[Ready for translating] Privacy policy page
I created the first draft for a long overdue privacy policy page: en/privacy
Here the goal again is to be short but at the same time it should give a comprehensive overview of all the privacy-related stuff going on. I think that it mentions everything but I might have forgotten something of course. This page should be linked at the bottom of each page, next to "About Adblock Plus". I am also adding a link from the issue reporter to the specific section concerning the reporter. And I'll copy the text to addons.mozilla.org of course.
Comments? Suggestions? Corrections?
Re: Privacy policy page
On the issue reporter section, you may want to mention also images, email and list of extensions/plugins. These are optional and explicit in the wizard, but perhaps this can expand on usage/implications. For example:
- only the reduced / altered image is transmitted to the server (not the original image with potentially sensitive data)
- email to be contacted by maintainers (but not for automated notifications?).
Suggest to add this for clarity:
> The processed reports can only be accessed by somebody who knows their unique address.
Re: Privacy policy page
Greets
> Cookies - Various parts of the Adblock Plus website use cookies to recognize logged in users or to store user's settings. Cookies are not evaluated beyond that and are in particular not used to track website visitors.
The "Members" URL provides a post-count associated with each user. This can be construed as "track website visitors". You may want to refine this section, or include a clause with regards to phpBB functionality.
> In addition, if a subscription download fails several times in a row, AdblockPlus.org website will be requested to get the new address of the filter list.
Wording, it's more clear as "if a subscription download fails several times in a row, an updated location [or address] of the filter list will be requested from the AdblockPlus.org servers [or website].".
> Adblock Plus 1.3 and higher allows sending in issue reports.
Consider: "Adblock Plus 1.3 introduced support for sending of issue reports to AdblockPlus.org [?]. This feature is available in all subsequent versions." It's a bit more verbose, but 'and higher' has the potential of being confusing if there ends up being a "1.10" version. Also, the sentence structure remains the same if the feature is removed - the second sentence becomes "This feature was available until version n."
> Parameter values in all transmitted addresses are removed before sending to avoid unintentionally leaking private information.
I think I know what you mean here - but, given "domain.com/app.php?1283148&q=blue&go=&form=QBLH&qs=n&sk=" it could be interpreted as:
- The URI-Query is not sent. "domain.com/app.php"
- Name/Value pairs present on the URI-Query are not sent. "domain.com/app.php?1283148"
- Values from name/value pairs present on the URI-Query are not sent. "domain.com/app.php?1283148&q=&go=&form=&qs=&sk="
> The processed reports can only be accessed by somebody who knows their unique address.
Publicly indicating security through obscurity is sketchy. Or am I reading this the wrong way? Also consider using gender-neutral "them" later in the paragraph.
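The three readings of "parameter values are removed" listed in the post above, side by side, as an added example; this is not Adblock Plus code and not something anyone in the thread posted, and it says nothing about which reading the extension actually implements. It assumes an https:// scheme in front of the post's scheme-less sample so the WHATWG URL parser (Node.js and browsers) accepts it; the function names are my own.

```javascript
// Added example, not Adblock Plus code: the three readings of "parameter
// values are removed" from the post above, applied to its sample address.
// Assumption: an https:// scheme is prepended to the post's scheme-less
// sample so the WHATWG URL parser (Node.js and browsers) accepts it.

const SAMPLE = "https://domain.com/app.php?1283148&q=blue&go=&form=QBLH&qs=n&sk=";

// Parts an issue report never needs and that can carry secrets:
// credentials (user:pass@) and the fragment. Dropped in every variant.
function baseUrl(address) {
  const u = new URL(address);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u;
}

// Split "?a=1&b&c=" into [["a","1"],["b",null],["c",""]] by hand.
// URLSearchParams would turn the bare "1283148" into "1283148=", i.e. it
// would alter the address instead of only redacting it.
function splitQuery(search) {
  if (!search) return [];
  return search.slice(1).split("&").filter(Boolean).map((part) => {
    const i = part.indexOf("=");
    return i < 0 ? [part, null] : [part.slice(0, i), part.slice(i + 1)];
  });
}

// Reassemble the query from pairs; an empty list removes the "?" entirely.
function joinQuery(u, pairs) {
  u.search = pairs.length
    ? "?" + pairs.map(([k, v]) => (v === null ? k : `${k}=${v}`)).join("&")
    : "";
  return u.href;
}

// Reading 1: the whole query is not sent.
function dropQuery(address) {
  return joinQuery(baseUrl(address), []);
}

// Reading 2: name/value pairs are not sent; bare tokens without "=" remain.
function dropPairs(address) {
  const u = baseUrl(address);
  return joinQuery(u, splitQuery(u.search).filter(([, v]) => v === null));
}

// Reading 3: names are kept, only the values are blanked.
function dropValues(address) {
  const u = baseUrl(address);
  return joinQuery(u, splitQuery(u.search).map(([k, v]) => [k, v === null ? null : ""]));
}

// All three next to the original, so a reviewer can see what each still discloses.
function compare(address) {
  return {
    original: address,
    dropQuery: dropQuery(address),
    dropPairs: dropPairs(address),
    dropValues: dropValues(address),
  };
}

console.log(compare(SAMPLE));
```

Running it shows the difference the post is asking about: reading 1 sends only the path, reading 2 still sends the bare token 1283148 (which may itself be an identifier), and reading 3 sends every parameter name. None of them touches the path, so an address whose path embeds a user or session identifier is disclosed under all three; that is the caveat a reader of a report has to keep in mind whichever reading the policy means.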
Re: Privacy policy page
> mrbene wrote: The "Members" URL provides a post-count associated with each user. This can be construed as "track website visitors".
Not really - it is a count of forum posts which are already obviously public.
> Wording, it's more clear as "if a subscription download fails several times in a row, an updated location [or address] of the filter list will be requested from the AdblockPlus.org servers [or website].".
Changed.
> Consider: "Adblock Plus 1.3 introduced support for sending of issue reports to AdblockPlus.org [?]. This feature is available in all subsequent versions." It's a bit more verbose, but 'and higher' has the potential of being confusing if there ends up being a "1.10" version.
Changed (though in a somewhat different way).
> I think I know what you mean here - but, given "domain.com/app.php?1283148&q=blue&go=&form=QBLH&qs=n&sk=" it could be interpreted as:
Given that I don't see an easy way to explain the exact approach taken I will have to simply rely on interested users inspecting report data. I really don't want to make this technical.
> Publicly indicating security through obscurity is sketchy. Or am I reading this the wrong way? Also consider using gender-neutral "them" later in the paragraph.
It is not security through obscurity. "You will not be able to reverse this hash function because I didn't tell you how I generate them" is security by obscurity. "You will not be able to reverse this hash because doing so takes XY years" is not. The algorithm for UUID generation is well-known, anybody can have a look at the code under http://mxr.mozilla.org/mozilla-central/ ... erator.cpp. However, the number of possibilities is high enough that somebody can brute-force reports.adblockplus.org for years and not find a single issue report.
Re: Privacy policy page
I will eventually find time to check this, but my currently busy schedule means that the document will probably be evaluated on Friday; I apologise for the delay.
Re: Privacy policy page
> Wladimir Palant wrote: Not really - it is a count of forum posts which are already obviously public.
Fair enough.
> Given that I don't see an easy way to explain the exact approach taken I will have to simply rely on interested users inspecting report data. I really don't want to make this technical.
I'll have to take a look at the functionality when it becomes available and revisit. I think I may have a personal bias against the word "parameter".
> It is not security through obscurity. "You will not be able to reverse this hash function because I didn't tell you how I generate them" is security by obscurity. "You will not be able to reverse this hash because doing so takes XY years" is not. The algorithm for UUID generation is well-known, anybody can have a look at the code under http://mxr.mozilla.org/mozilla-central/source/xpcom/base/nsUUIDGenerator.cpp. However, the number of possibilities is high enough that somebody can brute-force reports.adblockplus.org for years and not find a single issue report.
My understanding is that the issue report will be available on a URL of format:
http://reports.adblockplus.org/<ReportUUID>
Given that anyone will be able to see the report if you give them a link, the location of the report is obscured (via randomization) but is not secured. Specifically - once discovered, the URL of the report will provide irrevocable access to the report until the report is deleted.
I do agree that brute force discovery of any reports is not feasible specifically because of the amount of load it would put on the reports.adblockplus.org servers (with 122 usable bits, something like 2x10^30 requests per second for an entire month to iterate through all possibilities and still maybe miss). Also, any reasonable 3rd party access scenario I can come up with on short order involves some form of compromised communication channel attack where the report would be a rather low value target. However, the reports are not secured in the traditional sense - just really well hidden.
Re: Privacy policy page
There is no strong authentication here, yes. However, in this scenario strong authentication would actually be harmful. We *want* users to share the link, e.g. if they are seeking help in a forum. This shouldn't be too complicated. This is potentially privacy-sensitive data but it is not *that* important.
Btw, you got the URL format slightly wrong - it is HTTPS. Which improves the situation, particularly as proxy servers go.
Data Retention section
In the data retention section, it doesn't make it clear where the data is being stored. It's a little wishy-washy about exactly what is stored. This page should probably be the definitive list.
Extremely rough reword:
> Adblock Plus stores various data in your Firefox Profile (link?), which is normally stored on your computer. Examples of such data include: your preferences (such as the Adblock Plus icon location), filter subscriptions, custom filters, and hit statistics. This data could be used to reconstruct your browsing history and/or behaviour. This data is treated by Adblock Plus in the same way history data is treated by the browser, according to your browser's preferences, for example it isn't stored if you are using Private Browsing mode and it is cleared if you choose to clear your browsing history.
Finally, should something about Sync be in the privacy policy?
Re: Privacy policy page
Thank you, I clarified the data retention section (also linked explicitly to Sync's privacy policy).
Re: Privacy policy page
Is there any chance that EasyList could be mentioned in the policy? Most users will only use the Adblock Plus domain and therefore only be affected by its privacy policy. I would also suggest that reports.adblockplus.org contains a directive that robots do not index the sub-domain.
These are the changes that I would recommend:
General notes
The general privacy policy of the Adblock Plus project is to avoid collecting more data than is required for the extensions and the AdblockPlus.org website to function correctly. The data gathered is anonymized if possible and removed when no longer required. It is never shared with any third parties. This policy lists the data that is collected and the processing applied to it.
AdblockPlus.org website
Website logs
All requests to the AdblockPlus.org website are recorded in the website logs. The data stored includes your IP address, time of the request, the web address accessed, the browser identifier and the referring page. This data is used to generate usage statistics as well as to investigate potential security issues and forum/blog spam. The detailed logs are retained for a period of 30 days after which only the aggregated usage statistics remain.
Stored IP addresses
The web applications installed on AdblockPlus.org store your IP address when you create a forum post, add a blog comment or translate a page. This allows administrators to address spam content and security breaches effectively. All stored IP addresses are removed after 30 days.
Cookies
Several areas of the Adblock Plus website use cookies to recognize logged in users or to store settings. Cookies are not evaluated in any other manner and are never used to track website visitors.
Forum registration
Registration is not required to participate in the forums. Registered users' data is used to form their public profiles and is therefore visible to other forum visitors. There are two exceptions:
- Passwords go through one-way encryption before being stored on the server, which means that they cannot be recovered by anybody, even if they have access to the database.
- Email addresses are only displayed in the public profile if explicitly agreed to, although by default they are used for the sending of notifications you subscribed to.
Blog comments
When a comment is added on the Adblock Plus blog an email address can optionally be specified, although, unlike the other fields, it will never be displayed and is only used to notify the comment author about replies.
Adblock Plus extension
Extension update checks
Your browser periodically checks for updates of your extensions including Adblock Plus. Some general information, such as browser version, extension version, operating system and your IP address, is transmitted during an update check. Adblock Plus nightly build updates are handled by the AdblockPlus.org website and the data transmitted is subject to its privacy policy. Updates to stable releases are handled by the Addons.Mozilla.Org website and are subject to the Firefox Privacy Policy.
Subscription downloads
If you add filter subscriptions to your Adblock Plus installation the subscription will be requested regularly to retrieve updates. Every update results in the hosting website receiving your IP address. This data is subject to the privacy policy of the website in question.
Furthermore, if a subscription download fails on five consecutive occasions, the updated address of the filter list is requested from the AdblockPlus.org website. The data transmitted includes Adblock Plus version, subscription address, and information about the error encountered. This data is used to identify issues that have not been reported by subscription maintainers and is subject to the usual AdblockPlus.org privacy policy.
Issue reporter
This feature was introduced in Adblock Plus 1.3 and allows you to send issue reports to be temporarily stored on the AdblockPlus.org domain. These reports contain information required to investigate the issue, including Adblock Plus version, browser version, address of the web page where the problem is visible, blockable items on this web page, matching filters and active subscriptions. Parameter values are removed from all transmitted addresses to avoid unintentionally leaking private information. It is also possible to provide additional optional information, which may be privacy-sensitive:
- Website screenshots provide a scaled-down and color-reduced version of the page viewed. It is possible to remove particularly sensitive sections of the page before it is sent to the Adblock Plus website.
- Email addresses are only used to request more information on the issue, and are
- Lists of installed extensions are necessary for the investigation of conflicts with other extensions.
The processed reports can only be accessed by somebody who knows their unique address. These addresses are only shared with the maintainers of the filter subscriptions mentioned in the report and are unlikely to be found by others unless a link is provided. All reports and their associated data are automatically removed after 30 days.
Further AdblockPlus.org website requests
Adblock Plus may make further requests to the AdblockPlus.org website as required, for example if a documentation link is clicked or if the full list of filter subscriptions needs to be downloaded. These requests are subject to the usual AdblockPlus.org privacy policy.
Data retention
Adblock Plus stores some data in the Firefox profile on your computer. Adblock Plus never transmits this data to any servers, but other extensions and services, such as Firefox Sync, may do so. Most of the data (your preferences, filter subscriptions and custom filters) is unobjectionable privacy-wise, although filter hit statistics and recent issue reports could be used to reconstruct your browsing history. Adblock Plus treats this information identically to how history data is treated by the browser: this data isn't stored if you are using Private Browsing mode and is removed if you choose to clear your browsing history.
Element Hiding Helper extension
Extension update checks
Your browser periodically checks for updates of your extensions including Element Hiding Helper. Some general information, such as browser version, extension version, operating system and your IP address, is transmitted during an update check. Adblock Plus nightly build updates are handled by the AdblockPlus.org website and the data transmitted is subject to its privacy policy. Updates to stable releases are handled by the Addons.Mozilla.Org website and are subject to the Firefox Privacy Policy.
Last edited by Hubird on Fri Oct 22, 2010 11:56 pm, edited 1 time in total.
Reason: Removed repeated word
Re: Privacy policy page
> Michael wrote: I would also suggest that reports.adblockplus.org contains a directive that robots do not index the sub-domain.
Like this robots.txt file?
> Is there any chance that EasyList could be mentioned in the policy?
I wanted to do that - but then I realized that I have no idea what ares2.org is doing with its logs. Most likely there will be more mirrors in future, formulating a privacy policy for EasyList will be a challenge.
Thank you, implemented your suggestions: https://hg.adblockplus.org/www/rev/5d9e39c378d0
Re: [Ready for translating] Privacy policy page
Marked as ready for translating.
Re: [Ready for translating] Privacy policy page
> Wladimir Palant wrote:
>> Michael wrote: I would also suggest that reports.adblockplus.org contains a directive that robots do not index the sub-domain.
> Like this robots.txt file?
When I checked the sub-domain, which was quite a while ago, the file was not present, resulting in reports being indexed by search engines; regardless, I am glad that it has now been created.
Re: [Ready for translating] Privacy policy page
I'm pretty certain that it was there from the very start - I copied it over from hg.adblockplus.org when I created the subdomain.