Maintaining a safe platform for adults, while reducing your cyber surveillance footprint!
Kim Crawley CISSP, Covid Safe Date founder, enterprise cybersecurity professor, digital privacy activist
Introduction:
It’s a useful coinicidence that I, Kim Crawley, founder of Covid Safe Date, the premier online dating platform for Covid avoiding adults, just so happen to be a credentialized and academic expert when it comes to data privacy protection, and cybersecurity in general.
But expertise isn’t enough, having the right attitude when it comes to people’s digital rights and freedoms is also crucial. As is a healthy distrust of the capitalist influence upon most western governments, and the alarming rise of technofascism. Why? Because way too many supposed cybersecurity experts, especially on LinkedIn, have expressed support of technofascist phenomenon such as Generative AI.
I’ve spent enough time consulting small and medium sized enterprises on cybersecurity operations, teaching enteprise cybersecurity to graduate (MSc) students, and writing books and whitepapers on these matters (see my portfolio at https://kimcrawley.com), that it’s interesting that I get to craft cybersecurity policy for my own venture this time. It’s a responsibility that I take with the utmost of seriousness.
My intention:
To maintain regulatory compliance with the strictest data privacy laws in the world, especially the European Union’s General Data Protection Regulation. (Refer to https://gdpr-info.eu/) That’s considered to be the gold standard data protection regulation that has inspired similar legislation in other international jurisdictions. I’m also mindful of the California Consumer Privacy Act, China’s Personal Information Protection Law, Brazil’s General Personal Data Protection Law, Ontario Canada’s Freedom of Information and Protection of Privacy Act 1990 (my geographic jurisdiction!), and similar regulations worldwide. There are also international cybersecurity standards that aren’t always legally mandatory to comply with, but represent a good standard to be mindful of. I’m also mindful of data protection and application security concepts such as the OWASP Top 10 and MITRE ATT&CK.
My objective with this web platform and all of the data that it handles is to be compliant with the strictest cybersecurity regulations and standards, but without having to be responsible for highly sensitive data that could greatly harm users’ safety if breached or shared with potentially fascist entities, such as government identification, financial identifiers and data, medical identifiers and data, and any sensitive means of authentication with the notable exception of hashed passwords, the minimum data entities required to compliantly implement OAuth and similiar systems, and possible OTP (one time passcode, time sensitive) multifactor authentication (MFA) systems.
1984 Hosting in Iceland is our sole data hosting supplier for the time being as of this writing. Here is their GDPR compliance and data privacy policy:
See https://1984.hosting/GDPR/general-information/ https://1984.is/GDPR/ https://archive.ph/E9mr9 https://archive.ph/NbVtl for more information.
“About the right to be forgotten.
The General Data Protection Regulation enables you to have all data related to your account deleted with a few exceptions as mandated by other laws and regulations, such as: outstanding debt, users that have violated our terms of service and data we are required by law to maintain records of, for instance proof of paid services which 1984 have to maintain for 7 years according to Icelandic law. You can exercise your new radical data rights, which means you ask us to delete all data connected to your username in our systems. By law we have 30 days to make an assessment and respond to you if there are any hindrances. Most requests are handled within this 30 day period. If there are hurdles we contact you immediately with an update.
IMPORTANT TO NOTE:
1. We delete all data. This means we will have no idea who you are after we honour your request
2. This also means all the stuff we or you have been hosting on our servers!
3. Once we handle the request there is no way for us to retrieve the data, so make sure to do back ups if needed.
4. Secure backup with 1984 are saved up to 90 days and are deleted on a rolling basis. This means that backed up data in our systems will be completely gone after 90 days.”
If you have a user account and/or any personal data on Covid Safe Date’s platform, regardless of where in the world you live and regardless of your personal reasons, if you’d like your “right to be forgotten” and/or any other GDPR practice or similar data privacy legislation practice to be enforced, please do the following as soon as possible:
Email 1984 Hosting via gdpr@1984.is and
email kim.crawley@stopgenai.com or message Kim Crawley through Signal app via crowgirl.84
I, Kim Crawley, will assure that all of your personal data is removed from Covid Safe Date’s platform as soon as humanly and technologically possible. And it’s 1984 Hosting’s responsiblity to do the same through the systems they own and control.
What sensitive data does Covid Safe Date and our supply chain entities handle?
