FileSender Privacy Statement
This privacy statement highlights those items specifically dealing with user and file contents privacy for the Internet2 FileSender service. The complete terms and conditions for the FileSender service include all of the items highlighted here.
The FileSender service is designed to provide a convenient way of sending files to other Internet users when those files are larger than typical e-mail clients and servers support.
In order to use the service, FileSender requires authentication by a research and education InCommon participant, and requires that the participant's identity provider (IdP) provide the eduPersonPrincipalName (EPPN) and e-mail address attributes. FileSender keeps a permanent log of those attributes, the date and time of the upload, and the filename(s) that were uploaded to the FileSender service, as well as the e-mail address of the recipient(s) who were notified of the file(s)' availability. The log also records every time someone downloads the file using the coded URL that is created when the file is stored. This information is kept even after the actual file contents are deleted.

This information is kept in an unencrypted log which is normally available only to system administrators; however, should the system be compromised or breached, this information could be accessible to unintended persons. The system is explicitly not designed to protect the anonymity of users placing files on the service, and users placing files on the service should assume that there are conditions under which their use of the system and the file(s) they place there, including the files' contents, may become known to others, including Internet2 personnel who monitor the performance and use of the system, and/or law enforcement personnel who are called to investigate inappropriate or criminal use of the system.
As discussed in the terms and conditions document referenced above, Internet2 reserves the right to look at the log in order to maintain the system and to monitor abuse. Specifically, Internet2 monitors whether a given file is being downloaded an inordinately large number of times, which may be indicative of a file being stored for general public access (as opposed to access by a limited set of specifically named individuals who were sent the coded URL) and which may indicate that the URL has been posted publicly or sent to a large mailing list. In such cases, Internet2 may take actions, including notifying the person who stored the file of the problem, up to and including deletion of the file if such abuse is causing significant degradation in system performance.
Internet2 may also use the log to investigate complaints made to Internet2 about potential misuse of the system, as required by legislation such as the DMCA, or complaints about criminal use of the system, for example, that it is being used to transmit child pornography. In such cases, Internet2 may also need to examine the contents of the file to determine whether the complaint is meritorious, and will then notify the user who stored the file and/or the appropriate local or federal authorities, as appropriate to the specific circumstances and as dictated by law or regulation.
As discussed more completely in the terms and conditions, this service is not designed for storing confidential or highly sensitive documents, or for storing documents protected under legislation such as HIPAA or FERPA. Specifically, files are not encrypted either in transit or on disk, and the only protection against an arbitrary user gaining access to a file is the obscurity of the coded URL used to retrieve it, which is not a secure protection. Once files are automatically or manually deleted from the system, the system does not perform a secure deletion of the file contents (i.e., the contents are not overwritten), so there is a possibility that even after deletion the contents of a file could be reconstructed.