Introduction
Privacy is important, and internet privacy is eroding at an alarming pace. It's almost impossible to visit websites without being tracked and advertised to, even as a paying customer for a service. Some jurisdictions have strong laws to protect internet privacy, such as the European Union and the US State of California, but many do not, including the United States at the federal level.
What I won't do
I want this site to be different. That's why I will never:
- Serve ads.
- Track you with tracking pixels or cookies.
- Load third-party content, such as images, scripts, or fonts.
- Sell your data.
- Use services like Google AMP.
Data I collect and how I use it
I do log some data to keep the site running smoothly.
I keep web server logs for the purposes of security and troubleshooting. At the moment, I retain them indefinitely, but I am investigating ways to collect that data anonymously and delete original logs as soon as possible. Other than what can show up in web server logs (IP address, requested resource, and potentially headers), I have no data about you.
I may use log data to compile interesting statistics. I may publish this information.
I may publish blog posts about the network activity to this server, particularly bot activity, but I will remove identifying information like IP addresses.
Security
Your connection to this website is encrypted with Transport Layer Security (TLS). This means that assuming there isn't a problem with the server's TLS implementation, your connection is encrypted and private.
TLS is important even for content that is static or that doesn't seem sensitive. Without TLS, ISPs can inject arbitrary code into web pages to load ads or serve account notices. This is detrimental to privacy and a serious breach of trust. It could even lead to malvertisements or worse.
Any attempt to connect with plain HTTP will be redirected to HTTPS. I had the site configured to offer both HTTP and HTTPS at first, because I believe in accessibility. Internet connectivity is not evenly distributed around the world, and the extra time and data required for TLS can be burdensome for people on high-latency or low-bandwidth connections.
As mentioned above, though, even serving static sites over HTTP allows for some pretty nasty man-in-the-middle attacks. And while I could technically absolve myself of responsibility ("It's not my fault your ISP injects cryptomining JavaScript payloads into your web pages!"), I still wouldn't feel right about enabling ISPs or oppressive regimes to potentially compromise people. Sure, you can do it with any HTTP site, but I'd rather it not be mine.
I have no way of knowing who will stumble upon this site or what their internet connection will be like, but my goal is to be as secure and accessible as possible. I hope HTTPS-only doesn't negatively impact too many people, but I also hope the security benefits outweight that. I may change my mind and offer an HTTP version of the site in the future.
Transparency
If you're able, I invite you to inspect this site not just with your browser's developer tools (Chrome, Firefox, Edge), but tools like curl and Wireshark as well. Trust, but verify.
This site's HTML is friendly and easy-to-read. You should be able to view any page's source and understand what's happening.
I plan to provide Atom and RSS feeds of this page so you can get notified if it ever changes. I'll try to keep these updates to a minimum. I also link to past versions so you can compare them across time.
Conclusion
This site is basic, and it's not as though there's much data collection happening in the first place, but that doesn't mean privacy isn't important, and it doesn't mean I respect your privacy any less. I hope this policy makes that clear.
Contact
If you have any questions or privacy concerns, please don't hesitate to e-mail me at privacy@davidfluck.com (mailto).