This policy was in effect from Jul 24 2012 to Apr 30 2014. You can view our current policy here.
In this policy, "EFF" refers to EFF staff, board members, cooperating attorneys, interns, volunteers, and consultants, all of whom are bound by law or contract to keep confidential information they receive as part of their assistance to EFF.
EFF does not sell or rent member, donor or website visitor information under any circumstances, and we do not share member, donor or visitor information without prior consent except as compelled by law. (See discussion below.)
Information Gathered by EFF's Site
Logging: For visitors to our website, we generally log requests to our website through a program called cryptolog (cryptolog described further below) and do internal analytical logging (also described further below) for up to seven days from when the data was collected.
Circumstances in which EFF may need to log and retain technical information for longer than seven days include when we believe it is reasonably necessary for EFF’s mission and functionality, including situations such as:
- site testing,
- diagnosis of technical problems,
- defending against attacks to the site,
- handling a spike in traffic or other abnormal, short-term circumstances, or
- research projects (in anonymized form) that serve our overall mission to defend freedom online.
In those and similar situations we will delete the information as soon as it is apparent that the information is no longer needed for the purpose for which it was retained. For more information on EFF's position on data logging and techniques we use to anonymize, obfuscate, aggregate and delete information, see our Best Practices for Online Service Providers.
How Cryptolog Works: Cryptolog takes the IP address portion of the request getting logged and encrypts it, as well as a chunk of random data (the salt), using a cryptographic hash function. The salt changes every night, which should result in making it very difficult for us, or anyone else, to recover IP addresses from our logs.
How EFF Internal Analytics Works: EFF endeavors to gather sufficient information for analyzing our website and how visitors move within it without compromising the privacy of our visitors. EFF’s internal analytical logging, which is separate from the Cryptolog logs, involves logging for up to seven days a single byte of the IP address, as well as the referrer page, time stamp, page requested, user agent, language header, website visited, and a hash of all of this information. After seven days we keep only aggregate information from these logs. We also geolocate IP addresses before anonymizing them and store only the country.
Decentralized Observatory of HTTPS Everywhere: If you enable the Decentralized Observatory feature of the downloaded browswer extension HTTPS Everywhere, we will collect, analyze and publish copies of the certificates of SSL/TLS servers that you connect to. These certificates generally do not identify you and we will take reasonable steps to try to avoid collecting specific certificates that may be used to identify you. In order to help locate man-in-the-middle attacks, the Decentralized Observatory may also log which ISP you observed the certificate through, although you can disable this behavior in the Observatory settings window.
Cookies: We do not use persistent ID cookies on this site. We use session cookies on certain portions of the website. Session cookies expire when you close your browser. You can use Tor if you wish to keep your connection information anonymous.
Voluntarily Submitted Information: In addition, EFF collects and retains information you voluntarily submit to us. It is up to you whether to submit information to us, and how much information to provide. If you choose to become an EFF member or otherwise donate to EFF, we ask for your name, email address, mailing address and phone number. For online donors and shoppers, we also ask for your credit card number. We also maintain records of our members' use of the Action Center. If you use the EFF Shop, you are asked to provide personal information, such as a shipping address, necessary to complete your transaction.
We may ask for additional personal information when you provide feedback or comments, or otherwise communicate with us. We are pleased to receive anonymous donations in the mail, but please note that your personal information is required if you choose to donate using our online form.
From time to time, we may ask for personal information on other portions of the site, such as asking you to sign a petition, participate in a contest, or provide prior art for a patent busting project.
EFFector and other Mailing Lists: If you choose to subscribe to EFFector, our free electronic newsletter or any of our other mailing lists, we collect your email address, and, if you choose to provide it, a zip or postal code.
EFF's Use of Information
In general, EFF uses the information provided by you to further its mission, including to protect privacy, defend freedom and innovation, and to protect your rights in the digital world.
Member and Donor Information: We use member and donor information to process and manage your membership or contribution. If you opt in, we will use your email address to send you updates and alerts on protecting your rights in the digital world, so you may take action, such as contacting your representative in Congress or attending an event. If you choose to complete the "Please tell us why you became a member of EFF" field when donating, this information may be shared with the entire EFF staff and board, and select unattributed quotes may be used to promote our mission, such as including a relevant quote in a grant proposal.
