Data Privacy Statement from 2018-04-11 through 2018-04-12
Packet Clearing House recognizes the primacy of individuals’ rights to control the disposition of their personal data. The purpose of this statement is to inform you in detail about how PCH handles the personal data we collect to provide our DNS Anycast service, DNSSEC service, and other online services, including those delivered via our website.
In keeping with its research and support mission and the principles of scientific inquiry and open source development, PCH minimizes its handling of information that could be considered secret or confidential.
Public data that does not contain personal data is provided to PCH on a voluntary basis by PCH's research partners, peers, and project participants. PCH publishes this information to the public through its website, databases, and application programming interfaces. PCH may, at its sole option, anonymize, aggregate, delete, or restrict access to portions of the data but does not represent that it will do so in any particular case.
PCH intends to comply with the highest applicable standards of personal data protection. Currently, we consider the highest standards to be those established by the European General Data Privacy Regulation. Consequently, we attempt to provide to all of our users globally the same protections afforded to European citizens by the GDPR.
Collection, Processing, and Use of Personal Data for the Purpose of Provision of Services
PCH principally provides services on an organization-to-organization basis, including to the operators of Internet exchange points and domain name registries.
To establish contact with the organizations we serve, we must collect, process, and store the personal data of the individuals who are our points of contact with those organizations. This personal information includes name, professional role or function, and contact information such as telephone and email addresses. We use it exclusively to perform our obligations with respect to the recipient organizations, and only to the extent required to achieve these purposes.
This data will not be used for advertising, nor will it be divulged to third parties.
Collection, Processing, and Use of Personal Data for the Purpose of Providing Web Services
Any time you visit our website, we store the IP address from which you contacted us. If you choose to sign up on our site to create an account, we will know your first and last name, the company you work for, and your primary and secondary email addresses. We collect this data for the purpose of verifying the validity of newly-created accounts, and to facilitate the return of requested data to account holders. The data is used only to the extent required to achieve these purposes. The data will not be used for advertising, nor will it be divulged to third parties.
This policy applies to websites under the pch.net and internetmeetings.org domains.
Collection, Processing, and Use of Usage Data of PCH Website
PCH logs and stores the IP addresses of visitors to its website so that we can keep the site secure (i.e., in the case of a denial of service attack) and as well track how many visitors our site gets.We store your web access logs which include the IP address you’ve logged in from for the current year and the previous calendar year.
Opting out of Web Data Collection
We do not offer any active way for you to opt out of the data we collect short of not using our services. That said, our services do not block you from using a virtual private network (VPN) to obscure your IP address.
For an in-depth guide on opting out, anonymity, privacy, and security while browsing the web, see the Electronic Frontier Foundation's Surveillance Self-Defense.
Data Associated with the Use of PCH Nameservers
PCH's most widely used services are the public authoritative nameservers we operate on behalf of most of the world’s domain name registries. These services are provided to the public, both organizations and individuals, without any explicit collection of data that identifies individual users.
We have no individual or individually-identifiable relationships with users of these systems, nor any way of tracking or identifying users of the systems. However, to reply to each query we receive, we must retain the IP address of the querying system for the few microseconds it takes us to formulate and send a response. To ensure the security and integrity of systems, respond to requests for technical assistance, and formulate aggregate use statistics, we may retain the IP addresses associated with some queries for longer periods, typically up to twenty minutes.
In addition, the domain name registries on whose behalf we publish the domain name data may request that we forward a copy of this data to them, at which point it is governed by their data handling policies.
Because of the nature of authoritative nameservice, the vast majority of queries we receive originate from recursive nameservers, which are typically owned by organizations rather than being associated with individuals. Because we do not store information about the users of the systems, we have no way of distinguishing between IP addresses that represent organizations and those associated with individuals. In no event do we have any other information that might be correlated with IP addresses to identify an individual, and in no event do we retain specific IP addresses beyond the short (typically twenty-minute) window of time necessary to perform security, performance, and usage analytics, unless that IP address is part of an ongoing security threat to our systems.
Third-Party Sharing of Personal Data
We do not share any of the web data we collect with any other parties except when you make a donation. In this case, we make use of a payment services provider ("Stripe") to process the payment. Only the email address and the amount donated are known to us. All other information, including credit card and address, is never sent or stored on PCH servers.
Furthermore, we do not:
- Use any third-party tracking service or system.
- Host any social media "beacons" that can track your movements around the web.
- Use any content delivery networks that could act as passive beacons to track your movements around the web.
- Place any advertisements on our websites under the pch.net and internetmeetings.org domains.
Personal Data of Minors
PCH requires and retains the explicit permission of the parent or legal guardian of anyone whose data is retained who is not of legal majority in their country of residence.
PCH takes its security responsibilities seriously and employs technical and organizational measures to protect your personal data against accidental or intentional manipulation, loss, destruction, or access by unauthorized persons. We review these measures regularly and include staff training and awareness to manage associated risks.
All connections to our websites are done over an encrypted connection using current and safe protocols. Specifically, we require Transport Layer Security and we do not support any TLS ciphers that are known to be insecure. We always try to use keys that enforce perfect forward secrecy. For more information about which ciphers we employ and other specifics about our TLS configuration, please see SSL Labs current review of our site.
We only store password hashes generated by the bcrypt algorithm and never store passwords in plain text. All password resets are done by emailing the user a link that expires in 24 hours.
Reporting vulnerabilities on pch.net domains
We support responsible disclosure and are happy to work with security researches. Please contact firstname.lastname@example.org if you discover any vulnerabilities.
Reporting Data Breaches
In the event that a breach involving personal data is detected, PCH will notify the relevant data protection authorities within 72 hours. PCH will also take appropriate measures to inform any users affected by the breach in coordination with the data protection authority.
Rights to Access and Control Your Personal Data
We retain personal data as described in the sections above as long as it is necessary for the purpose(s) for which it was obtained.
You have the right to access, rectify, or delete the information we have stored on you, and such requests will be resolved within a maximum of one month. Our ability to modify or delete data may be limited if the data is subject to a retention obligation under applicable law, but we do not currently know of any data to which such obligations would apply. In the event that we encounter a conflict between privacy and retention regulations, we will document it here.
Please send data privacy requests in writing to:
Packet Clearing House
1600 Shattuck Ave Ste 212
Berkeley, California 94709
or by email at email@example.com
Correctness and Validity of this Data Privacy Statement
By using our website, you consent to your data being used as described above. This data privacy statement is the currently valid version as of 11 April 2018. We archive all prior versions.
PCH reserves the right to amend this data privacy statement at any time with effect to the future. The current and applicable version of this statement is found on our website at https://www.pch.net/about/privacy.