In this policy, "EFF" refers to EFF staff, board members, cooperating attorneys, interns, volunteers, and consultants, all of whom are bound by law or contract to keep information they receive as part of their assistance to EFF confidential.
EFF does not sell or rent donor information under any circumstances, and we do not share information without prior consent except as compelled by law. (See discussion below.)
Information Gathered by EFF's Site
For visitors to our website, we temporarily log standard technical information, such as the numerical Internet protocol (IP) address of the computer you are using; the browser software you use and your operating system; and the Internet address of the website from which you followed a link to our site, for up to 48 hours. The information is kept for 48 hours primarily to assist EFF in diagnosing technical problems and defending against attacks on the site.
After 48 hours, EFF anonymizes, obfuscates, aggregates and/or deletes unneeded technical information. Circumstances in which EFF may need to retain technical information longer than 48 hours include when we believe it is reasonably necessary for conducting site testing, diagnosis of technical problems, and defending against attacks on the site. In those instances we will delete the information as soon as it is apparent the information is no longer needed for the purpose for which it was kept. For more information on EFF's position on data logging and techniques we use to anonymize, obfuscate, aggregate and delete information, see our Best Practices for Online Service Providers.
In addition, EFF collects and retains information you submit to us. It is up to you whether to submit information to us, and how much information to provide. If you choose to become an EFF member or register for the EFF Action Center, we ask for your name, title, email address, city, state, postal code, country of residence, and phone number, and we may invite you to select a password. For online donors and shoppers, we also ask for your credit card number. We also maintain records of our members' use of the Action Center, and you may wish to indicate your particular interests in your Action Center profile. If you use the EFF Shop, you are asked to provide personal information, such as a shipping address, necessary to complete your transaction.
If you enable the Decentralized Observatory feature of HTTPS Everywhere, we will collect copies of the certificates of SSL/TLS servers that you connect to. In order to help locate man-in-the-middle attacks, the Decentralized Observatory may also log which ISP you observed the certificate through, although you can disable this behavior in the Observatory settings window.
We may ask for additional personal information when you provide feedback or comments, or otherwise communicate with us. We are pleased to receive anonymous donations, but please note that your personal information is required if you choose to donate using our online form.
If you choose to subscribe to EFFector, our free electronic newsletter, we collect your email address, and, if you choose to provide it, a zip or postal code.
From time to time, we may ask for personal information on other portions of the site, such as asking you to sign a petition, participate in a contest, or provide prior art for a patent busting project.
EFF's Use of Information
In general, EFF uses the information provided by you to further its mission, protect privacy, defend freedom, and protect your rights in the digital world.
We use member information to process and manage your membership or contribution. If you opt in, we will use your email address to send you updates and alerts on protecting your rights in the digital world, so you may take action, such as contacting your representative in Congress or attending an event. If you choose to complete the "Please tell us why you became a member of EFF" field when donating, this information may be shared with the entire EFF staff and board, and select unattributed quotes may be used to promote our mission, such as including a relevant quote in a grant proposal.
If you enable the Decentralized Observatory feature of HTTPS Everywhere, we analyze and publish the copies of the certificates of SSL/TLS servers that you connect to. These certificates generally do not identify you and we will take reasonable steps to try to avoid collecting certificates that may be used to identify you.
If you invite another person to join EFF or take action in one of our alerts, we will ask for that person's name and online contact information. We use this information to contact and, if necessary, remind that person that he or she has been invited to join EFF.
If you provide information for publication, such as suggesting a link for the Deeplinks blog, we may use your name to provide you with credit.
We may run surveys, contests, or similar activities through this site. Such information will be used for the purposes for which it was collected.
We look at technical information to diagnose problems with our server and to administer the eff.org site.
Third-Party Service Providers
Portions of the eff.org site (shop.eff.org, secure.eff.org, and action.eff.org) are operated by a third-party grassroots campaign service provider ("Provider"), which is currently Convio. Provider may place cookies on your computer in order to store information, such as items placed in your shopping cart in the EFF Shop, or storing your account login when using the Action Center. Provider logs standard technical information, such as the numerical Internet protocol (IP) address of the computer you are using; the browser software you use and your operating system; the date and time you access our site; and the Internet address of the website from which you linked directly to our site.
Our Provider also stores and organizes the personal information collected through this site on our behalf. The information remains under our control, and our agreement with Provider requires the information to be kept confidential and disclosed only to Provider's employees who require such access in the course of their assigned duties. Provider has also agreed to cooperate with EFF in seeking a protective order, if necessary, to protect this information from legal process. EFF may change the provider from time to time, and will transfer stored information to the new provider subject to similar restrictions.
EFF's site provides links to a wide variety of third-party websites. EFF is not responsible for, and does not have any control over, the privacy practices or the content of such third parties. We encourage users to read the privacy policies of any website visited.
Disclosure of Your Information
While EFF endeavors to provide the highest level of protection for your information, we may disclose personally identifiable information about you to third parties in limited circumstance, including: (1) with your consent; or (2) when we have a good faith belief it is required by law, such as pursuant to a subpoena or other judicial or administrative order.
If we are required by law to disclose the information that you have submitted, we will attempt to provide you with notice (unless we are prohibited) that a request for your information has been made in order to give you an opportunity to object to the disclosure. We will attempt to provide this notice by email, if you have given us an email address, or by postal mail if you have entered a postal address. If you do not challenge the disclosure request, we may be legally required to turn over your information.
In addition, we will independently object to requests for access to information about users of our site that we believe to be improper.
If you enable the Decentralized Observatory feature of HTTPS Everywhere, we publish the copies of the certificates of SSL/TLS servers that you connect to. These certificates generally do not identify you, and we will take reasonable steps to try to avoid collecting certificates that may be used to identify you. In some instances, we may also publish information about which ISPs' networks these certificates were observed on.
Updating or Removing Your Information
You may choose to correct, update, or delete the membership information you have submitted to us by sending an email requesting changes to firstname.lastname@example.org. Furthermore, if we inadvertently collect more personal information than intended, we endeavor to delete the extraneous information. However, please understand that deleted information may continue to persist on backup media.
Changes to Our Policies
EFF employs industry standard security measures to protect the loss, misuse, and alteration of the information under our control. Information submitted through the shopping, membership, and donation processes is encrypted through a Secured Socket Layer (SSL) connections, which protects the information in transit.
Although we make good faith efforts to store information collected by EFF in a secure operating environment, we cannot guarantee complete security. Information collected by EFF will be maintained for a length of time appropriate to our needs. However, we generally do not retain credit card information unless you choose to have us make automatic monthly withdrawals from your account for your donation.
Updated June 22, 2011 to reflect the Decentralized Observatory feature of HTTPS Everywhere. You can view our previous policy here.