To those ends, Covid Safe Date will only ever handle sensitive data when it’s required for authentication technologies, most notably the hashed passwords which are processed through this website (using WordPress’s CMS for the time being), and 1984 Hosting’s datacentre in Iceland. (See https://1984.hosting)
The bare minimum of web browser cookie usage (non-tracking as much as technologically possible) through Covid Safe Date’s supply chain entites, such as WordPress CMS, related plugins, and 1984 Hosting is used, and not one iota more.
We may deploy multifactor authentication in the form of time limited OTPs, to be distributed through email, SMS, dedicated authenticator mobile apps, and/or proprietary technologies such as YubiKey at some point in the near future in order to provide our users with greater protection from data breaches and other types of cybersecurity incidents. In fact, the user account registration process that we use already uses a OTP-type system. When users sign up for a user account with Covid Safe Date, they receive a time limited OTP sent to the email address they have given us. Their verification of the OTP enables them to create a password for their user accounts in order to authenticate with the Covid Safe Date website.
All user account passwords are stored exclusively in ciphertext, using the MD5 hashing algorithm through WordPress’s CMS, for the time being. Those hashes are stored in 1984 Hosting’s datacentre in Iceland, and on Kim Crawley’s own local data storage in Toronto, Canada for backups. 1984 Hosting, WordPress, Covid Safe Date, and Kim Crawley only ever handle password hashes, never passwords in cleartext or plaintext!
It’s the user’s responsibility to create a password that’s sufficiently resistant to brute force attacks. I personally recommend that you create a password with over 15 characters, a mixture of alphanumerical and special characters, and never ever under any circumstances ever use a password that has been “generated” by Large Language Model (LLM) Generative AI! This list of most commonly used passwords that’s maintained by NordPass is also a good guide to passwords that Covid Safe Date users should never use: https://nordpass.com/most-common-passwords-list/ https://archive.ph/nA3CN
If users require help with creating relatively secure passwords, I personally recommend choosing a reputable password manager software application to generate and store a password on your endpoint device (such as a PC or smartphone) for you, such as KeePass, 1Password, Bitwarden, or the password managers built into web browsers that have better cybersecurity, such as Tor Browser, Vivaldi, or LibreWolf. (I personally distrust Mozilla with vanilla Firefox, Google Chrome, Microsoft, and Brave Browser, for the record. Feel free to ask me why by messaging me through the Signal app via crowgirl.84)
I, Kim Crawley, also recommend that Covid Safe Date users use the Have I Been Pwned (https://haveibeenpwned.com/) service to be personally notified if and when their passwords may have been knowingly breached by any online service or similar entity.
Covid Safe Date and other online services that take cybersecurity seriously will only ever handle password hashes, and never cleartext or plaintext passwords. So in the event of a data breach, users are still unlikely to be subject to harmful cyber attacks which would otherwise result. But we still do our best to avoid breaching ciphertext of sensitive data as well!
Users should only change their password with Covid Safe Date if and when such a service notifies them that they may have been impacted by a known breach.
Credential stuffing is a type of cyber attack on passwords that data breaches facilitate. That’s when a cyber threat actor tries to use a target’s known breached password with one online service or application with other online services and applications. In order to avoid succumbing to credential stuffing attacks, I highly recommend that Covid Safe Date users avoid reusing passwords they’ve used with other online platforms. The usage of one of the password managers that I recommend is a great way to assure that the passwords you use with each online service are different. If your home is sufficiently physically secure enough that only you would ever see a password that you’d write onto paper the old fashioned analog way, you may do so if it helps you to remember your password in a secure way.
Reducing cyber risk through acquiring the absolute bare minimum required amount of sensitive data
The less sensitive data Covid Safe Date and our supply chain entities handle in regards to users, the stonger their security posture will be, the better protected their digital rights will be, and the smallest possible ever will their cyber attack surface ever be.
That’s my personal mindset as a credentialized cybersecurity expert. To those ends, Covid Safe Date and our supply chain entities will only ever handle password hashes, OTPs, and the email addresses users choose to give us.
Our only relationship to a user’s sensitive financial data will ever be through a platform such as Ko-fi (https://ko-fi.com/) for fundraising, and their supply chain entities. If a user or visitor chooses to financially support Covid Safe Date, a platform such as Ko-fi and their suppliers will handle their financial data, not Covid Safe Date or our direct suppliers (such as 1984 Hosting). Their responsibility is to handle financial data securely and in a regulatory compliant way. Covid Safe Date’s responsibility is to only choose third party fundraising platforms that are known to do so.
I, Kim Crawley, am very worried and concerned about new legislation that I expect to result in further technofascism and the erosion of users’ privacy and human rights, most notably California’s Digital Age Assurance Act (AB 1043), Colorado’s Senate Bill 25-086, Texas’s Senate Bill 2420, and similar legislation being discussed or implemented in jurisdictions such as the United Kingdom and Brazil.
Politicians who endorse such legislation claim to be doing so in order to protect children from inappropriate online content and communications. I personally believe that “think of the children!” is being used as an excuse and Trojan horse to erode users’ digital privacy and human rights. Legislation such as California’s AB 1043 may only require verification of a user’s self reported age through applicable operating system APIs for the time being. But this sets a dangerous precedent that I fully expect to result in greater technofascist surveillance and human rights violations as these laws and systems intensify with ever greater expectations to demand more sensitive user data, further telemetry, and the like.
For that reason, if and when any legislation anywhere in the world makes it legally mandatory for Covid Safe Date and/or our supply chain entities to verify a user’s age and/or real life identity through self reported birth dates or ages, government identification, credit card numbers, or similar sensitive data in order to provide online dating website services or any similar services to users in a particular geographic jurisdiction, we will choose to ban users from that particular geographic jurisdiction, rather than commence collecting further applicable sensitive data in order to be legally compliant with the new legislation.
If a user from such a jurisdiction already has an account with Covid Safe Date if and when such legislation becomes enforceable law, we will completely remove the user’s profile from our website, our web servers, and all applicable supply chain entities, notify the user via email why we have done so as soon as possible, and also remove any and all data pertaining to that user. Users from such a jurisdiction will also be geoblocked from accessing our (Covid Safe Date) website using technologies that make educated guesses about a user’s geolocation based on their gateway IP address. I, Kim Crawley, would rather be legally compliant by banning users from a geographical jurisdiction than ever handle privacy invasive sensitive data through our platforms, our suppliers, and/or third party services for handling user identification. We shall be following MidnightBSD’s lead in regards to California’s AB 1043 when it comes to these sorts of matters. (See https://archive.ph/yZnSZ#selection-385.51-385.63).
Online platforms that I personally consider to be repugnant, such as Discord and LinkedIn, have already partnered with third party entities like Persona for the stated purposes of age verifying users through government identification and biometrics. Entities such as Persona are directly tied to people whom I consider to be technofascist, such as Peter Thiel. These practices and systems have already endangered users through data breaches, and through helping the technofascist American intelligence state to surveil users. (See https://archive.ph/Kzkl2 https://archive.ph/UDesK and https://archive.ph/BmeY1)
Under no circumstances will Covid Safe Date ever engage in such human rights and user privacy abuses. So we will always choose to geographically ban users based on gateway IP addresses and/or user self reporting exclusively, in lieu of engaging in abusive user data practices, in order to avoid negative legal consequences for Covid Safe Date and Kim Crawley if necessary to do so.
Maintaining Covid Safe Date as an online service and communications platform for adults in a way that respects user privacy, human rights, personal liberties, and safety from technofascism.
By registering a user account with Covid Safe Date through our web platform and with our current suppliers, such as 1984 Hosting and WordPress, all users worldwide agree that they are at least 18 years old, or chronologically old enough to use an online dating platform according to their geographical jurisdictions’ laws and regulations, whichever chronological age requirement is greater, as per the date that they registered a user account on our platform.
To respect user human rights and privacy, we will only confirm that a user is an adult through a user’s self disclosure, and/or if another Covid Safe Date user, a person who has dated a user offline or otherwise knows the user offline in a personal capacity, and/or their legal parent or guardian tells us that the particular user is not a legal adult for the above stated purposes. If you are such a person who has sound reason to suspect that a Covid Safe Date user is not a legal adult, please notify Kim Crawley as soon as possible through Signal app via crowgirl.84 (an encrypted platform that I trust), or by emailing me via kim.crawley@stopgenai.com. Under no circumstances will I ever request evidence of your claims, nor should you share it with us. You should also avoid sharing such evidence on our Covid Safe Date online platform. I, Kim Crawley, will simply take your word for it. And I will remove the user’s account and all their applicable data from our platforms immediately, and notify the user via the email address they have given us that we have done so and why.
