How OPRAmachine protects user privacy

As a part of OPRAmachine’s 2019 Sunshine Week initiatives and in response to several inquiries from users, we wanted to take a minute to share how we are protecting the privacy of our users.

1. We never publish your email address

Your private email address is never revealed to the government or other users when you use OPRAmachine. All a public agency would be able to see is the unique OPRA request email address from the domain along with the public display name of your account.

2. Our emails don’t leak out your IP address

Maintaining the confidentiality of your IP address is essential if you want to ensure that your OPRA requests are truly anonymous. Email headers, which are metadata included with regular emails, can potentially leak out your device’s current IP address, allowing government agencies and others to correlate your IP address with your identity if they have already associated your IP address with your identity via another account.

OPRAmachine, like all modern web applications, logs your IP address to diagnose technical and server issues, but we never publicly disclose IP addresses of users.

3. We’re covered by the New Jersey Shield Law

The New Jersey Shield Law is a special law that protects journalists and certain individuals connected to the newsgathering process. As OPRAmachine is run by a media organization and used by journalists and confidential sources for obtaining public documents, these privileges likely apply to any users of the site. Should we ever receive a subpoena for user information, we will zealously resist it.

4. We use the latest encryption

Your connection to OPRAmachine will always be secure, as our servers are configured to only allow encrypted connections using SSL/TLS. T We have received an “A+” rating from Qualys SSL Labs, so you can be sure that we are following industry standard best practices for the configuration of our servers.

A tradeoff from this has been that some of our users have reported that they have been unable to use OPRAmachine on their old devices. Unfortunately, this is necessary as some attacks rely on downgrading secure connections to older, insecure versions of the SSL / TLS standard, so we disabled these potentially insecure modes in order to ensure that our platform provides the highest level of security for the most users.

5. We don’t store the plain text of your password

When you register for an OPRAmachine, we run hashing algorithms on the password you choose and save an encrypted version of that to our database. That means that even if a worst case scenario hack of our servers took place, the plain text version of your password should not be compromised by a would-be attacker. This is in addition to the other security features deployed on our infrastructure.

comments powered by Disqus