PCH

Data Privacy Statement from 2018-04-11 through 2018-04-12

Packet Clearing House recognizes the primacy of individuals’ rights to control the disposition of their personal data. The purpose of this statement is to inform you in detail about how PCH handles the personal data we collect to provide our DNS Anycast service, DNSSEC service, and other online services, including those delivered via our website.

General Considerations

In keeping with its research and support mission and the principles of scientific inquiry and open source development, PCH minimizes its handling of information that could be considered secret or confidential.

Public data that does not contain personal data is provided to PCH on a voluntary basis by PCH's research partners, peers, and project participants. PCH publishes this information to the public through its website, databases, and application programming interfaces. PCH may, at its sole option, anonymize, aggregate, delete, or restrict access to portions of the data but does not represent that it will do so in any particular case.

PCH intends to comply with the highest applicable standards of personal data protection. Currently, we consider the highest standards to be those established by the European General Data Privacy Regulation. Consequently, we attempt to provide to all of our users globally the same protections afforded to European citizens by the GDPR.

Collection, Processing, and Use of Personal Data for the Purpose of Provision of Services

PCH principally provides services on an organization-to-organization basis, including to the operators of Internet exchange points and domain name registries.

To establish contact with the organizations we serve, we must collect, process, and store the personal data of the individuals who are our points of contact with those organizations. This personal information includes name, professional role or function, and contact information such as telephone and email addresses. We use it exclusively to perform our obligations with respect to the recipient organizations, and only to the extent required to achieve these purposes.

This data will not be used for advertising, nor will it be divulged to third parties.

Collection, Processing, and Use of Personal Data for the Purpose of Providing Web Services

Any time you visit our website, we store the IP address from which you contacted us. If you choose to sign up on our site to create an account, we will know your first and last name, the company you work for, and your primary and secondary email addresses. We collect this data for the purpose of verifying the validity of newly-created accounts, and to facilitate the return of requested data to account holders. The data is used only to the extent required to achieve these purposes. The data will not be used for advertising, nor will it be divulged to third parties.

This policy applies to websites under the pch.net and internetmeetings.org domains.

Collection, Processing, and Use of Usage Data of PCH Website

PCH logs and stores the IP addresses of visitors to its website so that we can keep the site secure (i.e., in the case of a denial of service attack) and track how many visitors our site gets. We store your web access logs, which include the IP address you’ve logged in from, for the current year and the previous calendar year.

Opting out of Web Data Collection

We do not offer any active way for you to opt out of the data we collect short of not using our services. That said, our services do not block you from using a virtual private network (VPN) to obscure your IP address.

For an in-depth guide on opting out, anonymity, privacy, and security while browsing the web, see the Electronic Frontier Foundation's Surveillance Self-Defense.

Data Associated with the Use of PCH Nameservers

PCH's most widely used services are the public authoritative nameservers we operate on behalf of most of the world’s domain name registries. These services are provided to the public, both organizations and individuals, without any explicit collection of data that identifies individual users.

We have no individual or individually-identifiable relationships with users of these systems, nor any way of tracking or identifying users of the systems. However, to reply to each query we receive, we must retain the IP address of the querying system for the few microseconds it takes us to formulate and send a response. To ensure the security and integrity of systems, respond to requests for technical assistance, and formulate aggregate use statistics, we may retain the IP addresses associated with some queries for longer periods, typically up to twenty minutes.

In addition, the domain name registries on whose behalf we publish the domain name data may request that we forward a copy of this data to them, at which point it is governed by their data handling policies.

Because of the nature of authoritative nameservice, the vast majority of queries we receive originate from recursive nameservers, which are typically owned by organizations rather than being associated with individuals. Because we do not store information about the users of the systems, we have no way of distinguishing between IP addresses that represent organizations and those associated with individuals. In no event do we have any other information that might be correlated with IP addresses to identify an individual, and in no event do we retain specific IP addresses beyond the short (typically twenty-minute) window of time necessary to perform security, performance, and usage analytics, unless that IP address is part of an ongoing security threat to our systems.

Third-Party Sharing of Personal Data

We do not share any of the web data we collect with any other parties except when you make a donation. In this case, we make use of a payment services provider ("Stripe") to process the payment. Only the email address and the amount donated are known to us. All other information, including credit card and address, is never sent or stored on PCH servers.

Furthermore, we do not:

  1. Use any third-party tracking service or system.
  2. Host any social media "beacons" that can track your movements around the web.
  3. Use any content delivery networks that could act as passive beacons to track your movements around the web.
  4. Place any advertisements on our websites under the pch.net and internetmeetings.org domains.
  5. Use any anti-ad blocking or anti-javascript techniques on our sites.

Personal Data of Minors

PCH requires and retains the explicit permission of the parent or legal guardian of anyone whose data is retained who is not of legal majority in their country of residence.

Use of Cookies

We use cookies where necessary to ensure the convenient and secure operation of our website. Specifically, when you log in we give you a session cookie that lasts 24 hours after your last page view. This cookie allows us to know if you are still logged in or not.

Security

PCH takes its security responsibilities seriously and employs technical and organizational measures to protect your personal data against accidental or intentional manipulation, loss, destruction, or access by unauthorized persons. We review these measures regularly and include staff training and awareness to manage associated risks.

In Transit

All connections to our websites are made over an encrypted connection using current and safe protocols. Specifically, we require Transport Layer Security and we do not support any TLS ciphers that are known to be insecure. We always try to use keys that enforce perfect forward secrecy. For more information about which ciphers we employ and other specifics about our TLS configuration, please see SSL Labs' current review of our site.

Passwords

We only store password hashes generated by the bcrypt algorithm and never store passwords in plain text. All password resets are done by emailing the user a link that expires in 24 hours.

Reporting vulnerabilities on pch.net domains

We support responsible disclosure and are happy to work with security researchers. Please contact privacy@pch.net if you discover any vulnerabilities.

Reporting Data Breaches

In the event that a breach involving personal data is detected, PCH will notify the relevant data protection authorities within 72 hours. PCH will also take appropriate measures to inform any users affected by the breach in coordination with the data protection authority.

Rights to Access and Control Your Personal Data

We retain personal data as described in the sections above as long as it is necessary for the purpose(s) for which it was obtained.

You have the right to access, rectify, or delete the information we have stored on you, and such requests will be resolved within a maximum of one month. Our ability to modify or delete data may be limited if the data is subject to a retention obligation under applicable law, but we do not currently know of any data to which such obligations would apply. In the event that we encounter a conflict between privacy and retention regulations, we will document it here.

Contact Details

Please send data privacy requests in writing to:

Packet Clearing House
1600 Shattuck Ave Ste 212
Berkeley, California 94709
USA

or by email at privacy@pch.net

Correctness and Validity of this Data Privacy Statement

By using our website, you consent to your data being used as described above. This data privacy statement is the currently valid version as of 11 April 2018. We archive all prior versions.

PCH reserves the right to amend this data privacy statement at any time with effect to the future. The current and applicable version of this statement is found on our website at https://www.pch.net/about/privacy.