Wednesday, June 10, 2015

Protect Reader Privacy with Referrer Meta Tags

Back when the web was new, it was fun to watch a website monitor and see the hits come in. The IP address told you the location of the user, and if you turned on the referer header display, you could see what the user had been reading just before.  There was a group of scientists in Poland who'd be on my site regularly- I reported the latest news on nitride semiconductors, and my site was free. Every day around the same time, one of the Poles would check my site, and I could tell he had a bunch of sites he'd look at in order. My site came right after a Russian web site devoted to photographs of unclothed women.

The original idea behind the HTTP referer header (yes, that's how the header is spelled) was that webmasters like me needed it to help other webmasters fix hyperlinks. Or at least that was the rationalization. The real reason for sending the referer was to feed webmaster narcissism. We wanted to know who was linking to our site, because those links were our pats on the back. They told us about other sites that liked us. That was fun. (Still true today!)

The fact that my nitride semiconductor website ranked up there with naked Russian women amused me; reader privacy issues didn't bother me because the Polish scientist's habits were safe with me.


Twenty years later, the referer header seems like a complete privacy disaster. Modern web sites use resources from all over the web, and a referer header, including the complete URL of the referring web page, is sent with every request for those resources. The referer header can send your complete web browsing log to websites that you didn't know existed.

Privacy leakage via the referrer header plagues even websites that ostensibly believe in protecting user privacy, such as those produced by or serving libraries. For example, a request to the WorldCat page for What you can expect when you're expecting  results in the transmission of referer headers containing the user's request to the following hosts:
  • http://ajax.googleapis.com
  • http://www.google.com (with tracking cookies)
  • http://s7.addthis.com (with tracking cookies)
  • http://recommender.bibtip.de
None of the resources requested from these third parties actually need to know what page the user is viewing, but WorldCat causes that information to be sent anyway. In principle, this could allow advertising networks to begin marketing diapers to carefully targeted WorldCat users. (I've written about AddThis and how they sell data about you to advertising networks.)

It turns out there's an easy way to plug this privacy leak in HTML5. It's called the referrer meta tag. (Yes, that's also spelled correctly.)

The referrer meta tag is put in the head section of an HTML5 web page. It allows the web page to control the referer headers sent by the user's browser. It looks like this:

<meta name="referrer" content="origin" />

If this one line were used on WorldCat, only the fact that the user is looking a WorldCat page would be sent to Google, AddThis, and BibTip. This is reasonable, library patrons typically don't expect their visits to a library to be private; they do expect that what they read there should be private.

Because use of third party resources is often necessary, most library websites leak lots of privacy in referer headers. The meta referrer policy is a simple way to stop it. You may well ask why this isn't already standard practice. I think it's mostly lack of awareness. Until very recently, I had no idea that this worked so well. That's because it's taken a long time for browser vendors to add support. Although Chrome and Safari have been supporting the referrer meta tag for more than two years; Firefox only added it in January of 2015. Internet Explorer will support it with the Windows 10 release this summer. Privacy will still leak for users with older browser software, but this problem will gradually go away.

There are 4 options for the meta referrer tag, in addition to the "origin" policy. The origin policy sends only the host name for the originating page.

For the strictest privacy, use

<meta name="referrer" content="no-referrer" />

If you use this sitting, other websites won't know you're linking to them, which can be a disadvantage in some situations. If the web page links to resources that still use the archaic "referer authentication", they'll break.

 The prevailing default policy for most browsers is equivalent to

<meta name="referrer" content="no-referrer-when-downgrade" />

"downgrade" here refers to http links in https pages.

If you need the referer for your own website but don't want other sites to see it you can use

<meta name="referrer" content="origin-when-cross-origin" />

Finally, if you want the user's browser to send the full referrer, no matter what, and experience the thrills of privacy brinksmanship, you can set

<meta name="referrer" content="unsafe-url" />

Widespread deployment of the referrer meta tag would be a big boost for reader privacy all over the web. It's easy to implement, has little downside, and is widely deployable. So let's get started!

