Privacy Engineering

Tri-Lakes Town Square is built so that it cannot betray its readers or sources — not by policy, but by architecture. This page explains exactly how that works, and includes a live audit of the platform’s privacy controls.

Live Privacy Audit

[Live audit widget: shows the real-time pass/fail result of each of the platform’s 21 privacy checks. Its output is not captured on this page.]

This platform operates under New York Civil Rights Law §79-h, the Shield Law, which protects journalists and news organizations from being compelled to reveal confidential sources or unpublished information. We have gone further: we have engineered the platform so that even if a court order were served, there would be nothing to produce.

No Visitor Logging

nginx, the web server that handles all incoming requests, is configured with access_log off. No visitor IP addresses, request paths, timestamps, or user agents are written to disk. Because access_log is an inherited directive, an off at the http level can be silently overridden by any server or location block that names a log of its own, so the setting has to hold across the whole configuration tree; the monthly automated compliance audit verifies the nginx logging configuration.

Cloudflare as an IP Shield

All traffic reaches this site through Cloudflare’s global network. The origin server, a private server in the Adirondacks, is reached only through Cloudflare, so the connection it sees never carries a visitor’s real IP address: even if logging were enabled, it would record only Cloudflare datacenter IPs. Cloudflare does forward the visitor’s address inside request headers (CF-Connecting-IP and X-Forwarded-For); the origin neither reads nor stores those headers, so your home IP address is never recorded on our infrastructure.

The Proxy Layer

Between the web server and the Ghost CMS sits a Node.js proxy. It handles authentication, content delivery, and report submissions, and it reads no IP data from incoming requests: the source code contains no references to req.ip, remoteAddress, or x-forwarded-for.
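
The three claims above (no access log, Cloudflare as the only path to the origin, a proxy that never reads a client address) can all be checked statically. The script below is an added example, not the platform’s own audit code: it writes two constructed nginx/proxy fixture trees, one compliant and one with a silent override, and runs three checks over them. The paths, the headers it expects to see cleared, and the realip rule are assumptions about how such a deployment would be configured.

```shell
#!/usr/bin/env bash
# Added example, not the platform's published audit script. Static checks for
# the web-server and proxy layers, run against constructed fixture trees that
# this script writes itself. Paths, the headers expected to be cleared, and the
# realip rule are assumptions about how such a deployment would be configured.
set -eu

# 1. access_log off must hold for the whole config tree. The directive is
#    inherited, so "off" at http level is silently undone by any server or
#    location block, in any included file, that names a log of its own.
check_nginx_access_log() {   # $1 = directory holding the nginx config tree
    local offenders
    offenders=$(grep -rhE '^[[:space:]]*access_log[[:space:]]' "$1" \
        | grep -vE '^[[:space:]]*access_log[[:space:]]+off[[:space:]]*;' || true)
    [ -z "$offenders" ]
}

# 2. Cloudflare forwards the visitor address in request headers. Setting a
#    header to "" with proxy_set_header drops it from the upstream request,
#    and the realip module must not copy it back into $remote_addr, which
#    would put the visitor's address on error_log lines.
check_nginx_client_headers() {   # $1 = nginx config directory
    local h
    for h in CF-Connecting-IP X-Forwarded-For X-Real-IP; do
        grep -rqiE "^[[:space:]]*proxy_set_header[[:space:]]+$h[[:space:]]+\"\"[[:space:]]*;" "$1" \
            || return 1
    done
    ! grep -rqE '^[[:space:]]*(real_ip_header|set_real_ip_from)[[:space:]]' "$1"
}

# 3. The proxy source contains no expression that yields a client address.
check_proxy_no_ip_refs() {   # $1 = proxy source directory
    ! grep -rIiqE 'req\.ip\b|remoteAddress|x-forwarded-for|cf-connecting-ip|x-real-ip' "$1"
}

# Constructed fixtures: "good" is compliant; "bad" adds a late include that
# re-enables logging and restores the real address, plus a proxy debug line.
write_fixture() {   # $1 = target dir, $2 = good | bad
    mkdir -p "$1/nginx/conf.d" "$1/proxy"
    cat > "$1/nginx/nginx.conf" <<'EOF'
http {
    access_log off;
    error_log /dev/stderr warn;
    include /etc/nginx/conf.d/*.conf;
}
EOF
    cat > "$1/nginx/conf.d/site.conf" <<'EOF'
server {
    location / {
        proxy_set_header CF-Connecting-IP "";
        proxy_set_header X-Forwarded-For "";
        proxy_set_header X-Real-IP "";
        proxy_pass http://proxy:3000;
    }
}
EOF
    cat > "$1/proxy/server.js" <<'EOF'
// constructed stand-in for the proxy: it reads the body, never the peer
app.post('/report', (req, res) => store(req.body.content, req.body.area));
EOF
    if [ "$2" = bad ]; then
        cat > "$1/nginx/conf.d/zz-debug.conf" <<'EOF'
server {
    access_log /var/log/nginx/debug.log combined;
    real_ip_header CF-Connecting-IP;
}
EOF
        echo "console.log(req.socket.remoteAddress);" >> "$1/proxy/server.js"
    fi
}

# Runs the three checks against one fixture tree; exit status = failures.
audit_tree() {   # $1 = fixture dir
    local fails=0 c
    for c in check_nginx_access_log:nginx check_nginx_client_headers:nginx \
             check_proxy_no_ip_refs:proxy; do
        if "${c%%:*}" "$1/${c##*:}"; then echo "PASS ${c%%:*}"
        else echo "FAIL ${c%%:*}"; fails=$((fails + 1)); fi
    done
    return "$fails"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
write_fixture "$tmp/good" good
write_fixture "$tmp/bad" bad
audit_tree "$tmp/good"                                       # three PASS lines
audit_tree "$tmp/bad" || echo "bad tree: $? check(s) failed"   # reports 3
```

The second check is the one most easily missed: clearing the Cloudflare headers at the proxy is only half of it, because a real_ip_header CF-Connecting-IP line anywhere in the tree would rewrite $remote_addr to the visitor’s address and nginx’s error log would then carry it on every upstream failure.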

Anonymous Upvotes

Story upvotes are stored entirely in your browser’s localStorage, keyed by story slug. The server is never contacted when you upvote a story, so there is no server-side record of who voted on what; since nothing is sent, no site-wide tally can exist either, and the count you see is local to your browser.

Report Submissions

When a reader submits a community report or grievance, the platform stores only the content of the report, a neighborhood category, and a timestamp: no IP address, no device fingerprint. Name and email are optional fields; if you leave them blank, your submission is fully anonymous.

Image Upload Protection

All images uploaded to this platform are re-encoded by Sharp, a Node.js image processing library, before being stored. Sharp’s default output carries no metadata at all: EXIF (including GPS coordinates, device model, and capture timestamp), XMP, and IPTC are dropped unless the code explicitly asks to keep them with withMetadata(), so stripping is the library’s default behaviour rather than a step that can be forgotten. A photo taken on your phone cannot reveal your location through this platform.

Document Metadata Stripping

Every document served from the Records archive (PDFs, spreadsheets, and office documents) passes through mat2, a dedicated metadata removal engine, before being delivered to your browser. mat2 strips authorship data, creation timestamps, editing history, embedded GPS coordinates, and software fingerprints from every file. A PDF obtained from a government source and uploaded here cannot reveal, through its metadata, who accessed it or where it came from. Note that mat2 removes metadata, not content: a name, stamp, or reference number printed in the document itself is left exactly as it was.
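
As an added example, not code from the platform, here is a fail-closed gate around mat2 for the step described above. It assumes uploads land in a quarantine directory and that only cleaned copies are moved into the directory the web server serves. mat2’s behaviour of writing NAME.cleaned.EXT next to its input and exiting non-zero on failure is real; the directory layout and the MAT2 override variable are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example, not the platform's own code: a fail-closed gate around mat2.
# Assumes uploads land in a quarantine directory and that only cleaned copies
# move into the directory the web server serves. MAT2 can be overridden to
# exercise the gate without mat2 installed.
set -eu
MAT2=${MAT2:-mat2}

# Cleans one uploaded record and publishes the cleaned copy. mat2 writes
# NAME.cleaned.EXT next to its input and exits non-zero on failure. If the
# tool is missing, fails, or produces no output, nothing is published and the
# original stays in quarantine for an operator; it is never served as-is.
publish_record() {   # $1 = quarantined upload, $2 = served directory
    local src=$1 served=$2 name cleaned
    name=$(basename -- "$src")
    cleaned="${src%.*}.cleaned.${src##*.}"

    if ! command -v "$MAT2" >/dev/null 2>&1; then
        echo "refusing to publish $name: $MAT2 is not available" >&2
        return 2
    fi
    if ! "$MAT2" "$src"; then
        echo "refusing to publish $name: metadata removal failed" >&2
        rm -f -- "$cleaned"          # discard any partial output
        return 1
    fi
    if [ ! -s "$cleaned" ]; then
        echo "refusing to publish $name: mat2 produced no output" >&2
        return 1
    fi

    mv -- "$cleaned" "$served/$name"
    rm -f -- "$src"                  # the original, metadata and all, is not kept
    echo "published $served/$name"
}

# Usage: publish_record /srv/quarantine/minutes.pdf /srv/www/records
# To list what mat2 would remove from a file before cleaning it: mat2 -s FILE
```

Cleaning at ingest and discarding the original, as this gate does, goes one step further than cleaning at delivery time, since no copy carrying the metadata remains on disk afterwards. Whichever point is chosen, the important property is that the gate fails closed: an unavailable or failing mat2 must mean the file is not served, never that it is served uncleaned.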

Database Logging

Ghost CMS uses MySQL 8 as its database. MySQL’s general query log and slow query log are both disabled, and error logging is directed to stderr only, so no SQL statement containing report content is written to a log file. For that to hold the binary log must be off as well: MySQL 8 enables it by default, and it records every row written, report content included.

Container Log Caps

Every container (the web server, the proxy, Ghost, MySQL, and mat2) is configured with a 1MB log cap and a single-file rotation policy, so at most the most recent 1MB of a container’s output exists at any moment; everything before it is discarded at rotation and cannot be recovered.

Monthly Compliance Audit

An automated shell script runs monthly and verifies all 21 privacy controls are in place. If any check fails, the operators are alerted. The audit covers nginx logging, proxy IP handling, Ghost log files, MySQL logging, Docker log rotation, credential exposure, Cloudflare tunnel status, and mat2 availability. The live audit widget above runs the same 21 checks in real time, split across two layers: 12 checks run inside the proxy container, and 9 host-level checks run inside a dedicated persistent audit container with access to the Docker socket and nginx configuration. Both layers are required to pass for the platform to be considered compliant.
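
An added example, not the platform’s 21-check script, of how two of the host-level checks named above (MySQL logging and Docker log rotation) could be written and tallied. The fixtures are constructed: a my.cnf, and the LogConfig JSON that docker inspect --format '{{json .HostConfig.LogConfig}}' NAME prints, saved to a file so the check runs here without a Docker socket. The option names are MySQL’s and Docker’s; the file layout and the convention that a layer’s exit status is its failure count are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the platform's 21-check script. Two host-level checks
# (MySQL logging, container log caps) and the tally that a layer reports, run
# against constructed fixtures. Option names are MySQL's and Docker's; the
# file layout and the "exit status = failure count" convention are assumptions.
set -eu

# MySQL: general_log and slow_query_log default to OFF, so only an explicit
# ON (or a bare "general_log" line, which also means ON) fails. The binary
# log defaults to ON in MySQL 8 and records every row written, report content
# included, so it must be disabled explicitly. log_error naming a path would
# put error text on disk instead of stderr.
check_mysql_logging() {   # $1 = my.cnf-style file
    local f=$1
    ! grep -qiE '^[[:space:]]*(general_log|slow_query_log)[[:space:]]*(=[[:space:]]*(1|on|true)[[:space:]]*)?$' "$f" \
        || return 1
    grep -qiE '^[[:space:]]*(skip|disable)[-_]log[-_]bin[[:space:]]*$' "$f" || return 1
    ! grep -qiE '^[[:space:]]*log[-_]error[[:space:]]*=[[:space:]]*/' "$f"
}

# Docker: validates the LogConfig JSON for one container, as printed by
#   docker inspect --format '{{json .HostConfig.LogConfig}}' NAME
# and saved to a file. A missing option means Docker's default: unbounded.
check_container_log_cap() {   # $1 = file holding the LogConfig JSON
    local f=$1
    grep -qE '"Type":"(json-file|local)"' "$f" || return 1
    grep -qE '"max-size":"1[mM]"' "$f" || return 1
    grep -qE '"max-file":"1"' "$f"
}

# Constructed fixtures: good/ is compliant; bad/ leaves the binary log at its
# default, sends errors to a file, caps one container at 10MB x 3 files and
# leaves another uncapped.
write_fixtures() {   # $1 = target dir; creates good/ and bad/ beneath it
    mkdir -p "$1/good" "$1/bad"
    cat > "$1/good/my.cnf" <<'EOF'
[mysqld]
general_log=OFF
slow_query_log=OFF
skip-log-bin
EOF
    cat > "$1/bad/my.cnf" <<'EOF'
[mysqld]
general_log=OFF
slow_query_log=OFF
log_error=/var/log/mysql/error.log
EOF
    local good='{"Type":"json-file","Config":{"max-file":"1","max-size":"1m"}}'
    printf '%s\n' "$good" > "$1/good/ghost.logconfig"
    printf '%s\n' "$good" > "$1/good/mysql.logconfig"
    printf '%s\n' '{"Type":"json-file","Config":{"max-file":"3","max-size":"10m"}}' \
        > "$1/bad/ghost.logconfig"
    printf '%s\n' '{"Type":"json-file","Config":{}}' > "$1/bad/mysql.logconfig"
}

# Runs one layer's checks; exit status = number of failures, so a caller can
# AND this layer's result with the in-container layer's.
host_audit() {   # $1 = fixture dir
    local d=$1 fails=0 spec
    for spec in "check_mysql_logging $d/my.cnf" \
                "check_container_log_cap $d/ghost.logconfig" \
                "check_container_log_cap $d/mysql.logconfig"; do
        if $spec; then echo "PASS $spec"
        else echo "FAIL $spec"; fails=$((fails + 1)); fi
    done
    return "$fails"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
write_fixtures "$tmp"
host_audit "$tmp/good"                                          # three PASS lines
host_audit "$tmp/bad" || echo "host layer: $? of 3 checks failed"   # reports 3
```

Run from an audit container with the Docker socket mounted, the JSON would come straight from docker inspect rather than from a file; the file indirection is only so the check runs offline here. The binary-log line is the one worth copying: a my.cnf that disables the general and slow logs but says nothing about log_bin still writes every inserted row to disk on a default MySQL 8.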

What This Means

If this platform received a subpoena demanding “all data identifying who submitted report X,” the honest and complete response would be: the data does not exist. This is not a legal argument. It is an engineering fact. You cannot produce what was never collected.

Speak without fear.