Skip to content

PII logged in plaintext at DEBUG level across all services in production #196

New issue
New issue
Open
Open
PII logged in plaintext at DEBUG level across all services in production#196
Labels
bugSomething isn't workingsecurity
@rubin110

Description

@rubin110
rubin110
opened on Mar 22, 2026

All 16 services have dhs_logging.py hardcoded to level=logging.DEBUG, and there is no mechanism to change the log level per environment. This means production logs contain full member PII in plaintext.

Critical: Birthday data

Birthday/date of birth is highly sensitive PII and must never appear in production logs. It is currently logged in:

  • code/DHMemberPortal/app.py:213logger.debug(f"Identity data to be sent for signup: {identity_data}") (identity_data contains birthday)
  • code/DHService/v1.py:157logger.debug(f"In update_member_identity with {data}") (data contains birthday)
  • code/DHService/db.py:189logger.debug(f"Adding/updating member identity: {identity_dict}") (identity_dict contains birthday)

Other PII that should be redacted

The following are also logged in full via debug-level data dumps across DHService, DHMemberPortal, and DHAdminPortal:

  • ID check fields (id_check_1, id_check_2 in forms data) — may contain information from a member's government-issued ID
  • Email addresses — should be redacted in logs (e.g. ro**@example.com)
  • Phone numbers — logged via connections data
  • Full names — logged via identity data

Affected log statements

DHMemberPortal app.py (signup flow, lines 212-220):

  • Logs all 8 data sections (identity_data, connections_data, status_data, forms_data, notes_data, access_data, authorizations_data, extras_data) in full

DHService v1.py (every POST endpoint, lines 157-295):

  • Logs full {data} payload on every update: identity, connections, status, forms, access, extras, notes, authorizations

DHService db.py:189:

  • Logs full identity dict on insert/update

Suggested remediation

  1. Make LOG_LEVEL configurable via environment variable (defaulting to INFO in production, DEBUG in dev)
  2. Remove or redact PII from debug log statements — birthday should never be logged at any level, other fields should show only partial values (e.g. first 2 characters of email, masked phone)
  3. Consider a log sanitizer utility that can be applied consistently across services

Related

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't workingsecurity

    Type

    No type

    Projects

    Deep Harbor Roadmap

    Status

    Backlog

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions