
For our dating site, which of course has to deal with many princes, Nigerian or otherwise, when we manually verified an account to be a scammer, we reject logins with a message stating that the IP address has been blocked. Scammers will usually go through all of their VPNs/bots in order to try to login, allowing our system to flag them all.

We'll manually review all accounts that use (more than one of) those ip addresses. Works like a charm! :-)



> when we manually verified an account to be a scammer

This makes all the difference with other services that block out users only to let them guess why they were blocked.

If an automated system did that, I would have said it's evil. Yet, I hope you have a communication channel in case there was a human error.


Yes, although I would add an attention threshold too, as it's not entirely unknown for hired manual review to just spam the "guilty" button so they can get to lunch. In any case: your false positive rate needs to be massively low if you want to be a massive asshole to the people it flags -- or else you are just an asshole.

If you can afford to get the FPR down, sure, have fun, but if not, please have the decency to not pretend.


You can implement a jury trial system - have a pool of moderators, select a few at random and have them look at the account, only flagging it if there is a consensus that it’s a scam account


That scale doesn't really work for small startups


Admittedly, there is the occasional false positive. For such cases, we display an email address right underneath the error message. Scammers rarely dare to complain, and when they do, they are usually not very convincing.


These humane touches make all the difference. Thanks for taking the time.


That is truly evil. I love it!


So, the problem I see here is when spammers abuse someone else's machine to conduct activity like this, and all those random people get their IP addresses blocked by your system.

And how would the legitimate owner of that IP address ever know how to contact you to get removed from your blacklist?


No, the IP addresses won't be blocked, but the accounts will be reviewed.

Legitimate users would be able to contact us using the email address that is shown right underneath the error message.


That's a really smart idea!


That is genius


[flagged]


You can just anonymize stuff, right? dbo.naughty_ips does not need to be linked to any real people and I do not need to keep records of why any IP address got placed on that table.


Legitimate interest would totally cover you here. The fear-mongering and misinformation about the GDPR is getting really annoying by now.


Indeed. Dating sites have a legitimate (and I'd say moral) need to protect their customers from all kinds of nasty business. If the only way to do that is through the use of PII, and that use is well-documented in the privacy statement, and the data is not being used for unrelated purposes, this should be well within the bounds of GDPR.


> The "legitimate interest" GDPR strawman

In the past three and a half years I have witnessed four cases in which this exact method (cross-linking remote IP addresses to detect spammers/attackers/bots/etc.) has been an issue with GDPR, but I am sure those downvotes and the general tech-centered HN'y wave-off as misinformation have a better standing in EU courts these days since the fear-mongering GDPR hype is mostly over as it seems.


People can claim it all day long but it was determined that IP addresses are only PII in the hands of an entity who can actually associate it with a person, like an ISP.

https://www.jdsupra.com/legalnews/court-confirms-that-ip-add...


Yes, you are right. No way for a dating site for example (as stated by the original comment) to make a relation between an IP address and the person behind it. It's all fake profiles or some other strawman argument anyway, right? Like who uses his real name, address or even picture for something like that?! That'd be just ridiculous ...


...you're assuming they're keeping the IP linked to a specific profile and then making a strawman argument based on that assumption.


It sounds like that's what they're doing, in order to find other spam accounts: > We'll manually review all accounts that use (more than one of) those ip addresses.


Obviously only vanviegen knows what they're doing, but here is what I'd do (IANAL!):

1. Identify offender (scammer/spammer) using other methods like manual review

2. Block offender as described, and only now start logging the IPs for them (claim: at that point it's legitimate interest)

3. If another user now uses one of the IPs, assume they're also offenders and log their IPs as well to weed out false positives (claim: they use the known offender IPs, so there is a good chance they're also offenders -> leg. int.)

4. Ban all actual offenders and delete associated IPs for false positives.

It's possible they're doing this flow and just simplified it for posting here.

Saving the IP/geolocation could also be legitimate interest to identify altered locations. E.g. say you're US based and suddenly login from $abroad they could send you a 2FA mail to secure your account.
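The four-step flow above, together with the decoy "your IP address has been blocked" rejection from the top comment, as an added example in Python. This is not code from the thread or from vanviegen's site; the class, function and account names, the sample login log (documentation-range IPs) and the abuse@ contact address are all constructed for illustration.

```python
"""Honeypot-style login rejection for manually verified scam accounts.

Constructed example of the flow discussed in the thread:
  1. A human marks an account as a scammer.
  2. Logins for that account are rejected with a decoy message that
     blames the source IP, so the scammer cycles through VPN exits and
     each exit IP lands in a suspect-IP set. IPs are retained only for
     flagged accounts and accounts that touch suspect IPs.
  3. Another account that logs in from at least min_shared_ips suspect
     IPs is queued for manual review; it is NOT blocked.
  4. A reviewer either confirms (account joins the scammer set, its IPs
     become suspect) or clears it, in which case its retained IPs are
     deleted.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical contact address shown under the decoy message so that a
# false positive can reach a human.
DECOY_MESSAGE = ("Your IP address has been blocked. If you believe this is an "
                 "error, contact abuse@example.invalid")


@dataclass
class ScamLinker:
    min_shared_ips: int = 2  # "more than one of those IP addresses"
    scammers: set[str] = field(default_factory=set)
    suspect_ips: set[str] = field(default_factory=set)
    ips_by_account: dict[str, set[str]] = field(
        default_factory=lambda: defaultdict(set))
    review_queue: set[str] = field(default_factory=set)

    def mark_scammer(self, account: str) -> None:
        """Step 1: manual verification. Any IPs already retained for the
        account (e.g. from a prior review) become suspect IPs."""
        self.scammers.add(account)
        self.suspect_ips |= self.ips_by_account.get(account, set())

    def login(self, account: str, ip: str, password_ok: bool = True):
        """Handle one login attempt; returns (allowed, message)."""
        if not password_ok:
            # Design choice of this example: the decoy is shown only after a
            # valid password, so a stranger cannot probe which accounts are
            # flagged by submitting usernames alone.
            return False, "Invalid credentials"
        if account in self.scammers:
            # Step 2: blame the IP, not the account, and record the exit node.
            self.ips_by_account[account].add(ip)
            self.suspect_ips.add(ip)
            return False, DECOY_MESSAGE
        if ip in self.suspect_ips:
            # Step 3: retain the IP for this account and queue it for review
            # once it has touched enough suspect IPs. The login still succeeds.
            self.ips_by_account[account].add(ip)
            shared = self.ips_by_account[account] & self.suspect_ips
            if len(shared) >= self.min_shared_ips:
                self.review_queue.add(account)
        return True, "Welcome"

    def resolve_review(self, account: str, is_scammer: bool) -> None:
        """Step 4: a human decides. False positives lose their retained IPs."""
        self.review_queue.discard(account)
        if is_scammer:
            self.mark_scammer(account)
        else:
            self.ips_by_account.pop(account, None)


# Constructed login log: (account, source IP). Not real traffic.
SAMPLE_LOGINS = [
    ("scam_alice", "203.0.113.10"),  # rejected with decoy, IP recorded
    ("scam_alice", "203.0.113.11"),  # scammer tries the next VPN exit
    ("scam_alice", "198.51.100.7"),
    ("scam_bob", "203.0.113.10"),    # one suspect IP so far: logged, not queued
    ("carol", "192.0.2.44"),         # unrelated IP: nothing retained for carol
    ("scam_bob", "198.51.100.7"),    # second suspect IP: queued for review
    ("dave", "203.0.113.11"),        # a single shared exit (e.g. a public VPN)
]


def replay(events=SAMPLE_LOGINS) -> ScamLinker:
    """Mark scam_alice by hand, then feed the log through the linker."""
    linker = ScamLinker()
    linker.mark_scammer("scam_alice")
    for account, ip in events:
        linker.login(account, ip)
    return linker


if __name__ == "__main__":
    linker = replay()
    print("suspect IPs:", sorted(linker.suspect_ips))
    print("review queue:", sorted(linker.review_queue))
    print("retained IPs:", {a: sorted(s) for a, s in linker.ips_by_account.items() if s})
```

With `min_shared_ips=2`, only `scam_bob` ends up in the review queue; `dave`, who shared a single exit node with the scammer, has that one IP retained but is not queued, and `carol` has nothing retained at all. Raising `min_shared_ips` is the knob that trades recall for fewer false positives when many legitimate users sit behind the same VPN or carrier NAT.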


Review is the key. They're using it as an indicator of bad behavior to provide direction where other bad behavior may be.

The IP didn't identify the person, but it did potentially implicate accounts that needed to be reviewed or that may have been compromised.


Even with all that, the IP address itself still doesn't represent a person in the hands of that dating site.

An ISP can identify which IP address has been assigned to your phone, at what time, on what tower and exactly what points in time that IP addressed changed. It can also associate the device itself with the IP address.

An IP address on a cable modem can be associated with a particular account for a house or a business office, but even it can't positively identify the person in the house or at the business who was using it to connect to a particular website.

And yes, as you said, anybody can create a fake profile. A coworker could create a fake profile on a dating site of you if they wanted to and that IP address still doesn't positively identify you.

The name, address, photo...all of that is absolutely PII and covered by GDPR.

The IP address isn't and is also used for legitimate security purposes. People trying to get them scrubbed under GDPR are overreaching on a piece of data they have no right to have scrubbed.


Oh okay, so you are a lawyer? My condolences.


any links/info on these 4 cases so that we can learn more about the subject?


Has been an issue in what way?


Go on, tell us more so we can do better.


I often see downvotes for comments that make claims but don't include details.

In this case you say, "an issue with GDPR" but fail to elaborate.



