Comment by mk89
5 days ago
At first I thought it was a blog. No, this is a company. So, their privacy page (https://servury.com/privacy/):
> Server Logs
> Like all web services, our servers may log:
> - IP addresses of visitors
> - Request timestamps
> - User agent strings
>
> These logs are used for security and debugging purposes and are not linked to your account.
That's already a huge breach in comparison to mullvad privacy page. (https://mullvad.net/en/help/no-logging-data-policy)
I agree 100%. I went ahead and disabled all logging in Apache just now. Will update the privacy page to reflect this within the hour.
Shouldn't you have spent some time to think through basic things like this before trying to write an opinion piece on anonymity? Certainly it shows a lack of depth of understanding.
The privacy crowd seems to be incapable of grey areas. Are all these the same thing? Are they all the same severity of problem?
A LOT of the privacy folks would put all those examples in the same category, and it absolutely drives me up a wall. It's purity-seeking at the expense of any meaningful distinction, or any meaningful investigation that actually allows users to make informed decisions about their privacy.
We all mess up and miss things, op has shown maturity enough to admit to their mistakes and improve from them.
My takeaway from this thread is an increased amount of trust in OP. Not because they made a mistake, but because of how they handled it. Well done OP!
I disagree. Like I said earlier:
Web server logs were not tied to user credentials in any way, they were used for debugging purposes and could not have been used to identify users.
Privacy was a joke--every time I gave someone my data that data got breached, including the US government.
The whole thing is behind cloudflare!
Anonymity is responsibility of a visitor in any case. If the visitor's anonymity depends on some website not storing logs, the visitor lost already.
In 2025, can small and medium businesses afford to be exposed to the world wild web? You don't need to be a major site these days to be DDoSed on the regular.
Does it matter, when CF is collecting all that already before people even reach your site?
Does CF matter, when intermediate ISPs are collecting IP address and DNS query activity and can be subpoenaed?
The answer to both this and parent is yes: partial privacy improvements are still improvements. There are two big reasons for this and many smaller reasons as well:
First, legal actors prioritize who to take action against; some cases are “worth seeing if $law-enforcement-agency can get logs from self-hosted or colo’d servers with minimal legal trouble” but not “worth subpoenaing cloudflare/a vpn provider/ISP for logs that turned out not to be stored on the servers that received the traffic”.
Second, illegal actors are a lot more likely to break into your servers and be able to see traffic information than they are to be able to break into cloudflare/vpn/ISP infrastructure. Sure, most attackers aren’t interested in logs. But many of the kind of websites whose logs law enforcement is interested in are also interesting to blackmailers.
If the authorities come to TFA site with demands, they can't do anything about what CF is doing. All they can do is turn over what they have, and/or prove they don't have what is being asked of them. What some 3rd party does is not germane at all.
Are you allowed to do that in the US? I see the company is located in the USA, can companies disable logging just like that?
(Asking because I really don't know)
In most countries the law doesn't say you have to log everything about your users, but it does say that if you log it and the police ask for it then you have to give the data to them.
I don't know either, but I would guess there are no laws that say internet service operators must log anything.
But, banks and financial services now must obey "know your customer" laws so it's not beyond imagination that similar laws could be applied to websites and ISPs operating in a particular country.
What is truly absurd is that most websites default to logging activities. It's as if they actively conspired against their users.
Just curious, why not accept cash?
Not that I use it, but one of the best privacy features of Mullvad is that you can post them cash with your account number and they will credit it. That makes the transaction virtually, and for all practical purposes, untraceable.
It seems like you have the means to do exactly that too.
> That's already a huge breach in comparison to mullvad privacy page.
And the "3 data points, that's it" of the blog post
Those data points refer to what is stored in the database and is tied to your 32 character credential.
Web server logs were not tied to user credentials in any way.
IPs are PII. They can be tied to an identity.
I initially liked the sentiment but the offering doesn’t appear to add up. Unfortunately the real private cloud, if it exists, is bare metal and can’t really be sold as a subscription.
I mean technically yes but I find THAT kind of logging utterly benign.
They're good enough for fingerprinting and matching against other logs.
Also:
> // What we DON'T collect:
> - IP addresses (not logged, not stored, not tracked)
> - Usage patterns (no analytics, no telemetry, nothing)
> - Device fingerprints (your browser, your business)
So, I've read one blog from this company, and already they're lying or incompetent.
I hate to point it out, but that was written by an LLM that probably wasn't prompted precisely enough to not make up comforting thoughts like that.
Do as I say, not as I do! /s