Privacy Policy

Melbourne Activist Legal Support (MALS) recognises that protecting and advancing privacy is an important part of supporting activists and movements working for positive social and political change.

This informational page outlines what digital data may be created when accessing this website, along with commentary you may find helpful about digital data in general, and how it may apply to you and your data while using the Internet generally.

About

Like all digital interactions, the use of this website generates certain data. We’ve categorised the types of data that may be generated by this website as applicable below, and you can click on each to learn more about what data may be generated and why. Below also outlines how long data may be collected, with whom it may be shared, why, and if applicable, how you can access it or delete it.

For the purposes of clarity, “personal information” carries the definition provided by the the Office of the Australian Information Commissioner, as outlined in the glossary below; and “your data” refers to personal information about you as an individual that is accessible by MALS through your usage of this website, or from other digital interactions you may have had with MALS, such as communicating with us via e-mail.

For any questions about this policy, or any of the information contained on this page, please contact us.

Last updated: 5th February 2020.

Glossary

The OAIC states, “personal information includes a broad range of information, or an opinion, that could identify an individual,” which in the context of this policy, could include your:

  • name,
  • signature,
  • address of residence,
  • postage address,
  • phone number,
  • date of birth,
  • financial information such as your credit card number or bank account number,
  • image as appearing in photographs or video footage,
  • Internet Protocol (IP) address used to access this website or communicate with MALS, or
  • location information, provided from a mobile device.

Data Categories

This website runs on Open Source software tools such as Linux to build and serve the pages, and manage the content, while Cloudflare is used as an intermediary Content Delivery Network and security agent. This means that data generated by accessing this website will pass through at least three points:

  • your Internet Service Provider (the corporation that you buy Internet access from);
  • Cloudflare (the corporation that proxies and protects the content of this website); and,
  • the MALS Internet Service Provider (the corporation that physically hosts this website and end-point network connection). 

Data may likely pass through many more points because of how the Internet is a large interconnection of networks, but in terms of the end point of all requests related to this website in which MALS has control, the MALS Internet Service Provider advises that they deploy standard logging (as defined by the The World Wide Web Consortium) in order to manage demand to this website on their systems, and to protect the security of their network.

This means that you should expect that the data generated as part of simply accessing this website will be at least:

  • the IP address of the device making each request, as well as a basic guess at its geo-graphical location (whether based on the IP address range and its generally assigned network location, or a WHOIS lookup);
  • the domain name of the device making each request to this website (using reverse DNS where applicable);
  • the URL of each request, as well as the URL that referred each request;
  • the HTTP status code of each request, which may denote if a request was successful or not;
  • the Date and Time of each request;
  • the “User-Agent” identifier of the device making each request, as well as the type and version of its Operating System software.

As this is a publicly accessible website, you should expect that this data will be in the possession and control of all Internet Service Providers involved in providing this website to you, including the ones outside of MALS’ control. Many will keep this data for something like a few minutes, if at all, but others can keep it for up to 30 days, and sometimes much longer. For example, if our Internet Service Provider detects that our website is receiving fraudulent traffic, it may decide without notice to keep or expand the data that is generated from the requests made to the website for longer than 30 days in order to investigate and mitigate attacks on their infrastructures.

This website is also accessible in Australia, and as such, is subject to draconian laws such as the meta-data mass surveillance scheme. This means that many government agencies may collect and access any of the above data without a warrant. The law claims this data is kept for at least 2 years.

MALS has the ability to access web server data logs as a customer of Internet Service Providers, but in general does not use this information in the day-to-day functioning of MALS. We certainly do not collect nor retain any of the above data whatsoever for the purposes of identifying an individual person, tracking their online behaviour, or monetising the data in any way. We will never sell any data, ever.

MALS also does not keep a copy of web server logs.

Web server data does has the potential to identify you, so if you’re looking for more privacy than default while browsing this website, you could use a network anonymisation tool such as TOR, or a trusted VPN provider such as Riseup.net, which can route your requests through a series of relays, effectively obfuscating most of the web server data generated by your device.

As part of accessing this website, your browser may be issued with a cookie. This is a small piece of data sent from this website, and, depending on your browser’s settings, may be stored on your device for at least the duration of your browsing session. Most people have their browsers configured to keep cookies for a longer period of time than this, so it’s recommended you check and adjust your settings to something that you’re comfortable with.

Cookies are sometimes deployed by websites in order to allow them to interact with your device somewhat more smoothly. For example, to remember that you’ve filled in a form, or that you’re logged into the website. Other times, cookies are used by websites to store a unique identifier that can allow other entities (such as advertisers) to track you around the web.

This website does not create nor use any cookies whatsoever for the purposes of displaying advertising, identifying an individual person, tracking their online behaviour, or monetising any data in any way. We will never sell any data, ever.

No cookies on this site come from advertisers, as we don’t run advertising on our site, as it’s repugnant and unwanted.

