Privacy

Effective date: 2018-07-15

This page sets out the privacy policy for the website blog.aractus.com. Let me start by saying that I view privacy as an inalienable human right and that this philosophy governs my blog.

What information gets collected?

I collect general analytic data through the server logs; I do not use third-party privacy-invading analytic tools. This information gives me broad information about my visitors, but it doesn’t tell me anything about their age, gender, level of education, etc – it just tells me what your browser knows, which is basically your operating system, your web browser, and an approximate location based on your IP address.

I sometimes get comments on my blog, or emails. These contain your name and email address, which is certainly personal information; you can email me at any time if you have concerns about a comment you made or wish it to be unpublished.

I don’t put ads on my blog, and I never have. So you can rest assured that no information gathered is used to market stuff towards you.

What information is shared with third-parties?

Well, not with advertisers, that’s for sure. Some of the embedded content, like YouTube videos, is served from third-party websites in iframes, and it will be up to you to check their privacy policies. I do always suggest that you install and use uBlock Origin, and I encourage you to use it on my site to block third-party content like ads in YouTube. I do, however, plan to migrate the YouTube embeds to youtube-nocookie.com very soon. When you click links your browser will typically send a referrer header to the outgoing website, which basically tells them you came from my blog and which page you came from. This can be disabled; see the Do Not Track section further down.

My new theme loads everything (other than iframe embeds) from the host server. All JavaScript, fonts, images, CSS, etc. are loaded from blog.aractus.com and not from third-party locations. This includes any Gravatar icons – they are served from the blog by proxy to protect your privacy.

How is your information protected?

Like most of the internet, my blog has been exclusively HTTPS since July 2016. This means that no third parties can intercept your connection to the server and read what blog pages you are reading. This also prevents JavaScript injection into pages in transit. I have set both a CAA DNS record and the HSTS header, which should further reduce the possibility of a MITM attack. Lastly, the search boxes use POST requests, meaning they don’t leave behind a unique visible URL in the browser history: the search terms are “invisible”. While I do my best to ensure your privacy, all the protocols we once trusted to be secure turned out to have vulnerabilities … from SSL1 to TLS1. So obviously I can’t give an absolute iron-clad guarantee on security, and no one can – I encourage you to make your own informed decisions.

How is DNT (Do Not Track) handled?

When you visit with a DNT header the server will set the Referrer-Policy HTTP header to the value “no-referrer” on the majority of pages (any generated by WordPress). This instructs your browser to prevent the destination page or website from knowing where you came from – yes, even internal links will have no referrer. It may not work in all browsers, but if you’re selecting the setting it’s up to you to make an informed choice of which browser to trust – I highly suggest Firefox; Mozilla’s privacy philosophy is far more aligned with that of privacy groups compared to the likes of Google.

Another difference is that the options to (a) save your information in your browser, and (b) use Gravatar will be unchecked on the comment forms by default.

You may wonder why a privacy advocate such as myself doesn’t just set the “no-referrer” value all the time in the headers. The reason is that it is helpful to me to let other sites know they got a visitor from my website. So it’s actually not in my interest to set the referrer policy to “no-referrer”, but if you are visiting with DNT on I will go that extra bit for you and let your outbound activities be anonymous.

Cookies and Local Storage

WordPress doesn’t set any visitor cookies on its own by default, unless you’re posting a comment or attempting to log in. When posting a comment you have the option to select whether you wish to save your details in a cookie or not. I was using a couple of cookies to enhance the browsing experience, but this is now done using local browser storage instead. Local storage is never sent to the server and is known only to your browser.

Javascript

My blog does not require JavaScript to function. The UI itself runs almost entirely on CSS, not JavaScript. However, certain small improvements, including some to your privacy, are made using JavaScript. The local storage mentioned above relies on JavaScript. Automatically checking the comment options is done with a small JavaScript function as well. I also use a JavaScript function to replace YouTube embeds with a placeholder element. This means that nothing loads from YouTube until you interact with it. However, if you have JavaScript blocked for my blog then the iframe will load instead. This is a work in progress; not all embedded videos have been converted yet. I would suggest you enable JavaScript, but the option is yours, and I’m very happy to say the blog displays fine with JavaScript disabled, a fact you may well have already noticed if reading this.

Additionally, the site’s Content-Security-Policy HTTP header will only allow YouTube-related scripts (besides the blog’s own). I know this doesn’t restrict what runs inside the iframes themselves, but it does mean that no external scripts can be embedded from foreign websites in the website itself.
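As an added illustration (not the blog’s own WordPress code), the following Python checks a captured set of response headers against the policy stated in the HTTPS, Do Not Track and Content-Security-Policy sections above: HSTS present, script-src limited to 'self' and YouTube hosts, and Referrer-Policy set to no-referrer whenever the request carried DNT: 1. The YouTube host allowlist and the two sample header sets are constructed assumptions.

```python
from typing import Dict, List, Mapping

# Assumed allowlist of YouTube script origins; the blog's exact CSP is not published.
YOUTUBE_SCRIPT_HOSTS = {"https://www.youtube.com", "https://s.ytimg.com"}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP string such as "default-src 'self'; script-src a b" into {directive: [sources]}."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(response: Mapping[str, str], dnt_sent: bool) -> List[str]:
    """Return findings for a response; an empty list means it matches the stated policy."""
    headers = {k.lower(): v for k, v in response.items()}
    findings: List[str] = []

    if "max-age=" not in headers.get("strict-transport-security", "").lower():
        findings.append("HSTS header missing or without max-age")

    csp = headers.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy header missing")
    else:
        directives = parse_csp(csp)
        # script-src falls back to default-src; with neither, every source is allowed.
        scripts = directives.get("script-src", directives.get("default-src", ["*"]))
        for src in scripts:
            if src not in ("'self'", "'none'") and src not in YOUTUBE_SCRIPT_HOSTS:
                findings.append(f"script-src allows a source outside self/YouTube: {src}")

    # The DNT promise: Referrer-Policy must be no-referrer when the browser sent DNT: 1.
    if dnt_sent and headers.get("referrer-policy", "").strip().lower() != "no-referrer":
        findings.append("DNT: 1 was sent but Referrer-Policy is not no-referrer")
    return findings


# Constructed sample responses, not captured from the real site.
COMPLIANT = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://www.youtube.com; "
                               "frame-src https://www.youtube-nocookie.com",
    "Referrer-Policy": "no-referrer",
}
LEAKY = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://www.google-analytics.com",
}
```

Run `audit_headers(COMPLIANT, dnt_sent=True)` for an empty list and `audit_headers(LEAKY, dnt_sent=True)` for three findings (no HSTS, a third-party script host, and a missing no-referrer policy).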

GDPR Compliance Statement

This website is not governed by the laws of the EU and is therefore not required to comply with the GDPR. That having been said, I believe the website is GDPR compliant, but if you notice a problem please bring it to my attention by contacting me.