Please consider providing a Privacy Policy

[o-]

While reading https://www.qubes-os.org/news/2016/01/14/qubes-counter/ I couldn't help but wonder about the fact that you seem to retain PII of your users for a significant amount of time.

Maybe this is wrong and you actually convert ip addresses to pseudononymous identifiers. But i could not find out, therefore please consider publicly documenting your data retention policies.

Good advice on the subject by the EFF https://www.eff.org/wp/osp e.g. states:

• Collect the minimum amount of information necessary to provide OSP services.
• Store information for the minimum time necessary for operations.
• Effectively obfuscate, aggregate and delete unneeded user information.
• Maintain written policies addressing data collection and retention.

For pointers on how to perform meaningful measurements while preserving user privacy I would recommend http://freehaven.net/anonbib/#wecsr10measuring-tor

[woju]

We rotate web server logs (which do contain IP addresses) monthly and keep 2 files. However here in Poland IP addresses are not considered PII, so technically we don't "retain PII" and therefore we are not subject to any data protection requirements. However, you are right we can write that somewhere. /cc @joanna, @mfc, @marmarek

[woju]

We rotate web server logs (which do contain IP addresses) monthly and keep 2 files. However here in Poland IP addresses are not considered PII, so technically we don't "retain PII" and therefore we are not subject to any data protection requirements. However, you are right we can write that somewhere. /cc @joanna, @mfc, @marmarek

[woju]

/cc @rootkovska

[woju]

/cc @rootkovska

[rootkovska]

We make a statement in each of our canaries that the infrastructure should not be trusted:
https://github.com/QubesOS/qubes-secpack/blob/master/canaries/canary-006-2016.txt#L32-L37

This means that even if we decided not to retain access logs, there is about a trillion of other entities (e.g. your ISPs, IXs, datacenter where the servers are hosted, etc) who might still decide otherwise and keep preserving the logs/traffic dumps for another millennium. Thus I think any statement from our side on this topic would be rather meaningless and potentially even misleading.

We do offer, however, an option for users to connect to the updates servers via Tor. As Wojtek wrote in the above mentioned post in Qubes 3.1 this could even be enabled at the installation wizard (= so very easy).

[rootkovska]

We make a statement in each of our canaries that the infrastructure should not be trusted:
https://github.com/QubesOS/qubes-secpack/blob/master/canaries/canary-006-2016.txt#L32-L37

This means that even if we decided not to retain access logs, there is about a trillion of other entities (e.g. your ISPs, IXs, datacenter where the servers are hosted, etc) who might still decide otherwise and keep preserving the logs/traffic dumps for another millennium. Thus I think any statement from our side on this topic would be rather meaningless and potentially even misleading.

We do offer, however, an option for users to connect to the updates servers via Tor. As Wojtek wrote in the above mentioned post in Qubes 3.1 this could even be enabled at the installation wizard (= so very easy).

[mfc]

hey o-, thanks again for bringing this to our attention. let us collect this information woju and joanna mention, format it in a way the EFF highlights, and present it on the website.

[mfc]

hey o-, thanks again for bringing this to our attention. let us collect this information woju and joanna mention, format it in a way the EFF highlights, and present it on the website.

[andrewdavidwong]

@mfc: Any update on this?

[andrewdavidwong]

@mfc: Any update on this?

[mfc]

it would be helpful if someone with some legal experience could contribute.

[mfc]

it would be helpful if someone with some legal experience could contribute.

[andrewdavidwong]

I have used PrivacyPolicies.com to generate a standard Privacy Policy and added it to the website. I have also added Cookie Consent. I am neither a lawyer nor a privacy expert. The Privacy Policy should be reviewed and modified or replaced as needed by legal and privacy experts as soon as possible.

[andrewdavidwong]

I have used PrivacyPolicies.com to generate a standard Privacy Policy and added it to the website. I have also added Cookie Consent. I am neither a lawyer nor a privacy expert. The Privacy Policy should be reviewed and modified or replaced as needed by legal and privacy experts as soon as possible.

[marmarek]

About cookie consent - we don't have any user login (session cookies) or specific traffic analyzers using cookies. In fact all site is static htmls (generated by jekyll), so there is no server-side processing of any cookies. We also avoid as much as possible using 3rd-party scripts - specially downloading them directly from 3rd-party servers.
It looks like the only cookies on the www.qubes-os.org are from Cloudflare. Those are impossible to disable, but there are opinions that those are exempted from consent requirement.

[marmarek]

About cookie consent - we don't have any user login (session cookies) or specific traffic analyzers using cookies. In fact all site is static htmls (generated by jekyll), so there is no server-side processing of any cookies. We also avoid as much as possible using 3rd-party scripts - specially downloading them directly from 3rd-party servers.
It looks like the only cookies on the www.qubes-os.org are from Cloudflare. Those are impossible to disable, but there are opinions that those are exempted from consent requirement.

[andrewdavidwong]

About cookie consent - we don't have any user login (session cookies) or specific traffic analyzers using cookies. In fact all site is static htmls (generated by jekyll), so there is no server-side processing of any cookies. We also avoid as much as possible using 3rd-party scripts - specially downloading them directly from 3rd-party servers.
It looks like the only cookies on the www.qubes-os.org are from Cloudflare. Those are impossible to disable, but there are opinions that those are exempted from consent requirement.

