Walter GreggOn this page: Main content. Data Collection. Data Usage. Data Protection. Data Sharing. Data Control.
No Privacy PolicyThere can be no assurance of internet privacy.
May 2017. When you visit a website without Tor (The Onion Router), for practical purposes, you sign your name. Webmasters can't usually opt out. What's collected? By way of example and not by way of limitation:
When you're reading the web, it's reading you. We can look up that IP address. If it belongs to the FCC.gov in Washington, DC, and you're the only one in the building at the time, you're identified. If it tells us you're visiting from an Alaska village of 30 where you're the only one running Linux, you'll stick out like a sore thumb. If you send me an e-mail from your computer and it sticks your IP address in the headers, as many programs do, it unmasks your website visits, leaving no doubt as to your identity.
Visitor data is used to used to answer publishing questions. What pages are people looking at recently? Is that ten-year old page still providing useful data or should we update it or redirect people to something current? Why aren't some pages in the index? Has Googlebot visited lately? Is that link really broken? Visitor data is also an audit trail kept for a time in case of criminal activity. You can see example reports at awstats.org.
My site's visitor statistics are protected by a username and password, and we all know how secure that really is. But I do use a unique password selected with Diceware.com. And I minimize retention of data. At least, I think I do. I have visited cPanel, Logs, Raw Access Logs, Configure Logs, and checked 'remove the previous month's archived logs from your home directory at the end of the month.' So the logfiles are about as well protected as I can arrange.
To add more protection, I'm currently activating HTTPS encryption. Once implemented, your internet provider and people monitoring the wires shouldn't have a record of what specific pages you viewed any more. But they'll still know you visited my site, and the records kept on my end will still exist. Also, if your internet provider is your employer, they may very well still have your complete browsing history. Employers routinely break HTTPS. Never trust the padlock on an employer computer where legally you have no reasonable expectation of privacy. Did you really believe that only the NSA could break HTTPS? Everybody's doing it, even your boss. See Slashdot posts, 2014: slashdot.org: Does your employer perform HTTPS MITM attacks?.
I now run StatCounter instead of PiWik. I find it provides more convenient statistical reports. I have configured it for privacy, so it stores no cookie and its logs are less sensitive than server logs. Some pages may still have the old PiWik code intsead of the statcounter code but the PiWik software is no longer installed.
I don't normally share the data accessible to me with third parties, and never for advertising. However, there can be no assurance that I won't voluntarily share information if there is a computer hacking or other law enforcement issue to deal with. I have no right or duty to withhold evidence of a crime. Additionally, because the data can be collected in so many places, I simply can't give any assurance of privacy. It's the all-knowing, all-seeing internet, after all.
You may be able to effectively opt out of statistics and logging by using a Tor proxy configured to scrub everyone's logs of your address and browser fingerprint. The best way to do that is by visiting torproject.org and downloading the Tails operating system, or if you can't run Tails, the Tor browser bundle. However, Google may come up in Polish; you may have to pick out which buildings have street signs or some such nonsense before you can do a search, and on an older computer such as a 1 GHZ Celeron, Tails, at least, may be intolerably slow.
That's all I know.