Security details and audit

  • 1
  • Idea
  • Updated 3 years ago
As a bit of a security nut, I can't believe this didn't occur to me before now (long-time user here). Given the (necessary) level of access that the CE software has into my online life, it would be helpful if you guys would do two things.

First, put an FAQ somewhere on your site with some details about how you're securing our data--what types of encryption you're using in transit and while stored, how you're avoiding sending extremely personal information (like bank account numbers, SSNs, etc.), and so on. Obviously, some of that might interfere with the accountability mechanisms, but it'd be nice to see as much information as possible in order to get some idea of how secure this is. 

Second, it should be standard operating procedures for an app with this level of access to get an outside security audit of the client software and server code. This helps make sure that it's as safe as it can be, given the constraints. I understand that this may have already happened and not been publicized, but still...
Photo of BarneyFifeFan


  • 18 Posts
  • 1 Reply Like
  • insecure

Posted 3 years ago

  • 1
Photo of Annelise

Annelise, Official Rep

  • 258 Posts
  • 13 Reply Likes
Hello BarneyFifeFan,

Thank you for your post and your questions! One of our managers was able to put together a response for you! It's quite lengthy but hopefully it answers all of the questions you have!

Security FAQs

Does Covenant Eyes monitor secure (HTTPS) sites?

Information we collect and how we use it
  • Information you provide prior to signup—When you fill out a form on the Covenant Eyes website, you are considered to have opted in to receiving e-mail communications from Covenant Eyes. You may modify your e-mail subscription preferences or unsubscribe at any time by clicking the “Unsubscribe” link in your e-mail.
  • Information you provide upon signup—When you sign up for or modify a Covenant Eyes account, you provide us with personal information about yourself and the people that you list on your account. This information includes names, contact information, usernames, and passwords created for Covenant Eyes, settings for our services, and billing information. We use this information to maintain your account and deliver services to people listed on the account.
  •  Information passively gathered while visiting our websites—When you visit Covenant Eyes websites, we may send cookies to your device and we may record server logs of your web requests on our websites. We use this information to deliver the functionality of the website and to learn how people use our websites so that we can improve them. These cookies may also be used to show you advertisements for Covenant Eyes on other websites using Google AdWords or other ad vendors. You may update your advertising preferences at any time using Google Ad Preferences.
  •  Information passively provided by other vendors—We may use other vendors, including Google AdWords, which collect information about your use of other websites and allow us to better target advertisements to you based on your needs and interests. We only see this information in aggregate, and never directly connect it to an individual’s browsing. You may update your advertising preferences at any time using Google Ad Preferences.
  •  One-on-one communications—We may keep records of our communications with you that involve customer support and sales. We use this information to follow up on issues with customers, determine the frequency and severity of technical issues, improve our sales, and for training employees. Unless you specifically request to be added to a mailing list, you will not be added to any marketing communications as a result of these personal requests.
  •  Internet activity—One of our core services is our accountability service, which requires that we log our Accountability Users’ Internet activity. For subscribers to that service (who have also agreed to our User Agreement), we gather activity per user, rate that activity, and use it to generate Reports that are then delivered to people that each Accountability User has identified.

In addition, we may internally use the information we collect to maintain and improve our products and services and to develop new products and services.

When do we share information?

We share information with others only when we must in order to deliver our services to you or when legally compelled to do so. These are the scenarios in which we share private information.

  • Covenant Eyes Accountability Users specify other people who will serve as their Accountability Partners. Each Partner is thus granted permission to receive Reports of a user’s Internet activity. We provide these Reports via e-mail and each partner can access Reports through our secure website.
  • Filter Guardians may view portions of a user’s Internet activity in the fulfillment of their role as Filter Guardian.
  • We may share information with strategic partners that work with Covenant Eyes only to improve your experience with our products, services, and advertising. This information may include limited contact information only for the sake of personal inquiries, but will not be shared with third parties for their marketing purposes.
  • We will disclose information when required to by the order of a court with proper authority.

What information is transferred from a users device to the Covenant Eyes servers?

Covenant Eyes software focuses on the the elements which make up the static portion of the site.

We don’t see private information on web pages, e.g., password, usernames, SSN, account numbers or balances, health records, etc. In these cases, we only see and report the name of the Domain that was visited. For example, if I log in to my bank site, Covenant Eyes software will record only the domain, no personal information. However, since this is appropriate internet activity, this would not appear on an accountability report. If your accountability partner wanted to, they could see the Domain (nothing more) in the detailed browsing log.

Our developers take meticulous steps to avoid capturing information which could lead to any form of identity theft.

Covenant Eyes is installed on computers that are used in doctor’s offices, hospitals and other offices which must comply with HIPAA regulations.

CE has two reports available to your Accountability Partner (AP); a summary report that is emailed to your AP and a detailed report which is only available on the CE web site.

Below are 3 examples of internet browsing, the information captured by Covenant Eyes, and how it is reported: Google search on the word “bikini”, log into a personal bank account, and log into and navigate a health insurance site.

Accountability Report (set to report on sites rated at Teen and above)

After browsing to a Bank web site, a Health Insurance site, and doing a Google Search on a keyword rated at Mature, this is what the Accountability report looks like. 

Detailed Browsing Log - Bank, Health Insurance, Google Search

After browsing to a Bank web site, a Health Insurance site, and doing a Google Search on a keyword rated at Mature, this is what the Accountability report looks like.

How does Covenant Eyes work, including all of the data that your software analyzes and how the analysis is done?

Covenant Eyes monitors the URLs that are accessed on the computers/devices where it is installed.  The Covenant Eyes software can see the user's Internet traffic, but this does not not include encrypted information such as passwords or other sensitive data.  Also, Covenant Eyes is not a "keylogger", so we do not monitor this information when it is typed in on the computer.  After collecting the Internet traffic, the URL data is encrypted and sent to our servers where our system analyzes them looking for entries which would indicate the presence of pornographic content. The system then assigns a rating to the URLs based on what it finds on the page.

What do Partners see on the Report?

Accountability Reports contain an overview of the websites you visited, including a general rating for each site along with the dates and times the sites were accessed. Sites with more mature subject matter will typically be rated higher than other sites.

Every Report has its own sensitivity level. Your Partner can choose how sensitive the Reports are. For example, if your Partner wants to see all the searches and websites rated “Teen” and above, then he or she can set the report sensitivity to T (Teen). If your Partner wants to see only material rated “Highly Mature,” he or she can set the sensitivity level to HM (Highly Mature). Learn more about the Report settings.

You can adjust Accountability Reports to four different age-based sensitivity levels.

Some features your Partner will see on the report:

  • Searches – Any web searches you do that are at or above the report sensitivity setting will show up on your Report.
  • Activity for Review – Any web domains you visit with high rated sites will be listed.
  • Average Hourly Usage – A graph will show the hours of day you use the Internet the most.

Report Settings - Reports can show a lot of different content, such as pages visited, search terms used, or average hourly usage. As you get used to examining the Report, you may find that certain sections aren’t helpful. You may turn these sections on or off by selecting or deselecting them from the list. You can change any Report settings through My Account.

What will partners NOT see on the report? rtners-not-see-on-the-report/

Accountability Reports contain an overview of the websites you visited, including a general rating for each site along with the dates and times the sites were accessed. However, there is a short list of what partners will not see on the Report.

  • Accountability Reports do not show the sites you visited before Covenant Eyes was installed—Covenant Eyes does not go back into your computer’s history. It only reports your web browsing from the time you install it.
  • Accountability Reports never show Internet activity older than 30 days—Covenant Eyes does not save Internet activity older than 30 days. Partners can save old Accountability Reports in their inboxes, but they cannot open any links on Reports older than 30 days. Accountability Reports do not show private messages—Reports do not include e-mail messages, instant messages, chat conversations, Facebook statuses, or any information you enter into a text field.
  • Accountability Reports do not show financial information—Covenant Eyes is not a “keylogger”: it does not record your keystrokes. This means any sensitive financial information, such as a credit card number, will never appear on your Reports.

User Privacy Agreement -

6. Privacy; use of information provided to Covenant Eyes. Covenant Eyes is committed to protecting your privacy concerning any information collected under the terms of your agreement(s). In acknowledging your agreement with this policy, you as the User have agreed to allow Covenant Eyes to monitor and/or filter your use of the Internet at your own computer. You, the User, agree that your Internet use may be monitored and reported to you and/or your Accountability Partners; monitored Internet use includes, among other things, web browsing, newsgroups, FTP, IP addresses, times of use, and may also include recording and reporting of additional Covenant Eyes accounts owned by you which may have different Accountability Partners. If one or more Accountability Partners are deleted, or if the account is canceled, Accountability Partners may be provided with a then-current report of activity up to the time of deletion or cancellation. In turn, Covenant Eyes promises that any information collected will only be provided to you or your Accountability Partner(s) as per this agreement, except upon specific request by you or your active Accountability Partner(s), and limited to the purposes of said request.

Additionally, while you are a member of a Covenant Eyes Community, Community Owners and Managers will see the anonymized, aggregated statistics of the users in the Community who have installed Covenant Eyes software and apps, have Accountability Partners, and use Filtering. Community Owners and Community Managers will see the names of Account Administrators and Billing Controllers of accounts that are a part of their Community, and may see the names of other users on those accounts when that permission has been granted by the Account Administrator.

If you have any further questions feel free to contact our Customer Service at 877.479.1119.

Best regards,