This website also does not and should not interact with or generate any third-party cookies apart from:

  • Cloudflare, which is used as an intermediary Content Delivery Network and security agent, and hence generates a browser security token; or
  • Stripe, which handles the processing of Credit Cards as part of accepting donations.


You can choose to reject cookies from this website to no penalty other than some processes may then become unautomated, such as remembering that you’ve answered a CAPTCHA, or that you’re logged in. This should not be access-critical however, the website should still work if you reject cookies, but may require slightly more effort to use than otherwise from time to time.

Third-party cookies likely have differing data usage and privacy policies to MALS. You can learn more about each by clicking on their name above.

This website does not track you. We do not use Google Analytics, Facebook Pixel, nor any other service to track or profile users. In fact, we do not use any Google or Facebook products of any kind in the delivery or functionality of this website, as they compromise privacy and enable easy surveillance.

MALS does have access to basic monthly statistics of aggregate website usage as collected and provided by our Internet Service Provider (standard web server data), but MALS does not directly collect nor store this information. See “Website Page Requests” and “Cookies” above.

MALS does not collect nor retain any statistical data whatsoever for the purposes of identifying an individual person, tracking their online behaviour, or monetising the data in any way. We will never sell any data, ever.

If you send MALS an e-mail either using our Contact Form, or write to us directly using an e-mail client of your choosing, you should expect that the following data will be produced:

  • the IP address of the device that sent the message;
  • the domain name of the device sending the message (using reverse DNS where applicable);
  • the Date and Time the message was sent;
  • your name, as provided by you;
  • the subject of the message, as provided by you;
  • your reply e-mail address, as provided by you; and,
  • the contents of your message, as provided by you, whether OpenPGP encrypted or sent in plain-text.

Your message will arrive to our e-mail servers containing the above data, just like all other e-mails you send.

Your message will then be checked through an automated spam detection service to determine whether or not it is spam. If your message is deemed acceptable, it will be delivered. If not, it will be marked as spam. Repeat offenders will have their e-mail addresses or IP addresses blocked.

All messages sent to MALS will be securely kept and made accessible to trusted MALS members in order to read, understand, and respond to your message. Because of this, it is likely that your message will be at most kept possibly indefinitely, or at least as long as it is deemed relevant by MALS. This means you should expect the above information may be accessible by MALS for a long time.

All messages sent to MALS e-mail addresses are stored offshore, in a privacy friendly jurisdiction, and not in Australia.

MALS may share your contact details internally, in order to read, respond, and refer to any correspondence, but MALS will not share your contact details outside of our organisation, unless you have directed us to do so, or have given us permission. For example, you’re asking for legal support and we forward your contact information to relevant legal firms so they can correspond with you.

If you would like to protect the content of your message using OpenPGP encryption, please read our guide here. MALS has the ability to accept and respond to OpenPGP encrypted e-mails.

If you’d prefer an anonymous or “quick-burn” method of contacting MALS that is also encrypted, you could opt to send us a message using Session Chat. Please check our Contact Us page for our current Session Chat ID to connect to us securely.

If you sign up to one of our e-mail lists or make a donation to MALS and provide your e-mail address, you’ll receive e-mail announcements from MALS from time to time.

The data that is collected by MALS is your e-mail address, as provided by you. It is kept recorded for the duration of your membership of a list, in order to send you announcements, news, and updates. If you wish to unsubscribe from any e-mail announcements by MALS, you can do so at any time by clicking the “unsubscribe” link at the bottom of any Newsletter note we send. The unsubscribe link contains a code that will remove and delete your address immediately.

If your e-mail address is on our media contacts list, it has been added as part of outreach to publicly accessible media organisations and you should only receive our announced media releases or other intermittent journalistic announcements from MALS. If you wish to unsubscribe from any e-mail announcements by MALS, you can do so at any time by clicking the “unsubscribe” link at the bottom of any Newsletter note we send. The unsubscribe link contains a code that will remove and delete your address immediately.

MALS will never sell nor share an e-mail list.

If you make a donation to MALS–thank you!–you should expect the following data to be generated, along with the commensurate common Website Page Request data (as outlined above):

  • the Date and Time the donation was made;
  • your name, as may be provided by you (or not, if you opted to donate without publishing your name);
  • your e-mail address, as provided by you;
  • your credit card number or bank account details, as provided by you;
  • a postage or e-mail address, as may be provided by you when making a donation in honour or tribute to someone;
  • a publicly posted comment, as may be provided by you;
  • the donation amount;
  • if your donation is a subscription (i.e. it is recurring), at what interval you’ve opted to iterate it (daily, weekly, monthly, or yearly);
  • multiple browser cookies for Stripe that contain security tokens, and information about the current browser session to protect legitimate transactions, and test for fraudulent ones. These cookies also may store information about the webpage used to make the donation so that Stripe can process the data submitted to it and handle payments to MALS.

Except for browser cookies, the above data may be kept by MALS for a period of up to 7 years, to comply with regulations concerning monetary donations, and also to be accountable about our sources of funding.

