Not So Boring Privacy Policy, Part 1—Cookies

With all the recent hullabaloo about internet privacy, not to speak of the imminent European privacy act, and a similar piece of legislation on the way here in Canada, Phyllis and I thought it was time to update our Privacy Policy, particularly since our current one is simply a bit of boilerplate that we, like most internet companies, copied from someplace else.

But rather than just copy one again, or hire a lawyer (can’t afford that anyway) to write some complicated smoke screen of blather and cover-our-ass clauses, we have decided to tell you in plain old English what information we store about you (not much), how we use that information (not much), and the steps we take to protect it from misuse by others (a lot).

Reduce Boredom

At this point I can hear you say:

“Fine, John, but how are you going to make this interesting?”

Yeah, I know, a tall order. That said, as part of running this site for 15 years and constantly improving our defences against hackers, as well as investigating the myriad of tools available to market our membership and using some of them, I have learned quite a bit about what goes on in the internet world.

Some of it is perfectly innocent business practice, some of it a bit grey, and some of it downright nasty.

And much of the stuff I have learned is pretty interesting, so maybe I can make this less boring by sharing some of that. And, in so doing, maybe help some of you, in just the same way we try to help with articles about things like docking and anchoring.

That said, if you are only interested in exactly what we are and are not doing, just read the parts that look like this paragraph and skip the rest.

Cookies

Let’s start off with the cookies—a silly name for short text files—that we store on your computer, tablet or phone (from now on I will just write “your device”) when you visit us.

What? You store stuff on my device?

Yup, and pretty much every site you visit does the same. And some of those sites use those little pieces of information in some pretty creepy ways: Ever wonder how sites know to show you ads about, say, sails after you do a search on “best sailmaker in….”? Or how companies know that you nearly bought a product from their site, and then decided against it? Well, cookies are a lot of how that’s done.

What We Do

So here’s what we do with cookies at AAC:

  • Monitor traffic to our site to determine stuff like what articles are most popular and the path that readers take to become members. We use a service from Google called Analytics to do that.
  • If you are a member, we write a cookie to your device when you log in so that we don’t have to bug you to log in again when you next visit.
  • We track user clicks on one of our Corporate Member’s ads.
  • We track user shares of our posts on social media.
  • Also, while not a cookie, we execute a small piece of JavaScript in your browser to monitor how quickly our pages load—maintaining decent performance on a site this complicated is a huge challenge and this helps us make sure something has not slowed our site down.

That’s it.

What We Don’t Do

Perhaps, more importantly, here’s what we don’t do:

  • We don’t track you personally in any way. 
  • We don’t show you anything on our site driven by what you have already looked at—everyone sees the same stuff, although of course logged-in members see more…and less: no membership promotion.
  • We don’t use the cookie code to read anything off your device. In fact, as far as I know, that’s not even technically possible.
  • We don’t share any information about you with our Corporate Members.
  • We don’t share what you do at AAC with any other company or individual.

Not Tracking You Personally

Let’s expand a bit on all of that, and in the process arm you with information about what to look out for on other sites.

Google identifies each of you with a number any time you visit any site that runs Analytics, and that’s the vast majority of the internet.

So we can see the following about a visitor:

  1. How they found our site: search, referral (link), etc.
  2. The pages they visited.
  3. The course they followed to become a member (we hope).

All of this information is anonymous: We know what visitor number, say, 12530269484.15884993018 did on our site, but we don’t know their name or anything personal about them.

We have also instructed Google to delete even that information 14 months after the user’s last visit—the shortest retention time they offer.

But our intentional ignorance is only maintained as long as we don’t link the personal information we have on you in our mailing list and member files to Google’s tracking. Not to worry, we have never, and will never do that. Phyllis and I decided over five years ago that personal tracking was way too creepy.

To me this is the core of the whole privacy issue and the thing that every internet user should zero in on when deciding whether or not they are comfortable with how they are being treated by a particular site: Are they tracking you personally?

History of Internet Spying

By the way, here’s a bit of interesting history about how all this came about.

All Was Good

Up until a few years ago companies like Google, that live by selling advertising, rigorously maintained user anonymity—remember Google’s old and now long gone motto, “Don’t Be Evil”?

The Start of Something Bad

But then along came a Harvard University dropout who had built one of the most popular sites in the world and was trying to figure out how to make money from it. And he realized that the way to do that was to sell all the information he had accumulated about us…yup, that’s Facebook’s business model:

  • They convince us to share our most personal information.
  • They use deep psychology to addict us and our children to their “services”.
  • They use our creative work (photos, video, and writing), without payment, to entice others to join.
  • And they then auction (yup, to the highest bidder) information about us and our friends and family to pretty much anyone who will pay, so they can target us with creepy personalized advertising and even creepier propaganda masquerading as content.

