Service Policy

The Jabber.org IM service is committed to the privacy and security of your information and communications. This Service Policy governs your use of the service.

  1. Purpose
  2. Our Default Privacy Policy
  3. Information We Gather or Store
  4. Legal Compliance
  5. Passwords
  6. Private Messages
  7. Chatrooms
  8. Discussion Lists
  9. Cookies
  10. Scripts
  11. Data Backup
  12. Changes to This Policy
  13. How to Contact Us

1. Purpose

The Jabber.org IM service exists primarily so that instant messaging users all around the world can have a free and open IM experience.

The service is not built to host automated bots, distributed file exchange systems, high-volume systems in general, or abusive applications. If you run such an application or you willingly interact with an application that is deemed to be counter to the aims of the service, your account might be subject to rate limits or it might be disabled completely, at the sole discretion of the admin team. Low-bandwidth helper bots are acceptable.

In addition, the service is not intended for mission-critical applications, such as customer support systems or corporate IM deployments. If you or your organization wishes to use XMPP for such applications, we strongly encourage you to run one of the many fine XMPP server implementations at your own domain rather than use the free jabber.org IM service.

Please note that the service is free. Use of this service is entirely at your own risk, and we cannot be held responsible for losses, financial or otherwise, that you might suffer from use of our free service.

2. Our Default Privacy Policy

Our default privacy policy is never to gather or store information about you, to log your conversations, or to engage in any other behavior that would compromise your privacy and security in any way. However, if you choose to use our services (especially the jabber.org IM service) we sometimes need to gather or store information so that you can use the relevant service (e.g., we require authentication for IM login, so we need to store your password). The following sections describe exactly what information we might gather and store.

3. Information We Gather or Store

We do not automatically gather any personal information (name, address, etc.) about you at jabber.org; the only exceptions are information that you may voluntarily submit as described below.

When you create an IM account at the jabber.org IM service, you provide a username and password. We do not gather any other personal information about you when you create an account.

When you add people to your contact list (XMPP 'roster'), that information is stored on the server so you can retrieve it whenever you log in; the roster information can contain the names or nicknames of your contacts if you assign such names in your roster. This data is never made public and is accessible only by you.

The jabber.org IM service supports an XMPP extension for storing vCard data on the server: the vcard-temp protocol. If your Jabber client also supports this feature and you choose to create a vCard (a kind of 'electronic business card'), that data will be stored on the server. Your vCard data is publicly accessible so that other people can learn more about you (i.e., retrieve your electronic business card). Please check with the developers of your preferred Jabber client software about their support for this feature.

The jabber.org IM service supports an XMPP extension for storing generic XML data on the server: the Private XML Storage protocol. If your Jabber client also supports this feature, it might store bookmarked chatrooms, client preferences, and other data on the server. However, this data is never made public and is accessible only by you. Please check with the developers of your preferred Jabber client software about their support for this feature.

The jabber.org IM service supports an XMPP extension for publishing generic XML data through the server: the Personal Eventing Protocol (a profile of the XMPP publish-subscribe technology). If your Jabber client also supports this feature and you configure your client to enable that feature, it might use the jabber.org service as a way to publish information about the tunes you listen to on your computer, your mood, and other 'rich presence' data; furthermore, this data may be temporarily stored in our database so that it can be retrieved by your contacts when they log in. This data is never made public unless you so choose, and by default is accessible only by your contacts. Please check with the developers of your preferred Jabber client software about their support for this feature.

The jabber.org IM service has the ability to log the Internet Protocol (IP) address from which XMPP clients connect to the service, and keeps logs of such information for a few days so that if necessary we can block specific IP addresses that pose a threat or cause harm to the jabber.org IM service or our network. We also reserve the right to share such blacklisted IPs with providers of other IM services on the XMPP network in order to coordinate our mutual defenses against distributed attacks.

4. Legal Compliance

Very rarely, we have received court orders requesting information about specific users of the jabber.org IM service. Although we comply with such court orders, we do require a court order (not just an informal request) before we will disclose information about any user of the jabber.org IM service. If such an order enjoins us not to disclose the request to the user about whom information is being requested, we also comply with that aspect of the order.

