can delete those IP addresses manually in both of these places, but this would reduce your ability to see where your active sessions come from. Opinions, preferences, thougths?

We can also strip addresses, but it's more of a hassle, and I'd need some help writing the postgres statement, as we have to take different actions for v4 and v6 addresses.

@rixx Personally, I never had much use for this kind of information, on any service, but it's probably interesting/important to some users. How about scrubbing part of the data to make it less precise? For example the last octet for IPv4 addresses and the host portion for IPv6.

@alexander Possible but harder ( Nobody really uses that part of the options menu, I think, so I'm pretty much for just dumping the data.

@rixx Fine with me! Would this interfere with your ability to handle abuse, or is this information not used for that?

@alexander It's not used for that, no, abuse is handled on a per-user basis.

@rixx I think I would love an option where I can throw away everything.

@kurzgedanke That's a software issue we can't resolve, as we're not the mastodon devs. The only thing we can offer is to go into the database as admins and change the data – but we can't feasibly do that on a per-user basis.

@rixx Okay, I get the problem.^^ Everything is fine as it is at the moment. So please no pressure.^^

@rixx In my opinion, the "last activity" column is sufficient to detect suspicious activity

@rixx I would prefer nuke from orbit, but I don't have a strong opinion either way and understand that the information might be useful for some users.
Long term a user level option wether to log would be nice.

@rixx not really using the feature you mentioned. as long as there's a "end all active sessions" option that i can use when in doubt, all is well :)

@hadez Yah, if we nuke the addresses, all that will change is that the column will be empty.

@rixx but sessions will persist? asking because i don't want to enter extra long passwords from my password safe all the time on mobile and multiple PCs ;)

@hadez They will, IP info isn't used and only meant to help users. Tried it with my own account and some others, no repeat-logins or anything else happened.

@rixx @hadez that'd be ideal IMO. IP-Addresses don't really help me to identify sessions that i want to erase as much as date of last activity and browser/device.

I'd say delete them all.

My thoughts about developing an alternative to this are:
There could be visible session IDs to the user. The clients should show which session ID is theirs to verify what sessions are actually yours.
Also a mail should be sent after creating a new session to be sure.

..nothing new tho.

@rixx delete it. I was worried that sessions might not work but since they do there is no reason to keep it.

@dkl It's been suggested, but it wouldn't add any value. Won't catch subnets that way, and v4 addresses are easily enumerated

@rixx I don't see any realistic scenario where privacy's increased by deleting a couple of IP addresses. The important thing is that what is logged is honestly reported and used for honest administration, not sold to governments. I'm happy with both Mastodon and Plenorama.

@malin Please note that this issue is under discussion for only this instance. And seeing as requests (more or less forceful) by the police and state for our data are en vogue, the less I know about my users the less I can tell them.

@rixx well, less sounds more then. And it seems I still need to get used to the fediverse's share settings.

@rixx I think a reasonable middle ground could be to fuzz these addresses, effectively limiting them to network addresses. E.g. kill the last byte for IPv4 and only store the `/56` for IPv6. This would still allow users to sanity check their log-ins without making single systems identifiable.

@marix Sure, but that's something better done on the software side. As administrator, I want a soliton that's as simple and maintainable as possible.

@rixx we have removed ip address from nginx. All the user on have the same ip

@admin Oh, huh, that would also be a solution. Do you have your nginx config available?

@rixx I'm not interested in seeing where my active sessions come from and would prefer the IP log to be regularly deleted (if that's the option).

@rixx I don't use this kind of information so I don't have any issues if you apply a scheduled nuking of that data 🙂

@rixx It would be nice if people could register without (verified) mail addresses.

Many IPs are meaningful for only a few days (or not at all, i.e. when using tor), but an anonymous mail address needs some more efford, especially when you do not want to trust a trash-mail service.

To the IP question: Showing session ids instead of IPs is a nice idea and having a PR for this so all instances can use it would be a good thing, if somebody has the time to code it.

@allo … all of this is kind of beside the point – the question was only about administrator actions we may or may not take on this instance. For mastodon development, you'll need to head over to the github issue tracker.

@rixx not a user but I don't like being reminded the other end sees my IP addresses. (If I were there, it could go away completely). Do you long anything with your webserver?

@saper We do! We retain error logs including IP addresses for a bit, to help with debugging, but they're regularly purged, and we do not have access logs at all.

@rixx cool! Hope you will not need a very short term access logging to fight some kind of abuse.

@saper Nah, we have registrations closed (but everybody can generate invites), so we're pretty safe on the abuse front/can handle abuse on a per-user basis. Thank you :)

@rixx I was thinking more about DDoS/Future ActivityPub protocol attacks, not just robotic registrations. Keep on tootin' !

@rixx I don't need that. IMHO removing tthe IP is preferrable.

@rixx deleting it would be good but not critical. I don't see the upside of it, since it is not enough to protect anonymity - measures that would protect, would already include useing a different IP than the ISP assigned one.

Sign in to participate in the conversation

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!