This page attempts to describe what personal information this jabber server stores about you. If you have any questions, please don't hesitate to contact us.

Information not related to your account

  • The Jabber-service itself does not store any regular connection information. This means we will never be able to tell in hindsight where you connected from.
  • The webserver that serves this website (and e.g. list.jabber.at) keeps access logs (in the standard Apache log format) that are stored for up to four weeks.
    • This includes access to HTTP based Jabber-services, e.g. web presence and any BOSH connections (usually done by web clients). We are actively working on changing this situation.

Account-related information

By default, the server stores the following data about you:

  • The Jabber ID (jid), consisting of user name and domain, used for identifying your account.
  • The SCRAM-SHA1 hash of the password to your account, used for authentication when your client connects to the server.
  • The saved contacts (often called "buddies") of a user, plus information about the visibility between this account and the contacts. This ensures that your buddy list stays the same, no matter which client you are using.
  • Date and time of account creation and when your account was last used. We use that data to periodically delete unused accounts.
  • "Offline messages" (that is, messages others send to you while you are offline) are stored until you log in again (but only for up to 31 days), along with the time the message was sent.
  • If an error occurs while delivering messages, we save a log entry detailing who sent the message to whom at which point of time and why it failed. The actual content of the message is not a part of that entry. We only need the metadata to determine the root of the problem when things go awry.
  • Our account registration website at account.jabber.at stores the IP address used for registering an account for 31 days to help detect automated registrations.
  • If your client uses XEP-0313: Message Archive Management, your chat messages are stored for 21 days.
  • If your client uses XEP-0363: HTTP File Upload, your file uploads are stored for at most 31 days. Note that some clients only store an encrypted version of the file.

When using gateways/transports, the jabber-server stores the following information:

  • Username and password (if necessary) to connect to that transport (e.g. ICQ, MSN...).
  • A log laying out which Jabber ID at what point of time used which user identity to connect to a gateway/transport.
  • We use different software for various transports, which in turn saves data depending on what is needed for using the transport. If you require detailed information, please contact us.

Additionally, a Jabber client may store data on the server. Whether that data is accessible to others (like a vCard which contains contact details) or accessible only to you (like configuration settings for a Jabber client) depends on the client you use.

What happens to that data?

Information about our users is neither used commercially nor sold or otherwise made available to third parties. No advertisements are sent to the users of this service.

There are a few exceptions to that rule: When a user stores data specifically to make it available to others (think of, for example, a stored vCard), it can be retrieved by other users.

The Jabber IDs (JIDs) of users will not be published; if a user, however, publishes his/her ID, third parties could use that information to send advertisements to that user. This is not unlikely to occur through the receipt of ordinary mail messages via the e-mail transport. The provider of this service specifically forbids using it to send unsolicited (that is, not explicitly requested) ads. However, the provider cannot guarantee all users' compliance with this rule.

Messages sent from a user to another user connected to a different server are passed on to that server. How data is treated at the receiving end can differ from what is described in this document. The same holds true for information the user has selected for display to other users or all users (e.g. information about the online status/the presence).

Users of gateways to other IM networks may find that the preservation of their privacy also depends on the other system. Specifically, some other systems allow third parties to see the presence/online status of users without their confirmation.

The Jabber server does not report the IP addresses of users to other users. All communication using the Jabber protocol (XMPP) takes place with the server as a middleman. Clients can, however, exchange IP addresses, for instance before starting a file transfer. The server will neither examine those addresses nor forward them to third parties.

Statistics about the server's load will be derived from collected data. These statistics are anonymous. No information about single persons can be obtained from them.

Who can access this data?

Four persons have access to the stored data: Robert, Klausi, David and Mati.

Legal situation and cooperation with law enforcement

Austria currently has no data retention laws. It would be illegal for us to retain data longer than directly necessary for running this service. In Austria, a public court can order us to cooperate with law enforcement agencies to help with a criminal investigation. Such an order is only possible if the supposed criminal offense is punishable by at least a year in prison. An order is always only valid for a single account and must have a fixed time limit. Cooperation usually means that we have to hand over any stored data as well as start logging the connection (including all messages henceforth sent from and to the user) and hand over this data as well. In case of such an order, we are

  • legally forced to cooperate with law enforcement and provide all information requested by the court order.
  • legally barred from informing the person under surveillance.

This of course means that in case of such an order, we will comply, even if we don't like it. None of us is willing to go to prison for an anonymous account. You are of course, regardless of any legal situation, advised to use either OTR, GPG or any other technology for end-to-end encryption. Surveillance orders are fortunately not very numerous:

year No. of court orders
2010 0
2011 0
2012 0
2013 1
2014 0
2015 0
2016 0

Backups

The data of the jabber-server is backed up hourly to a remote location. The data is encrypted using GPG before it is sent over the wire; therefore, only Robert, Mati and David can decrypt the backups, even if the backup-server is compromised. The hourly backups are stored for 3 days, daily backups are kept for an additional 4 days.

Notes

Please contact us if you have any further questions.

This server is subject to the laws and regulations of the Republic of Austria and the European Union.

These regulations were shamelessly copied from web.jabber.ccc.de.