Recipe: PII redaction policy + implementation

Strip personally identifiable information from telemetry and logs before they leave the endpoint. Policy-first, code-second.

Policy

  1. Never collect raw IPs, MACs, machine SIDs, or BIOS UUIDs in plaintext.
  2. Hash all hardware-derived identifiers with HMAC-SHA256 before transmission.
  3. Redact usernames, hostnames, and file paths from crash dumps client-side.
  4. Audit every telemetry field against this policy in code review.

Implementation sketch

// C++ loader-side redaction before telemetry flush
// Assumes libsodium (HMAC-SHA256, memzero) and Win32 (GetUserNameW).
// TelemetryPacket, GetHardwareFingerprint and DeriveSessionKey are the
// loader's own; hwid is expected to be 32 bytes, crash_path a wchar_t array.
#include <sodium.h>
#include <windows.h>
#include <cstdint>
#include <string>

void GetHardwareFingerprint(uint8_t raw[32]);
void DeriveSessionKey(uint8_t key[32]);

void RedactTelemetry(TelemetryPacket& pkt) {
  // Replace raw HWID with HMAC-SHA256(session key, fingerprint)
  uint8_t raw[32];
  GetHardwareFingerprint(raw);
  uint8_t key[32];
  DeriveSessionKey(key);
  crypto_auth_hmacsha256(pkt.hwid, raw, sizeof(raw), key);
  // Wipe the raw fingerprint and key so neither outlives this call
  sodium_memzero(raw, sizeof(raw));
  sodium_memzero(key, sizeof(key));

  // Strip every occurrence of the username from the crash path (NTFS paths
  // are case-insensitive, so a case-folded find may be needed in practice).
  // GetUserNameW returns len including the terminating NUL, so the span to
  // replace is len - 1.
  wchar_t user[256];
  DWORD len = 256;
  if (!GetUserNameW(user, &len) || len < 2) return;
  const std::wstring mask = L"<REDACTED>";
  std::wstring path = pkt.crash_path;
  for (size_t pos = path.find(user); pos != std::wstring::npos;
       pos = path.find(user, pos + mask.size()))
    path.replace(pos, len - 1, mask);
  wcscpy_s(pkt.crash_path, path.c_str());
}

Verification

Run the telemetry payload through a regex audit before every release. Flag any field matching IPv4/IPv6 patterns, SID structures, or UNC paths. The CI pipeline fails if a new unredacted field is introduced.
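The release-time audit described above, as an added Python example (not the recipe's or the loader's own code). It walks a decoded telemetry payload, flags strings matching IPv4/IPv6, SID, MAC or UNC patterns, and returns a non-zero exit status so a CI step can fail the build. The two sample packets and their field names are constructed for the example; IP candidates are confirmed with the standard ipaddress module so timestamps and version strings are not reported.

```python
"""Regex audit for a telemetry payload before release.

Added example for this recipe, not the loader's own code. It flags fields
that still carry IPv4/IPv6 addresses, Windows SIDs, MAC addresses or UNC
paths, and exits non-zero so a CI step can fail the build.
"""
from __future__ import annotations

import ipaddress
import json
import re
import sys
from collections.abc import Iterator
from typing import Any

# Candidate patterns. IP candidates are confirmed with ipaddress so that
# timestamps ("12:34:56") and version strings ("10.0.19041.1") are not flagged.
PATTERNS = {
    "ipv4": re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])"),
    "ipv6": re.compile(r"(?<![\w:])[0-9A-Fa-f]{0,4}(?::[0-9A-Fa-f]{0,4}){2,7}(?![\w:])"),
    "sid": re.compile(r"\bS-1-\d+(?:-\d+){1,14}\b"),
    "mac": re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b"),
    "unc": re.compile(r"\\\\[^\\\s/]+\\[^\\\s/]+"),
}


def _confirm(kind: str, token: str) -> bool:
    """Reject IP candidates that matched the regex but are not real addresses."""
    if kind in ("ipv4", "ipv6"):
        try:
            ipaddress.ip_address(token)
        except ValueError:
            return False
    return True


def _strings(node: Any, path: str = "$") -> Iterator[tuple[str, str]]:
    """Yield (json-path, value) for every string in the decoded payload."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _strings(value, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def audit_payload(payload: Any) -> list[tuple[str, str, str]]:
    """Return (field, kind, match) for every unredacted identifier found."""
    findings = []
    for field, text in _strings(payload):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(text):
                if _confirm(kind, m.group(0)):
                    findings.append((field, kind, m.group(0)))
    return findings


# Constructed sample packets (field names are hypothetical).
LEAKY_PACKET = {
    "hwid": "S-1-5-21-1111111111-2222222222-3333333333-1001",
    "net": {"src": "192.168.1.20", "link": "fe80::1", "mac": "00:1A:2B:3C:4D:5E"},
    "crash_path": r"\\fileserver\share\dumps\alice\app.dmp",
    "build": "10.0.19041.1",  # version string, must not be flagged
    "ts": "12:34:56",         # timestamp, must not be flagged
}
CLEAN_PACKET = {
    "hwid": "0123456789abcdef" * 4,  # HMAC-SHA256 hex digest in place of the raw HWID
    "net": {"src": "<REDACTED>", "link": "<REDACTED>", "mac": "fedcba9876543210" * 4},
    "crash_path": r"C:\Users\<REDACTED>\app.dmp",
    "build": "10.0.19041.1",
    "ts": "12:34:56",
}


def main(argv: list[str]) -> int:
    """CI entry point: audit a JSON payload file (or the leaky sample)
    and return 1 on any finding."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            payload = json.load(fh)
    else:
        payload = LEAKY_PACKET
    findings = audit_payload(payload)
    for field, kind, match in findings:
        print(f"UNREDACTED {kind:<4} in {field}: {match}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the decoded payload rather than the raw JSON text: JSON escaping doubles every backslash, which would hide UNC prefixes from the pattern. Pin the script in the release pipeline so a new field that leaks a raw identifier turns the build red.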