Why we moved servers to Iceland

Translator's note: Simple Analytics is a privacy-focused website analytics service (in a sense, the opposite of Google Analytics).

As the founder of Simple Analytics, I have always been mindful of how important trust and transparency are to our customers. We are responsible for their data, and they should be able to sleep peacefully. Every choice should be optimal for the privacy of both visitors and customers, so one of the most important questions for us was where to locate our servers.

In the last few months we have gradually moved our servers to Iceland. I want to explain how everything happened, and, most importantly, why. It was not an easy process and I would like to share our experience. There are some technical details in the article, which I tried to write in plain language, but I apologize if they are too technical.

Why move servers?

It all started when our domain was added to EasyList, a list of domains used by ad blockers. I asked why we had been added, since we do not track visitors; we even honor the browser's "Do Not Track" setting.

I left the following comment on the pull request on GitHub:

[…] So if we continue to block good companies that respect user privacy, what's the point? I think it's wrong, you shouldn't put every company on the list just because it sends a request. […]

And received this answer from @cassowary714:

Everyone agrees with you, but I don't want my requests going to an American company (in your case Digital Ocean […]

At first I did not like the answer, but in the discussion with the community it was pointed out to me that he was right. The US government could indeed gain access to our users' data: at the time our servers were running on DigitalOcean, and someone could simply pull out our drive and read the data.

There is a technical mitigation. You can make a stolen (or, for whatever reason, removed) drive useless to anyone else: full-disk encryption makes the data inaccessible without the key, and only Simple Analytics holds that key. It is still possible to recover fragments of data, including keys, by physically reading the server's RAM while it is running. A server cannot run without RAM, so on that point you still have to trust the hosting provider.

This got me thinking about where to move our servers.

New place

I started looking into this and came across a Wikipedia page listing countries noted for internet censorship and surveillance. It includes the "Enemies of the Internet" list from Reporters Without Borders, an international NGO based in Paris that advocates for press freedom. A country is classified as an enemy of the Internet when it "not only censors news and information on the Internet, but also carries out almost systematic repression of users."

In addition to this list there is the Five Eyes alliance (FVEY): Australia, Canada, New Zealand, the United Kingdom and the United States. In recent years, leaked documents have shown that these agencies deliberately spy on each other's citizens and share what they collect in order to circumvent legal restrictions on domestic surveillance (sources). Former NSA contractor Edward Snowden described FVEY as "a supranational intelligence organization that does not obey the laws of its own countries." Other countries cooperate with FVEY in wider groupings, including Denmark, France, the Netherlands, Norway, Belgium, Germany, Italy, Spain and Sweden (the so-called 14 Eyes). I have not been able to find evidence that the 14 Eyes alliance abuses the intelligence it gathers.

After that, we decided that we would not host in any of the countries from the list of “enemies of the Internet” and would definitely skip the countries from the 14 Eyes alliance. The fact of collective surveillance is enough to refuse to store our clients' data there.

Regarding Iceland, the above Wikipedia page states the following:

The Icelandic constitution forbids censorship, and there is a strong tradition of protecting freedom of expression that extends to the Internet. […]

Iceland

While searching for the best country in terms of privacy protection, Iceland came up again and again, so I decided to study it carefully. Please keep in mind that I do not speak Icelandic, so I may have missed important information. Let me know if you have anything to add on the topic.

According to Freedom House's Freedom on the Net 2018 report, Iceland and Estonia scored 6/100 (the lower the better), the best result of all the countries assessed. Note that not every country was evaluated.

Iceland is not a member of the European Union, although it is part of the European Economic Area and has agreed to follow consumer protection and business law similar to that of other member states. This includes the Electronic Communications Act 81/2003, which introduced data retention requirements.

The law applies to telecommunications service providers and requires records to be kept for six months. It also states that companies can only release telecommunications information in criminal or public safety matters and that such information cannot be released to anyone other than the police or prosecutors.

Although Iceland generally follows the laws of the European Economic Area, it has its own approach to privacy. For example, the Icelandic Data Protection Act encourages anonymisation of user data. ISPs and hosting providers are not legally responsible for the content they host or transmit. Under Icelandic law, the registry for the .is zone (ISNIC) is responsible for the legality of the use of .is domains. The government imposes no restrictions on anonymous communication and does not require registration when buying SIM cards.


Another benefit of Iceland is its climate and location. Servers generate a lot of heat, and Reykjavik (the capital, where most data centres are located) has an average annual temperature of 4.67°C, so outside air does most of the cooling. For every watt of server and network equipment, proportionately very little additional power goes to cooling, lighting and other overheads. In addition, Iceland is the world's largest producer of clean energy per capita and the largest producer of electricity per capita overall, at approximately 55,000 kWh per person per year; for comparison, the EU average is less than 6,000 kWh. Most hosting providers in Iceland get 100% of their electricity from renewable sources.

If you draw a straight line (a great-circle route) from San Francisco to Amsterdam, it crosses Iceland. Most of Simple Analytics' customers are in the US and Europe, so the location makes sense geographically. Additional points in Iceland's favour are its privacy laws and its environmental approach.

Server transfer

First we had to find a local hosting provider. There are quite a few, and it is genuinely hard to tell which is best. We did not have the resources to try them all, so we wrote automated provisioning scripts (Ansible) that set up the server from scratch, so that we can easily switch to another host if necessary. We settled on a company called 1984, whose motto is "Defending privacy and civil rights since 2006". We liked the motto and asked them a few questions about how they would handle our data. Their answers reassured us, so we went ahead with setting up the main server. They also use only electricity from renewable sources.

Along the way, however, we ran into several obstacles. This part of the article is quite technical; feel free to skip to the next one. When a server's disk is fully encrypted, it has to be unlocked with the key at every boot. That key cannot be stored on the server itself (otherwise the encryption would protect nothing), so it must be supplied remotely when the server starts. But what happens after a power failure? Until someone enters the key, the server cannot finish booting, and every pageview request sent to it in the meantime would be lost.

That is why we put a simple relay server in front of the main server. It receives pageview requests and passes them straight on to the main server. If the main server is unreachable, the relay stores the requests in its own database and keeps retrying until it gets a response. That way nothing is lost after a power failure.
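To make that relay design concrete, here is an added example (written for this article, not Simple Analytics' own code) of a write-ahead store-and-forward relay in Python with SQLite. It assumes the main server exposes an ingest call that accepts an event id alongside the event and deduplicates on that id; the FakePrimary class, the send interface and the sample events are constructed for the example. Two details go beyond what the paragraph above says: the relay persists an event before the first delivery attempt, so a crash of the relay itself loses nothing, and the id assigned at ingest is reused on every retry, so a request the main server processed but whose acknowledgement was lost is not counted twice.

```python
"""Store-and-forward relay for pageview events (added illustration, not
Simple Analytics' code).  The relay persists every event to its own SQLite
database *before* trying to forward it, deletes the row only when the main
server acknowledges it, and retries with exponential backoff otherwise.
Each event carries an id assigned once at ingest, so a retry after a lost
acknowledgement cannot double count a pageview on the main server."""
import json
import sqlite3
import time
import uuid


class PrimaryUnavailable(Exception):
    """Raised by the send callable when the main server does not answer."""


class Relay:
    def __init__(self, send, db_path=":memory:", base_delay=1.0, max_delay=300.0):
        # send(event_id, event) forwards one event and raises PrimaryUnavailable
        # on connection failure or timeout (assumed interface of the main server).
        self.send = send
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.db = sqlite3.connect(db_path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS outbox ("
            " id TEXT PRIMARY KEY, payload TEXT NOT NULL,"
            " attempts INTEGER NOT NULL, next_attempt REAL NOT NULL)"
        )
        self.db.commit()

    def ingest(self, event, now=None):
        """Accept one pageview: write-ahead to the outbox, then try to forward.
        Returns the event id; the row survives a crash of the relay itself."""
        now = time.time() if now is None else now
        event_id = uuid.uuid4().hex          # idempotency key, fixed for all retries
        payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
        self.db.execute(
            "INSERT INTO outbox VALUES (?, ?, 0, ?)", (event_id, payload, now)
        )
        self.db.commit()
        self._attempt(event_id, payload, 0, now)
        return event_id

    def flush(self, now=None):
        """Retry queued events whose backoff has expired; returns the number delivered."""
        now = time.time() if now is None else now
        rows = self.db.execute(
            "SELECT id, payload, attempts FROM outbox WHERE next_attempt <= ?"
            " ORDER BY next_attempt",
            (now,),
        ).fetchall()
        return sum(self._attempt(i, p, a, now) for i, p, a in rows)

    def pending(self):
        """Number of events still waiting for an acknowledgement."""
        return self.db.execute("SELECT COUNT(*) FROM outbox").fetchone()[0]

    def _attempt(self, event_id, payload, attempts, now):
        try:
            self.send(event_id, json.loads(payload))
        except PrimaryUnavailable:
            # Back off exponentially (capped) and keep the row for a later flush.
            delay = min(self.base_delay * 2 ** attempts, self.max_delay)
            self.db.execute(
                "UPDATE outbox SET attempts = ?, next_attempt = ? WHERE id = ?",
                (attempts + 1, now + delay, event_id),
            )
            self.db.commit()
            return False
        self.db.execute("DELETE FROM outbox WHERE id = ?", (event_id,))
        self.db.commit()
        return True


class FakePrimary:
    """Constructed stand-in for the main server.  It deduplicates by event id,
    which is what makes the relay's retries safe."""

    def __init__(self):
        self.up = True          # False simulates the encrypted server waiting for its key
        self.lose_ack = False   # True simulates a processed request whose reply is lost
        self.seen = set()
        self.pageviews = 0

    def receive(self, event_id, event):
        if not self.up:
            raise PrimaryUnavailable("connection refused")
        if event_id not in self.seen:
            self.seen.add(event_id)
            self.pageviews += 1
        if self.lose_ack:
            raise PrimaryUnavailable("timed out waiting for acknowledgement")


if __name__ == "__main__":
    primary = FakePrimary()
    relay = Relay(primary.receive)
    relay.ingest({"path": "/", "referrer": ""}, now=0)
    primary.up = False
    relay.ingest({"path": "/pricing", "referrer": ""}, now=10)
    print("queued while primary down:", relay.pending())
    primary.up = True
    print("delivered on flush:", relay.flush(now=11))
    print("pageviews counted:", primary.pageviews)
```

Two operational notes follow from this design. The relay briefly holds unencrypted pageview data of its own, so its database should sit on encrypted storage just like the main server's; and the outbox should be bounded or monitored, so that a long outage of the main server does not silently fill the relay's disk.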

Back to booting the server. When the encrypted main server boots, someone has to enter the passphrase, and for obvious reasons we do not want to fly to Iceland or ask someone there to walk into the server room. Remote access normally goes over SSH, but the regular SSH daemon only starts once the root filesystem has been unlocked and mounted, and we need to connect before that point.

So we found dropbear, a very small SSH server that can run from the initial RAM disk (initramfs) used during early boot, and it can accept external connections there. Now nobody has to fly to Iceland to unlock our server, hooray! One caveat for anyone doing the same: the dropbear instance in the initramfs has its own host key, separate from the one the main system's SSH daemon uses, so the client should verify and pin that key (for example in a dedicated known_hosts file, on a separate port) before typing the disk passphrase into it; otherwise anyone who can intercept traffic to the server could impersonate the boot-time SSH server and capture the passphrase.

It took us a couple of weeks to move to a new server in Iceland, but we're glad we finally did it.

Keep only the data you need

At Simple Analytics, we live by the principle of “Keep only the data you need”, collecting the minimum amount of it.

Web applications often use soft deletes: the data is not actually deleted, just hidden from the end user. We do not do that. If you delete your data, it disappears from our database; we use hard deletes. Note: it will remain in encrypted backups for at most 90 days, so that we can restore it if something goes wrong.

We don't have deleted_at fields 😉

It is important for customers to know what data is stored and what is deleted. When someone deletes their data, we are explicit about what happens: the user and their analytics are removed from the database, and we also remove the credit card and e-mail address from Stripe (our payment provider). We keep the payment history, which we need for tax purposes, and our log files and database backups for 90 days.

Question: if you store only a minimum of sensitive data, why do you need all this protection and additional security?

Well, we want to be the best privacy-focused analytics company in the world. We will do our best to provide the best analytics tools without invading the privacy of your visitors. Even while protecting vast amounts of anonymized visitor information, we want to show that we take privacy very seriously.

What's next?

When we improved privacy, the script embedded in web pages became slightly slower to load. That makes sense: it used to be served from the Cloudflare CDN, a network of servers around the world that speeds up downloads for everyone. Right now we are thinking of setting up a very simple CDN of our own, on encrypted servers, that will serve only our JavaScript and temporarily store pageview requests before sending them on to the main server in Iceland.

Source: habr.com
