[Imc-communication] Oklahoma IMC intentionally logs users' IP addresses and more, discloses this data publicly

Alster alster at indymedia.org
Tue May 16 10:26:57 PDT 2006 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I browsed your website yesterday and was quite surprised.

As you state on
  http://okimc.org/privacy.php
IMC Oklahoma's

> [..] web server retains logs of all activity on the
> website. 

This is the plain opposite of what the common Indymedia policy on
logging IP addresses is about. Personally, I think that, with all the
governmental repression and abuse we've seen in the past, it should be
obvious that logging IP addresses of IMC users is a very bad idea.

The background on why IP logging is bad and should not be done at all
costs (exceptions in case of abuse may apply) has been discussed several
times on several global tech and non-tech related IMC mailing lists. As
such, it is difficult for me to believe that there are still IMCs who
knowingly and even intentionally log their users' IP addresses and thus
provide a wonderful source of data for repressive law enforcement
against dissentive voices. This deeply worries me.

Please stop it, now.

I'm continuing to quote from your privacy policy:
> Normally, these logs are used purely for the purpose of
> compiling statistics about site usage and are deleted after 7 days.

So what is normal, and what is not? How are they stored, on a hard disk
maybe? Then they are stored for the lifetime of the disk (and possibly
beyond), not for 7 days. You do not delete data off a hard disk
nowadays, as you cannot. Using special 'permanent data removal' tools
may help, but they, too, have their limits.

> In special cases, where persistent patterns of abuse are noticed, we
> may decide to use the logs to identify the source of the abuse. 

I think many server admins would agree that it may be neccessary to
temporarily log IP addresses to a device which allows for temporary
storage (such as a RAM disk) if and when abusive behaviour is monitored
for as long as it takes to identify and blacklist the source, but no
longer. Realizing that an attack takes place is well possible without
logging IP addresses, so, if at all (your OS knows where it's connected
to and will provide access to this information directly from RAM), you
only need to log IP addresses to file (to a safe place) after you
realized an attack is taking place and while you examine its source so
that you can better blacklist it on your firewall.

> The information in these logs is not shared with any other body and is
> not used for any other purposes.

Well, this should be considered, at the very least, a very misleading
statement. While I really hope and assume it is true that the Apache log
files OK IMC collects and keeps are not passed on to third parties,
looking at the OK website shows clearly that it contains a web bug of a
commercial 'web stats' provider on every single page processed by the
content management system (which are all or nearly all).

This means that IP address, accessed location (providing information on
viewed, edited, stored articles and more), user agent (web browser),
operating system, date and time of access, and other information are
stored on both the web server of IMC OK AND the servers of the web
statistics provider. And the statistics provider does not only store
them, but also process and analyze them. You can bet that the statistics
you get to see are only a fracture of the analysis they actually run on
the data you provide.

Analysis of OK IMC usage data:
http://my.statcounter.com/project/standard/stats.php?project_id=721292&guest=1

This 'free web stats' (in fact it is not free but you pay them with the
usage data of your users which should be private) provider is one of
those companies which only make a partial amount of their turnover from
providing paid statistic services to their paying clients and displaying
(remotely hosted and well analyzed) ads to non-paying customers, but
also a good amount from sharing the data they collected with others,
whoever that may be. They may deny to do so, but they do so, the past
has shown this several times and it keeps happening (I cannot provide
proof that the company in question does it, though). In combination with
the cookies they store on your web site visitors' computers for five
years, they (and noly they, not you or your web site visitors) are able
to determine, even after lengthy breaks, who has been visiting which
part of your (and many other) web site(s).

Even worse, the 'free' web statistics provider you chose provides the
last 100 raw log entries they collected from your site to *anyone*. This
means that whoever wants to know which IP address a certain article was
pasted by, can simple retrieve those partial log files every 3 or 4
hours (running a script) and they will know which IP address any article
was published by, without a warrant, any special permit, a login, even
without paying any money. They just download it and run it through their
own web analytics software.

Download raw logs here:
http://my.statcounter.com/project/standard/csv/download_log_file.php?project_id=721292&guest=1

Would be bad if someone who doesn't like you that much did this and sent
an anonymous note to your boss providing him proof that you posted this
article which is a little bit critical about the compnay your work for,
wouldn't it?

Btw., this is not so different from what Yahoo groups may or may not do
with the emails sent through it and your accesses to its web management
interface and group archives.

I'm able to provide further information on all claims I make in this
email and will do so if anyone asks for it. I'm able to provide
technical support if this is needed to stop logging IP addresses by
default and will do so on request.

There are good ways to measure the usage of your website without loosing
any valuable information while not giving away private data on your web
site visitors. Please stop providing incorrect and incomplete
information on the data which is gathered on your web site, and, most of
all, stop logging IP addresses of your web site visitors and stop
disclosing this information to third parties.

Thank you.

Alster
- --
GPG key
http://keys.indymedia.org/cgi-bin/lookup?op=get&search=05059C17
Fingerprint    1B8B 128F 8435 541C B3A5 1B7E CF5A 9D55 0505 9C17
All other      http://docs.indymedia.org/view/Main/AlsteR

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEagthz1qdVQUFnBcRAjrTAJ9ilJ4hBgZTeS6c+UN2l5ck2hJ2OQCfdZb9
t0Pm/jyGyAP9KdRfTcyvp/c=
=vbw2
-----END PGP SIGNATURE-----

More information about the IMC-communication mailing list