Invitees to EFF: If you invite another person to join EFF or take action in one of our alerts, we will ask for that person's name and online contact information. We use this information to contact and, if necessary, remind that person that he or she has been invited to join EFF.
Publication by EFF: If you provide information for publication we may use your name and contact information you have provided to us to provide you with attribution.
Other activities: We may run surveys, contests, or similar activities through this site. Such information will be used for the purposes for which it was collected. We also look at technical information to diagnose problems with or consider improvements to our servers or related technologies and to administer the eff.org and other websites we host or provide.
Third-Party Service Providers to EFF
Portions of the eff.org site, including our individual action alert webpages, are operated by a third-party grassroots campaign service provider or providers. These service providers may place session cookies on your computer. EFF’s service providers may also log standard technical information, such as the numerical Internet Protocol (IP) address of the computer you are using; the browser software you use and your operating system; the date and time you access our site; and the Internet address of the website from which you linked directly to our site. Our service providers may also store and organize the personal information collected through this site on our behalf.
EFF also uses a third-party credit card processor and hosting providers.
For all of EFF's service providers, hosting providers and credit card processors and any other providers we may use in the future, the information collected from EFF users remains under our control, and our agreement with each will require the information to be kept confidential and disclosed only to employees who require such access in the course of their assigned duties. EFF also requires all of our third-party service providers to notify EFF if they receive legal process seeking information about visitors to EFF’s website.
EFF may change the specific third-party providers from time to time, and will transfer stored information to any new provider subject to similar restrictions and agreements. From time to time, EFF may work with third-party consultants or other service providers who may have access to personally identifiable information. In such cases, we will restrict their use of personally identifiable information in accordance with their assigned tasks.
EFF's site also provides links to a wide variety of third-party websites, including interactive links to sites like Twitter or mapping services. EFF is not responsible for, and does not have any control over, the privacy practices or the content of such third parties. We encourage users to read the privacy policies of any website visited via links from EFF’s website.
We do occasionally allow our website to interact with other services, like social networking, mapping, and video hosting websites. It is our policy not to include third-party resources when users initially load our web pages, but we may dynamically include them later after giving the user a chance to opt-in. If you believe a third-party resource is automatically loading, please let us know so we can address it.
Disclosure of Your Information
While EFF endeavors to provide the highest level of protection for your information, we may disclose personally identifiable information about you to third parties in limited circumstances, including: (1) with your consent; or (2) when we have a good faith belief it is required by law, such as pursuant to a subpoena or other judicial or administrative order.
If we are required by law to disclose the information that you have submitted, we will attempt to provide you with notice (unless we are prohibited) that a request for your information has been made in order to give you an opportunity to object to the disclosure. We will attempt to provide this notice by email, if you have given us an email address, or by postal mail if you have entered a postal address. If you do not challenge the disclosure request, we may be legally required to turn over your information.
In addition, we will independently object to requests for access to information about users of our site that we believe to be improper.
Updating or Removing Your Information
You may choose to correct, update, or delete the membership information you have submitted to us by sending an email requesting changes to email@example.com. Furthermore, if we inadvertently collect more personal information than intended, we endeavor to delete the extraneous information. However, please understand that deleted information may continue to persist on backup media.
Changes to Our Policies
EFF employs industry standard security measures to protect the loss, misuse, and alteration of the information under our control. EFF has turned on HTTPS by default.
Although we make good faith efforts to store information collected by EFF in a secure operating environment, we cannot guarantee complete security. Information collected by EFF will be maintained for a length of time appropriate to our needs. However, we generally do not retain credit card information unless you choose to have us make automatic monthly withdrawals from your account for your donation.
Updated July 24, 2012 to reflect: a) changing our logging practices and promises to reflect our use of analytics; b) include “research” as a basis for longer logging but on an anonymized basis; c) specifically mention situations in which our website interacts with third-party websites in ways that may allow the third party to gain information about visitors to EFF’s website, d) allow for third-party hosting providers and e) eliminate the mention of specific service providers so that we do not need to update the page if we change providers but the policies remain the same, and f) specifically include both donors and website visitors as those whose information we do not sell or rent under any circumstances, or share without prior consent.