Links:

Thursday, June 4, 2015

Towards the Post-Privacy Library?

I have an article in this month's Digital Futures, a supplement to American Libraries magazine. The full issue is an important one, so go take a look. In addition to my article, be sure to read the article starting on page 20 entitled "Empowering Libraries to Innovate" in which I am quoted. Here's the web version.

I'm reprinting the article here so as to have a good place for discussion.



Alice, a 17 year old high school student, goes to her local public library and reads everything she can find about pregnancy. Noticing this, a librarian calls up some local merchants and tells them that Alice might be pregnant. When Alice visits her local bookstore, the staff has some great suggestions about newborn care for her. The local drugstore sends her some coupons for scent-free skin lotion. She reads "what you can expect..." at the library and a few months later she starts getting mail about diaper services.

Unthinkable? In the physical library, I hope this never happens. It would be too creepy!

In the digital library, this future could be happening now. Libraries and their patrons are awash in data that really isn't sensitive until aggregated, and the data is getting digested by advertising networks and flowing into "big data" archives. The scenario in which advertisers exploit Alice's library usage is not only thinkable, it needs to be defended against. It's a "threat model" that's mostly unfamiliar to libraries.

Recently, I read a book called Half Life. Uranium theft, firearms technology and computer hacking are important plot elements, but I'm not worried about people knowing that I loved it. The National Security Agency (NSA) is not going to identify me as a potential terrorist because I'm reading Half Life. On the contrary, I'd love for my reading behavior to be broadcast to the entire world, because maybe more people would discover what a wonderful writer S.L. Huang is. A lot of a library user's digital usage data is like that. It's not particularly private, and most would gladly trade usage information for convenience or to help improve the services they rely on. It would be a waste of time and energy for a library to worry much about keeping that information secret. Quite the opposite, libraries are helping users share their behavior with things like Facebook Like buttons and social media widgets.

Which is why Alice should be very worried and why it's important for libraries to understand new threat models. What breaches of user privacy are most likely to occur and which are most likely to present harm?

A 2012 article in the New York Times Magazine described a real situation involving Target (the retailer).  Target's "big data" analytics team developed a customer model that identified pregnant women based on shopping behavior. Purchases of scent-free skin lotion, vitamin supplements, and cotton balls turned out to be highly predictive of subsequent purchases of baby diapers. Using the model, Target sent ads for baby-oriented products to the customers their algorithm had identified. In one case, an irate father whose daughter had received ads for baby clothes and cribs accused the store of encouraging his daughter to get pregnant. When a manager called to apologize, the father was somewhat abashed. “I had a talk with my daughter,” he said. “It turns out there’s been some activities in my house I haven’t been completely aware of. She’s due in August. I owe you an apology.”

Among the companies collecting "big data" about users are the advertising networks, companies that sit in between advertisers and websites. They use their data to decide which ad from a huge inventory is most likely to result in a user response. If I were Alice, I don't think I would want my search for pregnancy books broadcasted to advertising networks. Yet that's precisely what happens when I do a search on my local public library's online catalog. I very much doubt that many advertisements are being targeted based on that searching ... yet. But the digital advertising industry is extremely competitive, and unless libraries shift their practices, it's only a matter of time that library searches get factored into advanced customer models.

But it doesn't have to happen that way. Libraries have a strong tradition of protecting user privacy. Once all the "threat models" associated with the digital environment are considered, practices will certainly change.

So let's get started. In the rest of this article, I'll examine the process of borrowing and reading an ebook, and identify privacy weaknesses in the processes that advertisers and their predictive analytics modeling could exploit.
  1. Most library catalogs allow non-encrypted searches. This exposes Alice's ebook searches to internet providers between Alice and the library's server. The X-UIDH header has been used by providers such as Verizon and AT&T to help advertisers target mobile users. By using HTTPS for their catalogs, libraries can limit this intrusion. This is relatively easy and cheap, and there's no good excuse in 2015 for libraries not to make the switch.

