privacy
/ˈprɪvəsi,ˈprʌɪvəsi/noun
https://www.lexico.com/en/definition/privacy
a state in which one is not observed or disturbed by other people.
This document explains how you might be observed or disturbed by other people when using this website. This version is operative from April 1st 2020.
A. If you only read the content posted here…
Your Internet Connection
It is very likely that your internet access provider can observe the fact that someone using their network is visiting this website (and any other website you access).
It is also very likely that they will have information that allows them to identify the people who pay for their network connections.
It is therefore likely that access providers can associate your actual identity – name and address – with the observation that you have visited this website.
This association will be with a single individual for most people who have a regular mobile internet connection.
For fixed line connections, that are typically used by several people, the association will be with the member of the household who pays the bill.
Virtual Private Networks (VPN)
If you use a properly-configured Virtual Private Network then this would make it unlikely that your internet access provider could observe your visits to this website.
This would though make it very likely that your VPN provider can observe your visits so the risk of observation is transferred rather than eliminated.
Surveillance – Your Government
If you are under surveillance by your government then it is very likely that they will be able to observe your visits to this website as they will be able to order your internet access provider to collect this data for them.
This may apply even if you are using a VPN if your government has managed to get access to your device as this will allow them to see activity before it travels over encrypted networks.
Surveillance – Other Governments
It is generally harder for governments outside your own jurisdiction to observe what you are doing as they will not be able to order foreign internet access providers to collect data for them.
However, your governments may have data sharing arrangements in place with other governments that would allow them to observe your website activity and these arrangements may be secret.
It is also possible that other governments are using technology that allows them to gain access to your device and so can observe you directly.
My Server
When you visit my website you necessarily have to tell my server your Internet Protocol (IP) address so that it can correctly direct the content back to you in response to your requests.
The website uses a very common form of web server software called Apache that also stores a log of requests it receives including the IP address being used by each requester.
The server is configured to store the access log for a rolling 30 day period and it uses a program called logrotate to delete older log files and replace them with new ones.
This means there is a file on my server that contains the IP addresses of all connections requesting data for the most recent 30 days from today.
It is very unlikely that I can associate any of the IP addresses in my log file with a named individual as I do not have enough information to do this.
Others may be able to connect IP addresses with people – internet access providers, VPN providers, and information society services that hold other user data which links an individual with a particular IP address at a specific time.
Authorised Log File Disclosure
It would be possible for the UK government to order me to provide them with the log files as I am within their jurisdiction.
If the UK government had the log files it is likely that they could associate at least some of the IP addresses with individuals as they have access to other data sources, and this is especially true for UK visitors.
I am not aware of legal obligations I would have to provide my log files to any other government but would rather expect foreign governments to seek an order in the UK courts if they had reason to request this data.
I would hope to inform readers if I ever received such an order to disclose log files but I may legally prohibited from doing this.
Unauthorised Log File Disclosure
It is possible that someone gains unauthorised access to my server and is able to access the log files as well as to alter or delete my work.
I use a range of security measures offered by my hosting provider to prevent unauthorised server access.
If I become aware that there has been unauthorised access to my server then I will inform visitors through a post on the website.
I would not expect to be able to inform people directly where they are only readers of the site and I have no identifying information beyond an IP address.
Where people have provided email addresses in order to post comments then I will inform these people via the email address that they provided.
My Hosting Service
This website is hosted on Amazon Web Services (AWS) infrastructure which is governed by the AWS privacy policy at https://aws.amazon.com/compliance/data-privacy-faq/
It is unlikely but possible that AWS would receive an order requiring it to disclose content that I am storing in their data centres including log files.
If an order came from the US or UK governments then I would expect AWS to feel it is compelled to respond with data.
Where any other government seeks data, I would expect AWS to direct them to applicable UK or US judicial processes.
AWS policy means that I would be informed about such an order where this is legally permitted and I would in turn inform visitors to my website if this were to happen and I am also legally permitted to do so.
B. If you also post your own comments here…
There are some additional considerations if you choose to contribute to the discussion on this website by posting a comment.
Comments on the blog are public so the act of posting a comment indicates that you intend for this specific activity to be observed by others, ie there is no expectation of privacy for the content of a public comment.
Identity
My website will ask you to provide your name and email address if you post a comment and give you the option to share your website address.
This is a trust-based model as I do not have a system for verifying whether these details are accurate.
My goal in collecting this information is to enable a useful public debate on the issues in my blog posts.
Where someone appears to be giving false information for malicious purposes, ie they are ‘trolling’ the debate using false identities, then I will not allow those comments to appear on my website.
Where someone is making a valid contribution to the discussion but prefers to use an identity that appears not to be their real identity then I will generally allow these comments to appear.
Cookies
The website does not read or write cookies on the devices of people who simply access its content.
If you make a comment you will be offered the option to save your identifying information for future comments.
If you choose this option then the technical mechanism for saving your identifying information is to write cookies to your device which will be sent to my server whenever you come back to site.
There will be one cookie for each identifier that you agree to save – name, email address and website.
The cookie names are quite self-explanatory – comment_author_UNIQUEID, comment_author_email_UNIQUEID and comment_author_url_UNIQUEID.
These cookies will expire in 347 days, ie just under 1 year, from the date when they were placed.
If you do not wish to have any cookies from my website on your device then you may prefer not to save your identifying information when making comments.
Legal Disclosure – Incoming
Where I receive a request seeking the disclosure of comment content then I will need to look at my obligations for each specific set of circumstances.
As a general matter, I would expect to be compelled to disclose information in response to well-formed legal requests from the UK as these will be enforceable and binding on me.
I would expect to have more discretion over whether to respond to requests from other jurisdictions and would be guided by human rights principles in making such decisions.
If I receive any disclosure requests I will post information about my analysis of these and my response to them to the extent that this is legally possible.
Legal Disclosure – Outgoing
It is possible that someone posts comments on my website which include content that I can see is obviously illegal.
Where this comes to my attention then I will need to consider whether to make a proactive disclosure to law enforcement authorities.
In some cases, proactive disclosure may be a legal requirement, eg if someone were to post links to child exploitation images, but in other instances disclosure would be voluntary from a strict legal point of view.
As a general matter, I would see proactive disclosure as being appropriate where the content indicates that someone is at imminent risk of serious harm.
This is necessarily a matter of judgement and I would apply human rights principles to determine whether the greater harm would be caused by disclosure or failing to disclose in a specific instance.
As I am based in the UK, disclosure would normally be to the UK authorities. who may then share information with counterparts in relevant countries.
C. Data Controller Information
The data controller for this website is Richard Allan.
He is based in the UK where the operative law is the UK implementation of the EU General Data Protection Regulation.
The website runs from an Amazon Web Services (AWS) data centre in the UK.
AWS are a data processor for Richard Allan and other AWS infrastructure outside of the UK may be used to support the provision of the service under the terms of the relevant AWS policies.
The supervising authority for data protection in the UK is the Information Commissioner’s Office (ICO).
Any correspondence for data protection law purposes should be directed to Richard Allan using the contact form on this website.