Privacy policy for Tux Paint; ideas?

Lists: spi-general
From: Bill Kendrick <nbs(at)sonic(dot)net>
To: spi-general(at)lists(dot)spi-inc(dot)org
Subject: Privacy policy for Tux Paint; ideas?
Date: 2016-12-07 17:23:40
Message-ID: 20161207172340.GE9437@sonic.net


Hi all, I'm Bill, lead developer (in snooze mode ATM),
website maintainer, and main 'support' contact for Tux Paint,
the open source drawing program for young kids
(http://www.tuxpaint.org/)

In the past month or two, I've had at least two teachers,
and one person from an "internet safety" company, ask about
Tux Paint in regards to privacy, user-identifiable information,
etc. (I don't think in the previous 12 years I had ever been
asked; I guess some laws changed in the US this year?)

As Tux Paint is a completely offline program, with no network
capabilities at this time -- at least in the Desktop version
(other Tux Paint devs, remind me: what do the Android and iOS
versions do, if anything, online?) -- and as the tuxpaint.org
website does not have any kind of user accounting (login, forums,
cloud storage, etc.), this has never seemed necessary. [*]

However, it seems that, at the very least, it'd be helpful for ME to
have a "privacy policy" page on our site that I can direct teachers
and school IT folks to, rather than have to reply individually each
time... or worse yet, fill-out/sign/scan/email strange government
forms that ask questions that are almost entirely moot. :)

Does anyone out here have experience putting a privacy policy
together, a link you can throw me to some 'best practices',
or other relevant guidance?

Thanks in advance!

[*] There are these mailing lists, managed by SourceForge.net,
the IRC channel, which lives on FreeNode, and the
Facebook Group and Page, which live on Facebook -- and
all of which I currently manage.

They are outside the scope of Tux Paint itself, but I suppose on
whatever 'privacy policy' page/document that I come up with, it'd
make sense to (at the least) link to each service's relevant
privacy policy page.

Note: Sending this to tuxpaint's dev list, SchoolForge discussion list,
and Software in the Public Interest's general discussion list.

--
-bill!


From: Josh berkus <josh(at)postgresql(dot)org>
To: Bill Kendrick <nbs(at)sonic(dot)net>, spi-general(at)lists(dot)spi-inc(dot)org
Subject: Re: Privacy policy for Tux Paint; ideas?
Date: 2016-12-07 18:27:37
Message-ID: a1b13466-4dd5-648b-d3ba-68adbe5a762c@postgresql.org
Lists: spi-general

On 12/07/2016 09:23 AM, Bill Kendrick wrote:
> As Tux Paint is a completely offline program, with no network
> capabilities at this time -- at least in the Desktop version
> (other Tux Paint devs, remind me: what do the Android and iOS
> versions do, if anything, online?) -- and as the tuxpaint.org
> website does not have any kind of user accounting (login, forums,
> cloud storage, etc.), this has never seemed necessary. [*]

Then that's your privacy policy:

"The Tux Paint website does not collect or store any user-identifying
information. The Tux Paint program does not communicate any user
information online."


From: "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com>
To: Josh berkus <josh(at)postgresql(dot)org>, Bill Kendrick <nbs(at)sonic(dot)net>, spi-general(at)lists(dot)spi-inc(dot)org
Subject: Re: Privacy policy for Tux Paint; ideas?
Date: 2016-12-07 19:20:26
Message-ID: b1282db1-c38b-adb7-09a9-3afaf893d908@commandprompt.com
Lists: spi-general

On 12/07/2016 10:27 AM, Josh berkus wrote:
> On 12/07/2016 09:23 AM, Bill Kendrick wrote:
>> As Tux Paint is a completely offline program, with no network
>> capabilities at this time -- at least in the Desktop version
>> (other Tux Paint devs, remind me: what do the Android and iOS
>> versions do, if anything, online?) -- and as the tuxpaint.org
>> website does not have any kind of user accounting (login, forums,
>> cloud storage, etc.), this has never seemed necessary. [*]
>
> Then that's your privacy policy:
>
> "The Tux Paint website does not collect or store any user-identifying
> information. The Tux Paint program does not communicate any user
> information online."

Could probably be refined down to one sentence but other than that, this
is spot on.

JD

--
Command Prompt, Inc. http://the.postgres.company/
+1-503-667-4564
PostgreSQL Centered full stack support, consulting and development.
Everyone appreciates your honesty, until you are honest with them.
Unless otherwise stated, opinions are my own.


From: Josh berkus <josh(at)postgresql(dot)org>
To: Bill Kendrick <nbs(at)sonic(dot)net>, spi-general(at)lists(dot)spi-inc(dot)org
Subject: Re: Privacy policy for Tux Paint; ideas?
Date: 2016-12-07 20:05:11
Message-ID: 9d0c6032-5e74-a2c1-2dc7-7461a97de193@postgresql.org
Lists: spi-general

On 12/07/2016 10:27 AM, Josh berkus wrote:
> On 12/07/2016 09:23 AM, Bill Kendrick wrote:
>> As Tux Paint is a completely offline program, with no network
>> capabilities at this time -- at least in the Desktop version
>> (other Tux Paint devs, remind me: what do the Android and iOS
>> versions do, if anything, online?) -- and as the tuxpaint.org
>> website does not have any kind of user accounting (login, forums,
>> cloud storage, etc.), this has never seemed necessary. [*]
>
> Then that's your privacy policy:
>
> "The Tux Paint website does not collect or store any user-identifying
> information. The Tux Paint program does not communicate any user
> information online."

BTW, I think the reason folks are asking is because K-12 staff are
required to check privacy info for anything kids use.


From: Roger Dingledine <arma(at)mit(dot)edu>
To: spi-general(at)lists(dot)spi-inc(dot)org
Subject: Re: Privacy policy for Tux Paint; ideas?
Date: 2016-12-08 05:49:12
Message-ID: 20161208054912.GK10158@moria.seul.org
Lists: spi-general

On Wed, Dec 07, 2016 at 10:27:37AM -0800, Josh berkus wrote:
> On 12/07/2016 09:23 AM, Bill Kendrick wrote:
> > [...] the tuxpaint.org
> > website does not have any kind of user accounting (login, forums,
> > cloud storage, etc.) [...]
>
> Then that's your privacy policy:
>
> "The Tux Paint website does not collect or store any user-identifying
> information. The Tux Paint program does not communicate any user
> information online."

Careful! Bill said the website doesn't require logins or the like,
and Josh summarized that for him as the website does not collect any
user-identifying information. If I read this privacy policy and then
later learned that the tuxpaint website collects default apache logs,
with IP address and user-agent and so on, I might be pretty upset.

You might argue that IP addresses aren't user-identifying, and you'll
find judges in the US who agree with you, but you'll find judges in
Europe who do not agree.

I guess you might also think "he said the website, not the webserver",
but I hope we'd conclude that's still problematic.

Rather than trying to craft language to explain webserver log risks,
one solution would be to change the webserver config so it doesn't
keep scary logs, and then stick with Josh's text. For example, on the
Tor webservers we use a modified log format that writes 0.0.0.0 for
requests that arrive over http and 0.0.0.1 for requests over https,
and rounds down the timestamp to midnight. For example:

0.0.0.1 - - [04/Dec/2016:00:00:00 +0000] "GET /robots.txt HTTP/1.0" 200 23 "-" "-" -

The apache config line we use to generate it is:

LogFormat "0.0.0.0 - %u %{[%d/%b/%Y:00:00:00 %z]}t \"%r\" %>s %b \"%{Referer}i\" \"-\" %{Age}o" privacy

and then you use it with a line in your VirtualHost stanza like

CustomLog /var/log/apache2/$name-access.log privacy

For more motivation, see
http://seclists.org/nmap-announce/2004/16
You might think tuxpaint doesn't need to provide this sort of security
for its users -- and indeed I would hope that tuxpaint would be pretty
far down the "first they came for" list -- but these are trying times
we're living in, and you never know when things will change, so keeping
your users safe by default is good practice.

Hope this helps,
--Roger
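What the LogFormat line above actually removes is easier to see on concrete input. The following Python script is an added example for this thread; it is not Roger's configuration, not Tor's code and not part of Tux Paint. It reads Apache "combined" access-log lines (the three sample lines are constructed, not real tuxpaint.org traffic) and applies the same reductions as the quoted LogFormat: the client address becomes 0.0.0.0 for plain-HTTP requests or 0.0.0.1 for HTTPS, the timestamp is rounded down to midnight, and the User-Agent is replaced by "-". The trailing %{Age}o field is left out. It goes one step beyond the quoted config by also dropping the query string from the request line, since that is another place identifiers tend to land; the function names are my own. Such a filter is mainly useful for scrubbing logs that were written before the webserver config was changed.

```python
import re
from datetime import datetime

# Constructed sample access-log lines in Apache "combined" format (not real
# tuxpaint.org traffic). Each carries the fields a default config retains:
# client IP, full timestamp, referer and User-Agent.
SAMPLE_LINES = [
    '203.0.113.42 - - [04/Dec/2016:13:27:51 +0000] "GET /robots.txt HTTP/1.0" 200 23 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [04/Dec/2016:21:05:09 +0000] "GET /download/ HTTP/1.1" 200 8192 "https://www.example.org/" "curl/7.64.1"',
    '192.0.2.99 - alice [05/Dec/2016:03:14:15 +0000] "GET /search?user=alice HTTP/1.1" 404 512 "-" "Wget/1.19"',
]

# Field layout of the combined log format.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def anonymize_line(line, https=False):
    """Return ``line`` with the identifying fields reduced, or None when the
    line is not in combined format (a corrupted line is never passed through
    unchanged, since it might still contain an address)."""
    m = COMBINED_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    f = m.groupdict()

    # Client address: keep only whether the request used TLS, as the quoted
    # Tor LogFormat does (0.0.0.0 for http, 0.0.0.1 for https).
    ip = "0.0.0.1" if https else "0.0.0.0"

    # Timestamp: round down to midnight so visit times cannot be correlated
    # with anything else.
    ts = datetime.strptime(f["ts"], TS_FMT)
    day = ts.replace(hour=0, minute=0, second=0).strftime(TS_FMT)

    # Request line: drop the query string. This is an addition beyond the
    # quoted LogFormat, which would still record "%r" in full.
    parts = f["request"].split(" ")
    if len(parts) == 3:
        parts[1] = parts[1].split("?", 1)[0]
    request = " ".join(parts)

    # ident is never logged, User-Agent becomes "-", and %u (the HTTP-auth
    # user, if any) and the Referer are kept as in the quoted LogFormat.
    user, status, size, referer = f["user"], f["status"], f["size"], f["referer"]
    return f'{ip} - {user} [{day}] "{request}" {status} {size} "{referer}" "-"'


def anonymize_lines(lines, https=False):
    """Anonymize an iterable of log lines, dropping unparseable ones."""
    out = []
    for line in lines:
        cleaned = anonymize_line(line, https=https)
        if cleaned is not None:
            out.append(cleaned)
    return out


if __name__ == "__main__":
    for cleaned in anonymize_lines(SAMPLE_LINES):
        print(cleaned)
```

Run it on an existing access log with something like `python3 scrub.py < access.log > access.scrubbed.log` (after replacing SAMPLE_LINES with `sys.stdin`), then delete the original; the scrubbed file is what a "we do not store IP addresses" statement can honestly point to. Note that the Referer is kept here only because the quoted LogFormat keeps it; it can carry identifying URLs too and is just as easy to replace with "-".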


From: Javier Fernandez-Sanguino <jfs(at)debian(dot)org>
To: Roger Dingledine <arma(at)mit(dot)edu>
Cc: spi-general(at)lists(dot)spi-inc(dot)org
Subject: Re: Privacy policy for Tux Paint; ideas?
Date: 2016-12-08 08:36:20
Message-ID: CAB9B7UucsTL6AW2BWpqbp69-=j+GGA-5nG=Da3+yfL4pRghP7g@mail.gmail.com
Lists: spi-general

On 8 December 2016 at 06:49, Roger Dingledine <arma(at)mit(dot)edu> wrote:

> Careful! Bill said the website doesn't require logins or the like,
> and Josh summarized that for him as the website does not collect any
> user-identifying information. If I read this privacy policy and then
> later learned that the tuxpaint website collects default apache logs,
> with IP address and user-agent and so on, I might be pretty upset.
>

Agreed.

> You might argue that IP addresses aren't user-identifying, and you'll
> find judges in the US who agree with you, but you'll find judges in
> Europe who do not agree.
>

I thought I might chime in and give a "Europe" perspective which might, or
might not, apply to TuxPaint. Since TuxPaint (the service) is provided from
the US this might or might not apply, but maybe the information I provide
here is useful. Please bear with me and keep in mind that IANAL :)

*European Data Protection directive*

In Europe, the data protection directive, which entered into force this year
but will not be fully applicable until 2018 [1], defines personal data as:

‘personal data’ means any information relating to an identified or
identifiable natural person (‘data subject’); an identifiable natural
person is one who can be identified, directly or indirectly, in particular
by reference to an identifier such as a name, an identification number,
location data, an online identifier or to one or more factors specific to
the physical, physiological, genetic, mental, economic, cultural or social
identity of that natural person;

Note: This definition already exists in the data protection directives
(in different countries) that this directive will replace.

*Is an IP address personal data?*

The most important part of the definition is that the data can "identify or
be used to identify" somebody. A license plate of a car, for example, is
considered personal data in most cases (unless it is a company car). Also a
telephone number (because there is a contract signed by somebody that
"ties" to that number). Following that thread, an IP address has been
considered personal data by Data Protection Agencies in the past. For
example, see this note [3] (in Spanish only, sorry) from the Spanish Data
Protection Agency which states that an IP address *is* personal data
because in many cases it can be used to identify persons.

Note that the possibility of identifying a person does not have to stay in
the hands of the one holding the data itself. You could argue: "hey, I
have an IP address in a log but there is no way that I can determine who it
is". That is not relevant: the definition does not say that the service
provider can use it to tie it to somebody; an IP address is personal data
because somebody (i.e. the Internet Service Provider) can use that data to
make you identifiable.

I do not want to start a debate on whether or not an IP address is personal
data, I just want to highlight that a lawyer and a judge might consider it
personal data and, consequently, somebody could pursue a service provider
on the basis of it holding this information.

*Privacy Policy for Tuxpaint*

Consequently, for Tux Paint's website I would suggest describing in the
privacy policy what technical information is stored (if any) as a
consequence of website use.

In addition, you also have to consider TuxPaint as a "service provider" and
define a privacy policy that takes into consideration some other aspects of
the project. Not just the website, maybe also the mailing lists and other
means of contacting the project (i.e. email).

I would suggest googling a little bit for "privacy policy" in different
projects/websites and looking into how others have defined their website's
privacy policies.

I have done this (5 minutes, not much) and looked at some privacy policies
of websites of some EU sites. Maybe something along these lines could be
useful (or not):

PRIVACY POLICY

We respect the privacy of internet users and visitors to our website. As a
matter of principle, we do not collect, store or exploit personally
identifiable information of its visitors, unless the storage is for the
processing of necessary direct assignments or enquiries, and explicit
consent for utilisation and storage exists. Enquiries that reach us through
the voluntary stating of name, address and/or e-mail are deemed to be
approval of the storage of the data. On no account will personally
identifiable information be made available to a third party.

[INSERT Contact information from New Breed Software, For example the
following:
NewBreed Software
1335 Alder Place, Davis (California)
US 95618
info(at)newbreedsoftware(dot)com ]

Cookies

Our website does not make use of so-called cookies in order to recognize
repeat use of our website by the same user/internet connection subscriber.

Server data

For technical reasons, data such as the following, which your internet
browser transmits to us or to our web space provider (so called server log
files), is collected:
– type and version of the browser you use
– operating system
– websites that linked you to our site (referrer URL)
– websites that you visit
– date and time of your visit
– your Internet Protocol (IP) address.
This anonymous data is stored separately from any personal
information you may have provided, thereby making it impossible to connect
it to any particular person. The data is used for statistical purposes in
order to improve our website and services.

MAILING LIST

Our website offers you the opportunity to subscribe to our mailing list.
The mailing list provides you periodically with information about TuxPaint.
To receive our newsletter, we require a valid email address. We will review
the email address you provide for the purpose of determining whether you
are in fact the owner of the email address provided or whether the actual
owner of said address is authorized to receive the newsletter. When
subscribing to our mailing list, we will store your IP address as well as
the date and time you subscribed. This serves to protect us in the event a
third party improperly and without your knowledge makes use of your email
address to subscribe to our newsletter. We will not collect any other data.
The data thereby collected is used solely for the purpose of receiving our
mailing list. No data is transferred to third parties. Nor is any of this
information matched to any information that other components of our website
may collect. You may cancel your subscription to the mailing lists at any
time. You will find additional details in the email confirming your
subscription as well as in each mailing list.

Contacting Us

On our website we offer you the opportunity to contact us, either by email
and/or by using a contact form. In such event, information provided by the
user is stored for the purpose of facilitating communications with the
user. No data is transferred to third parties. Nor is any of this
information matched to any information that may be collected by other
components of our website.

Information/Cancellation/Deletion

On the basis of the European Data Protection Rules (Regulation (EU)
2016/679 / Directive (EU) 2016/680), and the Data Protection laws of the
different EU countries, you may contact us at no cost if you have questions
relating to the collection, processing or use of your personal information,
if you wish to request the correction, blocking or deletion of the same, or
if you wish to cancel explicitly granted consent. Please note that you have
the right to have incorrect data corrected or to have personal data
deleted, where such claim is not barred by any legal obligation to retain
this data.

Note:
- Of course, this should be adapted to TuxPaint a little bit better.
- Even if the website is configured to not store IP address I would still
highlight the possibility to store that information.

> I guess you might also think "he said the website, not the webserver",

> but I hope we'd conclude that's still problematic.
>

For non-IT guys, it's the same thing. The regulation does not talk about
technical components, EU regulation talks about "service providers". Those
are the ones that are responsible for managing personal data properly and
it includes all their services, not just the website itself.

I hope the above is useful food for thought.

Best regards

Javier

[1] http://ec.europa.eu/justice/data-protection/reform/index_en.htm
[2] http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf - Article 4
[3] https://www.agpd.es/portalwebAGPD/canaldocumentacion/informes_juridicos/otras_cuestiones/common/pdfs/2003-0327_Car-aa-cter-de-dato-personal-de-la-direcci-oo-n-IP.pdf


From: Ian Jackson <ijackson(at)chiark(dot)greenend(dot)org(dot)uk>
To: Javier Fernandez-Sanguino <jfs(at)debian(dot)org>
Cc: spi-general(at)lists(dot)spi-inc(dot)org
Subject: Re: Privacy policy for Tux Paint; ideas?
Date: 2016-12-11 11:51:06
Message-ID: 22605.15786.445312.775055@chiark.greenend.org.uk
Lists: spi-general

Javier Fernandez-Sanguino writes ("Re: Privacy policy for Tux Paint; ideas?"):
...
> PRIVACY POLICY
..
> This anonymous data is stored separately from any personal information you
> may have provided, thereby making it impossible to connect it to any
> particular person. The data is used for statistical purposes in order to
> improve our website and services.

... and for troubleshooting.

> MAILING LIST
>
> Our website offers you the opportunity to subscribe to our mailing list.

I assume there is a development list too, which is public.
This seems to be omitted.

What is further lacking is a statement that the Tux Paint program does
not record any tracking information about its users.

I assume it doesn't. If it has a "track changes" feature then this
isn't true. But a paint program intended for use by children probably
shouldn't have a "track changes" feature!

Ian.

--
Ian Jackson <ijackson(at)chiark(dot)greenend(dot)org(dot)uk> These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.


From: Bill Kendrick <nbs(at)sonic(dot)net>
To: spi-general(at)lists(dot)spi-inc(dot)org
Subject: Re: Privacy policy for Tux Paint; ideas?
Date: 2020-12-06 08:51:03
Message-ID: 20201206085103.GB13186@sh.sonic.net
Lists: spi-general

On Wed, Dec 07, 2016 at 09:23:40AM -0800, Bill Kendrick wrote:
>
> Hi all, I'm Bill, lead developer (in snooze mode ATM),
> website maintainer, and main 'support' contact for Tux Paint,
> the open source drawing program for young kids
> (http://www.tuxpaint.org/)
>
> In the past month or two, I've had at least two teachers,
> and one person from an "internet safety" company, ask about
> Tux Paint in regards to privacy, user-identifiable information,
> etc. (I don't think in the previous 12 years I had ever been
> asked; I guess some laws changed in the US this year?)

Nearly 4 years to the day, I've finally drafted something.
I'd appreciate any feedback. IANAL, and I realize most (all)
out here won't be either, but if you see anything glaringly wrong
with it, let me know.

I started by trying to use a free "privacy policy generator",
and it was basically useless for my purposes here. :-D

My goal ended up being both discussion of privacy to users visiting
the website, and interacting with the project as a whole (via email,
mailing lists, etc.), as well as to briefly mention the fact that
the Tux Paint software _itself_ doesn't actually transmit anything,
let alone personal information. (I'm going to double-check with the
folks working on the Android version to confirm the accuracy of my
statement regarding its download capabilities.)

http://tuxpaint.org/privacy/

Thanks in advance!

-bill!