If you sign-up to attend one of our training events, workshops, or talks, you should expect the following data to be generated, along with the commensurate common Website Page Request data (as outlined above):

  • the Date and Time the RSVP was made;
  • your name, as provided by you when booking your ticket(s);
  • your e-mail address, as provided by you;
  • your credit card number or bank account details, as provided by you while making the payment for your ticket(s);
  • multiple browser cookies for Stripe that contain security tokens, and information about the current browser session to protect legitimate transactions, and test for fraudulent ones. These cookies also may store information about the webpage used to make the bookings for the event so that Stripe can process the data submitted to it and handle payments to MALS for tickets.

Except for browser cookies, the above data may be kept by MALS for a period of up to 7 years, to comply with regulations concerning monetary donations, and also to be accountable about our sources of funding.

Some pages on this website may include embedded content such as videos or images from archive.org or other websites, or ‘Tweets,’ or excerpts of other website’s pages.

Embedded content from other websites behaves in the exact same way as if you had visited the other website too. This means we take care when deciding to embed content from other websites, as this means the external website has access to some of the same website page request data that is generated by your device when you view the page on our website.

External websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website. External websites will almost definitely have very differing motivations around data generation and usage than MALS does, so we do our best to take this into consideration when embedding their content into our website.

Our main use of embedded content is likely to be ‘Tweets,’ so if you wish to block Twitter from your browser while accessing our website, you could do so by searching for an appropriate trusted plugin or extension such as NoScript, for example. Or you could block Twitter on your device entirely by using modifications to the ‘hosts’ file on your computer. We recommend investigating StevenBlack’s Unified Hosts Blacklist, if you wish to learn more about blocking connections to specific websites.

MALS does not run any advertising on its website, but strongly recommends the usage of an ad-blocker functionality in your browser when using the Internet generally.

Additional Information

Personal information submitted to this website is protected through SSL encryption in transit, and connections to this website should be configured to automatically prefer the use of strong encryption ciphers.

This website also uses salts to hash passwords and protect logins, fail2ban to protect against brute-force attacks, as well as many other Open Source measures to automatically log and audit the use or attempted use of online systems containing personal information.

Personal information submitted to this website may be kept for as long as there is a justifiable need to retain the information. This period of time will vary, depending on what the information is, and how and why it was submitted or created.

For example, if you post a comment on this website, it may be kept indefinitely, in order to remain published. Likewise, we may opt to keep e-mails sent to us for an indefinite period of time, in order to read, respond and refer to that message internally. Given the nature of MALS as an organisation, the need to refer to past correspondence can be sometimes very important to our work. This could mean that your messages may be kept for many years. Not all messages will be kept this long of course, but it means you should expect that any e-mails we will receive could be kept for a long time.

Other data such as website page requests or statistical usage patterns will be kept for much shorter periods of time, sometimes as short as a few minutes, but could be as long as a month or more. 

We try to explain this as much as possible above where each period of time may vary, what you should expect, and why, but if you have a specific question about a particular set of your personal information, please see the heading below, “How do I obtain and/or delete my data?”

In the highly unfortunate event that any personal information is accessed without permission or inappropriately (for instance, if we get hacked, or a company that provides a service to us gets hacked), we will tell you what happened as soon as we know about it. We will also contact anyone directly effected or suspected to be at risk and announce what we’ll do to help clean up the mess.

Obviously nobody ever wants this to happen, so we take as many precautions as we can manage to keep our systems secure and protected with the resources available to us, but like all computer systems, nothing is 100% impossible. We recognise that extreme vigilance is required to keep personal information secure and private, and MALS makes the commitment to do that with care and trust.

If you would like to query MALS about your personal information from this website, please see the heading below, “How do I obtain and/or delete my data?”

Internally, your personal information may be shared with trusted MALS members, and only when there is a need to do so within our group. MALS makes the commitment to do this with care and trust.

Your personal information will never be shared with anyone outside MALS, unless you’ve directed us or given us permission to do so.

MALS certainly does not and will never share any of your personal information with the police, unless you have directed MALS to do so, or have given explicit permission for a specific instance. For example, if you’ve allowed MALS to publish a document about police misconduct using your name, and the document is sent to the Police Professional Standards Command to investigate the misconduct.

Permission for sharing any personal information outside of MALS shall be sought and only accepted for a specific purpose, and that purpose will be as direct and clearly articulated to you as we can make possible, in order for you to give proper informed consent.

If you’ve signed up to one of our e-mail lists; or have made a donation or subscription to support MALS; or have attended one of our training events or workshops; we will have some of your personal information. If you would like to obtain a copy of this information, you can request to receive an exported file of it, including the data you may have provided to us.

You can also request that we delete any personal data we hold about you. This does not include any data we are obliged to keep for set periods for administrative, financial, legal, or security purposes. For example, we are required to keep records of donations for up to 7 years to comply with financial regulations, and so this information is not able to be deleted until after then.

If you have any questions about this privacy policy, please contact us.