Privacy
banisraeliwine.ca uses a plugin called Independent Analytics to analyze our web traffic and assess the impact of our campaign. People who access our website deserve to know how their data is being used and protected.
Our approach to privacy:
- The data we collect is stored on our server, and is not sent anywhere else.
- Some websites store information in the user’s browser (called a “cookie”) to track them. We do not use cookies.
- We use IP addresses to distinguish returning visitors from new ones, and to get rough geographic information about visitors to our site. However, we do not store users’ IP addresses in plain text. IP addresses are scrambled using a non-reversible algorithm called a “hash” before being stored.
- To make the hash algorithm more secure, a random piece of text called a “salt” is added to the input. We have opted to change the salt every day to limit the potential impacts of a data breach.
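The salted-hash scheme described in the list above, sketched in Python as an added example (this is not the Independent Analytics plugin's code). SHA-256, the 32-byte salt, the class and function names, and the sample traffic are all assumptions made for illustration.

```python
import hashlib
import secrets
from datetime import date


class DailySaltedHasher:
    """Pseudonymise IP addresses with a random salt that is replaced every day."""

    def __init__(self):
        self._day = None
        self._salt = b""

    def visitor_id(self, ip: str, day: date) -> str:
        if day != self._day:
            # New day: overwrite yesterday's salt with fresh random bytes.
            # The old salt is kept nowhere, so old IDs cannot be recomputed.
            self._salt = secrets.token_bytes(32)
            self._day = day
        return hashlib.sha256(self._salt + ip.encode("ascii")).hexdigest()


def summarise(visits):
    """visits: chronological (day, ip) pairs. Returns (stored_rows, stats)."""
    hasher = DailySaltedHasher()
    stored = []   # what ends up in the database: (day, visitor_id) only
    seen = {}     # day -> set of visitor IDs already seen that day
    stats = {}    # day -> {"new": n, "returning": n}
    for day, ip in visits:
        vid = hasher.visitor_id(ip, day)
        kind = "returning" if vid in seen.setdefault(day, set()) else "new"
        seen[day].add(vid)
        stats.setdefault(day, {"new": 0, "returning": 0})[kind] += 1
        stored.append((day, vid))
    return stored, stats


# Constructed sample traffic using documentation-only IP ranges.
SAMPLE_VISITS = [
    (date(2024, 5, 1), "203.0.113.7"),
    (date(2024, 5, 1), "198.51.100.23"),
    (date(2024, 5, 1), "203.0.113.7"),   # same visitor again, same day
    (date(2024, 5, 2), "203.0.113.7"),   # same visitor, next day: new salt
]

if __name__ == "__main__":
    rows, stats = summarise(SAMPLE_VISITS)
    for day, vid in rows:
        print(day, vid[:16] + "...")
    print(stats)
```

Because the set of possible IPv4 addresses is small, the stored IDs are only as private as the salt: it has to stay secret while in use and be discarded when it is rotated, which is what limits a breach to at most one day of linkable records.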
To learn about encryption, hashing, and salting, we recommend watching the video Password Storage Tier List by the YouTuber Studying With Alex. Although the video is about passwords, the processes it describes are used to protect all kinds of personal data, including web analytics data.
A good text-based resource that covers the same topics is the article Encryption, hashing, salting – what’s the difference? by Josh Lake on Comparitech.
Wait, how do websites get my data anyway?
The average website collects data about its users in three main ways:
- IP addresses
- user agent strings
- cookies
An IP address is a unique identifying number assigned to any device that is connected to the internet. Just as a postal address is required to receive mail, an IP address is required to receive information through the internet. Information is sent over the internet in chunks called “IP packets”. Each packet contains 1) the actual message being sent, called the “payload”, and 2) a set of specific metadata called the “IP header”. The IP header specifies, among other things, a source address, i.e. the IP address where the packet is coming from, and a destination address, i.e. the IP address where a packet is going to.
When your web browser wants to view a website, it first sends the website’s server a formal request called an HTTP request. The server sends back a formal response — called an HTTP response — that should include the actual webpage you requested. These requests and responses are sent within the payload section of IP packets. This means that a website’s server receives your IP address within the IP header of your browser’s initial HTTP request.
Your IP address can be obfuscated using a virtual private network (VPN), which acts as a middleman between you and the internet. When you use a VPN, all your web traffic is routed through them. Websites only see the IP address of the VPN server that you’re using, and not your real IP address. Your VPN provider knows your real IP address, but you trust them not to give it away.
Like IP packets, HTTP requests have their own headers that contain a set of specific metadata to help the server know how to respond. However, IP headers and HTTP headers cover different types of metadata. One of the HTTP request headers is called “User-Agent”, and it contains information about what browser (e.g. Firefox, Edge, Chrome, Safari, etc.) and operating system (e.g. Windows, Mac, Linux, etc.) you’re using. User agent information is used to tailor a website’s content to a specific browser or operating system. Pieces of text are called “strings” in tech, so the piece of text in the HTTP header that identifies your user agent is called your “user agent string”.
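To make the layering concrete, this added example (not part of the original page) builds one constructed packet and reads back the fields a server receives: the source and destination addresses from the IP header and the User-Agent from the HTTP headers. The addresses, host name and browser string are made up, and the packet includes the TCP header that sits between the IP header and the HTTP request, a layer the simplified description above leaves out.

```python
import ipaddress
import struct


def build_sample_packet() -> bytes:
    """Constructed IPv4 + TCP packet carrying one HTTP request (checksums left 0)."""
    http = (b"GET /privacy HTTP/1.1\r\n"
            b"Host: example.org\r\n"
            b"User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:125.0) "
            b"Gecko/20100101 Firefox/125.0\r\n"
            b"\r\n")
    src = ipaddress.IPv4Address("203.0.113.7").packed
    dst = ipaddress.IPv4Address("198.51.100.10").packed
    # TCP header: ports, seq, ack, data offset (5 words), flags, window, sum, urg
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(http)
    # IPv4 header: version/IHL, TOS, length, id, frag, TTL, protocol 6 (TCP), sum
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0, src, dst)
    return ip + tcp + http


def what_the_server_sees(packet: bytes) -> dict:
    """Extract source/destination IP and the User-Agent header from a packet."""
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or len(packet) < ihl + 20:
        raise ValueError("not a complete IPv4/TCP packet")
    if packet[9] != 6:
        raise ValueError("payload is not TCP")
    src = str(ipaddress.IPv4Address(packet[12:16]))   # bytes 12-15 of IP header
    dst = str(ipaddress.IPv4Address(packet[16:20]))   # bytes 16-19 of IP header
    tcp_len = (packet[ihl + 12] >> 4) * 4             # TCP header length in bytes
    http = packet[ihl + tcp_len:].decode("iso-8859-1")
    head, _, _ = http.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"source_ip": src, "destination_ip": dst,
            "request_line": request_line,
            "user_agent": headers.get("user-agent")}


if __name__ == "__main__":
    for field, value in what_the_server_sees(build_sample_packet()).items():
        print(f"{field}: {value}")
```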
After your web browser requests to view a website using an HTTP request, the website’s server sends your browser an HTTP response. An HTTP response has three parts: a status, some headers, and (optionally) a body. The status contains information about how successful the server was in fulfilling the HTTP request. For example, you may have seen websites display a 404 error message saying something like “bad request” or “page not found”. This is an HTTP status code indicating that the browser couldn’t find the requested webpage. The body of an HTTP response contains the actual webpage, if found successfully. The headers of an HTTP response are, once again, metadata. HTTP response headers give more information about the response, and specify various ways that your browser should react.
A website can use the “Set-Cookie” HTTP response header to store a cookie on your browser. A cookie is a small, temporary piece of data that a website can put onto a user’s browser for tracking or other purposes. A tracking cookie is kind of like putting a numbered tag on a newborn baby — the second time you interact with them, you’ll recognize which baby they are by looking at the number you put on them. Likewise, websites can remember who you are by looking at the tracking cookie they put on your browser, even if you are using a different IP address from the last time you visited their site. Tracking cookies can be used for more than just basic identification of a user. They can also be used to track specific purchases you make, specific posts you interact with, or really any action you take on a website. This is like adding information about a baby’s behaviour to their tag.
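The numbered-tag idea above, as an added example that is not part of the original page and not code this site runs: a toy server that sets a random ID with Set-Cookie on the first request and recognises the same browser on a later request from a different IP address. The cookie name `visitor`, the class name and the addresses are assumptions for illustration.

```python
import secrets
from http.cookies import SimpleCookie


class CookieTrackingSite:
    """Toy server-side logic: tag each new browser with a random ID cookie."""

    def __init__(self):
        self.visits = {}   # cookie ID -> list of (ip, path) the site has observed

    def handle(self, ip: str, path: str, cookie_header: str = "") -> dict:
        """Process one request; returns the response headers the site would send."""
        jar = SimpleCookie(cookie_header)
        response_headers = {}
        if "visitor" in jar and jar["visitor"].value in self.visits:
            visitor_id = jar["visitor"].value        # recognised by the tag
        else:
            visitor_id = secrets.token_hex(8)        # first visit: issue a new tag
            self.visits[visitor_id] = []
            out = SimpleCookie()
            out["visitor"] = visitor_id
            out["visitor"]["max-age"] = 60 * 60 * 24 * 365
            out["visitor"]["path"] = "/"
            response_headers["Set-Cookie"] = out["visitor"].OutputString()
        # Every action is appended to the history kept under that tag.
        self.visits[visitor_id].append((ip, path))
        return response_headers


def demo():
    site = CookieTrackingSite()
    first = site.handle("203.0.113.7", "/")
    # The browser stores the name=value pair and sends it back on later requests.
    cookie_header = first["Set-Cookie"].split(";")[0]
    # Same browser, different network (constructed addresses).
    second = site.handle("198.51.100.23", "/shop/item-42", cookie_header)
    return site, first, second


if __name__ == "__main__":
    site, first, second = demo()
    print("first response headers: ", first)
    print("second response headers:", second)
    print("history kept per tag:   ", site.visits)
```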
There is a lot to learn about digital security, and it’s easy to get overwhelmed. Learning about digital security is a marathon, not a sprint, but it’s something we all must take seriously in our fight against authoritarianism and tyranny. If you want to learn more, there are some suggestions for further reading linked below. If you want to study the topic in depth, you can seek out career roadmaps and professional certifications in cybersecurity, web development, and other related tech fields.
Further reading on digital security: