Privacy Policy
With much discussion, FUD and concern about GDPR and the Right to Privacy on the Internet, I thought it appropriate to set out the steps I’ve taken on this site to maximise the privacy of people who choose to visit my little corner of the internet. This isn’t a legal document, more a note of the technical choices I’ve made and implemented here, and I hope that someone finds it all useful.
Cookies and Tracking
This site does not use cookies, nor does it attempt to fingerprint users in any way.
Log files
All logs are anonymized, using the following regex and log_format in nginx.conf
map $remote_addr $anon_remote_addr {
~(?P<ip>\d+\.\d+)\. $ip.0.0;
~(?P<ip>[^:]+:[^:]+): $ip::;
default 0.0.0.0;
}
log_format combined_anon '$anon_remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_user_agent"';
As a result, all ip addresses in the logs just show the first two bytes of an ipv4 address, and the first two hextets of an ipv6 address’ Global Prefix. In addition, all log files are deleted after 10 days. I chose 10 days as this is the logging level used by the EFF’s DNT Guide.
Data Transfer
This site exclusively serves all data over the HTTPS protocol, encrypting all data between the browser and the server. Your network provider will still be able to see that you are downloading data from ascraeus.org, but they will not be able to see the content.
Do Not Track
If your browser’s Do Not Track flag is set, then this site doesn’t log your visit at all. In addition, this site uses the LetsEncrypt Certificate Authority, which is itself DNT-compliant and does not log your browser checking the validity of this site’s HTTPS certificate.
Analytics
This site does not use any analytics, at all. The reasons why are better set out in this post of mine: Tracks in the Dust.
Referrer Header
This site’s webserver, nginx, has been configured to set a Referrer Policy Header as follows (again, in nginx.conf
):
##
# Referrer Policy
##
add_header Referrer-Policy "no-referrer";
This means that any time you follow a link to an external site from this one, that external site does not know that you have arrived there from here. This is a simple improvement to privacy on the internet which is trivial to implement.
Webmentions
When you send a webmention to this site, you are explicitly providing metadata in your site’s markup, and this information is used to display your comment/reply on this site. This information consists of:
- Your name, or username
- A profile picture or avatar, if you have set one on your site
- The url of your site, and the specific url of your comment/reply
- The content of your comment/reply
All of this is information made public by you, and no information other than information you have made public can be captured by this process.
GDPR
It is my position that all activity on this site is covered by the general exemption of Article 2 (2)© of the GDPR, and by the specific conception of inapplicability contained in Recital 18.2: Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. This is a personal website, an attempt by me to maintain and control my online identity and presence outside the silos and walled gardens of avaricious corporate entities; there is no advertising here, no tracking, no cookies, no corporation.
That said, the principles of natural persons’ rights which underline the GDPR are good ones, and are to be welcomed. As a result, if you wish to obtain information about any data about you which this site might hold, then please make contact, and I shall make every attempt to assist you. Likewise, if you wish to have anything shown on this site, which you regard as personal information, deleted, then please make contact and I shall endeavour to assist you as much as possible. If you are a citizen of the European Union, then you are entitled to register a complaint with your national Data Protection Authority.