  2. Some library catalogs use social widgets such as AddThis or ShareThis that broadcast a user's search activity to advertising networks. Similarly, Facebook "Like" buttons send a user's search activity to Facebook whether or not the user is on Facebook. Libraries need to carefully evaluate the benefits of these widgets against the possibility that advertising networks will use Alice's search history inappropriately.

  3. Statistics and optimization services like Google Analytics and NewRelic don't currently share Alice's search history with advertising networks, but libraries should evaluate the privacy assurances from these services to see if they are consistent with their own policies and local privacy laws.

  4. When Alice borrows a book from a vendor such as OverDrive or 3M, it monitors Alice's reading behavior, albeit anonymously. At this date, it's very difficult for an advertiser to exploit Alice's use of reading apps from OverDrive or 3M. Although many have criticized the use of Adobe digital rights management (DRM) in these apps, both 3M and OverDrive use the "vendorID" method which avoids the disclosure of user data to Adobe, and at this date, there is no practical way for an advertising network to exploit Alice's use of these services. Here again, libraries should review their vendor contracts to make sure that can't change.
  5. If Alice reads her ebook using a 3rd party application such as Adobe Digital Editions (ADE), the privacy behavior of the third party comes into play. Last year, ADE was found to be sending user reading data back to Adobe without encryption;  even today, it's known to phone home with encrypted reading data. Other applications, such as Bluefire Reader, have a better reputation for privacy, but as they say "past performance is no guarantee of future returns".

  6. If Alice wants to read her borrowed ebook on a Kindle (via OverDrive), it's very likely that Amazon will be able to exploit her reading behavior for marketing purposes. To avoid it, Alice would need to create an anonymous account on Amazon for reading her library books. Most people will just use their own (non-anonymous) accounts for convenience. If Alice shares her Amazon account with others, they'll know what she reads.

    This is a classic example of the privacy vs. convenience tradeoff that libraries need to consider. A Kindle user trusts that Amazon will not do anything too creepy, and Amazon has every incentive to make that user comfortable with their data use. Libraries need to let users make their own privacy decisions, but at the same time libraries need to make sure that users understand the privacy implications of what they do.

  7. The library's own records are also potential source of a privacy breach. This "small-data" threat model is perhaps more familiar to librarians. Alice's parents could come in and demand to know what she's been reading. A schoolmate might hack into the library's lightly defended databases looking for ways to embarrass Alice. A staff member might be a friend of Alice's family. Libraries need clear policies and robust processes to be worthy of Alice's trust.

In the digital environment, it's easy for libraries to be unduly afraid of using the data from Alice's searches and reading to improve her experience and make the library a more powerful source of information. Social networks are changing the way we think about our privacy, and often the expectation is that services will make use of personal information that's been shared. Technologies exist to protect the user's control over that data but advertising networks have no incentive to employ them. I want my library to track me, not advertising networks!. I want great books to read, and no, I'm not in the market for uranium-238!

Monday, May 11, 2015

Review: Alex Winter's "Deep Web" about Silk Road's Ross Ulbricht

Going in to see the movie Deep Web, which played yesterday and today at the Montclair Film Festival, I was most interested in the question "Who is Ross Ulbricht?" Is he the libertarian idealist who created Silk Road to let people do what the government doesn't want them to do? Or is he the scheming drug lord who put out contracts on associates who had betrayed him, as alleged by the government? Though the movie was fascinating, I left with my question unanswered.

This is no fault of the filmmaker, whose challenge was to make a documentary about someone he had little access to. Despite interviews with family, friends and business associates, Ross Ulbricht appears as a shadow in this movie. We see him in a few home movies, we see his LinkedIn profile, but we never really see or hear Ross Ulbricht talk about the subject at hand.

