Communicate logging of IP addresses in FAQ + clarify privacy policy

Issue resulted from this forum post: https://forum.torproject.org/t/our-commitment-to-donor-privacy-at-tor/19838/6

We currently log IP addresses for rate limiting and spam protection and also send them to CiviCRM.

  • There is a valid reason to log these IP addresses.
  • It is public knowledge due to the open-source code.
  • Logging the IP address for credit card and PayPal transactions does not impact privacy significantly because these payment methods can't be considered private anyway.

That being said, the logging of IP addresses can still be a delicate matter for some users, and I think we should clearly communicate in the FAQ that we log IP addresses and send them to CiviCRM, just in the spirit of being as transparent and clear as possible.

Once we do have an onion service, we could consider showing a warning that we provide a more anonymous and private option for donations.

⚠️ Regarding privacy policy (important).

The privacy policy currently has this text:

When you donate to the Tor Project, depending what mechanism you use, we may learn your name, the amount you donated, your email address, phone number and/or mailing address, as well as any other information you provide. We may also learn incidental data such as the date and time of your donation.

  1. First of all, nowhere in the privacy policy do we mention anything about IP logging.

  2. These two sentences, "as well as any other information you provide" and "We may also learn incidental data such as the date and time of your donation", kind of bother me. I think we should list exactly ALL data fields that we collect, and clarify why we need that information field by field: Why do we require an email? To mail you again in the future. Why do we need your address? To send you a t-shirt. Why do we need your name? To address you in communication, ... Idem for all the derived data like timestamp, IP, ...

Access to that information is restricted inside the Tor Project to people who need it to do their work, for example by thanking you or mailing you a t-shirt.

Does this mean that the required data is deleted after, e.g., the t-shirt is sent? For how long is the data stored? Is it deleted when it isn't required anymore?

  1. A small summary should be available in the FAQ with a link to the privacy policy giving the full and detailed information.

/cc @smith

Edited Aug 04, 2025 by Niel Duysters