[Ready for translating] Privacy policy page

Discussion on adblockplus.org website and translations
Wladimir Palant

[Ready for translating] Privacy policy page

Post by Wladimir Palant »

I created the first draft for a long overdue privacy policy page: en/privacy

Here the goal again is to be short but at the same time it should give a comprehensive overview of all the privacy-related stuff going on. I think that it mentions everything but I might have forgotten something of course. This page should be linked at the bottom of each page, next to "About Adblock Plus". I am also adding a link from the issue reporter to the specific section concerning the reporter. And I'll copy the text to addons.mozilla.org of course.

Comments? Suggestions? Corrections?
alberto
Posts: 65
Joined: Sun Jul 12, 2009 10:58 am

Re: Privacy policy page

Post by alberto »

On the issue reporter section, you may want to mention also images, email and list of extensions/plugins. These are optional and explicit in the wizard, but perhaps this can expand on usage/implications. For example:
- only the reduced / altered image is transmitted to the server (not the original image with potentially sensitive data)
- email to be contacted by maintainers (but not for automated notifications?).

Suggest to add this for clarity:
The processed reports can only be accessed by somebody who knows their unique address.
Wladimir Palant

Re: Privacy policy page

Post by Wladimir Palant »

Thank you, I extended this section.
mrbene
Posts: 173
Joined: Tue Apr 10, 2007 10:09 pm
Location: Seattle, WA, USA

Re: Privacy policy page

Post by mrbene »

Greets
Cookies - Various parts of the Adblock Plus website use cookies to recognize logged in users or to store user's settings. Cookies are not evaluated beyond that and are in particular not used to track website visitors.
The "Members" URL provides a post-count associated with each user. This can be construed as "track website visitors". You may want to refine this section, or include a clause with regards to phpBB functionality.
In addition, if a subscription download fails several times in a row, AdblockPlus.org website will be requested to get the new address of the filter list.
Wording, it's more clear as "if a subscription download fails several times in a row, an updated location [or address] of the filter list will be requested from the AdblockPlus.org servers [or website].".
Adblock Plus 1.3 and higher allows sending in issue reports.
Consider: "Adblock Plus 1.3 introduced support for sending of issue reports to AdblockPlus.org [?]. This feature is available in all subsequent versions." It's a bit more verbose, but 'and higher' has the potential of being confusing if there ends up being a "1.10" version. Also, the sentence structure remains the same if the feature is removed - the second sentence becomes "This feature was available until version n."
Parameter values in all transmitted addresses are removed before sending to avoid unintentionally leaking private information.
I think I know what you mean here - but, given "domain.com/app.php?1283148&q=blue&go=&form=QBLH&qs=n&sk=" it could be interpreted as:
  • The URI-Query is not sent. "domain.com/app.php"
  • Name/Value pairs present on the URI-Query are not sent. "domain.com/app.php?1283148"
  • Values from name/value pairs present on the URI-Query are not sent. "domain.com/app.php?1283148&q=&go=&form=&qs=&sk="
It could even reference parameters within the URL. Consider using the accurate technical wording.
The processed reports can only be accessed by somebody who knows their unique address.
Publicly indicating security through obscurity is sketchy. Or am I reading this the wrong way? Also consider using gender-neutral "them" later in the paragraph.
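The three readings of "parameter values are removed" that the post above lists, implemented side by side as an added example (this is not Adblock Plus code, and the policy text does not say which reading the reporter uses; the point is to have something to compare report data against). The function works on scheme-less strings such as `domain.com/app.php?a=1`, and, as a choice of this example only, always drops the `#fragment` too, since fragments can carry secrets (OAuth implicit-flow tokens, for instance) even though browsers never send them to the server.

```javascript
// Added example, not Adblock Plus code: mrbene's three readings of
// "parameter values are removed", so report data can be checked against each.
// Assumption of this example: the fragment is always discarded as well.

// Split "base?query#fragment" into base and raw query; the fragment is dropped.
function splitUrl(url) {
  const hash = url.indexOf("#");
  if (hash !== -1) {
    url = url.slice(0, hash);
  }
  const q = url.indexOf("?");
  if (q === -1) {
    return { base: url, query: null };
  }
  return { base: url.slice(0, q), query: url.slice(q + 1) };
}

// mode: "drop-query"  -> "domain.com/app.php"                               (reading 1)
//       "drop-pairs"  -> "domain.com/app.php?1283148"                       (reading 2)
//       "drop-values" -> "domain.com/app.php?1283148&q=&go=&form=&qs=&sk="  (reading 3)
function sanitizeUrl(url, mode) {
  const { base, query } = splitUrl(url);
  if (query === null || query === "") {
    return base; // nothing to strip; also normalises a bare trailing "?"
  }
  const pairs = query.split("&").filter((p) => p.length > 0);
  let kept;
  switch (mode) {
    case "drop-query":
      kept = [];
      break;
    case "drop-pairs":
      // keep only bare tokens that never had a value ("1283148"), drop every name=value pair
      kept = pairs.filter((p) => !p.includes("="));
      break;
    case "drop-values":
      // keep the names so the shape of the request survives, blank every value
      kept = pairs.map((p) => {
        const eq = p.indexOf("=");
        return eq === -1 ? p : p.slice(0, eq + 1);
      });
      break;
    default:
      throw new Error("unknown mode: " + mode);
  }
  return kept.length > 0 ? base + "?" + kept.join("&") : base;
}

// Constructed input taken from the thread; `node file.js` prints all three results.
const SAMPLE_URL = "domain.com/app.php?1283148&q=blue&go=&form=QBLH&qs=n&sk=";
for (const mode of ["drop-query", "drop-pairs", "drop-values"]) {
  console.log(mode.padEnd(12), sanitizeUrl(SAMPLE_URL, mode));
}
```

Reading 3 is the one that keeps the most debugging value (a filter such as `/app.php?*q=` still matches the sanitized address) while removing the user-supplied content; reading 1 is the safest and the least useful to a filter maintainer.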
Wladimir Palant

Re: Privacy policy page

Post by Wladimir Palant »

mrbene wrote:The "Members" URL provides a post-count associated with each user. This can be construed as "track website visitors".
Not really - it is a count of forum posts which are already obviously public.
Wording, it's more clear as "if a subscription download fails several times in a row, an updated location [or address] of the filter list will be requested from the AdblockPlus.org servers [or website].".
Changed.
Consider: "Adblock Plus 1.3 introduced support for sending of issue reports to AdblockPlus.org [?]. This feature is available in all subsequent versions." It's a bit more verbose, but 'and higher' has the potential of being confusing if there ends up being a "1.10" version.
Changed (though in a somewhat different way).
I think I know what you mean here - but, given "domain.com/app.php?1283148&q=blue&go=&form=QBLH&qs=n&sk=" it could be interpreted as:
Given that I don't see an easy way to explain the exact approach taken I will have to simply rely on interested users inspecting report data. I really don't want to make this technical.
Publicly indicating security through obscurity is sketchy. Or am I reading this the wrong way? Also consider using gender-neutral "them" later in the paragraph.
It is not security through obscurity. "You will not be able to reverse this hash function because I didn't tell you how I generate them" is security by obscurity. "You will not be able to reverse this hash because doing so takes XY years" is not. The algorithm for UUID generation is well-known, anybody can have a look at the code under http://mxr.mozilla.org/mozilla-central/ ... erator.cpp. However, the number of possibilities is high enough that somebody can brute-force reports.adblockplus.org for years and not find a single issue report.
Michael
Posts: 1361
Joined: Sat Dec 19, 2009 12:29 pm

Re: Privacy policy page

Post by Michael »

I will eventually find time to check this, but my currently busy schedule means that the document will probably be evaluated on Friday; I apologise for the delay.
mrbene
Posts: 173
Joined: Tue Apr 10, 2007 10:09 pm
Location: Seattle, WA, USA

Re: Privacy policy page

Post by mrbene »

Wladimir Palant wrote:Not really - it is a count of forum posts which are already obviously public.
Fair enough.
Given that I don't see an easy way to explain the exact approach taken I will have to simply rely on interested users inspecting report data. I really don't want to make this technical.
I'll have to take a look at the functionality when it becomes available and revisit. I think I may have a personal bias against the word "parameter".
It is not security through obscurity. "You will not be able to reverse this hash function because I didn't tell you how I generate them" is security by obscurity. "You will not be able to reverse this hash because doing so takes XY years" is not. The algorithm for UUID generation is well-known, anybody can have a look at the code under http://mxr.mozilla.org/mozilla-central/source/xpcom/base/nsUUIDGenerator.cpp. However, the number of possibilities is high enough that somebody can brute-force reports.adblockplus.org for years and not find a single issue report.
My understanding is that the issue report will be available on a URL of format:

http://reports.adblockplus.org/<ReportUUID>

Given that anyone will be able to see the report if you give them a link, the location of the report is obscured (via randomization) but is not secured. Specifically - once discovered, the URL of the report will provide irrevocable access to the report until the report is deleted.

I do agree that brute force discovery of any reports is not feasible specifically because of the amount of load it would put on the reports.adblockplus.org servers (with 122 usable bits, something like 2x10^30 requests per second for an entire month to iterate through all possibilities and still maybe miss). Also, any reasonable 3rd party access scenario I can come up with on short order involves some form of compromised communication channel attack where the report would be a rather low value target. However, the reports are not secured in the traditional sense - just really well hidden.
Wladimir Palant

Re: Privacy policy page

Post by Wladimir Palant »

There is no strong authentication here, yes. However, in this scenario strong authentication would actually be harmful. We *want* users to share the link, e.g. if they are seeking help in a forum. This shouldn't be too complicated. This is potentially privacy-sensitive data but it is not *that* important.

Btw, you got the URL format slightly wrong - it is HTTPS. Which improves the situation, particularly as proxy servers go.
fowl

Data Retention section

Post by fowl »

In the data retention section, it doesn't make it clear where the data is being stored.

Extremely rough reword:
Adblock Plus stores various data in your Firefox Profile (link?), which is normally stored on your computer. Examples of such data include: your preferences (such as the Adblock Plus icon location), filter subscriptions, custom filters, and hit statistics. This data could be used to reconstruct your browsing history and/or behaviour. This data is treated by Adblock Plus in the same way history data is treated by the browser, according to your browser's preferences; for example, it isn't stored if you are using Private Browsing mode and it is cleared if you choose to clear your browsing history.
It's a little wishy-washy about exactly what is stored. This page should probably be the definitive list.

Finally, should something about Sync be in the privacy policy?
Wladimir Palant

Re: Privacy policy page

Post by Wladimir Palant »

Thank you, I clarified the data retention section (also linked explicitly to Sync's privacy policy).
Michael
Posts: 1361
Joined: Sat Dec 19, 2009 12:29 pm

Re: Privacy policy page

Post by Michael »

These are the changes that I would recommend:
General notes
The general privacy policy of the Adblock Plus project is to avoid collecting more data than is required for the extensions and the AdblockPlus.org website to function correctly. The data gathered is anonymized if possible and removed when no longer required. It is never shared with any third parties. This policy lists the data that is collected and the processing applied to it.

AdblockPlus.org website

Website logs
All requests to the AdblockPlus.org website are recorded in the website logs. The data stored includes your IP address, time of the request, the web address accessed, the browser identifier and the referring page. This data is used to generate usage statistics as well as to investigate potential security issues and forum/blog spam. The detailed logs are retained for a period of 30 days after which only the aggregated usage statistics remain.

Stored IP addresses
The web applications installed on AdblockPlus.org store your IP address when you create a forum post, add a blog comment or translate a page. This allows administrators to address spam content and security breaches effectively. All stored IP addresses are removed after 30 days.

Cookies
Several areas of the Adblock Plus website use cookies to recognize logged in users or to store settings. Cookies are not evaluated in any other manner and are never used to track website visitors.

Forum registration
Registered users' data is used to form their public profiles and is therefore visible to other forum visitors. There are two exceptions:
  • Passwords go through one-way encryption before being stored on the server, which means that they cannot be recovered by anybody, even if they have access to the database.
  • Email addresses are only displayed in the public profile if explicitly agreed to, although by default they are used for sending the notifications you subscribed to.
Registration is not required to participate in the forums.

Blog comments
When a comment is added on the Adblock Plus blog, an email address can optionally be specified; unlike the other fields, it will never be displayed and is only used to notify the comment author about replies.

Adblock Plus extension

Extension update checks
Your browser periodically checks for updates of your extensions, including Adblock Plus. Some general information, such as browser version, extension version, operating system and your IP address, is transmitted during an update check. Adblock Plus nightly build updates are handled by the AdblockPlus.org website and the data transmitted is subject to its privacy policy. Updates to stable releases are handled by the Addons.Mozilla.Org website and are subject to the Firefox Privacy Policy.

Subscription downloads
If you add filter subscriptions to your Adblock Plus installation, the subscription will be requested regularly to retrieve updates. Every update results in the hosting website receiving your IP address. This data is subject to the privacy policy of the website in question.

Furthermore, if a subscription download fails on five consecutive occasions, the updated address of the filter list is requested from the AdblockPlus.org website. The data transmitted includes Adblock Plus version, subscription address, and information about the error encountered. This data is used to identify issues that have not been reported by subscription maintainers and is subject to the usual AdblockPlus.org privacy policy.

Issue reporter
This feature was introduced in Adblock Plus 1.3 and allows you to send issue reports to be temporarily stored on the AdblockPlus.org domain. These reports contain information required to investigate the issue, including Adblock Plus version, browser version, address of the web page where the problem is visible, blockable items on this web page, matching filters and active subscriptions. Parameter values are removed from all transmitted addresses to avoid unintentionally leaking private information. It is also possible to provide additional optional information, which may be privacy-sensitive:
  • Website screenshots provide a scaled-down and color-reduced version of the page viewed. It is possible to remove particularly sensitive sections of the page before it is sent to the Adblock Plus website.
  • Email addresses are only used to request more information on the issue, and are
  • Lists of installed extensions are necessary for the investigation of conflicts with other extensions.
The processed reports can only be accessed by somebody who knows their unique address. These addresses are only shared with the maintainers of the filter subscriptions mentioned in the report and are unlikely to be found by others unless a link is provided. All reports and their associated data are automatically removed after 30 days.

Further AdblockPlus.org website requests
Adblock Plus may make further requests to the AdblockPlus.org website as required, for example if a documentation link is clicked or if the full list of filter subscriptions needs to be downloaded. These requests are subject to the usual AdblockPlus.org privacy policy.

Data retention
Adblock Plus stores some data in the Firefox profile on your computer. Adblock Plus never transmits this data to any servers, but other extensions and services, such as Firefox Sync, may do so. Most of the data (your preferences, filter subscriptions and custom filters) is unobjectionable privacy-wise, although filter hit statistics and recent issue reports could be used to reconstruct your browsing history. Adblock Plus treats this information identically to how history data is treated by the browser: this data isn't stored if you are using Private Browsing mode and is removed if you choose to clear your browsing history.

Element Hiding Helper extension

Extension update checks
Your browser periodically checks for updates of your extensions, including Element Hiding Helper. Some general information, such as browser version, extension version, operating system and your IP address, is transmitted during an update check. Adblock Plus nightly build updates are handled by the AdblockPlus.org website and the data transmitted is subject to its privacy policy. Updates to stable releases are handled by the Addons.Mozilla.Org website and are subject to the Firefox Privacy Policy.
Is there any chance that EasyList could be mentioned in the policy? Most users will only use the Adblock Plus domain and therefore only be affected by its privacy policy. I would also suggest that reports.adblockplus.org contains a directive that robots do not index the sub-domain.
Last edited by Hubird on Fri Oct 22, 2010 11:56 pm, edited 1 time in total.
Reason: Removed repeated word
Wladimir Palant

Re: Privacy policy page

Post by Wladimir Palant »

Michael wrote:I would also suggest that reports.adblockplus.org contains a directive that robots do not index the sub-domain.
Like this robots.txt file? ;)
Is there any chance that EasyList could be mentioned in the policy?
I wanted to do that - but then I realized that I have no idea what ares2.org is doing with its logs. Most likely there will be more mirrors in future, formulating a privacy policy for EasyList will be a challenge.

Thank you, implemented your suggestions: https://hg.adblockplus.org/www/rev/5d9e39c378d0
Wladimir Palant

Re: [Ready for translating] Privacy policy page

Post by Wladimir Palant »

Marked as ready for translating.
Michael
Posts: 1361
Joined: Sat Dec 19, 2009 12:29 pm

Re: [Ready for translating] Privacy policy page

Post by Michael »

Wladimir Palant wrote:
Michael wrote:I would also suggest that reports.adblockplus.org contains a directive that robots do not index the sub-domain.
Like this robots.txt file? ;)
When I checked the sub-domain, which was quite a while ago, the file was not present, resulting in reports being indexed by search engines; regardless, I am glad that it has now been created.
Wladimir Palant

Re: [Ready for translating] Privacy policy page

Post by Wladimir Palant »

I'm pretty certain that it was there from the very start - I copied it over from hg.adblockplus.org when I created the subdomain.