We hear more from Dread Pirate Roberts, a pseudonym that was at least partly Ross Ulbricht. We see many of his posts on Silk Road forums, with highlights to show the complexity of his motivations. DPR seems more interested in ideals than money, he wants to make the world a freer and safer place. But he's a businessman who values loyalty and doesn't tolerate people who don't make good on their promises.

The central voice of the film is that of Wired Senior Reporter Andy Greenberg, listed as "Consulting Producer" of Deep Web. Because much of the film surrounds Silk Road forum postings and the legal case against Ulbricht, it relies heavily on Greenberg to boil down and assess voluminous posts and complicated proceedings. Greenberg doesn't quite have the screen presence the film needs from him, but hey, that's not his job. But so we don't miss the point, there's always a poster of Edward Snowden behind Greenberg in his office.

The film has at least two narratives that make for a sometimes conflicted message. One narrative is the libertarian argument in favor of online drug markets, another is that the government has prosecuted Ulbricht unfairly, perhaps illegally.

The moral argument in favor of Silk Road is particularly resonant in this post-Ferguson post-Baltimore era, and I wish the film had followed this thread further. The gist of it is that real-life drug markets are violent scourges that ruin communities, and moving them online removes most of the violence associated with the illegal transactions. Silk Road succeeded by bringing accountability to these transactions; a transaction gone bad would result in a seller losing reputation instead of someone getting killed. In a sense, Silk Road functioned as a government beyond the reach of domestic law. By contrast, the War on Drugs results in police inflicting violence and punishment  on people and communities causing harm out of proportion to the benefit of extending the rule of law.

In the context of this war, it's small wonder Ulbricht doesn't get the benefit of the legal doubt. It's hard not to compare Deep Web with the film I saw last year at Montclair Film Festival, Brian Knappenberger's The Internet's Own Boy. Both films recount the story of a bright young man turned entrepreneur, who is driven by idealism to do something to which the legal system reacts with brutality. Both films prominently feature analysis by the eminently reasonable Cindy Cohn and the starker views of Chris Soghoian. Despite the emotional power of Knappenberger's film, Popehat's Ken White criticized it for its naive view of the legal system. White's cynical view is that we shouldn't be so outraged that Aaron Swartz was singled out for extreme prosecution, because that's what our legal system does to most people it turns its attention to today. This point would go double for Ross Ulbricht. The prosecution of Ulbricht was unfair, but that's exactly how most drug-related cases are prosecuted. "Drug kingpins" who complain about the feds hacking their computers can't expect much forbearance from judges who advance in the system by being "tough on crime", and rich white folks shouldn't expect to be treated differently.

Unfortunately for Winter, the most shocking revelation in the Ulbricht case came after most of the current film was shot, and is only mentioned briefly at the end - two of the agents investigating Silk Road were indicted for stealing over a million dollars worth of bitcoin from the site after they had infiltrated and taken control of the site. It's hard to imagine that this won't play a major role on appeal.

As far as I can tell, Deep Web get its facts right. It manages to avoid many of the silly characterizations of Bitcoin in the popular media (for example, bitcoin enables anonymity but it's not automatic). The only quibble I have is the title. "Dark Web" would have been more accurate, as well as more dramatic.

Over all, I found Deep Web an extremely engaging telling of an important story. But it ends in an unsatisfying place, with a shoe dropping. See don't miss it when it airs on May 31; you'll be able to enjoy what happens next.

Trivia note: Both Ross Ulbricht and I, in our past lives, published scientific articles on the incredibly obscure topic of adsorption-controlled molecular beam epitaxy of oxides. Yep.
Deep Web premieres on May 31 at 8PM EST on EPIX.

