October 28, 2025

Mask on? GDPR says mask off

Article URL →HN comments →

Why IP address truncation fails at anonymization

GDPR says your “masked” IP still points at you — the comments are chaos

TLDR: Regulators say chopping off IP bits doesn’t make people anonymous, so truncated addresses still count as personal data. Comments erupted: some cite audits saying the opposite, others accuse the post of AI vibes and call out that a reversible method is pseudonymization, not true privacy—buyers beware.

The post declares the popular trick of chopping off the end of an IP address isn’t real privacy, because regulators say truncated IPs are still personal data. Cue the fireworks: engineers vs compliance officers flooded the thread. One dev bragged a big telecom audit told them the opposite, basically yelling, “My paperwork beats your law!” Meanwhile, privacy nerds dragged the article for skipping K-anonymity, and the vibe turned spicy fast.

The tech crowd roasted any “easy fix.” One commenter suspected the author’s anti-HMAC stance was written by a robot, while another slammed the piece for pushing a reversible scheme (IPCrypt) and then calling it anonymization. If you can undo it, it’s not anonymous became the catchphrase. Meme-watch: “GDPR police pulled over your /24,” “masking vs mask-off,” and “IPv6 is a crime scene” were the mood.

Under the drama: the article says small company networks, timestamped logs, and public ISP data make “masked” IPs trivially traceable. Fans of hashing and HMAC argued you don’t need reversibility; critics shot back that vendors selling “GDPR-safe truncation” are selling vibes, not privacy. Verdict from the comments? No silver bullets, lots of side-eye at anyone claiming one.

Key Points

  • The article states that truncated IP addresses remain personal data under GDPR and do not achieve anonymization.
  • European regulators (CNIL, Garante, Austrian DPA) have ruled that truncated IPs can still identify individuals, especially when combined with other data.
  • IPv4 truncation (e.g., /24) can still reveal organization, ISP, and location via public data like WHOIS, enabling re-identification with timestamps.
  • Small subnets and limited active users mean truncation may not meaningfully increase anonymity within an organization’s allocated network.
  • IPv6 truncation is described as worse due to lack of standardization and retention of large identifying prefixes (e.g., /64, /48).

Hottest takes

“Was as part of a security audited by [insert big Japanese telecom] where the exact opposite was stated” — FrostKiwi
“Is it perhaps an AI-generated list of ‘reasons for not choosing HMAC’?” — probably_wrong
“If it’s reversible, it’s not anonymization, it’s pseudonymization” — invaliduser

Save News

Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.