A potential customer contacted us recently and, in amongst their technical questions, asked very directly:
What is your attitude to privacy as a company?
It’s a simple question, but also potentially loaded. What do you mean, attitude as a company? Is it your personal data privacy you’re concerned about or the data on your server? And can we really have one policy for the whole company? I think it’s the responsibility of any company that’s handling sensitive customer data to be honest about its approach to privacy.
Ultimately, I believe there are only two things you should consider when selecting a company on this basis:
- what the law says, and
- how much you trust that company to respect your privacy.
Firstly, the legal bit: our services to customers are governed by our terms and conditions. These are contractual obligations on top of our “statutory duties“: the laws we’re required to obey. That means, we are required by law to comply with the orders of a court in England and Wales, whatever those orders might say. In practice, that usually means extracting specific data on one of more of our customer’s servers.
On that topic, our MD, Matthew Bloch has said in the past:
“Bytemark don’t have any choice about compliance with court orders, but we have never been keen on them.
“We follow the letter of each order, painstakingly extracting and filtering the information ordered, accessing the bare minimum, even if that takes much more time.”
And that’s absolutely true – we spend much more time complying with the letter of a court order where it would be easier to simply copy all the data off and let the police filter it.
But as I say above, unless there’s been a court order requiring disclosure to the police, Bytemark will never disclose your data to any third party.
With that out of the way, I’ve written up some of the specific ways that we respect your privacy, which I’ve grouped into three areas:
- how we keep your personal data private
- how we help secure the data on your servers and
- how we contribute to the protection of privacy for everyone.
Keeping your personal data private
- We don’t share your personal details with any third party for marketing purposes.
- We are based in the UK so are not bound by (often spurious) DMCA takedown notices.
- At the same time, we are bound by the Data Protection Act and related regulations which means that any compromises of your personal data must be reported to the Information Commissioner.
Helping secure the data on your servers
- Our data centres are designed to provide extensive physical security, with access controlled, tracked and monitored at all times.
- We do not pretend that we can monitor the content of all our customers’ sites. All abuse reports must follow a very specific process.
- We don’t routinely monitor what people are doing on their servers, though we might have to look at the traffic to check compliance with our Acceptable Use Policy.
However, we do offer a ‘back door’ to your servers through a network boot environment. This is for your convenience (and ours, if you asked us to reset your passwords). Using full disk encryption on your server – where only you know the password – is the only way to mitigate any risk you might perceive from this tool.
Protecting and improving privacy principles for everyone
- We support the Open Rights Group with free hosting — that page has a few links to our blog which might help shape your opinion on us too including:
- We are one of the few hosting providers that will communicate with you using PGP-compatible encryption — we even recently donated to the GnuPG project.
- We’ve also written a blog post about the Snowden revelations: the Bytemark guide to dodging spies.
- Finally, we support Free software unconditionally: we use it to build and run our business. We process customer data in the UK using Free software, where the source can be inspected for bugs.
What other things could we do or show that would help us bolster your confidence that we are a company that respects your privacy? Drop us a comment below.