Hi.
Thank you all for this valuable info.
If the police comes and asks for logs for a specific topic reply, which Discourse logs exactly should forum owner provide?
Well, in Finland a log that only ISP has, because IP we see isn’t proving anything and never tells person.
The police would still want an IP from you because they would then go to the ISP to ask which house that IP is registered to, or was registered to on the date the alleged offence took place if it’s a dynamic address.
Even the ISP can’t link it absolutely with an individual in most cases. I suspect that in most of the world an IP address is linked to an account holder but is used by everyone using the router for that account. So in my case the ISP would give my name, but my router is regularly used by at least 10 different people, some family members and some visiting friends.
Whilst an IP address wouldn’t necessarily link to a specific individual it can give the police a line of enquiry to follow. If the police want to use the information in a meaningful way then they would also need to provide a lot more evidence to conclusively prove that a certain person made a specific post on your forum.
No they don’t. Because most of the world don’t use IP addresses that way. And that is one of the several reasons why police here in Finland (apply at least whole Nordic) is not interested about IP — it is useless and doesn’t prove anything and doesn’t pinpoint a person.
And if in your direction ISPs are using IP-addresses differently then I’m not suprised IP4-space is so full.
Of course logging IP like every second is possible. But it is waste of resources for nothing. You should doublechek if demand of that is real, not what you are afrading of.
I can’t speak for Finland (other than noting that there are 3 IPv4 addresses assigned for every member of the Finnish population and in the UK we only have 2 per person) but in the UK every domestic router I’ve looked at in recent years has a real world routable (non-private address space) WAN IP address (mostly DHCP assigned).
Prior to retirement I worked with some very serious investigative organisations and I can assure you that they like to know about IP addresses. I’m not saying that an IP address is used the sole item of evidence that has has been used to convict someone, but they are definitely used as part of the investigative process in some parts of the world outside Finland, or at least they were 3.5 years or so ago.
I’ve not seen anyone suggest that. The question was about the IP address of the poster of a message. Unless you have a very busy forum then you’re probably not seeing a new post per second!
What it can be used for/how useful is the info aside…
Your Discourse site stores a user’s registration IP address for as long as the user exists on the site. It also stores a user’s ‘last IP address’, which is updated each time a user logs into the site. These IP addresses are removed from the site when a user is deleted or anonymized, though can be retained in the logs if the log anonymizer details site setting is left enabled.
IPs are also stored in the topic_views table, but only for anonymous users. That table also only records when a user/ip first views a topic, and not any subsequent ones.
In addition to what @JammyDodger said, in a standard install you would provide the nginx logs, that contain the IP address of every request that reached your server and can easily be correlated to both the request that made the reply, and to the specific ISP customer that pays for the internet connection. Provided that the request isn’t old enough to have been rotated out of the logs.
This depends first about if the police have a search warrant, and/or if an administrator wishes to share information voluntarily.
I.P. can help to identify a person or their location.
I don’t know about this, maybe in general there is truth in that but not as an absolute.
I.P. addresses that are tied to a physical location can be masked through annother network, that may be what you are talking about?
Thank you all for your replies.
I was kind of expecting Discourse to log any forum content modification action (such as creating, editing, or deleting posts). So whenever forum content gets modified in any way possible, there is a log file with an IP used. This seemed the most logical thing to expect, but obviously, it isn’t so. No problem there, of course.
So, in case a problem happens and the police come with a warrant or court order, I guess they will go after web server logs in this case nginx logs that will match the forum post timestamps?
Is my understanding correct?
Yes they do. In case IP addresses are dynamically allocated, every ISP keeps a log of which customer got which IP address at which moment. So an IP address-datetime tuple will uniquely identify a customer.
That is probably correct, I’m no expert about this though.
This brings up a question I had about discourse hosting, I don’t know with forums hosted on their servers if they ever get requests for records directly how those are dealt with?
There are a few different categories of events where cops or lawyers may call, one would be if classified government documents are published what to do about those.
Logs of a server tells my IP is 37.219.108.36. So to what house or address is it related? Do you want to guess how many is using same IP right now? We talking about value of logged IP of servers, and if somewhere police is interested in server logs and comes to home of an admin asking it, I would be… afraid isn’t right feeling, but confused.
Fun and totally unrelated fact: because of totally unneeded IP-logging I can’t edit Wikipedia-pages.
I’m intrigued to know how the police in Finland operate. Let’s say someone stores ‘dodgy’ data on your server and it’s reported to the police. Do they just throw their hands up in the air and say “All we’ve probably got to go on is the IP address of the uploader and those who accessed it, so there’s no point investigating this any further?”
Yes, in some cases, IP addresses aren’t useful, but in other cases they are, so IMO they’d be stupid to completely ignore them just because sometimes they’re not useful. CCTV pictures are often useless but they’re still used round the world as a source of information because sometimes they are helpful in finding the person who committed a crime.
We can’t trace you from your IP address because we aren’t the police, but their next step would probably be DNA (your ISP?) to ask who used the address on the dates in question. Then in some countries, can’t speak for Finland, they’d get a search warrant for the location and probably remove all electronic devices for forensic examination to find out which of them had been used to upload/access the dodgy data. All of this goes towards evidence of who was involved. Like most investigations, there is rarely just one piece of evidence that identifies a suspect, so it all paints a picture that will be put to a jury to decide whether it was you or someone else who did the dirty deed.
For me I.P. address is directly tied to street address, and local internet provider has 24/7 staffing so if police ring their doorbell at any time with a search warrant for street address of specific I.P. numbers they would probably hand that over right away.
With emergency services another category is for if someone say posts there is a medical emergency or some kind of domestic issue where they may want for cops or an ambulance to stop by but haven’t yet or are unable to call emergency dispatch, then if someone else can report that to a dispatcher they may be able to identify location some other way faster than contacting internet provider.
I’m thinking we need a place for when someone says trigger words like ‘IP’ or ‘GDPR’ and the topic inevitably starts to drift away from the original question. 
Lol, that is a good idea.
One good feature with Discourse is that it does notice if multiple accounts are using the same I.P. address there is an alert about that.
I think the original question has been asked and answered. Let’s close this off.