Things We Don't Do: Excessive Logging

It's no secret that we're firm believers in the idea that our users' data is theirs alone, and that it should be kept private. Part of our overall privacy maintenance strategy is simply to avoid doing a lot of the really gross and/or stupid things tech companies typically do in order to show you ads, or to track your behavior for their own "learnings," etc. Because these sorts of things aren't always immediately obvious, we think it's important to spell out explicitly what it is we aren't doing. To that end, I'll be publishing a series of posts tagged "Things We Don't Do." For this first installment, I'd like to talk about our logging policies. Most services store a reference to everything you do, even when they don't have a good reason to do so. We store as little info about you as possible.

Server Access Logs

Whenever you send a request to a Web server, that Web server has an opportunity to write down some data about your visit: your IP address, the browser you use, the time of your request, and the site that referred you are all common bits of data that are recorded in server access logs. Typically, the IP address is the only bit of data that is specific to you, but in combination with the other pieces of data in these logs, a lot can be inferred about who you are. These inferences are often used by other sites for all manner of unsavory purposes.

How we're different: While most sites may hang onto this data for months--or even indefinitely--we delete all access logs within 5 days of their creation. If you visited our site more than 5 days ago, we have no record of it. We also anonymize IP addresses before a log entry is created, making it far more difficult to correlate a log entry with a specific user. One drawback (for us) is that we have far less data to work with when we are looking at visitor / usage stats. We're willing to be a bit more in the dark than we might be if it means less data about you is at risk.
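The two measures described above, anonymizing the address before the entry exists and purging entries after the retention window, look like this in practice. This is an added illustration written for this post, not the site's own logging code; the prefix lengths, the keyed-hash alternative, the record layout and the sample traffic are all assumptions chosen to make the idea concrete.

```python
import hashlib
import hmac
import ipaddress
import secrets
from datetime import datetime, timedelta, timezone

# Retention window from the policy above; everything older is purged.
RETENTION_DAYS = 5


def truncate_ip(ip: str) -> str:
    """Zero the host part of an address: keep the /24 for IPv4 and the /48
    for IPv6 (assumed prefix lengths). Coarse enough for traffic stats,
    too coarse to single out one subscriber. Runs before the entry is
    written, so the raw address never touches disk."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def pseudonymize_ip(ip: str, day_key: bytes) -> str:
    """Alternative scheme: keyed hash of the address under a key generated
    fresh each day and then discarded. Within a day the same visitor maps
    to the same token (so "unique visitors" still works); once the key is
    gone the tokens cannot be reversed or joined across days."""
    return hmac.new(day_key, ip.encode(), hashlib.sha256).hexdigest()[:16]


def make_entry(raw_ip: str, method: str, path: str, status: int,
               user_agent: str, referer: str, when: datetime) -> dict:
    """Build the log record. Only the truncated address is stored; raw_ip
    is a local that goes out of scope when this function returns."""
    return {
        "time": when,
        "client": truncate_ip(raw_ip),
        "request": f"{method} {path}",
        "status": status,
        "user_agent": user_agent,
        "referer": referer,
    }


def purge_expired(entries: list, now: datetime,
                  retention_days: int = RETENTION_DAYS) -> list:
    """Return only the entries still inside the retention window. In a
    real deployment this is the nightly job that deletes old log files."""
    cutoff = now - timedelta(days=retention_days)
    return [e for e in entries if e["time"] >= cutoff]


# Constructed sample traffic (documentation-range addresses, not real visitors).
NOW = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    make_entry("203.0.113.77", "GET", "/", 200, "Mozilla/5.0", "-",
               NOW - timedelta(days=7)),
    make_entry("203.0.113.77", "GET", "/login", 200, "Mozilla/5.0",
               "https://example.net/", NOW - timedelta(days=4)),
    make_entry("2001:db8:abcd:1234::5", "POST", "/api/sync", 204, "client/1.2",
               "-", NOW - timedelta(hours=1)),
]

if __name__ == "__main__":
    for e in purge_expired(SAMPLE_ENTRIES, NOW):
        print(e["time"].isoformat(), e["client"], e["request"], e["status"])
    print(pseudonymize_ip("203.0.113.77", secrets.token_bytes(32)))
```

Truncation and keyed hashing trade off differently: truncation keeps no secret at all but still groups visitors by network, while the keyed hash keeps per-visitor counts accurate for a day and relies on the key actually being destroyed afterwards. Either way the point is that the anonymization happens in the request path, not in a later cleanup step.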

Access / PII Records in the Database

Very commonly, a service will store data about your usage habits in a database entry which is correlated with your user account. They may record the time of your most recent visit, personally identifiable information (PII) such as your name or phone number, and any number of other things. If you've ever given any kind of info whatsoever to most Web services, you can bet this info is in their database forever--or at least until some attacker gains access to the database.

How we're different: The only PII we have in our database is an email address for each user, which we use solely for account management purposes (sending you a receipt, confirming a change of password, etc.). That is all we know about you personally--and if you give us a throw-away one-off address, as more than half of our users do, we don't really know anything about you personally at all.

We do keep a record of the last time at which any piece of your content data (i.e. your bookmarks) was altered. This is useful for syncing your data via our API, for example: a client application can thus compare its own last update with the one recorded on our server. In practice, it works like this: if you edit the tags on a link, we write down the time you made that change. If you then change that link's category, we replace the record of your previous edit with the time you changed the category. In other words, there is no huge record of every time you did some thing on the site: we only know the last time you did something, and we don't know what that something actually was. The time data is correlated to your account within the database only, so there is no direct connection to your IP address or anything of that sort.
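Here is the edit-tags-then-change-category walk-through from the paragraph above as a small model, together with the client-side comparison that makes the single timestamp useful for syncing. It is an added example for this post, not the site's code or API; the class and function names, and the idea of one timestamp per account, are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass
class Bookmark:
    url: str
    tags: set = field(default_factory=set)
    category: str = ""


class AccountContent:
    """One user's bookmarks plus a single 'last modified' instant. Every
    edit overwrites that instant, so the store never accumulates a history
    of what was changed or when earlier edits happened."""

    def __init__(self):
        self.bookmarks: dict = {}
        self.last_modified: Optional[datetime] = None

    def _touch(self, now: datetime) -> None:
        self.last_modified = now  # overwrite, never append

    def add_bookmark(self, url: str, now: datetime, tags=(), category: str = "") -> None:
        self.bookmarks[url] = Bookmark(url, set(tags), category)
        self._touch(now)

    def set_tags(self, url: str, tags, now: datetime) -> None:
        self.bookmarks[url].tags = set(tags)
        self._touch(now)

    def set_category(self, url: str, category: str, now: datetime) -> None:
        self.bookmarks[url].category = category
        self._touch(now)


def client_needs_sync(client_last_update: Optional[datetime],
                      server_last_modified: Optional[datetime]) -> bool:
    """The client-side check: pull only if the server has seen an edit after
    the client's own last update. Neither side needs to know what changed."""
    if server_last_modified is None:
        return False
    if client_last_update is None:
        return True
    return server_last_modified > client_last_update


# Constructed timeline: add at T0, edit tags at T1, change category at T2.
T0 = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
T1 = datetime(2024, 6, 1, 9, 5, tzinfo=timezone.utc)
T2 = datetime(2024, 6, 1, 9, 10, tzinfo=timezone.utc)


def walkthrough() -> AccountContent:
    acct = AccountContent()
    acct.add_bookmark("https://example.org/post", T0, tags={"reading"})
    acct.set_tags("https://example.org/post", {"reading", "privacy"}, T1)
    acct.set_category("https://example.org/post", "tech", T2)
    return acct


if __name__ == "__main__":
    acct = walkthrough()
    print("server last_modified:", acct.last_modified.isoformat())
    print("client synced at T1 needs sync:", client_needs_sync(T1, acct.last_modified))
```

After the run, the account object holds exactly two things: the bookmarks and the T2 timestamp. The T1 edit has left no trace, which is the property the paragraph describes.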

We don't have anything else about you or your usage of the site in our database. Period. And what's more, if you cancel your account, we delete everything we do know about you after a 30-day window (to ensure your account will still work if you change your mind). It all gets deleted, forever.

Payment Method Data

Many sites which accept payments will store your payment info on their servers, thus allowing you to keep your payment info on file with them. This data gets stolen all the time, as it's obviously an attractive target.

How we're different: We have zero payment-related info in our database. None. It is all stored by our Level 1 PCI-compliant payments processor, Braintree. In turn, they know nothing at all about you. They do not store your name, address, or phone number: just a credit card number, the expiration, and the CVV code. We send them a scrambled ID number that we use to connect their data with your account, so they don't even know the ID of your user account in our database. We haven't yet imagined a setup that keeps your data more cleanly separated from potentially identifying payment info, but if we ever think of one we'll implement it!
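The separation described above, where our side holds only an opaque reference and the processor holds only card data, can be modelled as follows. This is an added example for this post, not the site's integration or Braintree's API: the processor is a stand-in stub, and generating the reference as a random token (rather than hashing the account id) is one assumed way to make it reveal nothing about the account.

```python
import secrets


class OurDatabase:
    """What stays on our side: an e-mail per account and an opaque payment
    reference. No card data, and the reference is random rather than derived
    from the account id, so it carries no information about the account."""

    def __init__(self):
        self.accounts = {}  # account_id -> {"email": ..., "payment_ref": ...}

    def create_account(self, account_id: int, email: str) -> None:
        self.accounts[account_id] = {"email": email, "payment_ref": None}

    def payment_reference(self, account_id: int) -> str:
        """Mint the reference once, then reuse it for the life of the account."""
        acct = self.accounts[account_id]
        if acct["payment_ref"] is None:
            acct["payment_ref"] = secrets.token_urlsafe(16)  # 128 random bits
        return acct["payment_ref"]

    def account_for_reference(self, reference: str):
        """Only our database can turn a reference back into an account."""
        for account_id, acct in self.accounts.items():
            if secrets.compare_digest(acct["payment_ref"] or "", reference):
                return account_id
        return None


class ProcessorStub:
    """Hypothetical stand-in for the payment processor. It is told a
    reference and card details, and nothing else about the customer."""

    def __init__(self):
        self.vault = {}  # reference -> card record

    def store_card(self, reference: str, card_number: str, expiry: str) -> None:
        self.vault[reference] = {"card_number": card_number, "expiry": expiry}

    def charge(self, reference: str, amount_cents: int) -> dict:
        if reference not in self.vault:
            raise KeyError("unknown customer reference")
        return {"reference": reference, "amount_cents": amount_cents, "status": "ok"}


def checkout_flow() -> tuple:
    """Constructed end-to-end run with a standard test card number."""
    db, processor = OurDatabase(), ProcessorStub()
    db.create_account(42, "someone@example.com")
    ref = db.payment_reference(42)
    processor.store_card(ref, "4111111111111111", "12/29")
    receipt = processor.charge(ref, 1100)
    return db, processor, receipt


if __name__ == "__main__":
    db, processor, receipt = checkout_flow()
    print("our record:", db.accounts[42])
    print("processor record:", processor.vault[receipt["reference"]])
```

The useful property to check is that each side's record, taken alone, is uninteresting: a breach of our database yields an e-mail and a random string, and a breach of the processor's vault yields card data with no name, address or account id to attach it to. Linking the two requires both datasets.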

Wrapping Up

We have worked very hard to ensure that we are retaining as little data about you personally as is possible in order to operate a useful service, and on an ongoing basis we will continue working to pare down the data we do store. Eventually, we'd like to know nothing about you at all.

The good news is that we don't need to know all that much. We think most sites could stand to keep a lot less customer data, but we can't really help that. Maybe they'll learn (hopefully not the hard way) someday.