This document was last updated the 4th of September of 2018. Written by Kéfir.
Before plunging into specific details on how we use the data generated on this site and what you can do to be more agent in all of this, we are going to give some context.
The Cyberwomen curricula was created and implemented by the Institute for War and Peace Reporting as part of the project Safety, Awareness and Action (SAWA) and funded through the Bureau of Democracy, Human Rights and Labor (DRL) at the U.S. Department of State.
The web platform was designed and developed by Kéfir, as well as the frontend web and graphic design. Kéfir, until present, administers the server where this project is hosted.
You can read more about the Cyber-Women project here.
The Right to Privacy is defined as a human right, explicitly stated under Article 12 of the 1948 Universal Declaration of Human Rights:
“No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks.”
Apart from human rights, there are specific data regulations. Perhaps you have heard the recent GPDR?
The “General Data Protection Regulation” came into effect the 25th of May of 2018.
This European regulation is designed to better protect citizens from data breaches and privacy violations. The new law is amongst other things stipulating how companies must handle their customers’ data.
Unfortunately, these regulations aren’t applicable in all contexts and they are not enough standing alone. Certain jurisdictions have a fairly good understanding and coverage of privacy; others are far behind. There are groups and people that, from the policy front-lines, are fighting to change this unequal access to privacy.
Have a look at the Association for Progressive Communications network’s statement on GPDR.
All websites and platforms visited by citizens that are protected by data regulations must provide a compulsory legal document that explains how they collect, retain and share personally identifiable information.
Personal Identifiable Information (PII) is any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly. Examples of sensitive PII elements include, but are not limited to: name, social security number, driver’s license and other government identification numbers; citizenship, legal status, gender, race/ethnicity; birth date, place of birth; home and personal cell telephone numbers; personal email address, mailing and home address; religious preference; financial information, medical information, disability information; spouse information, marital status, child information, emergency contact information.
Collecting and using data doesn’t necessarily have to be a harmful. Data is used for satisfying legal and funding-related reporting requirements and improving tools. What is important is that there is transparency of how data will be collected, stored, processed and shared.
Beyond complying certain minimums, this platform, in it’s bones and code, was designed and developed by activists to pursue and embed privacy as a value and ethical standpoint and practice.
We don’t just avoid identifying individuals but believe in not generating data that can be used for interests that aren’t aligned with those of whom visit this platform.
Typically, data use policies are abstract, lost in small print and quite cryptic. This reflects a lack of transparency and accountability, normally with the intention of hiding the details of a data business model and collaborations with third parties that users wouldn’t be happy to find out about.
In Cyberwomen, our Data Use Policy is an extension of the project: an opportunity to learn about our right to privacy, how it can be taken into account and what specific measures we can apply.
Websites that include contact forms must describe why they are asking for such information and what they are going to do with it afterwards. For example, if it going to be used for a newsletter or a database.
Cyberwomen doesn’t use contact forms. It does have associated email accounts so people can contact with the project (firstname.lastname@example.org) and request information related with privacy aspects (email@example.com).
These mail accounts are also administered by Kéfir that commit to implementing up-to-date security measures, maintaining non-identifiable data logs that are collect only information strictly necessary for it’s functioning and that are deleted after one week.
The email accounts are accessed via webmail and email clients, taking into account security practices mentioned in the curricula.
A log is a record. Services and applications that run on a device tend to save some type of record. This provides information when improving tools and solving possible errors. Generally this information is useful but it contains personal identifiable information like IP addresses and usernames that can be used to create fairly accurate profiles about people’s behavior. This is why it is important to anonymize logs in a secure way.
Kéfir’s servers don’t log any IP addresses, just anonymized visits, which we remove after a week.
Cyberwomen collect statistics, through https://sinapsis.kefir.red, Kéfir’s self-hosted version of Piwik/Matomo, which means only IWPR and Kéfir have access to this data. It is configured to not log any information that may identify individual visitors, like IP addresses. Also, all individual visits are converted into statistic data and then discarded after a month. Matomo also respects the Do-Not-Track feature browsers specify as a way to opt-out of these kind of systems.
This document may be updated in the future. Come back to this page to see updates.
All questions related to the Data Use Policy can be sent to firstname.lastname@example.org.
You can also contribute to your privacy. The fact that on our side we don’t collect data that you don’t consent to, that we store it for a limited time in a anonymized way and don’t share it with third parties beyond general information for funding report back purposes doesn’t mean that other potential intermediaries are vulnerating your privacy.