[liberationtech] OTR via jabber.ccc.de (and TOR?)

[Seth David Schoen]

Douglas Lucas writes:

> Hi everyone,
> 
> My first post here. I really enjoy reading this list!
> 
> Since the jabber.ccc.de privacy page http://web.jabber.ccc.de/?page_id=5 is
> in German, I can't read most of it. I don't want to rely on Google
> Translate for this!

Here is my manual translation, but I'm not sure how much more accurate
than Google Translate it is. :-)


What kind of data is stored?

Principally, the following pieces of data are stored by the server:

    The Jabber ID (jid) comprised of the username and domain for identification of the user account.
    The password for the Jabber account for identification when the Jabber client logs into the server.
    The contacts of a user stored at setup together with the fact of the direction(s) in which visibility exists with this contact.  This is stored so that you can log in with various clients and always have the same contacts.
    The date and time when the user account was created and when it was most recently used.  This allows disused accounts to be erased automatically.
    When a user is not logged in, incoming messages addressed to him are temporarily stored so that they can be delivered when he next logs in.  The time that these messages arrived is also stored with them.
    While a user is logged in, how long he has been online and how many data packets he has sent and received during this time period is recorded.  This is done in order to allow the monitoring of the quality of service and utilization level of the server and, if need be, to allow us to locate the sources of excessive use.
    In case of errors in the delivery of a message, information about from whom and to whom the message was sent and why the delivery failed is recorded.  However, the content of the message is not stored.  This is necessary to allow a problem to be detected when errors accumulate.

Furthermore, it is possible that the Jabber client may store data from the server.  This data can be stored by the Jabber client in such a way either that it may be queried by other Jabber users (for example, vCards containing contact information) or so that only the account user can call it up again (for example, configuration options of a Jabber client).  This data, its scope, and the length of time for which it is stored is the Jabber client's responsibility.

Daily backups of all of the above-mentioned data are made and kept for several days.  Previously-erased data may, in fact, thus continue exist for a few more days in these backups.

What is this data used for?

The data stored about a user will not be used commercially.  They will also not be sold or passed on to third parties.  No advertising is sent to the users of this service.

There are exceptions to this, as follows: If a user's information retained by the user or the user's software is published (a stored vCard is a particular example), this information is retrievable by other users individually.

The user's Jabber addresses (JID) will not be published; but, should the server user nonetheless himself publish his Jabber address, we cannot rule out the possibility that third parties may use this information to send advertisements to the user.  This can, in particular, even happen through a message customarily employed in e-mail exchanges.  The operator of this server expressly forbids the use of this service for the distribution of undesired (meaning not explicity requested) advertising, but this cannot be enforced in every case.

Messages that are sent from one user to another may be forwarded to another server.  Their treatment there is not necessarily subject to the policies of this server.  The same is true for information that the user has designated to be shared with some other user or with all users (for example, information about the user's online status or presence [is sent] to users to whom he has granted permission and also, for technical reasons, to the servers which those other users use).

If a user makes use of connections to another IM system, the protection of his privacy and data is also dependent on the features of the other system.  In particular, some systems allow the viewing of a user's online status/presence without the user's explicit consent.

The user's IP addresses are not disclosed to other users by this server.  All Jabber protocol communication is effectuated through the server.  Jabber clients can, however, exchange their IP addresses in messages, for example in order to begin a file transfer.  But the server does not examine these IP addresses and does not itself share the IP address of a user with a third party.

Statistics about the use and utilization of the server are derived from collected data.  These statistics are compiled anonymously; inference about individual people from these statistics is not possible.

Who has access to this data?

Two people have access to the data stored on this server.  They are Peter ‘vt100′ Schwindt and Sven-Haegar Koch.

Please note that data sent unencrypted across the Internet can be intercepted at many points.  Thus, users are advidsed to create an encrypted connection to the Jabber server with the help of SSL (this is not supported by all Jabber clients).  However, this only encrypts the connection between the user and the server.  When the message is delivered to its addressee, the connection may once again be unencrypted.  If the message first needs to be given to another Jabber server or another IM system, the connection to it also takes place unencrypted.  If necessary, the encryption of individual messages is especially recommended in this case.  Some Jabber clients support this with the help of PGP or GnuPG; in this case the message is not visible even to the Jabber servers themselves.

Notes

Points of confusion and further questions may be discussed with the server administrator (see Impressum).

This server is subject to the law and data protection regulations of the Federal Republic of Germany and the European Union.

These rules were taken from amessage.de, with their kind permission.

-- 
Seth Schoen  <schoen at eff.org>
Senior Staff Technologist                       https://www.eff.org/
Electronic Frontier Foundation                  https://www.eff.org/join
454 Shotwell Street, San Francisco, CA  94110   +1 415 436 9333 x107