Occult Watcher User Privacy and Security

  This memo describes measures taken in OccultWatcher to protect users privacy and security as follows:

1) Using encryption in communications with the server
2) Obscuring observer's positions to other observers
3) Protecting user details on the server
4) Recommended firewall settings

1. Using encryption in communications with the server

Occult Watcher contains two main components which are the client application referred to as OccultWatcher and the online server referred to as Observation Planning Server. The Observation Planning Server stores information about the announced stations and reported observations as well as user details such as email address, name, country, affiliation etc. OccultWatcher communicates with the server using XML Web Services via the
SOAP protocol over HTTP. In various cases OccultWatcher may send to the server the user's email address and his/her station coordinates.

Versions of OccultWatcher 2.5 and below does not use encryption in this communication with the server and theoretically it is possible but unlikely for someone to intercept the data between the client and the server.

Starting from OccultWatcher ver 3.0 all communication between the client and the server is encrypted using strong encryption algorithms and cannot be decrypted if intercepted by a man in the middle. The Observation Planning Service implements the WSE-Security and WSE-Encryption standards and forces encrypted communication using RSA and AES if the client supports it. All clients starting from OccultWatcher 3.0 support encryption.

2. Obscuring observer's exact position for other observers

To protect observer's privacy Occult Watcher further more implements obscurity of the exact observer's location making it in most cases very hard for someoome for a limited period of 1-2 hours to find out the exact location of announced by another user station. You have to be aware that if you observe from a remote location with only few roads it will be easier for someone to find your exact position. Following are details on how the obscurity is implemented.

When a user submits a station his/her exact position is sent to the server. If you are using OccultWacther 3.0 or later version this position is encrypted. Once the server receives and decrypts the exact submitted position, it computes a single random position in a random direction from the exact position and in the range of 1 to 2km (or 3 to 5 km) from it. This position is then saved as an obscured position of the station. Both the obscured and the real positions are stored on the server. When another observer is retreiving from the server the submitted positions by other observers for the same event, the server will return the generated obscured positions for the other observers, rather than the exact locations. This way everyone else will see the observer at the same spot, which is not the spot where the observer is going to be exactly. The exact locations are only sent to the owners of the stations.

To demonstrate how this work lets have a look at the following example of two observers observing from not too densly populated area. Alice and Bob have both submitted a station for the same event. The screenshots below show what Alice and Bob will see when they open up the GoogleMap provided by OccultWatcher.

This is what is shown to Alice:

And this is what is shown to Bob:

3. Protecting user details on the server

The data files used by the Observation Planning Server are securely stored on the server and can be only accessed by the Occult Watcher administrator which at this time is Hristo Pavlov. No personal details will be disclosed to anyone for whatever reason, this includes your email address, name, country, affiliation etc. details.

4. Recommended firewall settings

OccultWather normally uses only port 80 over HTTP to communicate with the Observation Planning Server and to get other online resources. All the web sites that OccultWatcher may ever connect to can be seen and reconfigured (if ever needed) from the Advanced Options on the Web Services tab: