This site is run by me, a citizen of the Republic of the Philippines, and its server is hosted by Amazon Web Services and located offshore. I use this site to post material that might be interesting to persons who are also bitgeeks. Digital assets that I can’t otherwise post to GitHub are stored here.
Unless comments are enabled, this site does not collect or store any readers’ personally-identifiable information, and will not request any such information, for any purpose. Under this condition, legiscope.net falls mostly outside the definition of a “personal information controller” described in Section 3(h) of the Data Privacy Act of 2012 (RA 10173), except for four items of information (bullet list below) which may conceivably be interpreted as ‘personal information’; specifically, about the fact that you visited this site.
When comments are enabled, and you post a comment, this server stores 1) your comment text, and it may store 2) the name and 3) e-mail address, and 4) website URL (your website) that you entered in the comment box. Two items of “metadata” are stored as well – 1) the IP address of the ’Net connection your machine is using, and 2) the time you submitted your comment. I didn’t ask for this, and am not particularly interested in making money off of the things said or posted here. When those comments are stored here, on the server for https://legiscope.net, then I am a personal data controller, who owes you a duty of care to protect that data from corruption, manipulation by third parties, or loss due to careless management of the server (i.e. rm -rf /var/db/ woopsie). But not to keep the information secret: Comments submitted to this platform are intended to be viewed by the public.
When you connect to a publicly visible web site such as https://legiscope.net, the following items of information are unavoidably sent to that site:
- Your computing system’s IP address on the Internet,
- The URL of the page that your Web browser is requesting,
- Possibly the site that referred you to https://legiscope.net, by putting a link on a page there that leads to here.
These items of information are used by the Apache Web Server to deliver the pages you are viewing now. They are also recorded in a text file, or “log”, as part of the normal operation of Apache Web Server.
These logs are kept for a period of at most seven days, and any logs older than seven days are automatically deleted. After seven days, the four bits of info about your visit (IP address, URL, and possibly referrer) are gone. This info is still useful for diagnosing connection problems, for identifying spam bots (and human bot origin IPs), and identifying the origin IP of electronic attacks on this site (e.g. denial of service, or attempts to break into the site’s administrator pages). These logs are not used to perform day-to-day traffic analysis, e.g. for purposes such as de-anonymisation of users, geolocation profiling, etc. Those activities serve no purpose for me, as this site is not supported by ads (I don’t need to report usage stats), does not serve any branch of the Philippines (or any other country’s) intelligence service, or any such shit. These pages are a way to interact with communities in which I have a special interest, and to share content I make freely available.
I take reasonable care to ensure that no third party is able to get hold of those log files, or modify any files on this rented machine, by
- using secure remote access to this cloud-hosted server;
- restricting remote access to the server only from the IP endpoint at which I’m physically located;
- enabling two-factor authentication and a separate 70+ character password for the Web administrator pages of this CMS (this is a fucking pain); and
- checking daily for updates to both the operating system and all applications (including the content-management system), and applying patches at most a working day after a notice is received from US-CERT advisories of the need to do so.
This site is a personal project, not my job, so I suggest that 24 hours to patch a low-value target is pretty damned good behavior on my part. The server access log in /var/log/secure and Amazon’s own logs will stand forensic scrutiny, methinks.
The bottom line is that 1) any comments you post here, should I enable that capability, will record whatever drivel you chose to put online for the world to read, and 2) I’m making sure that the fact you visited this site is only ever known to you and the Apache Server 2.4 program that’s serving these pages. Unless you mount an attack on this server that I notice, and then I will know which egress Internet Protocol address you’re coming from. A whole fat lot of good that will do me.
However, if Philippine authorities decide to subpoena my server records for some godawful reason, I have little choice other than to comply with such a demand to produce these server logs, and other information related to this site and the site’s content. Unless I decide to get a lawyer and challenge that demand made of me by legitimate authorities of the Republic of the Philippines. This bears mentioning because the Department of Justice was recently led by a dick. Our President is also a top-grade jackass. Our country owes the planet an apology for making this world a lot less well-off than it was in 2016. And, no: Only two-fifths of the electorate chose this. We’re not an evil people, damnit.
That said, do take care when posting comments or clicking on “Likes” or “Share” buttons on this page (if and when they are available). When you click on Facebook-related controls (e.g. by clicking on “Like” or “Share” buttons, or posting comments), your browser connects to Facebook, who do log additional information about you. I do not know how much information is sent to them (and neither does my server), since the “click” occurs on your machine, and legiscope.net is not party to the connection between you and them. They (Facebook) may be subpoenaed for their server records, and their server will likely show that your browser was referred to them from my site.
I reserve the right to activate or remove social media sharing tools (those “Like” and “Share” widgets). If these links are not enabled on any pages, no problem – just share the URL of a particular page or post elsewhere, or fetch the stuff you need from here, no problem. Creative Commons terms may apply to some of the stuff I put up here; others may be covered by one or another of the GPL license terms.
If comments are enabled, they are reviewed by me before being permitted onto comment threads. This is cumbersome. I suggest you copy content from the page you’d like to comment on, paste it into a social media sharing site of your choosing, and chat away there.
That said: This is my little platform on the Interwebs. Do be kind to anyone you trade comments with on these pages. I reserve the right to moderate and block abusive comments directed at other persons. I will use the server log IPs to block spam bots and trolls – especially fascist ones who support murder as government policy.
I hope you find something on these pages useful. The Matrix is a cold place otherwise.
– aahilario at gmail.com
Note: About emailing me: Unless you’re already a friend, a coworker, or the server for one of the numerous online newsletters I subscribe to, I will not normally respond to you. You may phish, but neither I nor any of my ARM boards will bite.
For the script kiddies and red-teamers out there who’ve nothing better to do: no, the login you might want to steal from here works nowhere else. And no, SSH login will not get you anywhere. Yes, it’s WordPress, as I’m too lazy to get a CMS that has fewer security holes than a Scotchbrite sponge, so YMMV (read that as “bugger off”). Be warned, I have no life, I’m pretty much in this server every fucking day, listening to Risky.biz and other podcasts of their kind. Padayon.
Updated 9 July 2018 after another reading of the Data Privacy Act.