PCH

Data Privacy Statement from 2018-03-15 through 2018-04-11

PCH takes the sanctity of your personal data seriously. The purpose of the statement below is to inform you in detail about how PCH handles the personal data we collect to provide our DNS Anycast service, DNSSEC service and other online services, including those delivered via our web site.

General Considerations

In keeping with its research and support mission and the principles of scientific inquiry and open source development, PCH minimizes its handling of information which could be considered secret or confidential.

Public data of many forms are provided to Packet Clearing House on a voluntary basis by PCH's research partners, peers, and project participants. PCH publishes this information to the public through its website, databases, and application programming interfaces (APIs). PCH may, at its sole option, anonymize, aggregate, delete, or restrict access to portions of the data, but does not represent that it will do so in any particular case.

As a result of PCH’s global nature, PCH must comply with the highest applicable standards of personal data protection. Currently, we believe the highest standards are established by the European General Data Privacy Regulation. Consequently, we attempt to provide to all of our users globally the same protections afforded to European citizens by the GDPR.

Collection, Processing and Use of Personal Data for the Purpose of Provision of Services

PCH provides services to the operators of Internet exchange points (IXPs) and domain name registries. These services are provided on an organization-to-organization basis, but in order to establish contact with the organizations we serve, we must collect, process and store the personal data of the individuals who are our points of contact with those organizations. This personal information includes name, professional role or function, and telephone and email addresses. We use it exclusively for the purpose of performing our obligations with respect to the recipient organizations, and only to the extent required to achieve these purposes. The data will not be used for advertising, nor will it be divulged to third parties.

Collection, Processing and Use of Personal Data for the Purpose of Providing Web Services

Any time you visit one of our web sites, we store the IP address of your computer and give your browser a unique cookie that doesn’t expire. The cookie allows us to accurately count unique visitors so that we may gather gross, aggregate statistics. We store your IP address and cookie in our web access logs, which we never delete.

If you choose to sign up on our site to create an account, we will know your first and last name, the company you work for and your primary and secondary email address. We collect this data for the purpose of verifying the validity of newly-created accounts, and to facilitate the return of requested data to account holders. The data is used only to the extent required to achieve these purposes. The data will not be used for advertising, nor will it be divulged to third parties.

Web sites covered by this statement are: www.pch.net, prefix.pch.net, lg.pch.net, internetmeetings.org, inoc-dba-web.pch.net.

Collection, Processing and Use of Usage Data of PCH Website

PCH logs and stores the IP addresses of visitors to its website so that we can keep the site secure (i.e., in the case of a denial of service attack) and also track how many visitors our site gets. In the case of our resources section (pch.net/resources), we have grants that explicitly request that we report the number of visitors and downloads. To facilitate this reporting, we internally log first name, last name, user-name and email for both browsing and downloading of our resources section. This personal data is only used internally and is always aggregated in reports when shared.

Opting out of Web Data Collection

We do not have any active way to opt out of the data we collect short of not using our services. That said, our services do not block you from using a virtual private network (VPN) to obscure your IP address. You can also delete the tracking cookie after every visit to our site with no detrimental effect. If you create an account, you may also log out while browsing and downloading anything from our resources (except IMPACT data, which mandates that you be logged in).

For an in-depth guide on opting out, anonymity, privacy and security while browsing the web, see the Electronic Frontier Foundation's Surveillance Self-Defense.

Data Associated with the Use of PCH Nameservers

PCH’s most widely-used services are the public authoritative nameservers which we operate on behalf of most of the world’s domain name registries. These services are provided to the public, both organizations and individuals, without any explicit collection of data which identifies individual users.

We have no individual or individually-identifiable relationships with users of these systems, nor any way of tracking or identifying users of the systems. However, in order to reply to each query we receive, we must retain the IP address of the querying system for the few microseconds it takes us to formulate and send a response, and in order to ensure the security and integrity of systems, respond to requests for technical assistance, and formulate aggregate use statistics, we may retain the IP addresses associated with some queries for longer periods, typically up to twenty minutes.

In addition, the domain name registries on whose behalf we publish the domain name data may request that we forward a copy of this data to them, at which point it is governed by their data handling policies.

Because of the nature of authoritative nameservice, the vast majority of queries which we receive originate from recursive nameservers, which are typically owned by organizations rather than being associated with individuals. Because we do not store information about the users of the systems, we have no way of distinguishing between IP addresses which may represent organizations, and those which may be associated with individuals. In no event do we have any other information which might be correlated with IP addresses to identify an individual, and in no event do we retain specific IP addresses beyond the short (typically twenty-minute) window of time necessary to perform security, performance, and usage analytics, unless that IP address was part of an ongoing security threat to our systems.

Third-Party Sharing of Personal Data

We do not share any of the web data we collect with any other parties, with two exceptions:

What we do not do

Beyond our integration with Stripe and our resources section, we do not:

Personal Data of Minors

PCH requires and retains the explicit permission of the parent or legal guardian of anyone whose data is retained who is not yet eighteen years old, or of legal majority in their country of residence.

Use of Cookies

We use cookies where necessary to ensure the convenient and secure operation of our web site. Specifically, we give you a browser cookie that doesn’t expire to help us track unique visitors. When you log in, we give you a session cookie that lasts 24 hours from your last page view. This allows us to know whether you are still logged in.

Security

PCH takes its security responsibilities seriously and employs technical and organisational measures to protect your personal data against accidental or intentional manipulation, loss, destruction or access by unauthorised persons. We review these measures regularly and include staff training and awareness to manage associated risks.

In Transit

All connections to our web sites are made over an encrypted connection using current and safe protocols. Specifically, we do not support any Transport Layer Security (TLS) ciphers that are known to be insecure. We try to always use keys which enforce perfect forward secrecy. For more information about which ciphers we employ and other specifics about our TLS configuration, please see SSL Labs' current review of our site.

Passwords

All passwords are stored as hashes computed with the bcrypt algorithm. We never store passwords in plain text. All password resets are done by emailing the user a link which expires in 24 hours.

Reporting data breaches

In the event that a breach involving personal data is detected, PCH will notify the relevant data protection authorities within 72 hours.

Rights to Access and Control Your Personal Data

We retain personal data as described in the sections above for as long as it is necessary for the purpose(s) for which it was obtained.

You have the right to access, rectify or delete the information we have stored on you, and such requests will be resolved within a maximum of one month. Our ability to modify or delete data may be limited if the data is subject to a retention obligation under US Federal Law or California state law, but we do not currently know of any data to which such obligations would apply. In the event that we encounter a conflict between this requirement and the European General Data Protection Regulation, we will document it here.

Contact Details

Please send data privacy requests in writing to:

Packet Clearing House
1600 Shattuck Ave Ste 212
Berkeley, California 94709
USA

or by email at privacy@pch.net

Correctness and validity of this Data Privacy Statement

By using our website you consent to your data being used as described above. This data privacy statement is the currently valid version as of 1 February 2018.

PCH reserves the right to amend this data privacy statement at any time with effect for the future. The relevant version of this statement shall always be the version you can call on when you visit our website.