Removed language about session cookies and tracking.

[andrewdavidwong]

About cookie consent - we don't have any user login (session cookies) or specific traffic analyzers using cookies. In fact all site is static htmls (generated by jekyll), so there is no server-side processing of any cookies. We also avoid as much as possible using 3rd-party scripts - specially downloading them directly from 3rd-party servers.
It looks like the only cookies on the www.qubes-os.org are from Cloudflare. Those are impossible to disable, but there are opinions that those are exempted from consent requirement.

Removed language about session cookies and tracking.

[marmarek]

Ok, I've switched off cloudflare for www.qubes-os.org. And enabled https on github pages there (provided by lets encrypt). Now, entering https://www.qubes-os.org/ leaves no cookies in the browser :)
(you may need to remove those old ones from cloudflare)
Can we remove that annoying message?

[marmarek]

Ok, I've switched off cloudflare for www.qubes-os.org. And enabled https on github pages there (provided by lets encrypt). Now, entering https://www.qubes-os.org/ leaves no cookies in the browser :)
(you may need to remove those old ones from cloudflare)
Can we remove that annoying message?

[andrewdavidwong]

Done.

[andrewdavidwong]

Done.

[andrewdavidwong]

Here are some questions about the Privacy Policy:

We may also collect information about how the Service is accessed and used ("Usage Data"). This Usage Data may include information such as your computer's Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our Service that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers and other diagnostic data.

I know we count IPs for the Userbase Estimate, but what about the other things mentioned here? I doubt we monitor time spent of pages, for example, so could that be removed?

The Qubes OS Project uses the collected data for various purposes:

To provide and maintain the Service
To notify you about changes to our Service
To allow you to participate in interactive features of our Service when you choose to do so
To provide customer care and support
To provide analysis or valuable information so that we can improve the Service
To monitor the usage of the Service
To detect, prevent and address technical issues

Can or should any of these be removed?

[andrewdavidwong]

Here are some questions about the Privacy Policy:

We may also collect information about how the Service is accessed and used ("Usage Data"). This Usage Data may include information such as your computer's Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our Service that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers and other diagnostic data.

I know we count IPs for the Userbase Estimate, but what about the other things mentioned here? I doubt we monitor time spent of pages, for example, so could that be removed?

The Qubes OS Project uses the collected data for various purposes:

To provide and maintain the Service
To notify you about changes to our Service
To allow you to participate in interactive features of our Service when you choose to do so
To provide customer care and support
To provide analysis or valuable information so that we can improve the Service
To monitor the usage of the Service
To detect, prevent and address technical issues

Can or should any of these be removed?

[jpouellet]

The "customer" and "service" language does not seem fitting. Perhaps "user" and "Qubes OS"? IANAL, standard disclaimers apply.

also:

To allow you to participate in interactive features of our Service when you choose to do so

I am not aware of anything interactive on the site.

[jpouellet]

The "customer" and "service" language does not seem fitting. Perhaps "user" and "Qubes OS"? IANAL, standard disclaimers apply.

also:

To allow you to participate in interactive features of our Service when you choose to do so

I am not aware of anything interactive on the site.

[andrewdavidwong]

I am not aware of anything interactive on the site.

One concern is that a lawyer could argue that any current or future JavaScript-based functionality is "interactive" or that a reasonable layperson might interpret it as such.

[andrewdavidwong]

I am not aware of anything interactive on the site.

One concern is that a lawyer could argue that any current or future JavaScript-based functionality is "interactive" or that a reasonable layperson might interpret it as such.

[marmarek]

Even if those parts (automatic ToC generation, anything else?) are interpreted as "interactive", they do not send any data to the server, it's purely client-side, so we don't collect anything there.

[marmarek]

Even if those parts (automatic ToC generation, anything else?) are interpreted as "interactive", they do not send any data to the server, it's purely client-side, so we don't collect anything there.

[andrewdavidwong]

Even if those parts (automatic ToC generation, anything else?) are interpreted as "interactive", they do not send any data to the server, it's purely client-side, so we don't collect anything there.

The policy says that we use collected data to allow those things, not that we collect data by means of them.

But I guess we probably don't use any collected data to allow those things, so that part can probably be removed.

[andrewdavidwong]

Even if those parts (automatic ToC generation, anything else?) are interpreted as "interactive", they do not send any data to the server, it's purely client-side, so we don't collect anything there.

The policy says that we use collected data to allow those things, not that we collect data by means of them.

But I guess we probably don't use any collected data to allow those things, so that part can probably be removed.

[andrewdavidwong]

The "customer" and "service" language does not seem fitting. Perhaps "user" and "Qubes OS"? IANAL, standard disclaimers apply.

The "Service" is the website, not Qubes OS. However, I do think "user" is more accurate than "customer."

[andrewdavidwong]

The "customer" and "service" language does not seem fitting. Perhaps "user" and "Qubes OS"? IANAL, standard disclaimers apply.

The "Service" is the website, not Qubes OS. However, I do think "user" is more accurate than "customer."

[andrewdavidwong]

Updated.

[andrewdavidwong]

Updated.