Here's the Trailer:

Saturday, May 2, 2015

Ranganathan and the 5 Blind Librarians

It's "Choose Privacy Week". To celebrate, the American Library Association is publishing a series of blog posts; today they're running mine! I wanted to write something special, so I decided to have little fun with a parable. I'm reprinting it here:

I've heard it told that after formulating his famous "Five Laws of Library Science", the great Indian librarian S. R Ranganathan began thinking about privacy in libraries. Here's what I remember of the tale:

In India at the time, there were five librarians reknowned far and wide for their tremendous organizational skills, formidable bibliographic canny, and the coincidental fact that each of them was blind. It was said that "S" could identify books by their smell. "H" could classify a book just by the sound of the footfalls of a person carrying it. "T" was famous for leading patrons by the hand to exactly the book they wanted; the feel of a person's fingernails told him all he needed to know. "P" knew everything there was to know about paper and ink. "C" was quick with her fingers on a keyboard and there was hardly a soul in his city she had not corresponded with.  But these 5 were also sought out for their discretion; powerful leaders would consult them, thinking that their blindness made them immune to passing on their secrets of affairs and of state.

So of course, Ranganathan asked the five blind librarians to come to him so he could benefit from their wisdom and experience with privacy. The great librarians began talking among themselves as they sat outside Ranganathan's house.

"On my way through the countryside I encountered a strange beast", said librarian H.  "I can't say what he was, but he had a distinctive call like a horn: Toot-to-to-toooot..." and librarian H reproduced a complicated sound that must have had at least 64 toots.

"By that sound, I think I encountered the same beast." said librarian T. "I reached out to touch him. He was hard and smooth, and ended in a point, like a great long sword."

"No, you are wrong", said librarian P. I heard the same sound, and the strange beast is like a thick parchment, I could feel the wind when it fluttered.

"You fellows are so mistaken." said librarian C "You touch for a second and you think you know everything. I spent 15 minutes playing with the beast, she is like a great squirming snake."

"I know nothing of the beast except the smell of his droppings," said librarian S.  "But what I do know is that the beast had recently eaten a huge feast of bananas."

At this, a poacher who had been eavesdropping on the five librarians picked up his shotgun and ran off.

Just then, Ranganathan emerged through his door. Surprised at seeing the poacher run off, he asked the librarians what they had been talking about.

The librarians each repeated what they had told the others. When librarian S finally recounted the banana smell, Ranganathan became alarmed. The poacher had run in the direction of a grove of banana trees. Before he could do anything, they heard the sound of a powerful shotgun in the distance, and then the final roar of a dying elephant. 

With tears in his eyes, Ranganathan thanked the 5 librarians for their trouble, and sent them home. Though Ranganathan's manuscript on privacy has been lost to time, it is said that Ranganathan's 1st law of library privacy went something like this:


"Library Spies Don't Need Eyes".


Wednesday, April 1, 2015

Suggested improvements for a medical journal privacy policy


After I gave the New England Journal of Medicine a failing grade for user privacy noting that their website used more trackers than any other scholarly journal website I looked at, the Massachusetts Medical Society asked me to review the privacy policy for NEJM.com and make changes that would improve its transparency. On the whole their website privacy policy is more informative and less misleading than most privacy policies I've looked at. Still, there's always room for improvement. They've kindly allowed me to show you the changes I recommended:


Last updated: April 1, 2015

Governing Principles 

NEJM.org is owned and operated by the Massachusetts Medical Society (“MMS”). We take privacy issues seriously and are committed to protecting your personal information. We want to say that up front because it sounds nice and is legally meaningless. Please take a moment to review our privacy policy, which explains how we collect, use, and safeguard information you enter at NEJM.org and any of our digital applications (such as our iPhone and iPad applications). This privacy policy applies only to information collected by MMS through NEJM.org and our digital applications. This privacy policy does not govern personal information furnished to MMS through any other means.


WHAT INFORMATION DO WE COLLECT?

