[Imc-cleveland] Fwd: IMC-communication Digest, Vol 37, Issue 6

andypie andycleimc at earthlink.net
Tue May 16 15:12:30 PDT 2006


>
I found this interesting and thought the rest of the collective might, also.



> Message: 1
> Date: Tue, 16 May 2006 19:26:57 +0200
> From: Alster <alster at indymedia.org>
> Subject: [Imc-communication] Oklahoma IMC intentionally logs users' IP
> 	addresses and more, discloses this data publicly
> To: imc-okla at lists.indymedia.org,  okimc at yahoogroups.com
> Cc: imc-communication at lists.indymedia.org
> Message-ID: <446A0B61.8020609 at indymedia.org>
> Content-Type: text/plain; charset=UTF-8
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> I browsed your website yesterday and was quite surprised.
>
> As you state on
>   http://okimc.org/privacy.php
> IMC Oklahoma's
>
>> [..] web server retains logs of all activity on the
>> website.
>
> This is the plain opposite of what the common Indymedia policy on
> logging IP addresses is about. Personally, I think that, with all the
> governmental repression and abuse we've seen in the past, it should be
> obvious that logging IP addresses of IMC users is a very bad idea.
>
> The background on why IP logging is bad and should not be done at all
> costs (exceptions in case of abuse may apply) has been discussed several
> times on several global tech and non-tech related IMC mailing lists. As
> such, it is difficult for me to believe that there are still IMCs who
> knowingly and even intentionally log their users' IP addresses and thus
> provide a wonderful source of data for repressive law enforcement
> against dissentive voices. This deeply worries me.
>
> Please stop it, now.
>
> I'm continuing to quote from your privacy policy:
>> Normally, these logs are used purely for the purpose of
>> compiling statistics about site usage and are deleted after 7 days.
>
> So what is normal, and what is not? How are they stored, on a hard disk
> maybe? Then they are stored for the lifetime of the disk (and possibly
> beyond), not for 7 days. You do not delete data off a hard disk
> nowadays, as you cannot. Using special 'permanent data removal' tools
> may help, but they, too, have their limits.
>
>> In special cases, where persistent patterns of abuse are noticed, we
>> may decide to use the logs to identify the source of the abuse.
>
> I think many server admins would agree that it may be necessary to
> temporarily log IP addresses to a device which allows for temporary
> storage (such as a RAM disk) if and when abusive behaviour is monitored
> for as long as it takes to identify and blacklist the source, but no
> longer. Realizing that an attack takes place is well possible without
> logging IP addresses, so, if at all (your OS knows where it's connected
> to and will provide access to this information directly from RAM), you
> only need to log IP addresses to file (to a safe place) after you
> realized an attack is taking place and while you examine its source so
> that you can better blacklist it on your firewall.
>
>> The information in these logs is not shared with any other body and is
>> not used for any other purposes.
>
> Well, this should be considered, at the very least, a very misleading
> statement. While I really hope and assume it is true that the Apache log
> files OK IMC collects and keeps are not passed on to third parties,
> looking at the OK website shows clearly that it contains a web bug of a
> commercial 'web stats' provider on every single page processed by the
> content management system (which are all or nearly all).
>
> This means that IP address, accessed location (providing information on
> viewed, edited, stored articles and more), user agent (web browser),
> operating system, date and time of access, and other information are
> stored on both the web server of IMC OK AND the servers of the web
> statistics provider. And the statistics provider does not only store
> them, but also process and analyze them. You can bet that the statistics
> you get to see are only a fraction of the analysis they actually run on
> the data you provide.
>
> Analysis of OK IMC usage data:
> http://my.statcounter.com/project/standard/stats.php?project_id=721292&guest=1
>
> This 'free web stats' (in fact it is not free but you pay them with the
> usage data of your users which should be private) provider is one of
> those companies which only make a partial amount of their turnover from
> providing paid statistic services to their paying clients and displaying
> (remotely hosted and well analyzed) ads to non-paying customers, but
> also a good amount from sharing the data they collected with others,
> whoever that may be. They may deny to do so, but they do so, the past
> has shown this several times and it keeps happening (I cannot provide
> proof that the company in question does it, though). In combination with
> the cookies they store on your web site visitors' computers for five
> years, they (and only they, not you or your web site visitors) are able
> to determine, even after lengthy breaks, who has been visiting which
> part of your (and many other) web site(s).
>
> Even worse, the 'free' web statistics provider you chose provides the
> last 100 raw log entries they collected from your site to *anyone*. This
> means that whoever wants to know which IP address a certain article was
> pasted by, can simply retrieve those partial log files every 3 or 4
> hours (running a script) and they will know which IP address any article
> was published by, without a warrant, any special permit, a login, even
> without paying any money. They just download it and run it through their
> own web analytics software.
>
> Download raw logs here:
> http://my.statcounter.com/project/standard/csv/download_log_file.php?project_id=721292&guest=1
>
> Would be bad if someone who doesn't like you that much did this and sent
> an anonymous note to your boss providing him proof that you posted this
> article which is a little bit critical about the company you work for,
> wouldn't it?
>
> Btw., this is not so different from what Yahoo groups may or may not do
> with the emails sent through it and your accesses to its web management
> interface and group archives.
>
> I'm able to provide further information on all claims I make in this
> email and will do so if anyone asks for it. I'm able to provide
> technical support if this is needed to stop logging IP addresses by
> default and will do so on request.
>
> There are good ways to measure the usage of your website without losing
> any valuable information while not giving away private data on your web
> site visitors. Please stop providing incorrect and incomplete
> information on the data which is gathered on your web site, and, most of
> all, stop logging IP addresses of your web site visitors and stop
> disclosing this information to third parties.
>
> Thank you.
>
> Alster
> - --
> GPG key
> http://keys.indymedia.org/cgi-bin/lookup?op=get&search=05059C17
> Fingerprint    1B8B 128F 8435 541C B3A5 1B7E CF5A 9D55 0505 9C17
> All other      http://docs.indymedia.org/view/Main/AlsteR
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.3 (GNU/Linux)
>
> iD8DBQFEagthz1qdVQUFnBcRAjrTAJ9ilJ4hBgZTeS6c+UN2l5ck2hJ2OQCfdZb9
> t0Pm/jyGyAP9KdRfTcyvp/c=
> =vbw2
> -----END PGP SIGNATURE-----
>
>
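
The quoted message argues that site usage can be measured without keeping visitors' IP addresses. The sketch below is an added example, not part of the original e-mail or of any IMC's setup: it reads Apache "combined" format lines, keeps only day, method, path and status, and counts hits per page. The function names, the sample lines and the choice of which fields to keep are assumptions made for illustration.

```python
import re
import sys
from collections import Counter

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^\S+ \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+(?: "[^"]*" "[^"]*")?\s*$'
)

# Constructed sample lines (documentation-range addresses, made-up paths).
SAMPLE = [
    '192.0.2.10 - - [16/May/2006:19:26:57 +0200] "GET /newswire/display/123/index.php HTTP/1.1" 200 5120 "http://example.org/" "Mozilla/5.0 (X11; Linux)"',
    '198.51.100.7 - alice [16/May/2006:19:30:02 +0200] "POST /publish.php?draft=42 HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '192.0.2.10 - - [16/May/2006:20:01:11 +0200] "GET /newswire/display/123/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux)"',
    'garbage line',
]

def scrub(line):
    """Keep only (day, method, path, status); None if the line does not parse."""
    m = COMBINED.match(line)
    if m is None:
        return None                           # fail closed: never pass a raw line through
    day = m.group("time").split(":", 1)[0]    # drop time of day and time zone
    parts = m.group("request").split()
    if len(parts) < 2:
        return None
    path = parts[1].split("?", 1)[0]          # query strings may identify a visitor
    return (day, parts[0], path, int(m.group("status")))

def to_log_line(rec):
    """Format a scrubbed record; host, user, size, referer and agent are gone."""
    day, method, path, status = rec
    return f'- - - [{day}] "{method} {path}" {status} -'

def hits_per_page(lines):
    """Count successful or redirected requests per (day, path)."""
    counts = Counter()
    for rec in map(scrub, lines):
        if rec is not None and 200 <= rec[3] < 400:
            counts[(rec[0], rec[2])] += 1
    return counts

if __name__ == "__main__":
    # Filter mode: raw lines in on stdin, scrubbed lines out on stdout.
    for raw in sys.stdin:
        rec = scrub(raw)
        if rec is not None:
            print(to_log_line(rec), flush=True)
```

Run as a filter, only the scrubbed lines ever need to reach disk; the per-page counts are computed from those same reduced records.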


