[Nextgrid]

If the algorithm for turning an IP address into a visitor ID is reversible then that ID is equivalent to the IP address as far as the GDPR is concerned.

[_the_special_]

I could not easily find it on the website, but I remember reading about how they do it, basically the ID is generated by hashing the IP + user-agent + a salt key that is changing on a daily basis.

So, no, I do not think it is deterministic.

[markosaric]

We generate a daily changing identifier using the visitor’s IP address and User Agent. To anonymize these datapoints, we run them through a hash function with a rotating salt.

hash(daily_salt + website_domain + ip_address + user_agent)

This generates a random string of letters and numbers that is used to calculate unique visitor numbers for the day. Old salts are deleted to avoid the possibility of linking visitor information from one day to the next.

Full details are here: https://plausible.io/data-policy

[jonahbenton]

It depends on whether they retain or can reproduce the salt for a given date.

The rule in effect is- a person knows the IP their ISP granted them on the dates they were granted. They ask- do you have any records of me from these IPs on these dates.

Assuming Plausible keeps the record of salt by date, the answer is yes, we have records of you, because they can retrieve the salt, recreate the ID, and locate the records.

If they do not retain the salt, in contrast, they cannot respond to individual requests for their records and that would also imply they are not able to do day over day returning visitor calculations.

[markosaric]

Old salts are deleted to avoid the possibility of linking visitor information from one day to the next. So yes, there's no way for us to know whether the same person returns to a website on another day. See https://plausible.io/data-policy

[jefftk]

That is deterministic, but the key thing is that it is not reversible

[wizzwizz4]

Technically, you could enumerate all four billion IP addresses (multiplied by all common user agents) to reverse it. This is, however, prohibitively expensive for tracking, so I think it does the job.

[jaywalk]

Not without the salt, which they delete every day. Pretty much impossible.

[Nextgrid]

Is the salt key stored, or is it discarded?

[markosaric]

Old salts are deleted to avoid the possibility of linking visitor information from one day to the next. See https://plausible.io/data-policy

[kevincox]

Note that anything deterministic on IPs is reversible. There are only 4 billion IPv4 addresses so brute forcing is trivial.

It is more complicated for IPv6 but enough of the internet is IPv4 that you can't ignore that case.

[gspr]

Nitpick: if it's reversible, determinism doesn't matter.

[Nextgrid]

Yep indeed, deterministic isn't really the right word here. Reversibility is all that matters, although am I correct in saying that it would imply determinism?

[gspr]

> am I correct in saying that it would imply determinism?

I don't know, because neither "reversibility" nor "determinism" are precisely defined (this is not criticism of your comment in any way).

Here's one semi-reasonable interpretation of the two words for which reversibility would not imply determinism: Imagine a "process" (I, too, am being imprecise and calling this a "process" instead of a function) that takes as input an integer between 1 and 6 inclusive. Its output for the input n is a dice roll with a dice that is biased in favor of n, but is otherwise fair. Now, this is not a deterministic process, but if you are allowed to feed it the same input multiple times, you can probablistically reverse it.

Anyway, sorry for the tangent – your original point was the important one.

[donohoe]

The point to note here is "if". Happily, they (Plausible) don't.

[dbbk]

It's not reversible, it's hashed with a daily salt.