Information You Provide to Us
We will request information from you if you establish a personal profile to gain access to certain content or services, if you ask to be notified by e-mail about online content, or if you participate in surveys we conduct. This requires the input of personal information and preferences that may include, but is not limited to, details such as your name, address (postal and e-mail), telephone number, or demographic information. You can't use secure communications to give us this information, so you should consider anything you tell us to be public information. If you request paid content from NEJM.org, including subscriptions, we will also ask for payment information such as credit card type and number. Our payment providers won't actually let us see your credit card number, because there are federal regulations and such.
Information That Is Automatically Collected
Log Files
We use log files to collect general data about the movement of visitors through our site and digital applications. This may include some or includes all of the following information: the Internet Protocol Address (IP Address) of your computer or other digital device, host name, domain name, browser version and platform, date and time of requests, and the files downloaded or viewed. We use this information to track what you read and to measure and analyze traffic and usage of NEJM.org and our digital applications. We build our site in such a way that this information is leaked to our advertisers, our widget providers, our analytics partners, the advertising partners of our widget providers, all the ISPs that connect us, and government entities such as the NSA, the Great Firewall of China, and the "Five Eyes" group.
Cookies
We use cookies to collect information and help personalize your user experience us make more money. We store minimal personally identifying information ten tracking identifiers in cookies and protect allow our partners to access this information. We do not store complete records or credit card numbers in cookies. We don't put chocolate chips in cookies either. Even if they're the other kind of cookies. Because we read about the health effects of fatty foods, in NEJM of course. You can find out more about how we use cookies at our Cookie Information page which is a separate page because it's more confusing that way.
Most web browsers automatically accept cookies. Browsers can be configured to prevent this, but if you do not accept any cookies from www.NEJM.org, you will not be able to use the site. The site will function if you block third party cookies.
In some cases we also work with receive services or get paid by third party vendors (such as Google, Google's DoubleClick Ad Network, Checkm8, Scorecard Reasearch, Unica, AddThis, Crazy Egg, Flashtalking, Monetate, DoubleVerify, and SLI Systems) who help deliver advertisements on our behalf across the Internet, and vendors like Coremetrics, Chartbeat and Mii Solutions, who provide flashy dashboards for our managers. These vendors may use cookies to collect information about your activity at our site (i.e., the pages you have visited) in order to help deliver particular ads that they believe you would find most relevant. You can opt out of those vendors' use of cookies to tailor advertising to you by visiting http://www.networkadvertising.org/managing/opt_out.asp. Except for Checkm8, Scorecard Reasearch, Unica, Crazy Egg, Monetate, Coremetrics, Chartbeat, Mii Solutions and SLI Systems. And even if you opt out of advertising customization, these companies still get all the information. We have no idea how long they retain the information or what they do with the information other than ad targetting and data dashboarding.
Clear Gifs (Web Beacons/Web Bugs)
We may also use clear gifs which are tiny graphics with unique identifiers that function similarly to cookies to help us to track site activity. We do not use these to collect personally identifying information, because that's impossible. We also do not use clear gifs to shovel snow, even though we've had a whole mess of it. Oh and by the way, some of our partners have used "flash cookies", which you can't delete. And maybe even "canvas fingerprints". But they pay us money or give us services, so we don't want to interfere.




HOW IS THIS INFORMATION USED?

Information that you provide to us will be used to process, fulfill, and deliver your requests for content and services. We may send you information about our products and services, unless you have indicated you do not wish to receive further information.

Information that is automatically collected is used to monitor usage patterns at NEJM.org and at our digital applications in order to help us improve our service offerings. We do not sell or rent your e-mail address to any third party. You may unsubscribe from our e-mail services at any time. Life is short. You may have a heart attack at any time, or get run over by a truck. For additional information on how to unsubscribe from our e-mail services, please refer to the How to Make Changes to Your Information section of this Privacy Policy.

