Privacy policy for Tux Paint; ideas?

Roger Dingledine arma at
Thu Dec 8 05:49:12 UTC 2016

On Wed, Dec 07, 2016 at 10:27:37AM -0800, Josh berkus wrote:
> On 12/07/2016 09:23 AM, Bill Kendrick wrote:
> > [...] the
> > website does not have any kind of user accounting (login, forums,
> > cloud storage, etc.) [...]
> Then that's your privacy policy:
> "The Tux Paint website does not collect or store any user-identifying
> information.  The Tux Paint program does not communicate any user
> information online."

Careful! Bill said the website doesn't require logins or the like,
and Josh summarized that for him as the website does not collect any
user-identifying information. If I read this privacy policy and then
later learned that the tuxpaint website collects default apache logs,
with IP address and user-agent and so on, I might be pretty upset.

You might argue that IP addresses aren't user-identifying, and you'll
find judges in the US who agree with you, but you'll find judges in
Europe who do not agree.

I guess you might also think "he said the website, not the webserver",
but I hope we'd conclude that's still problematic.

Rather than trying to craft language to explain webserver log risks,
one solution would be to change the webserver config so it doesn't
keep scary logs, and then stick with Josh's text. For example, on the
Tor webservers we use a modified log format that writes for
requests that arrive over http and for requests over https,
and rounds down the timestamp to midnight. For example: - - [04/Dec/2016:00:00:00 +0000] "GET /robots.txt HTTP/1.0" 200 23 "-" "-" -

The apache config line we use to generate it is:

LogFormat " - %u %{[%d/%b/%Y:00:00:00 %z]}t \"%r\" %>s %b \"%{Referer}i\" \"-\" %{Age}o" privacy

and then you use it with a line in your VirtualHost stanza like

CustomLog /var/log/apache2/$name-access.log privacy

For more motivation, see
You might think tuxpaint doesn't need to provide this sort of security
for its users -- and indeed I would hope that tuxpaint would be pretty
far down the "first they came for" list -- but these are trying times
we're living in, and you never know when things will change, so keeping
your users safe by default is good practice.

Hope this helps,

More information about the Spi-general mailing list