Privacy Policy: Software and Technology Projects

This policy describes our privacy practices for the information that's collected and used by EFF software and technology projects, like HTTPS Everywhere, the Decentralized SSL Observatory, or Privacy Badger (but not Certbot or Panopticlick, which have their own policies—see below). We may occasionally update this document or the relevant user interfaces to reflect changes in the information that we collect or new products or technologies we release. However, any revised privacy policy will be consistent with EFF's mission and will be available at https://www.eff.org/code/privacy-policy.

Unless otherwise specified, this policy does not apply to projects run by individuals or organizations outside of EFF, such as Tor, OTR, or GnuPG, even if we promote the use of those projects or happen to contribute to them.

EFF is located within the United States, and therefore will transfer, process, and store your information in the United States, which may not provide as much protection as your home country. (We’re working to make US practices better.)

Software Downloads: If you download and install software from EFF's web site, we may collect information about your visit to our site. Once installed, our software may also connect automatically to our site to attempt to determine if updated versions are available. As a result, our site may log information related to the software downloads, such as your computer's IP address. Our collection, anonymization, and use of that data is described our web site privacy policy.

If you download or receive EFF software from another source, such as the Chrome Web Store; Google Play Store; addons.mozilla.org; Github; or package repositories like those run by Debian, Ubuntu, or Red Hat; your interaction with that site is governed by its privacy policy, which may be less protective than EFF's policies. EFF cannot supervise or control the use of personal information by non-EFF software download sources.

Bug Reports and Research Datasets: EFF software and technology projects may give you the option to submit bug reports to us, either manually or (if you opt-in) automatically, such as when an error occurs. For example, if you disable HTTPS Everywhere on a particular site, that may be indicative of bugs in the ruleset for that site. If you choose to submit reports, the content of those reports will be available to the project developers, which may include third parties. The software user interface will describe the contents of the report and the retention policies in further detail. We may disclose bug reports to people as necessary to improve the software or technology project.

Sometimes our software and technology projects may collect other types of information to help with technology research, which generally will not include personally identifiable information. For instance, the SSL Observatory collects SSL/TLS certificates and associated metadata.  When our software collects such information, its user interfaces will explain what it does, and let you enable or disable submissions. This information may be included in datasets, which are discussed below.

Use of Information: In general, EFF uses the information provided by you to further its mission, including to strengthen Internet security and privacy, defend freedom and innovation, and to protect your rights in the digital world. To help you better understand how this information further these goals, we may include further explanations of the use of data within the project’s user interface.

Disclosure of Your Information: While EFF endeavors to provide the highest level of protection for your information, we may disclose personally identifiable information about you to third parties in limited circumstances, including: (1) with your consent; or (2) when we have a good faith belief it is required by law, such as pursuant to a subpoena or other judicial or administrative order.

If we are required by law to disclose the information that you have submitted, we will attempt to provide you with prior notice (unless we are prohibited or it would be futile) that a request for your information has been made in order to give you an opportunity to object to the disclosure. We will attempt to provide this notice by whatever means is reasonably practical. If you do not challenge the disclosure request, we may be legally required to turn over your information.

In addition, we will independently object to requests for access to information about users of our products and technologies that we believe to be improper and we have done so.

Updating or Removing Your Information

We endeavor not to collect personal data from users, but recognize that you may choose to provide such information in a bug report. You may choose to correct, update, access or delete the personal information you have submitted to us by sending an email to privacypolicy@eff.org.

Data Storage and Retention

EFF’s general privacy policy covers the storage and retention policies for our server logs and direct communications with EFF.

If you submit a bug report or contribute to a research dataset, we will maintain this information for as long as we believe it is relevant to improving the software or technology project. Generally, we do not store personally identifiable information (PII), including the IP addresses of users, when collecting bug reports or research data. However, on occasion, we may store IP addresses for limited debugging purposes. (You may also choose to submit these reports and data via Tor in order to prevent us from being able to observe your IP address.)

Contacting EFF

If you have any questions about our privacy and data protection practices, you can reach EFF at:

Electronic Frontier Foundation
815 Eddy Street
San Francisco, CA 94109 USA
Phone: +1-415-436-9333
Fax: +1-415-436-9993
Email: privacypolicy@eff.org.

If our processing of your personal data is covered by EU law, you may also lodge a complaint with the relevant data protection supervisory authority for your country of residence.

Sharing of datasets: From time to time, we may share datasets derived from our technology projects with research partners working on topics related to Internet security, censorship resistance, privacy or other public policy objectives. We may also publish datasets in an effort to further these objectives. The datasets we may share or publish will not intentionally contain PII and we will evaluate whether further sanitization or aggregation of data is necessary to reduce the likelihood that inferences about identifiable individuals' activities might be made from the published dataset. Because anonymization is an algorithmically complex problem, we cannot promise that it will be flawless or attack-proof. When we believe that a dataset may contain information that is especially sensitive or vulnerable to de-anonymization, we will not publish it, and if we share share such data with research partners, we will place them under a contractual obligation to keep the dataset confidential and avoid de-anonymization.

Security: EFF employs industry standard security measures to protect the loss, misuse, and alteration of the information under our control, including appropriate technical and organizational measures to ensure a level of security appropriate to the risk, such as the pseudonymization and encryption of personal data, data backup systems, and engaging security professionals to evaluate our systems effectiveness. Although we make good faith efforts to store information collected by EFF in a secure operating environment, we cannot guarantee complete security.

Privacy Policies for Specific Software and Technology Projects: Some of the technology projects from EFF may have specific privacy policies associated with them. When we launch projects with their own privacy policies, they will be linked to from this page.

Updated May 25, 2018 to provide more transparency about our privacy practices and more detailed information about how you can access, correct and remove personal data stored with EFF.

Updated on June 2, 2014 to reflect the possible collection of information for research datasets.

Updated on February 4, 2015 to correct typographical errors.

Previous Privacy Policies for Software and Technology Projects: