by curryst 1845 days ago
> Did any one of these 10 IP addresses view the article in the time period? Much more specific and likely easier to justify.

It is, but it also leaks information. Now people know you're looking at those IP addresses. If you were going to leak that, a major news outlet is probably not the place you want it to leak to.

You might be right and it might be an easy cover for a fishing expedition, but it doesn't seem inherently malicious on its face.

They could hash them if that really was the problem.
That's only 4 billion hashes to search the entire IPv4 address space. I don't think the entire search space is big enough for that really to provide much privacy while still being functional. Whatever you put in the way, that's somewhere in the neighbourhood of cracking a 6 character lowercase+number password.
But this is a rare case where you can use a derivation-extension function like PBKDF2 to make the hashing take practically any amount of time you want. You could probably make each run take a full minute on USA Today's hardware and still have your results in a reasonable amount of time.
How about adding a salt? Check your records and if sha256([salt] + [ipaddress]) matches this hash, let us know. Where salt is a long random string.
You could still enumerate every option in practically no time.
Oh yes, you are right. Obviously, do not hire me for any kind of information security. Lol.
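The hashing sub-thread above, as an added example that is not part of any comment: a salt the recipient must be given to check its own logs does not shrink the search, and key stretching only raises the cost per guess. The sample addresses, the salt, and the 1 microsecond per hash figure are constructed assumptions.

```python
import hashlib
import ipaddress
import os

IPV4_SPACE = 2 ** 32  # every possible IPv4 address


def salted_hash(salt: bytes, ip: str) -> str:
    """sha256(salt + ip), the scheme proposed in the thread."""
    return hashlib.sha256(salt + ip.encode()).hexdigest()


def stretched_hash(salt: bytes, ip: str, iterations: int) -> str:
    """PBKDF2-HMAC-SHA256 variant: same input space, higher cost per guess."""
    return hashlib.pbkdf2_hmac("sha256", ip.encode(), salt, iterations).hex()


def recover(salt: bytes, digests: set, network: str) -> dict:
    """Enumerate one network and map each matching digest back to its IP.

    The recipient needs the salt to check its own logs, so anyone who
    sees the request can run this same loop.
    """
    found = {}
    for addr in ipaddress.ip_network(network):
        d = salted_hash(salt, str(addr))
        if d in digests:
            found[d] = str(addr)
    return found


def full_scan_years(seconds_per_hash: float) -> float:
    """CPU-years to hash the whole IPv4 space at a given cost per hash."""
    return IPV4_SPACE * seconds_per_hash / (365 * 24 * 3600)


if __name__ == "__main__":
    salt = os.urandom(32)  # constructed: a "long random" salt
    # Constructed sample addresses from a private (RFC 1918) range.
    secret_ips = ["10.20.3.7", "10.20.200.41"]
    digests = {salted_hash(salt, ip) for ip in secret_ips}
    print(recover(salt, digests, "10.20.0.0/16"))
    # Assumed rate of 1 microsecond per plain SHA-256 on one core.
    print(f"1 us/hash: {full_scan_years(1e-6) * 365 * 24:.1f} hours for all of IPv4")
    print(f"60 s/hash: {full_scan_years(60):.0f} CPU-years for all of IPv4")
```

The enumeration is limited to a /16 so it finishes in under a second; the full-space figures are computed rather than run.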
Subpoenas leak IP addresses all the time. It's not a big deal if the org being subpoenaed isn't a suspect.
Maybe a technique like "give us the IPs that start with xxxxx" would be a compromise between the two?
That is not a compromise, it's giving away information about people who read an article.