IPFS and GDPR/CPRA compliance

What about the peer ID? Does it count as personal data under GDPR?

The Peer ID is created when the IPFS node is initialized and is essentially a cryptographic hash of the node’s public key.

On a broader note, I am wondering how GDPR applies at all when it comes to collecting data when every user is a host and not the company itself.

I surely understand that the developer is responsible for the legal matter of activity on the app, but when it comes to data, everybody owns a replica of everything, whereas GDPR was created based on the premise that the company owns the data.

IPFS leaks a fair amount of information:

  • Your peer ID is persistent, by default.
  • IPFS discovers and advertises your addresses. You’d want to run your IPFS node inside a container (or, even better, a VM) that only knows about the VPN interface.
  • The content stored by a node can be used to fingerprint it.
  • DHT records stored by a node can definitely be used to fingerprint it.

Does that mean that by just using IPFS itself to host your app you are already liable for this information even if you don’t use it in your app?

While a long string of letters and numbers may not be a “Johnny Appleseed” level of human-readable specificity, your PeerID is still a long-lived, unique identifier for your node. Keep in mind that it’s possible to do a DHT lookup on your PeerID and, particularly if your node is regularly running from the same location (like your home), find your IP address.

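Added example, not part of the thread or of any IPFS code base: how a peer ID is derived from a node's public key under the libp2p peer ID encoding, showing why it stays the same for as long as the key does. The function names and the key bytes are constructed for illustration. Under that encoding, a serialized key of 42 bytes or fewer (Ed25519) is embedded as-is rather than hashed, so the public key can be read back out of the ID.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58encode(data: bytes) -> str:
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    # each leading zero byte is written as a literal "1"
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out

def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")

def serialize_ed25519(pub: bytes) -> bytes:
    """Protobuf PublicKey message: Type = Ed25519 (1), Data = 32 raw key bytes."""
    if len(pub) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    return b"\x08\x01\x12\x20" + pub

def peer_id(serialized_key: bytes) -> str:
    """Multihash of the serialized key, base58btc encoded."""
    if len(serialized_key) <= 42:
        # "identity" multihash: the key itself is embedded, not hashed
        mh = b"\x00" + bytes([len(serialized_key)]) + serialized_key
    else:
        # larger keys (e.g. RSA): sha2-256 multihash, the familiar "Qm..." form
        mh = b"\x12\x20" + hashlib.sha256(serialized_key).digest()
    return b58encode(mh)

def embedded_ed25519_key(pid: str):
    """Return the raw public key carried inside an identity-hash peer ID, else None."""
    raw = b58decode(pid)
    if len(raw) == 38 and raw[:6] == b"\x00\x24\x08\x01\x12\x20":
        return raw[6:]
    return None

if __name__ == "__main__":
    # Constructed stand-ins for key material, not real node keys.
    old_key = hashlib.sha256(b"constructed key A").digest()
    new_key = hashlib.sha256(b"constructed key B").digest()
    pid = peer_id(serialize_ed25519(old_key))
    print("same key, same ID:  ", pid == peer_id(serialize_ed25519(old_key)))
    print("key recoverable:    ", embedded_ed25519_key(pid) == old_key)
    print("rotated key, new ID:", pid != peer_id(serialize_ed25519(new_key)))
```

Nothing here consults the network: the ID is a pure function of the key, so a node keeps its identifier across restarts and address changes until the key is replaced.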