This policy was in effect from Oct 19 2011 to Jul 23 2012. You can view our current policy here.
In this policy, "EFF" refers to EFF staff, board members, cooperating attorneys, interns, volunteers, and consultants, all of whom are bound by law or contract to keep information they receive as part of their assistance to EFF confidential.
EFF does not sell or rent donor information under any circumstances, and we do not share information without prior consent except as compelled by law. (See discussion below.)
Information Gathered by EFF's Site
For visitors to our website, we generally log requests to our website through a program called cryptolog. Cryptolog takes the IP address portion of the request getting logged and encrypts it, as well as a chunk of random data (the salt), using a cryptographic hash function. The salt changes every night, which should result in making it very difficult for us, or anyone else, to recover IP addresses from our logs. We also generally do not log other standard technical information, including the browser software you use, your operating system or the Internet address of the website from which you followed a link to our site.
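An added illustration of the salted-hash scheme described above, not Cryptolog's actual code and not EFF's: it assumes HMAC-SHA256 as the hash function, a 32-byte random salt held only in memory, and a log line whose first field is the client IP. The `recover_with_salt` helper shows why the nightly salt has to be discarded, since anyone who keeps it can enumerate the address space and match the logged token.

```python
import hashlib
import hmac
import ipaddress
import secrets


class NightlySaltedAnonymizer:
    """Replaces the client IP in a log line with a salted hash; one salt per day."""

    def __init__(self):
        self._day = None
        self._salt = None

    def _salt_for(self, day):
        # A new day overwrites the previous salt; it is never written to disk.
        if day != self._day:
            self._day, self._salt = day, secrets.token_bytes(32)
        return self._salt

    def token(self, ip, day):
        packed = ipaddress.ip_address(ip).packed  # canonical bytes, IPv4 or IPv6
        mac = hmac.new(self._salt_for(day), packed, hashlib.sha256)
        return mac.hexdigest()[:16]

    def anonymize_line(self, line, day):
        # Assumption: the client IP is the first space-separated field.
        ip, _, rest = line.partition(" ")
        return f"{self.token(ip, day)} {rest}"


def recover_with_salt(token, salt, network):
    """With the salt retained, the small IPv4 space can simply be enumerated."""
    for addr in ipaddress.ip_network(network):
        if hmac.new(salt, addr.packed, hashlib.sha256).hexdigest()[:16] == token:
            return str(addr)
    return None


def demo():
    anon = NightlySaltedAnonymizer()
    line = '203.0.113.7 - - "GET /deeplinks HTTP/1.1" 200'  # constructed sample
    day1_a = anon.anonymize_line(line, "2011-10-19")
    day1_b = anon.anonymize_line(line, "2011-10-19")
    salt_day1 = anon._salt  # copied only to demonstrate the retention risk
    day2 = anon.anonymize_line(line, "2011-10-20")
    leaked = recover_with_salt(day1_a.split()[0], salt_day1, "203.0.113.0/24")
    return day1_a, day1_b, day2, leaked


if __name__ == "__main__":
    print(demo())
```

Within one day the same address maps to the same token, so per-day visitor counts still work; after rotation the tokens no longer link across days.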
Circumstances in which EFF may need to log and retain technical information include when we believe it is reasonably necessary for conducting site testing, diagnosis of technical problems, and defending against attacks on the site. In those instances we will delete the information as soon as it is apparent the information is no longer needed for the purpose for which it was kept. For more information on EFF's position on data logging and techniques we use to anonymize, obfuscate, aggregate and delete information, see our Best Practices for Online Service Providers.
We do not use persistent cookies on this site. We use session cookies on certain portions of the website. Session cookies expire when you close your browser. You can use Tor if you wish to keep your technical information anonymous.
In addition, EFF collects and retains information you voluntarily submit to us. It is up to you whether to submit information to us, and how much information to provide. If you choose to become an EFF member or otherwise donate to EFF, we ask for your name, email address, mailing address and phone number. For online donors and shoppers, we also ask for your credit card number. We also maintain records of our members' use of the Action Center. If you use the EFF Shop, you are asked to provide personal information, such as a shipping address, necessary to complete your transaction.
If you enable the Decentralized Observatory feature of HTTPS Everywhere, we will collect copies of the certificates of SSL/TLS servers that you connect to. In order to help locate man-in-the-middle attacks, the Decentralized Observatory may also log which ISP you observed the certificate through, although you can disable this behavior in the Observatory settings window.
We may ask for additional personal information when you provide feedback or comments, or otherwise communicate with us. We are pleased to receive anonymous donations in the mail, but please note that your personal information is required if you choose to donate using our online form.
If you choose to subscribe to EFFector, our free electronic newsletter or any of our other mailing lists, we collect your email address, and, if you choose to provide it, a zip or postal code.
From time to time, we may ask for personal information on other portions of the site, such as asking you to sign a petition, participate in a contest, or provide prior art for a patent busting project.
EFF's Use of Information
In general, EFF uses the information provided by you to further its mission, protect privacy, defend freedom, and protect your rights in the digital world.
We use member and donor information to process and manage your membership or contribution. If you opt in, we will use your email address to send you updates and alerts on protecting your rights in the digital world, so you may take action, such as contacting your representative in Congress or attending an event. If you choose to complete the "Please tell us why you became a member of EFF" field when donating, this information may be shared with the entire EFF staff and board, and select unattributed quotes may be used to promote our mission, such as including a relevant quote in a grant proposal.
If you enable the Decentralized Observatory feature of HTTPS Everywhere, we analyze and publish the copies of the certificates of SSL/TLS servers that you connect to. These certificates generally do not identify you and we will take reasonable steps to try to avoid collecting certificates that may be used to identify you.
If you invite another person to join EFF or take action in one of our alerts, we will ask for that person's name and online contact information. We use this information to contact and, if necessary, remind that person that he or she has been invited to join EFF.
If you provide information for publication we may use your name to provide you with credit.
We may run surveys, contests, or similar activities through this site. Such information will be used for the purposes for which it was collected.
We look at technical information to diagnose problems with our server and to administer the eff.org site.
Third-Party Service Providers
Portions of the eff.org site, including our individual action alert webpages, are operated by third-party grassroots campaign service provider or providers ("Provider"), which are currently Salsa Labs and, for some limited purposes, CiviSMTP. Providers may place session cookies on your computer. Providers may also log standard technical information, such as the numerical Internet protocol (IP) address of the computer you are using; the browser software you use and your operating system; the date and time you access our site; and the Internet address of the website from which you linked directly to our site. Our Providers also store and organize the personal information collected through this site on our behalf for a time.
EFF also uses a third-party credit card processor.
For EFF's Providers and third-party credit card processor, the information they collect from EFF users remains under our control, and our agreement with each requires the information to be kept confidential and disclosed only to their employees who require such access in the course of their assigned duties. Provider and the credit card processor have also agreed to cooperate with EFF, if necessary, to protect this information from legal process. EFF may change the provider from time to time, and will transfer stored information to the new provider subject to similar restrictions.
From time to time, EFF may work with third-party consultants or other service providers who may have access to personally identifiable information. In such cases, we will restrict their use of personally identifiable information in accordance with their assigned tasks.
EFF's site provides links to a wide variety of third-party websites. EFF is not responsible for, and does not have any control over, the privacy practices or the content of such third parties. We encourage users to read the privacy policies of any website visited.
Disclosure of Your Information
While EFF endeavors to provide the highest level of protection for your information, we may disclose personally identifiable information about you to third parties in limited circumstances, including: (1) with your consent; or (2) when we have a good faith belief it is required by law, such as pursuant to a subpoena or other judicial or administrative order.
If we are required by law to disclose the information that you have submitted, we will attempt to provide you with notice (unless we are prohibited) that a request for your information has been made in order to give you an opportunity to object to the disclosure. We will attempt to provide this notice by email, if you have given us an email address, or by postal mail if you have entered a postal address. If you do not challenge the disclosure request, we may be legally required to turn over your information.
In addition, we will independently object to requests for access to information about users of our site that we believe to be improper.
If you enable the Decentralized Observatory feature of HTTPS Everywhere, we publish the copies of the certificates of SSL/TLS servers that you connect to. These certificates generally do not identify you, and we will take reasonable steps to try to avoid collecting certificates that may be used to identify you. In some instances, we may also publish information about which ISPs' networks these certificates were observed on.
Updating or Removing Your Information
You may choose to correct, update, or delete the membership information you have submitted to us by sending an email requesting changes to firstname.lastname@example.org. Furthermore, if we inadvertently collect more personal information than intended, we endeavor to delete the extraneous information. However, please understand that deleted information may continue to persist on backup media.
Changes to Our Policies
EFF employs industry standard security measures to protect against the loss, misuse, and alteration of the information under our control. EFF has turned on HTTPS by default.
Although we make good faith efforts to store information collected by EFF in a secure operating environment, we cannot guarantee complete security. Information collected by EFF will be maintained for a length of time appropriate to our needs. However, we generally do not retain credit card information unless you choose to have us make automatic monthly withdrawals from your account for your donation.
Updated October 19, 2011 to reflect: a) implementation of Cryptolog, b) changing from Convio as a provider to a system with different providers that operates differently, including in the information collected, c) use of HTTPS, d) eliminating the specific mention of a protective order since that seemed too specific to apply in all situations and, e) some other small changes.