And anyone who thinks that their recent contrition about all of this will stop it going forward is sadly deluded. Not going to happen since it’s the foundation of how they make money—if a service is free, you are the product being sold.

(The right thing for Facebook to do is change to a membership model so their loyalty would be to their users, not advertisers, but that will never happen, unless forced by law, since that model would only make them filthy rich, not obscenely rich.)

And the sad fact is that this model worked so well that Facebook started eating Google’s lunch, so Google jumped into the cesspit of personally-targeted marketing too. And don’t get me started on what a certain shaven-headed bookseller knows about us…and he charges us a membership as well. Hint: It’s called Prime.

No Third Party Personal Tracking

OK, enough ranting—hey, it wasn’t boring—back to what we don’t do at AAC…and this is a big one.

If a site uses Facebook to reach readers, as we do, they are always on at us to install something called the “Facebook Pixel”. A cute name for a piece of code that lets Facebook spy on you personally…even when you are not on Facebook.

I’m ashamed to admit that before we understood what they were doing we had the Facebook Pixel on this site for about six months, while we were figuring out how much Facebook contributed to our site (almost nothing). While not illegal, definitely a mistake, for which I apologize.

Anyway, the Facebook Pixel is gone now, and we won’t ever knowingly install it, or anything like it, ever again.

Sorry about the “knowingly” qualification, but another thing I have learned is that these companies are constantly figuring out new ways to get little sites like us to co-operate, often unknowingly, in their world domination plans, so while we can promise to be diligent in our efforts to thwart that, we can’t guarantee they will never fool us again.

For example, I’m pretty sure, based on their latest user agreements, that Google does not cross-reference your personal identity with activity at sites like ours that don’t share that, but they probably could if they wanted to, at least if you have a Google account, and we might never know.

Opting Out of Cookies

All that said, if you decide that you don’t want our cookies, there are several ways to do that.

Total Opt Out

You can simply tell pretty much any modern browser not to allow cookies, from all sites, or just this site. Here’s how to do that.
The problem with this approach is that if you are a member it will screw things up, since we will have no way to know you are a member when you visit again, or even just load a page.

Opting Out of Google Analytics Tracking

So if you decide you don’t want us to (anonymously) track you, which helps us figure out how to make the site better and keep it financially viable, you can do that here.
Assuming you believe Google—and I actually do on this one—this will stop them tracking you right across the internet, but still leave our membership site working properly.

A Promise

Well, now you know everything about what we intentionally do with cookies. Once again, sorry for the “intentional” qualification. As above, we just can’t guarantee that some company won’t figure a way to smuggle tracking code onto AAC.

That said, we do promise to be diligent about checking for and removing anything that tracks you, other than the stuff we have disclosed above. We are getting pretty good at sniffing out bad stuff and we have hired some really smart people to help us—more on that in Part 2.

One More Thing

Oh, yeah, nearly forgot the whole point of this:

By continuing to use this site, you have agreed to the above policy.

If You Care

There are also two other issues here of interest to readers concerned about AAC’s long-term survival. If that’s not you, you can stop reading now.

Still here? Thanks for caring.

Why We Track

An obvious question in all of this is why we don’t just delete Google Analytics and not track reader behaviour at all.

The answer is that we have only just crossed the line to financial sustainability and getting there was the result of constantly tweaking the way our site looks and works, in order to best convince readers to join.

The point being that just providing the best content we can possibly create is not enough; marketing is vital too. And there is no way to get our marketing right without analyzing what users do and want.

Practicality

Now let’s look at some practical stuff.

Trying to comply with every detail of every regulation of every country that we might have a member in, never mind a reader, is becoming a potential risk to this site’s survival.

What the lawmakers and bureaucrats have totally missed, or don’t care about, is that the administrative burden is pretty much the same for a company like ours with a tiny revenue, and even smaller profit, as for a huge multi-national with limitless compliance resources.

Phyllis and I are already spending more than half our business-related time on administration. And compliance (tax and privacy) is a big part of that, along with accounting, website maintenance, and customer support.

Bottom line, increasing our admin burden from what it is now will put us out of business.

For example: Providing specific opt-in for each cookie, as some have suggested is required by some countries, on the off chance that the requirement applies to us, would require coding that would need to be maintained every time our core software and plugins updated (several times a month). Just not practical.