Under these circumstances, the only kinds of information we provide are: dates, times, and IP addresses associated with login and logout events on the jabber.org IM service; and Jabber IDs of contacts stored in the XMPP "roster" on the jabber.org IM service. We do not provide information about messages sent or received (neither intended recipients nor message payloads), chatrooms joined, vCards requested, or other real-time XMPP exchanges (because we do not have the capability to obtain such information), nor do we provide information that is sometimes requested but inapplicable in the context of a free instant messaging service, such as telephone numbers, MAC addresses, email attachments, and payment methods.

5. Passwords

Passwords are not required to access the jabber.org website.

Passwords are required to access the jabber.org IM service. We strongly encourage you to log in with an encrypted connection so that your password is not exposed to eavesdroppers; you can easily do this by connecting on the legacy port 5223 for Secure Sockets Layer (SSL) or by upgrading your connection on the standard port 5222 to an encrypted connection using the Transport Layer Security (TLS) protocol. The Jabber.org IM service may in the future mandate this support and disallow unencrypted connections.

Please note that currently your account password at the jabber.org IM service is stored as plaintext, not in hashed or encrypted form. Although access to the machine on which the jabber.org IM service runs is highly restricted and protected, any of the trusted administrators with access to the machine can view your password, and if the machine is hacked then the hacker would be able to learn your password. It is a good security practice to always use a strong and unique password for each service or website that you access, and we strongly encourage you to use a strong and unique password at the jabber.org IM service as well (e.g., a password generated using a tool such as PasswordMaker). Furthermore, we are also exploring options for encrypted storage of your IM password, or for doing away with passwords altogether.

6. Private Messages

Private messages are IMs that you send to your friends at the jabber.org service or at other XMPP-based services on the Internet (such as Google Talk). If your messages are sent through other services then it is possible that those services can log your messages, and we do not have control over those services. However, your private messages are never intentionally logged at the jabber.org service.

If you are not online when someone sends you a message, the message is stored on our server for delivery when you log in again. These 'offline messages' are not encrypted when stored on our server.

7. Chatrooms

We host a number of chatrooms at the conference.jabber.org domain. Conversations in some of these rooms are archived for future reference at <http://logs.jabber.org/> — please visit that link to find out which rooms are archived. If you do not want your chatroom messages archived, please do not join these specific rooms. All other rooms on conference.jabber.org are unlogged, and logging can be enabled only by asking the server admins to enable logging (please ask in the jabber@conference.jabber.org chatroom).

Our chatroom software enables you to register a nickname across conference.jabber.org, and if you register a nickname then we store in the database an association between your JabberID and that nickname.

8. Discussion Lists

We (and the XMPP Standards Foundation) host a number of email discussion lists using the common Mailman list manager software. All messages to these lists are archived for future reference. If you do not want your messages archived, please do not post to these lists.

9. Cookies

The jabber.org website is deployed using static HTML pages and does not use cookies.

The register.jabber.org page uses a technology called CAPTCHA to discourage automated account creation; this feature accesses a CAPTCHA service at google.com, which might use cookies. If you are not comfortable with these cookies, we encourage you to disable or track them using a common web browser plugin such as CookieSafe for Mozilla Firefox.

10. Scripts

The jabber.org website does not use JavaScript, nor does the register.jabber.org page.

11. Data Backup

In order to prevent service interruptions, we back up data related to our services. This data is backed up either at our secure data center (US Secure Hosting Center) or at the ASET service maintained by Penn State University.

12. Changes to This Policy

All changes to this policy must be approved by the Jabber.org admin team, in consultation with the XSF Board of Directors as a 'sanity check'. Potential changes to this policy will be posted at www.jabber.org and the juser@jabber.org email list 30+ days before they take effect, and notice will also be sent via instant message to all registered users of the jabber.org IM service.

13. How to Contact Us

If you have any questions or suggestions regarding this Service Policy, please send email to privacy@jabber.org or to the public juser@jabber.org discussion list (also accessible via news group).