Caveat: security & privacy
6 November 2009 Comments Off on Caveat: security & privacy
This post is intended for the information of all users of this site. Its contents have been divided into three sections:
- internet browsers (ex. Chrome, Firefox, Internet Explorer, Opera, Safari)
- internet service providers (ex., here in Canada: Bell, Rogers, Shaw, Telus; and UBC’s “visitor” and “secure” services)
Last revised/updated: 2013-04-09.
1. INTERNET BROWSERS
- Internet Explorer:
- Safari privacy and security: including blocking cookies by default, accepting them only from sites you visit; a “do not track” feature; and a “remove all website data” feature (all in the “Privacy” panel, once you’re using Safari)
2. SERVICE PROVIDERS
2A. GENERAL LEGAL CONSIDERATIONS
All the service providers with which I am familiar and/or have dealings collect IP addresses. Some collect more information. This is usually part of your Terms Of Service: that is, the contract that you have entered into with your service provider; by which they provide you with a service, and in return you pay them money and do not engage in illegal behaviour. The collection of IP addresses is a legal measure, and (in theory etc.) a measure against criminal activities; be that preventative or for use in evidence if and when a crime has been committed, warrants issued, etc. “Legal” = applicable Canadian federal, provincial, and local laws and statutes, including:
- Criminal Code of Canada
- B.C. Civil Rights Protection Act
- B.C. Freedom of Information and Protection of Privacy Act
- B.C. Human Rights Act
There are legal limits to the collection, storage, use, and sharing of data: both personally-identifying data (your name, address, date of birth, photo, etc.) and IP addresses. Here in British Columbia, such activities are governed by the B.C. Freedom of Information and Protection of Privacy Act (FIPPA) and the Personal Information Protection Act (PIPA):
- Freedom of Information and Protection of Privacy Act [RSBC 1996] Chapter 165; this Act is current to March 13, 2013
- Personal Information Protection Act [SBC 2003] Chapter 63; this Act is current to March 13, 2013
- Office of the Information & Privacy Commissioner for British Columbia
- B.C. Ministry of Citizen’s Services and Open Government: Guide to the B.C. Freedom of Information and Protection of Privacy Act
In other jurisdictions, other laws apply.
2B. UBC IT
If you are at UBC and using either the UBC Visitor wireless network or the UBC Secure one (faculty, staff, students): UBC IT acts as an intermediary here, on behalf of an external service provider. At the time of writing, this was Telus. Use of the UBC internet service is subject to terms and conditions, in addition to the usual internet provider ones. This includes the recording of IP addresses and the tracking of internet use / websites visited. How this information is used, for how long it is kept, and its archiving are unknowns at the time of writing; for further information, please contact UBC IT directly. In the act of using UBC’s internet service(s), you have agreed to conditions of its use. (Tangential side-note: for linguists, philologists, and philosophers: this is conceptually/academically interesting.) In the words of UBC IT’s page on Appropriate Use—excerpts, as most of the rest of that page is intended for system administrators and others who run and maintain websites (such as O’Brien here, for her teaching sites on UBC Blogs and Connect)—:
Your acceptance is implicit in your use of Virtual Server Services. […]
The user bears the primary responsibility for the material that he or she chooses to access, send or display. The computer facilities may not be used in any manner which contravenes the above policies, laws or statutes.
Those who do not adhere to these guidelines may be subject to suspension of computing privileges.
From UBC IT’s page on Appropriate Use:
The computing and communications facilities and services provided by UBC are primarily intended for teaching, research, and administrative purposes. Their use is governed by all applicable University policies, including:
From UBC IT’s Information Security Office: Security Policies page and their Privacy page—University Policies #104 & #106 are the key items here—:
UBC Policy #104 Responsible Use of Information Technology Facilities and Services
This policy applies to faculty, staff and students and is intended for the general support of and to provide a foundation for responsible use of UBC’s information technology facilities.
UBC Policy #106 Access to and Security of Administrative Information Systems
This policy applies to the use [of] and access [to] Administrative Systems and Administrative Data by faculty, staff, and students.
Email and Privacy Legislation
View responses (PDF) to the questions that have been asked with respect to the Freedom of Information and Protection of Privacy Act (“FIPPA”) and email.
Learn more about Information and Privacy by visiting the Privacy section of the Office of the University Counsel
Some more on the terms of service/use for the UBC internet services:
- PDF of what scant and not particularly useful extra information is provided (further to policies #104 & 106) for UBCSECURE
- the UBC ResNet Service agreement
This site is hosted by WordPress. It is possible that WordPress may collect (limited) statistical data on views of this site. Further information follows below, cited verbatim from WordPress’s own documentation (last retrieved: 2013-04-09).