Using Covid Safe Date is a privilege that we reserve for Covid safe adults who engage in exclusively consensual and lawful romantic and sexual activities with other adults. The ability to use Covid Safe Date isn’t a basic human right. Accordingly, being protected from sexual assault, all other non-consensual activity, and having one’s privacy and safety protected (even when a law would violate a user’s privacy and safety in my personal opinion!) are basic human rights, rights that Covid Safe Date take seriously to uphold, regardless if applicable laws support or violate such rights in my personal opinion.
Also, if you have sound reason to suspect that a Covid Safe Date user is verbally harassing and/or “doxxing” another Covid Safe Date user, if they are using our platform to engage in human trafficking (such as for the purposes for sexual prostitution), violent criminal acts, if you suspect sexual assault, any non-consensual sexual or romantic acts, and/or cyber crime, regardless of the users’s ages, please notify Kim Crawley as soon as possible through Signal app via crowgirl.84 (an encrypted platform that I trust), or by emailing me via kim.crawley@stopgenai.com. As with users’ self reporting of legal adulthood, we will never expect you to show us any evidence, we will take your word for it. And I will remove the user’s account and all their applicable data from our platforms immediately, and notify the user via the email address they have given us that we have done so and why.
I, Kim Crawley, am personally distrustful of law enforcement, and I will only cooperate with law enforcement to the extent that’s absolutely necessary for me to avoid criminal charges, and not one iota further. As I wrote in regards to age verification compliance, I will chose to geoblock users and remove any potentially risky user accounts and related data, rather than violate a user’s privacy, as much as humanly and technologically possible.
Oh, and fuck Gen AI! All my homies hate Gen AI!
TL;DR?
Covid Safe Date, our supply chain entities, and Kim Crawley will always do as much as humanly and technologically possible to be fully compliant with the European Union’s General Data Protection Regulation (GDPR), and all similar data privacy legislation anywhere around the world as is applicable. We do so by limiting the personal data that we handle to password hashes, and OTP for multifactor authentication (and as necessary, gateway IP addresses for geoblocking), along with the bare minimum of web browser cookie usage through our digital suppliers, such as 1984 Hosting and WordPress CMS.
If you’d like your personal data to be removed from Covid Safe Date’s platform as per the GDPR’s “right to be forgotten” or any similar policy, for any reason whatsoever, please notify Covid Safe Date via Kim Crawley and our data hosting supplier 1984 Hosting as per the instructions in this document immediately, and we will do so as soon as humanly and technologically possible.
If any legislation anywhere in the world requires us to handle user age self reporting, user age verification, government identification, biometrics, or any other sensitive personal data that Kim Crawley considers to be human rights, cybersecurity, and user privacy violating, Covid Safe Date will choose to ban all users and remove all of their data from our platform via self reporting and/or gateway IP based geoblocking in order to avoid having to handle user age self reporting, user age verification, government identification, biometrics, or any other sensitive personal data that Kim Crawley considers to be human rights, cybersecurity, and user privacy violating in order to be legally compliant and law-abiding. No ifs and or buts. Zero exceptions.
Using Covid Safe Date is a privilege for law abiding adults, and I, Kim Crawley, may deny usage of our platform to anyone whom I suspect to not be a law abiding adult, for any reason. Avoiding privacy and human rights violations, violent, and non-consensual romantic and sexual acts are your human rights, not your ability to use Covid Safe Date.
Financial data exclusively for fundraising purposes will only ever be handled by third parties that I trust, i.e. Ko-fi and their suppliers. Legal compliance pertaining to the handling of sensitive financial data is their responsibility.
We will never engage in any technofascism, such as (but not limited to) “Generative AI” and “Large Language Models,” telemetry (other than gateway IP addresses), and/or verifying and handling government identification and biometrics. We will always choose to avoid providing services to potentially legally risky users rather than engage in any technofascism, user privacy violations, and user monitoring and surveillance.
If you have any questions or concerns about anything in this document for any reason, please contact Kim Crawley as soon as possible by emailing me via kim.crawley@stopgenai.com or by messaging me through the encrypted Signal app that I trust via crowgirl.84. I will respond to your questions or concerns through those private means as soon as possible.