We want to be clear that we actively try to avoid collecting potentially
sensitive information. For example, if we encounter an exposed, unauthenticated
database, we will only collect a minimal amount of information that will allow
us to corroborate the finding. In the case of an open (i.e. no authentication)
SQL database available, we would only collect a sample of the information
schema, avoiding collecting the table’s contents.
When we suspect that some sensitive information might be collected inadvertently
by our systems, we will store it in hashed format so that it can not be used
maliciously.
We only intend to study and collect data about corporations and other entities.
It is not our intent to collect or study the IP addresses of individuals as part
of this project. Since we only collect and study IP addresses, we cannot tell if
an IP address is owned by a person or an entity (as we have no personal data to
tie it to). If you identify yourself to us as an individual via our opt out
process (see “Opting Out” below), and request that we delete your personal
information, we will use commercially reasonable efforts to delete any personal
information about you from our scanning activities (other than information we
must retain to comply with your request to remain on our opt out list or as
otherwise permitted by applicable law).