With the European Union's General Data Protection Regulation (GDPR) becoming applicable on 25 May 2018, Security Praxis has updated its privacy policy. We welcome the fact that the EU cares about citizens' privacy. We care about it too, so much so that we (almost) do not collect any personal information about you. Others may still do so, though.

Server side logs: encrypted and deleted after a few days

When you visit Security Praxis, your browser loads this website from its server. The web server writes to its log files (access logs, error logs, etc.) your IP address and other information provided by your browser (the operating system, the type of browser, etc.). An IP address is personal data under the GDPR: Article 4(1) defines personal data to include online identifiers, and Recital 30 names Internet Protocol addresses as one such identifier. In principle, we would need a legal basis for storing your IP address, and one option is to ask for your consent. There is, however, another legal basis that arguably allows limited collection without asking for your explicit consent in advance: the legitimate interest of Article 6(1)(f). As you may guess, it has to do with security. Recital 49 states that processing personal data "to the extent strictly necessary and proportionate for the purposes of ensuring network and information security" constitutes such a legitimate interest. Hence we encrypt the web logs, so that if someone breaks into the server there is a good chance that this entity will not be able to read your IP address. (Encrypting logs only helps against an intruder when the decryption key is not kept on the same server; whoever obtains the key reads the logs regardless.) We keep these server logs only for a few days for diagnostic purposes, after which they are deleted automatically.

Web analytics

When you open a page on Security Praxis, if your browser is set to enable JavaScript it executes a small script that sends your IP address and the same kind of browser information to an instance of Matomo (formerly Piwik) hosted on the same Security Praxis server. Matomo is a web analytics tool that helps website owners understand how visitors engage with their website.

Crucially, the data that your browser sends to the web analytics service are not only encrypted in transit, but also anonymised by Matomo on arrival, before anything is stored. The last 16 bits of your IP address are set to zero (for an IPv4 address that means the last two of its four numbers, so 203.0.113.42 becomes 203.0.0.0; this is like deleting your phone number while keeping only the area code). A partially anonymised IP address still reveals some information, e.g. that somebody in your country or city visited a certain page at a certain date and time. But even this partial information stays on our server and we do not share it with anyone.
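To make the 16-bit masking concrete, here is an added example (written for this page; it is not code from Security Praxis or from Matomo) that applies the same masking to the client address of a few constructed access-log lines. The 80-bit mask for IPv6 addresses, the `0.0.0.0` placeholder for a host field that is not an IP address, and the sample log lines are assumptions of the example, not statements about how the site is configured.

```python
import ipaddress

# Bits zeroed at the low end of the address. The page states that Matomo on
# the Security Praxis server zeroes the last 16 bits of an IPv4 address.
# IPv6 is not discussed on the page; masking 80 bits (keeping the /48
# routing prefix) is an assumption made for this example.
IPV4_MASK_BITS = 16
IPV6_MASK_BITS = 80


def anonymize_ip(ip_text, v4_bits=IPV4_MASK_BITS, v6_bits=IPV6_MASK_BITS):
    """Zero the low-order bits of an IP address and return it as a string.

    Raises ValueError for anything that is not a syntactically valid IPv4
    or IPv6 address, so malformed input can never slip through unmasked.
    """
    ip = ipaddress.ip_address(ip_text.strip())
    bits = v4_bits if ip.version == 4 else v6_bits
    if not 0 <= bits <= ip.max_prefixlen:
        raise ValueError(f"mask of {bits} bits is invalid for IPv{ip.version}")
    keep = ip.max_prefixlen - bits
    # strict=False lets ip_network clear the host bits for us.
    network = ipaddress.ip_network(f"{ip}/{keep}", strict=False)
    return str(network.network_address)


def anonymize_log_line(line, placeholder="0.0.0.0"):
    """Mask the remote-host field (first token) of a Common/Combined Log
    Format line. A field that is not an IP address (for instance a resolved
    hostname) is replaced by the placeholder rather than kept verbatim."""
    host, sep, rest = line.partition(" ")
    try:
        host = anonymize_ip(host)
    except ValueError:
        host = placeholder
    return host + sep + rest


def anonymize_log(text):
    """Anonymize every non-empty line of an access log; returns a list."""
    return [anonymize_log_line(line) for line in text.splitlines() if line]


# Constructed sample access-log lines (Combined Log Format) using the
# documentation address ranges 203.0.113.0/24 and 2001:db8::/32.
SAMPLE_LOG = """\
203.0.113.42 - - [10/Jun/2018:13:55:36 +0000] "GET /about HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
2001:db8:85a3::8a2e:370:7334 - - [10/Jun/2018:13:55:37 +0000] "GET /feed.xml HTTP/1.1" 304 0 "-" "FeedFetcher"
unknown - - [10/Jun/2018:13:55:38 +0000] "GET / HTTP/1.1" 400 0 "-" "-"
"""

if __name__ == "__main__":
    for masked_line in anonymize_log(SAMPLE_LOG):
        print(masked_line)
```

Running the file prints the three lines with the client field reduced to `203.0.0.0`, `2001:db8:85a3::` and `0.0.0.0`. The important design choice is in `anonymize_ip`: an address that cannot be parsed raises instead of being returned unchanged, because an anonymiser that silently passes through its input on error is worse than one that fails loudly.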

Cookies

You may have heard about "cookies" when browsing the internet. A cookie is a small piece of text that a website saves in your browser when you visit it, and that your browser sends back to that website on later requests. Since the European Union enacted its ePrivacy Directive (some years before the GDPR) you may have spent a non-negligible fraction of your online time clicking on pop-up banners asking you to accept that "cookies" be stored in your browser for this-and-that reason, unfailingly to help the website administrators make the site better and thus improve your user experience.

Websites and web analytics services could still identify you using permanent profiling cookies, but we have disabled those too, including the web analytics service's own cookie. We tested the Security Praxis website with the Firefox browser: once the "Do Not Track" preference is set, no cookies are set. Period. (Matomo honours the Do Not Track signal by default and does not record the visit at all when your browser sends it.)

As an additional bonus, the Twitter timeline shown in the left column is fetched through a Nitter service, which does not set any cookie and does not send your private information, not even your IP address, to Twitter: your browser talks only to the Nitter instance, which retrieves the timeline from Twitter on your behalf.

[Screenshot: Security Praxis loaded in Firefox, no cookies set]

You can find more information about how to control and/or delete cookies on aboutcookies.org. You can delete all cookies that are already on your computer and you can set most browsers to prevent them from being placed. If you do this, however, you may have to manually adjust some preferences every time you visit a site and some services and functionalities may not work.

Third-party occasional components

Some articles published on Security Praxis may embed videos from YouTube, updates from Twitter or content from other third-party services. When your browser loads one of these pages, it fetches the embedded content directly from the third party, which therefore receives your IP address and browser information and may store a cookie in your browser. Whether such a cookie is accepted depends on your browser settings (for instance, whether third-party cookies are blocked); the "do not track" preference is only a request, which these services may or may not honour. This is a tradeoff we have to live with if we want to keep providing you what we consider useful services. The best we can do is be open about it.

Acknowledgements

Cover image by allen, https://flic.kr/p/kcUR7t
On server logs: https://www.ctrl.blog/entry/gdpr-web-server-logs