Re: Privacy policy for Tux Paint; ideas?

From: Javier Fernandez-Sanguino <jfs(at)debian(dot)org>
To: Roger Dingledine <arma(at)mit(dot)edu>
Cc: spi-general(at)lists(dot)spi-inc(dot)org
Subject: Re: Privacy policy for Tux Paint; ideas?
Date: 2016-12-08 08:36:20
Message-ID: CAB9B7UucsTL6AW2BWpqbp69-=j+GGA-5nG=Da3+yfL4pRghP7g@mail.gmail.com
Lists: spi-general

On 8 December 2016 at 06:49, Roger Dingledine <arma(at)mit(dot)edu> wrote:

> Careful! Bill said the website doesn't require logins or the like,
> and Josh summarized that for him as the website does not collect any
> user-identifying information. If I read this privacy policy and then
> later learned that the tuxpaint website collects default apache logs,
> with IP address and user-agent and so on, I might be pretty upset.
>

Agreed.

> You might argue that IP addresses aren't user-identifying, and you'll
> find judges in the US who agree with you, but you'll find judges in
> Europe who do not agree.
>

I thought I might chime in and give a "Europe" perspective which might, or
might not, apply to TuxPaint. Since TuxPaint (the service) is provided from
the US this might or might not apply, but maybe the information I provide
here is useful. Please bear with me and keep in mind that IANAL :)

*European Data Protection directive*

In Europe, the data protection directive, which entered into force this year
but will not be fully applicable until 2018 [1], defines personal data as:

‘personal data’ means any information relating to an identified or
identifiable natural person (‘data subject’); an identifiable natural
person is one who can be identified, directly or indirectly, in particular
by reference to an identifier such as a name, an identification number,
location data, an online identifier or to one or more factors specific to
the physical, physiological, genetic, mental, economic, cultural or social
identity of that natural person;

Note: This definition already exists in the data protection directives
(in different countries) that this directive will replace.

*Is an IP address personal data?*

The most important part of the definition is that the data can "identify or
be used to identify" somebody. A license plate of a car, for example, is
considered personal data in most cases (unless it is a company car). So is a
telephone number (because there is a contract signed by somebody that
"ties" to that number). Following that thread, an IP address has been
considered personal data by Data Protection Agencies in the past. For
example, see this note [3] (in Spanish only, sorry) from the Spanish Data
Protection Agency which states that an IP address *is* personal data
because in many cases it can be used to identify persons.

Note that the possibility of identifying a person does not have to stay in
the hands of the one holding the data itself. You could argue: "hey, I
have an IP address in a log but there is no way that I can determine who it
is". That is not relevant: the definition does not say that the service
provider can use it to tie it to somebody; an IP address is personal data
because somebody (i.e. the Internet Service Provider) can use that data to
make you identifiable.

I do not want to start a debate on whether or not an IP address is personal
data, I just want to highlight that a lawyer and a judge might consider it
personal data and, consequently, somebody could pursue a service provider
on the basis of it holding this information.

*Privacy Policy for Tuxpaint*

Consequently, for Tux Paint's website I would suggest describing in the
privacy policy what technical information is stored (if any) as a
consequence of website use.

In addition, you also have to consider TuxPaint as a "service provider" and
define a privacy policy that takes into consideration some other aspects of
the project. Not just the website, maybe also the mailing lists and other
means of contacting the project (i.e. email).

I would suggest googling a little bit for "privacy policy" in different
projects/websites and looking into how others have defined their website's
privacy policies.

I have done this (5 minutes, not much) and looked at some privacy policies
of websites of some EU sites. Maybe something along these lines could be
useful (or not):

PRIVACY POLICY

We respect the privacy of internet users and visitors to our website. As a
matter of principle, we do not collect, store or exploit personally
identifiable information of our visitors, unless the storage is for the
processing of necessary direct assignments or enquiries, and explicit
consent for utilisation and storage exists. Enquiries that reach us through
the voluntary stating of name, address and/or e-mail are deemed to be
approval of the storage of the data. On no account will personally
identifiable information be made available to a third party.

[INSERT Contact information from New Breed Software, For example the
following:
NewBreed Software
1335 Alder Place, Davis (California)
US 95618
info(at)newbreedsoftware(dot)com ]

Cookies

Our website does not make use of so-called cookies in order to recognize
repeat use of our website by the same user/internet connection subscriber.

Server data

For technical reasons, data such as the following, which your internet
browser transmits to us or to our web space provider (so called server log
files), is collected:
- type and version of the browser you use
- operating system
- websites that linked you to our site (referrer URL)
- websites that you visit
- date and time of your visit
- your Internet Protocol (IP) address
This anonymous data is stored separately from any personal
information you may have provided, thereby making it impossible to connect
it to any particular person. The data is used for statistical purposes in
order to improve our website and services.

MAILING LIST

Our website offers you the opportunity to subscribe to our mailing list.
The mailing list provides you periodically with information about TuxPaint.
To receive our newsletter, we require a valid email address. We will review
the email address you provide for the purpose of determining whether you
are in fact the owner of the email address provided or whether the actual
owner of said address is authorized to receive the newsletter. When
subscribing to our mailing list, we will store your IP address as well as
the date and time you subscribed. This serves to protect us in the event a
third party improperly and without your knowledge makes use of your email
address to subscribe to our newsletter. We will not collect any other data.
The data thereby collected is used solely for the purpose of receiving our
mailing list. No data is transferred to third parties. Nor is any of this
information matched to any information that other components of our website
may collect. You may cancel your subscription to the mailing lists at any
time. You will find additional details in the email confirming your
subscription as well as in each mailing list.

Contacting Us

On our website we offer you the opportunity to contact us, either by email
and/or by using a contact form. In such event, information provided by the
user is stored for the purpose of facilitating communications with the
user. No data is transferred to third parties. Nor is any of this
information matched to any information that may be collected by other
components of our website.

Information/Cancellation/Deletion

On the basis of the European Data Protection Rules (Regulation (EU)
2016/679 / Directive (EU) 2016/680), and the Data Protection laws of the
different EU countries, you may contact us at no cost if you have questions
relating to the collection, processing or use of your personal information,
if you wish to request the correction, blocking or deletion of the same, or
if you wish to cancel explicitly granted consent. Please note that you have
the right to have incorrect data corrected or to have personal data
deleted, where such claim is not barred by any legal obligation to retain
this data.

Note:
- Of course, this should be adapted to TuxPaint a little bit better.
- Even if the website is configured to not store IP address I would still
highlight the possibility to store that information.

> I guess you might also think "he said the website, not the webserver",
> but I hope we'd conclude that's still problematic.
>

For non-IT guys, it's the same thing. The regulation does not talk about
technical components; EU regulation talks about "service providers". Those
are the ones that are responsible for managing personal data properly and
it includes all their services, not just the website itself.

I hope the above is useful food for thought.

Best regards

Javier

[1] http://ec.europa.eu/justice/data-protection/reform/index_en.htm
[2] http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf - Article 4
[3] https://www.agpd.es/portalwebAGPD/canaldocumentacion/informes_juridicos/otras_cuestiones/common/pdfs/2003-0327_Car-aa-cter-de-dato-personal-de-la-direcci-oo-n-IP.pdf
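The "Server data" paragraph of the draft policy above, and Javier's note that the site might be "configured to not store IP address", both turn on what actually ends up in the web server's log files. The following is an added example, not code from this thread, from Tux Paint or from New Breed Software: a small Python filter that rewrites Apache "combined" format log lines so that the client address is truncated to a network prefix (/24 for IPv4, /48 for IPv6) before the line is retained. The prefix lengths, the sample log lines and the decision to keep the user-agent field (the draft policy lists browser type and version as retained for statistics) are assumptions made for this example. Prefix truncation lowers, but does not remove, the chance that a line can be tied to a person, which is exactly the point made earlier in the message about who is able to do the identifying.

```python
import ipaddress
import re

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.42 - - [08/Dec/2016:08:36:20 +0000] "GET /tuxpaint/ HTTP/1.1" 200 5120 "https://example.org/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/50.0"
2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [08/Dec/2016:08:37:01 +0000] "GET /tuxpaint/docs/ HTTP/1.1" 200 2048 "-" "curl/7.50.1"
not-an-ip - - [08/Dec/2016:08:38:00 +0000] "GET / HTTP/1.1" 400 0 "-" "-"
"""

# Combined log format:
#   host ident authuser [date] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def mask_ip(host, v4_prefix=24, v6_prefix=48):
    """Truncate an address to a network prefix (assumed /24 and /48 here)
    so the stored value no longer singles out one subscriber."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # The host field is not a parsable address: drop it rather than keep
        # an unknown token that might itself be identifying.
        return "0.0.0.0"
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def anonymize_line(line):
    """Return the log line with a truncated client address, or None if the
    line is not in combined format (the caller decides what to do with it)."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["host"] = mask_ip(fields["host"])
    # Browser type/version stays, as the draft policy says it is retained;
    # referer, request, date and status are untouched as well.
    return ('{host} {ident} {user} [{time}] "{request}" {status} {size} '
            '"{referer}" "{agent}"').format(**fields)


def anonymize_log(text):
    """Filter a whole log text; lines that do not parse are discarded."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rewritten = anonymize_line(line)
        if rewritten is not None:
            out.append(rewritten)
    return out


if __name__ == "__main__":
    for rewritten in anonymize_log(SAMPLE_LOG):
        print(rewritten)
```

Run as a filter on the raw log before it is written to long-term storage (for example from a log rotation hook), so that the full address never reaches the retained copy; the same function can be pointed at existing archived logs to bring them into line with whatever the final policy promises.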