We may report aggregate information about usage to third parties, including our service vendors and advertisers. These advertisers may include your competitors, so be careful. For additional information, please also see our Internet Advertising Policy. We may also disclose personal and demographic information about your use of NEJM.org and our digital applications to the countless companies and individuals we engage to perform functions on our behalf. Examples may include hosting our Web servers, analyzing data, and providing marketing assistance. These companies and individuals are obligated to maintain your personal information as confidential and may have access to your personal information only as necessary to perform their requested function on our behalf, which is usually to earn us more money, except as detailed in their respective privacy policies. So of course, these companies may sell the data collected in the course of your interaction with us.
Advertisers
We contract with third-party advertisers and their agents to post banner and other advertisement at our site and digital applications. These advertisements may link to Web sites not under our control. These third-party advertisers may use cookie technology or similar means i.e. Flash to measure the effectiveness of their ads or may otherwise collect personally identifying information from you when you leave our site or digital applications. We are not responsible or liable for any content, advertising, products or other materials offered from such advertisers and their agents. Transactions that occur between you and the third-party advertisers are strictly between you and the third party and are not our responsibility. You should review the privacy policy of any third-party advertiser and its agent, as their policies may differ from ours.
Advertisement Servers
In addition to advertising networks run by Google, which know everything about you already, We use a third-party ad server, CheckM8, to serve advertising at NEJM.org. Using an advertising network diminishes our ability to control what advertising is shown on the NEJM website. Instead, auctions are held between advertisers that want to show you ads. Complicated algorithms decide which ads you are most likely to click on and generate the most revenue for us. We're thinking of outsourcing our peer-review process for our article content to similar sorts of software agents, as it will save us a whole lot of money. Anyway, if you see ads for miracle drugs on our site, it's because we really need these advertising dollars to continue our charitable work of publicizing top quality medical research, not because these drugs have been validated by top quality medical research. CheckM8 does not collect any personally identifiable information regarding consumers who view or interact with CheckM8 advertisements. CheckM8 solely collects non-personally identifiable ad delivery and reporting data. For further information, see CheckM8’s privacy policy. Please note that the opt-out website we mentioned above doesn't cover CheckM8, And there's not a good way to opt out of CheckM8, so there. The Massachusetts Medical Society takes in about $25 million per year in advertising revenue, so we really don't want you to opt out of our targeted advertising.



WHAT SECURITY MEASURES ARE USED?

When you submit personal information via NEJM.org or our digital applications, your information is protected both online and offline with what we believe to be appropriate physical, electronic, and managerial procedures to safeguard and secure the information we collect. For information submitted via NEJM.org, we use the latest Secure Socket Layer (SSL) technology to encrypt your credit card and personal information. But other information is totally up for grabs.

USER-GENERATED CONTENT FORUMS
Any data or personal information that you submit to us as user-generated content becomes public and may be used by MMS in connection with NEJM.org, our digital applications, and other MMS publications in any and all media. For more information, see our User-Generated Content Guidelines. We'll have the right to publish your name and location worldwide forever if you do so, and we can sue you if you try to use a pseudonym.

OTHER INFORMATION

Do Not Track Signals
Like most web services, at this time we do not alter our behavior or change our services in response to do not track signals. In other words, our website tracks you, even if you use technical means to tell us you do not want us to track you.
Compliance with Legal Process
We may disclose personally identifying information if we are required to do so by law or we in good faith believe that such action is necessary to (1) comply with the law or legal process; (2) protect our rights and property; (3) protect against misuse or the unauthorized use of our Web site; or (4) protect the personal safety or property of our users or the public. So, for example, if you are involved in a divorce proceeding, we can help your spouse verify that you weren't staying late at your office reading up on the latest research like you said you were.

Children
NEJM.org is not intended for children under 13 years of age. We do not knowingly collect or store any personal information from children under 13. If we did not have this disclaimer, our lawyer would not let us do things we want to do. If you are under 13, we're really impressed, you should spend more time outside getting fresh air.

Changes to This Policy
This privacy policy may be periodically updated. We will post a notice that this policy has been amended by revising the “Last updated” date at the top of this page. Use of NEJM.org constitutes consent to any policy then in effect. So basically, what we say here is totally meaningless with respect to your ability to rely on it. Oh well.