We respect your privacy.
We operate by the Golden Rule (Matthew 7:12), so we are very careful to not collect information about you that might cause a problem for you. We are particularly sensitive to the needs of those who might be living in areas where reading the Holy Bible might trigger persecution. Therefore, we minimize what personal information we collect, and what we do collect, we protect with a combination of physically secure locations, cryptography, and periodic security audits.
What personal data do we collect?
We only collect personal data that we need to provide the services that we provide, and those items that we need to comply with applicable law. It seems that most of what information we collect is common sense, but just to be clear, we list it, below, for people who might be interested. Unlike many Internet businesses, we are not actually a business, and we don’t monetize our sites with advertising or sell contact information. Advertising is potentially confusing and might end up being a distraction or contradiction to our primary mission of making God’s Word more easily available to as many people as possible. Therefore, we only rarely allow any advertising, except for the promotion of the Bible translation agencies, missions, churches, and missionaries who make this site possible, and then only in contexts where such promotion makes sense.
There are six kinds of personal information we may collect:
- Identification associated with a login for privileged access.
- Anything you send directly to us by way of one of our web forms, email, messaging application, file sharing service, etc.
- Contact information required by an associated organization in exchange for access to their intellectual property, which they presumably intend to use for advertising. (This is a requirement of some Bible translation organizations.)
- Information shared with us from an associated organization on your behalf, such as notice from World Outreach Ministries of a donation received so that we can thank you for it.
- Internet Protocol (IP) addresses of devices connecting to our servers. This can sometimes be linked to a particular person, but only when combined with other information and when that person uses the same IP address consistently.
- Web browser cookies, which are small amounts of text stored by a web site on your browser that can be requested again by the same web site to help improve your user experience. These, by themselves, are not personally identifying information, but can be used as such. We only use them as anonymous session indicators and bookmarks, unless used in association with a login process.
How do I consent or withdraw consent to personal information collection?
When you sign up for privileged access, send us information, or send one of our partners information, you are consenting at that time to that information being collected and stored. We assume that you are smart enough to know that when you fill out a form with your personal information, you know that you are doing that, and have the capacity to not do it if you don’t want to. To withdraw consent, you stop doing any of the things that involve providing personal information, and don’t get the benefits associated with doing so. In the case of contact information given to gain access to a Bible translation, you may unsubscribe from the promotional emails that other organization sends you, using the instructions in those promotional emails.
ALL web servers collect IP address information, at least as long as it takes to complete operations, and normally longer with logs. Logs are required for security monitoring purposes. All routers and computers between you and us have the capacity to log IP address information. That is the way the Internet works. IP addresses are not optional. You can, however, unlink the public IP address you use from your identity by using a virtual private network (VPN) or a service like The Onion Router (TOR) or both. That is under your control. On our side, we already delete IP addresses we don’t need any more, so there is nothing more for us to delete. We keep IP addresses long enough for security review, and for creation of aggregate, anonymized usage metrics. We also keep IP addresses associated with web contact form submissions to us, to help sort out messages we want from those we don’t want (i.e. fraudulent messages and illegal solicitations).
How do we use personal information?
We use personal information in ways that we hope are common sense and reasonable. Here are some specifics:
If you would like us to keep in touch with you concerning our ministry, you may add your name and email address to our Mailchimp prayer letter mailing list at MLJohnson.org. If you do, you may unsubscribe at any time using the link provided in each of those emails. Mailchimp tracks opens and approximate location data of those emails based on the IP addresses used in opening remote images as a measure of mailing campaign effectiveness. We don’t share that information with anyone else.
If you would like to get announcements concerning the World English Bible translation progress, you may join our Google Group announcement list for the World English Bible. You may join or leave this group at any time, using the instructions on the sign-up page or in emails you receive.
If you would like to keep up with what we are doing with Haiola development and some of the more technical issues of our digital Bible distribution, you may join our Google Group announcement list for Haiola. You may join or leave this group at any time, using the instructions on the sign-up page or in emails you receive.
If you would like to make tax-deductible donations to help support us, those may be made through World Outreach Ministries. As required by law and sound accounting principles, they track contact and payment information. They share some of that information with us so that we can send thank-you notes. They also send out receipts and monthly reminder mails, which we appreciate.
Many people have helped us by contributing comments via email or a web contact form. By doing so, you give us permission to keep and use your comments, along with source information you fill out and your IP address, and to act on them as we see fit. When a comment is incorporated into a public domain or open access licensed work, any portion of that comment that is used in the work also becomes dedicated to the public domain or included in the open access license. Using our web contact form is entirely optional. We include the IP address with submissions to enable certain kinds of spam filtering and to hopefully reduce the temptation to commit fraud.
Our web server software logs all web server activity, including what file or page was requested, the IP address it was sent to, the date and time, and the browser’s identity string. Except in the case of our web contact forms, listed above, we specifically avoid linking your IP address to your identity. We process these log entries to extract an approximate location using the IP2Location LITE database, then anonymize both the location and the source data. The location data is anonymized by taking the already-approximate location given by the free version of the geolocation database and shifting it by a random amount of up to 60 nautical miles in a random direction. Note that sometimes, the free version of the IP2Location database does not include an IP address, but will give a country. In that case, we use the country’s capital as an approximate location, which can be thousands of miles from where the actual user is, and is therefore very effective at anonymizing the data, probably to excess. The source data is anonymized cryptographically, then the source log is automatically deleted. The resulting anonymized data is aggregated into Bible delivery statistics. The processed log database contains no personally identifying information. After all of that, we can’t tell exactly who read what part of which Bible translation, or exactly where they were, but we can get a pretty good idea of how many people are reading the Bible in a general geographic area, and how much each Bible translation is being downloaded or displayed.
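The location shift described above, sketched as an added example (this is not the site's own code). The function names, the record layout, the sample capitals table, and the choice to shift the capital fallback the same way are all assumptions; the cryptographic anonymization step is not specified in this policy and is not shown.

```python
import math
import random

EARTH_RADIUS_NM = 3440.065   # mean Earth radius in nautical miles
MAX_SHIFT_NM = 60.0          # upper bound stated in the policy text

# Constructed sample table for the country-only fallback (not real database rows).
CAPITALS = {"FR": (48.8566, 2.3522), "JP": (35.6762, 139.6503)}

def shift_location(lat, lon, rng, max_nm=MAX_SHIFT_NM):
    """Move (lat, lon) a random distance <= max_nm along a random bearing."""
    bearing = rng.uniform(0.0, 2.0 * math.pi)
    # Distance is drawn uniformly (an assumption; the policy names no distribution).
    delta = rng.uniform(0.0, max_nm) / EARTH_RADIUS_NM   # angular distance
    phi1, lam1 = math.radians(lat), math.radians(lon)
    sin_phi2 = (math.sin(phi1) * math.cos(delta)
                + math.cos(phi1) * math.sin(delta) * math.cos(bearing))
    sin_phi2 = max(-1.0, min(1.0, sin_phi2))
    lam2 = lam1 + math.atan2(
        math.sin(bearing) * math.sin(delta) * math.cos(phi1),
        math.cos(delta) - math.sin(phi1) * sin_phi2)
    lon2 = (math.degrees(lam2) + 180.0) % 360.0 - 180.0  # wrap across the date line
    return math.degrees(math.asin(sin_phi2)), lon2

def distance_nm(a, b):
    """Haversine great-circle distance between two (lat, lon) pairs."""
    p1, p2 = math.radians(a[0]), math.radians(b[0])
    dp, dl = p2 - p1, math.radians(b[1] - a[1])
    h = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(min(1.0, h)))

def anonymize(record, rng):
    """Return only the fields kept for statistics; the IP is never copied over."""
    if record.get("lat") is not None and record.get("lon") is not None:
        base = (record["lat"], record["lon"])
    else:
        base = CAPITALS[record["country"]]   # country-only lookup: use the capital
    lat, lon = shift_location(base[0], base[1], rng)
    return {"lat": lat, "lon": lon, "path": record["path"]}

if __name__ == "__main__":
    rng = random.SystemRandom()   # OS entropy, so offsets cannot be replayed from a seed
    # Constructed log record; 203.0.113.7 is a documentation-range address.
    print(anonymize({"ip": "203.0.113.7", "country": "JP", "path": "/web/JHN01.htm"}, rng))
```
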
We sometimes get content from third parties like the American Bible Society, Faith Comes by Hearing, and The Jesus Film Project. This content may be served in whole or in part from their servers. How they handle privacy with respect to web bugs, IP address logging, cookies, and web usage metrics is subject to their respective privacy policies.
We act as a reseller of domain registry services for Computer Service Langenbach GmbH on behalf of selected partners. We collect the personal information required by the registry to perform that function, but shield it from public view by default.
How do we protect personal data?
Nobody can absolutely guarantee the security of personal data, or any other sensitive data, for that matter. Indeed, major governments and large corporations with huge IT budgets and the presumed capacity to protect and defend their information resources repeatedly get hacked, leaked, stolen from, embarrassed, and humiliated by some data security oversight. Sometimes they get blind-sided by some new vulnerability nobody anticipated, and sometimes it is just plain lack of attention to basic security principles. We intend to not be caught in the latter case ourselves. Therefore, we use the following precautions:
- Physical security. Our primary operations are in low-risk areas with appropriate physical safeguards against unauthorized
- Cryptography. We use cryptography to authenticate access and control to critical systems, to prevent unauthorized access to private data, to prevent unauthorized modification of public data, and to irreversibly anonymize some usage statistics.
- Minimizing what we collect. We don’t collect personal data we don’t need. Why would we? We don’t sell it or profit off of it. If we don’t have it, it can’t be stolen from us.
- Secure backups. We need backups to protect against data loss or corruption, so backups are necessary, but they are all in a secure location or encrypted (or both). This is helpful both in protecting sensitive data and in ensuring that we can quickly and reliably restore service when needed.
- Malware scans. We regularly scan our computers and servers for malware of various sorts, including anything that could bypass access controls.
- Software updates. We apply security patches and software updates promptly to avoid unnecessary exposure to newly-discovered security vulnerabilities.
- Security monitoring and response. We monitor logs and web sites for suspicious activity and take appropriate action to block suspicious activity. Every day, hundreds of attempts are made at unauthorized access to our servers, which is not at all uncommon. What is uncommon is that we look at the logs, analyze the nature of the attacks, and evaluate if there is a chance that the attack may succeed. If so, we find ways to thwart that type of attack.
- Secure contact forms. We use contact forms that encrypt data using TLS from you to the server, then use GNU Privacy Guard to encrypt the message from the server to the recipient.
Where do you store personal data?
We store sensitive data primarily in the United States of America. However, backups of it may be stored in encrypted form in other countries. It may be accessed by an authorized person remotely via encrypted connection or carried on encrypted media when necessary, but it is not available unencrypted outside of the USA except when actually in use by an authorized person.
Are you GDPR compliant?
Yes, even though we are not in the European Union. We may choose not to respond to GDPR-related requests that do not originate from a citizen of the European Union currently present in the European Union, or in case of conflict of law. God’s Law, the laws of the United States of America, and the laws of the state of Hawaii (in that order) all take precedence over extraterritorial laws. Our compliance with the EU GDPR is strictly voluntary, as we have no physical presence in the EU, and because we were basically doing things the way the GDPR required already.
If you live in Europe and have a GDPR-related request, you may write a formal request in English, containing your full contact information (name, mailing address, email address, and telephone number), a signed statement that you are a citizen of the European Union currently present in a member state of the European Union, and the nature of your request to:
Data Protection Officer
c/o Michael Johnson
26 HIWALANI LOOP
MAKAWAO HI 96768-8747
Note that we request paper mail for these legal requests so that we can check the postmark of origin. You will also have to authenticate your request by responding to an email to verify that it is indeed yours. Personal information associated with a GDPR request is required to make sure that we don’t provide personal information to someone who has no right to it.