The other problem is that many of these regulations are ambiguous, and who they apply to even more so. The advice we see most often is to…take legal advice. But hiring a lawyer competent to opine on international compliance would cost more than our entire profit…for multiple years. Just not practical.

So I have spent hours diligently reading about many of these regulations, and we are going forward in the sincere belief that we have complied. We are making our best effort here.

Part 2

In Part 2 I will cover what information we store about you and the steps we have taken to keep that information safe from bad actors.

Comments

If you have any questions, please leave a comment.

Meet the Author

John

John was born and brought up in Bermuda and started sailing as a child, racing locally and offshore before turning to cruising. He has sailed over 100,000 miles, most of it on his McCurdy & Rhodes 56, Morgan's Cloud, including eight ocean races to Bermuda, culminating in winning his class twice in the Newport Bermuda Race. He has skippered a series of voyages in the North Atlantic, the majority of which have been to the high latitudes. John has been helping others go voyaging by sharing his experience for twenty years, first in yachting magazines and, for the last 12 years, as co-editor/publisher of AAC.

16 comments
  • Marc Dacey May 17, 2018, 12:24 am

    Even though I take “care” of my own end through the usual blockers and script-refusers, as I’ve done for many years now, I appreciate the full-frontal aspect of your operation here. So you get a rare cookie from me, because I know it saves me logging in. Most places are far more “monetized” than this one, and I’m glad to hear you are (finally) in the black. Will many of your readers and patrons read this, or even appreciate it? Maybe not, but it’s important to go on record with this sort of thing now and again.

  • James Dylewski May 17, 2018, 5:17 am

    Thanks John, I found it informative, not boring.
    Keep up the good work.
    James
    sv Windigo

  • Rod Morris May 17, 2018, 8:24 am

    Thank you for a very readable and interesting article. The extra effort to write this in an educational and entertaining way is not insignificant. I have noted this same effort in all your articles and that is what makes AAC such a great site.

  • Marco May 17, 2018, 9:49 am

    Hi John,
    I have recently received an offer from my internet security provider for VPN access. Would that create a problem at your end?

    • John May 17, 2018, 10:19 am

      Hi Marco,

      No problem our end as far as I know, but I think you will take a bad speed hit with a VPN. First the VPN itself adds a lot of overhead and second it may fool our CDN, that serves all of our photos and images, into thinking you are somewhere you are not, so the images won’t be served from the closest location.

      Why would you want a VPN anyway? Back before most sites were SSL compliant they made sense, but I can’t see a security benefit now.

      • Marco May 17, 2018, 4:19 pm

        Thanks for your reply and advice. I guess I was getting sold something I don’t need, through lack of knowledge…

        • John May 17, 2018, 4:49 pm

          Hi Marco,

          You're welcome. In defence of VPNs, back before most sites were SSL a VPN was a really good idea for anyone who used public WiFi, but now I think they are probably more trouble than they are worth.

          • Marc Dacey May 18, 2018, 12:25 am

            That depends a bit, I think, John. I would route banking transactions, for instance, through a VPN were we just tenuously hooked into some random YC’s guest wifi. Of course, I’m still also a fan of PGP and other similar measures. Half the battle is to make your presence more trouble than it’s worth, so the maleficent move on to the easier targets.

          • John May 18, 2018, 7:29 am

            Hi Marc,

            Sure, you can do that, but given that a bank will be using SSL, I really can’t see the point. All you would be doing is adding encryption on top of encryption.

  • Mike McCollough May 17, 2018, 12:05 pm

    This is a very nice explanation, thank you. One of the better ones I have read. It would be informative to distribute to a wider audience, not only as a site advertisement, but also to inform them about what free means.

  • Stephen Lewinton May 19, 2018, 3:48 am

    Would like to echo comments and thanks for the efforts made to make everything readable and interesting. Also congrats that you are in the black.

    As someone struggling with EU GDPR I think your view is a sensible, pragmatic response to the increasing regulatory complexity.

  • John May 19, 2018, 7:53 am

    Hi All,

    Thanks very much for the kind comments. This sudden flurry of new regulation has been, and is still, a royal pain in the neck to deal with. It’s encouragement from our members that makes Phyllis and me willing to keep dealing with this kind of stuff.

  • John Armitage May 22, 2018, 2:13 pm

    Excellent, John, thanks.

    • John May 23, 2018, 7:48 am

      Thanks, John,

      Just added it all to the NCG site too. Now back to real work.

  • Carole Lockhart Jun 2, 2018, 6:30 am

    I found this article very informative. Thanks for explaining in non-lawyerese.

    • John Jun 2, 2018, 7:58 am

      Hi Carole,

      You are welcome.