This site carries no advertisements; Juliet O’Brien personally pays filthy hard lucre every year for this “ad-free” premium.
- The email address used to create a blog
- The IP address from which the blog was created
- The date and time when a blog was created
- The IP addresses from which blog posts have been published
- The email and IP addresses of anyone who has left a comment on a blog
Most of the information here relates to people who administer sites and/or write them—i.e. Juliet O’Brien, for ex. writing this present post—and comment on them—ex. commenting on this present post. I have excerpted the information that pertains to other readers and users of a WordPress site; for the full version, please clink the underlined highlighted “legal guidelines” link above.
These guidelines are intended for lawyers or government officials who seek information about a WordPress.com user or action against a resource hosted on our network.
What User Information Does WordPress.com Track?
The verified information we collect is:
- The email address that is currently assigned to a site owner
- The IP address from which a site was created
- The date and time (UTC) at which a site was created
- The PayPal transaction information for any upgrades that are purchased for a site (this does not include credit card, bank account, or address information)
- IP address and user-agent for any post or revision on a site
- Email address and IP address for any comment posted on a site
Before revealing any of this information to a party that is not the owner of the account, we require either a validly issued subpoena, warrant or court order that specifically requests it. More information on our requirements for releasing private user information can be found below. […]
NB: please note that IP addresses and other non-personally-identifying information is only collected for people writing on a site: i.e. Juliet O’Brien and any commenters.
For people visiting, viewing, and reading the site, the following information is collected: the browser type, language preference, referring site, and the date and time of each visitor request.
As before, I have excerpted information pertaining to “passive” site visitors: you, gentle reader.
Your privacy is critically important to us. At Automattic we have a few fundamental principles:
- We don’t ask you for personal information unless we truly need it. (We can’t stand services that ask you for things like your gender or income level for no apparent reason.)
- We don’t share your personal information with anyone except to comply with the law, develop our products, or protect our rights.
- We don’t store personal information on our servers unless required for the on-going operation of one of our services.
- In our blogging products, we aim to make it as simple as possible for you to control what’s visible to the public, seen by search engines, kept private, and permanently deleted.
If you have questions about deleting or correcting your personal data please contact our support team.
Automattic Inc. (“Automattic”) operates several websites including automattic.com, wordpress.com, gravatar.com,intensedebate.com, and akismet.com. It is Automattic’s policy to respect your privacy regarding any information we may collect while operating our websites.
Like most website operators, Automattic collects non-personally-identifying information of the sort that web browsers and servers typically make available, such as the browser type, language preference, referring site, and the date and time of each visitor request. Automattic’s purpose in collecting non-personally identifying information is to better understand how Automattic’s visitors use its website. From time to time, Automattic may release non-personally-identifying information in the aggregate, e.g., by publishing a report on trends in the usage of its website.
Automattic also collects potentially personally-identifying information like Internet Protocol (IP) addresses for logged in users and for users leaving comments on WordPress.com blogs. Automattic only discloses logged in user and commenter IP addresses under the same circumstances that it uses and discloses personally-identifying information as described below, except that blog commenter IP addresses are visible and disclosed to the administrators of the blog where the comment was left.
Gathering of Personally-Identifying Information
Certain visitors to Automattic’s websites choose to interact with Automattic in ways that require Automattic to gather personally-identifying information. The amount and type of information that Automattic gathers depends on the nature of the interaction. For example, we ask visitors who sign up for a blog at WordPress.com to provide a username and email address. Those who engage in transactions with Automattic – by purchasing access to the Akismet comment spam prevention service, for example – are asked to provide additional information, including as necessary the personal and financial information required to process those transactions. In each case, Automattic collects such information only insofar as is necessary or appropriate to fulfill the purpose of the visitor’s interaction with Automattic. Automattic does not disclose personally-identifying information other than as described below. And visitors can always refuse to supply personally-identifying information, with the caveat that it may prevent them from engaging in certain website-related activities.
NB: this present site has been set up so that there are no such “website-related activities” that require someone to provide any such information, with one exception: contacting the ERS, leaving general comments on the virtual feedback form, and subscribing to automatized updates. On all of which, see: About the Cluster.
NB: please note that this means that WordPress does record IP addresses for all users, including all readers: from occasional visitors to regulars…
An IP address is your address on the internet and is used to route all traffic between your computer and the websites and other internet services that you use. When you use WordPress.com we record your IP address, whether you are adding a post, a comment, or just reading an article.