Privacy is becoming an increasingly important topic, especially with recent GDPR updates and daily news of big tech companies that grossly overstep their boundaries and abuse our data. As a European company, we've always taken privacy very seriously and allowed our customers to process as little information about their end-users as possible.
These days, we're pushing in this direction harder than ever to make sure that your data, as well as your customers' data, remains yours and theirs. Until recently, our method to address this was to automatically anonymize all IPs in all logged requests and simply not log anything that wasn't absolutely needed. While we do allow logging to be turned off entirely, this may pose other challenges and isn't really a solution. So we thought we could do better.
The issue with IP anonymization
By default, bunny.net anonymizes IPs by removing the last octet from the address. For example, the IP 18.104.22.168 would be transformed to 22.214.171.124 prior to being stored in our logging system.
While this is a decent solution, it's quite easy to distinguish a specific person simply based on a few requests. With some simple techniques alongside recent developments in machine learning, it's relatively easy to use this information to tie requests back to a specific user or session.
Even combining only user-agent strings, request access times, and anonymized IPs leaves little guesswork about who is who in many real-world scenarios. Removing a single octet simply doesn't work anymore, or perhaps never really properly did.
In fact, let's make it simple. This might be equivalent to putting a horn on a bunny and identifying who the rhino is. While both of them have a horn, it's pretty clear who is who.
Removing IPs altogether
We knew we needed to do better to help build an internet where privacy is built into its core. While many use-cases do require specific IPs to be logged and processed for reasons such as security, we wanted to bring our users the power to take privacy to the next level.
To do so, we decided to allow our customers to choose between different levels of anonymization: either a single octet is stripped, or all IPs are replaced by 0.0.0.0 instead.
This can now be toggled with a simple dropdown and applies to both our real-time log forwarding and standard logging.
When enabled, the logs no longer display the IPs, but they do retain the country information.
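To make the point from "The issue with IP anonymization" concrete for both levels described above, the following added example (not bunny.net's code) counts how many clients in a set of constructed log records can still be told apart by masked IP, user-agent and country. The function names, the sample records and the choice to store a stripped octet as 0 are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records (client IP, user-agent, country); not real traffic.
SAMPLE_LOGS = [
    ("198.51.100.17", "Firefox/115.0", "DE"),
    ("198.51.100.17", "Firefox/115.0", "DE"),        # second request, same client
    ("198.51.100.42", "Chrome/120.0", "DE"),
    ("198.51.100.99", "Safari/604.1", "DE"),
    ("203.0.113.5", "Firefox/115.0", "DE"),
    ("203.0.113.77", "Chrome/120.0", "DE"),
    ("203.0.113.140", "Safari/604.1", "DE"),
    ("203.0.113.200", "ExampleBrowser/0.1", "DE"),   # rare user-agent
]

def anonymize_ip(ip, level):
    """Mask an IPv4 address: 'none', 'octet' (last octet zeroed) or 'full'."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    if level == "none":
        return str(addr)
    if level == "octet":
        # Assumption: a stripped octet is stored as 0.
        net = ipaddress.IPv4Network(f"{addr}/24", strict=False)
        return str(net.network_address)
    if level == "full":
        return "0.0.0.0"
    raise ValueError(f"unknown level: {level}")

def singled_out(logs, level):
    """Count real clients whose stored (masked IP, user-agent, country)
    combination is shared with no other client in the logs."""
    groups = defaultdict(set)
    for ip, user_agent, country in logs:
        key = (anonymize_ip(ip, level), user_agent, country)
        groups[key].add(ip)  # the real IP is used only to score the result
    return sum(1 for clients in groups.values() if len(clients) == 1)

if __name__ == "__main__":
    for level in ("none", "octet", "full"):
        print(f"{level:5s} -> {singled_out(SAMPLE_LOGS, level)} clients singled out")
```

On this sample, stripping one octet still singles out all 7 clients, while replacing the IP with 0.0.0.0 leaves only the client with the rare user-agent distinguishable.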
Building a more private internet.
We believe everyone should have the right to privacy and to browse the internet in a safe manner. We want our users to be able to do the same.
It's our goal to help build a fast internet without invading privacy and also help fellow EU companies better comply with recent GDPR regulations. With almost a million websites powered by bunny.net, we believe we can truly help make a difference and we're actively working on other projects to take this even further.
Help us make the internet a better place!
If you like our mission of building a faster internet, and want to help with our goal to do this in the most privacy-friendly way, make sure to check out our careers page. We are currently hiring for multiple different positions to help expand bunny.net and solve even more global problems on a massive scale.