From: Roger Dingledine <arma(at)mit(dot)edu>
To: spi-general(at)lists(dot)spi-inc(dot)org
Subject: Re: Privacy policy for Tux Paint; ideas?
Date: 2016-12-08 05:49:12
Message-ID: 20161208054912.GK10158@moria.seul.org
Lists: spi-general

On Wed, Dec 07, 2016 at 10:27:37AM -0800, Josh berkus wrote:
> On 12/07/2016 09:23 AM, Bill Kendrick wrote:
> > [...] the tuxpaint.org
> > website does not have any kind of user accounting (login, forums,
> > cloud storage, etc.) [...]
>
> Then that's your privacy policy:
>
> "The Tux Paint website does not collect or store any user-identifying
> information. The Tux Paint program does not communicate any user
> information online."
Careful! Bill said the website doesn't require logins or the like,
and Josh summarized that for him as the website does not collect any
user-identifying information. If I read this privacy policy and then
later learned that the tuxpaint website collects default apache logs,
with IP address and user-agent and so on, I might be pretty upset.
You might argue that IP addresses aren't user-identifying, and you'll
find judges in the US who agree with you, but you'll find judges in
Europe who do not agree.
I guess you might also think "he said the website, not the webserver",
but I hope we'd conclude that's still problematic.
Rather than trying to craft language to explain webserver log risks,
one solution would be to change the webserver config so it doesn't
keep scary logs, and then stick with Josh's text. For example, on the
Tor webservers we use a modified log format that writes 0.0.0.0 for
requests that arrive over http and 0.0.0.1 for requests over https,
and rounds down the timestamp to midnight. For example:
0.0.0.1 - - [04/Dec/2016:00:00:00 +0000] "GET /robots.txt HTTP/1.0" 200 23 "-" "-" -
The apache config line we use to generate it is:
LogFormat "0.0.0.0 - %u %{[%d/%b/%Y:00:00:00 %z]}t \"%r\" %>s %b \"%{Referer}i\" \"-\" %{Age}o" privacy
and then you use it with a line in your VirtualHost stanza like
CustomLog /var/log/apache2/$name-access.log privacy
For more motivation, see
http://seclists.org/nmap-announce/2004/16
You might think tuxpaint doesn't need to provide this sort of security
for its users -- and indeed I would hope that tuxpaint would be pretty
far down the "first they came for" list -- but these are trying times
we're living in, and you never know when things will change, so keeping
your users safe by default is good practice.
Hope this helps,
--Roger
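An added example, not part of Roger's message or of the Tor webservers' configuration: a Python filter that applies the same scrubbing to access logs already written in Apache's "combined" format, for sites that adopt the privacy LogFormat and also want to sanitize their existing log history. It assumes an https VirtualHost uses a second LogFormat that writes 0.0.0.1 (the message shows only the 0.0.0.0 line), and writes "-" for the Age header, which an old combined-format line does not carry. Sample lines are constructed.

```python
import re
import sys
from datetime import datetime

# Apache "combined" format:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
COMBINED = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def privatize(line, https):
    """Rewrite one combined-format line the way the 'privacy' LogFormat would.

    - client IP becomes 0.0.0.0 (http) or 0.0.0.1 (https): only the scheme survives
    - ident (%l) is dropped to '-', the authenticated user (%u) is kept
    - the timestamp is rounded down to midnight, keeping the timezone offset
    - the User-Agent is replaced by '-'
    - the Age response header (%{Age}o) is not in an old line, so '-' (assumption)
    Raises ValueError on a line that does not parse, so nothing slips through unscrubbed.
    """
    m = COMBINED.match(line.rstrip("\n"))
    if m is None:
        raise ValueError("not a combined-format line: %r" % line)
    ts = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")
    day = ts.strftime("%d/%b/%Y") + ":00:00:00 " + ts.strftime("%z")
    host = "0.0.0.1" if https else "0.0.0.0"
    return '%s - %s [%s] "%s" %s %s "%s" "-" -' % (
        host, m["user"], day, m["request"], m["status"], m["size"], m["referer"])


# Constructed sample: one https request, as a default Apache log would record it.
SAMPLE_HTTPS = ('203.0.113.7 - - [04/Dec/2016:17:42:09 +0000] '
                '"GET /robots.txt HTTP/1.0" 200 23 "-" "Mozilla/5.0 (X11; Linux x86_64)"')


if __name__ == "__main__":
    # Usage: python privatize_log.py [http|https] < access.log > access-privacy.log
    scheme_https = len(sys.argv) > 1 and sys.argv[1] == "https"
    for raw in sys.stdin:
        print(privatize(raw, scheme_https))
```

Scrubbing the sample line yields exactly the record shown in the message above, which is a quick check that a hand-written LogFormat and this filter agree on the output format.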