Starting anything – a campaign, an organization, a meetup, a website, a book club – requires decision making. And decision making is hard. With that in mind, I’m going to try and document the various decisions that we’ve had to make recently with regard to technology choices – from databases to taxonomies to survey tools. You’re in for a wild ride, but I thought I’d start off with one we had to make back when we updated this website: hosting.
What does hosting refer to? This website, and all others, stores its data (the text in this post for example) on a server that sits in an actual room in an actual building somewhere in the world. Choosing your web hosting means that you are choosing where that building should be, who should manage your data, and how the server, and your data on it, should be organized. There are three primary types of hosting services: shared server, private/dedicated and cloud. We didn’t look at cloud options when we were deciding where to host this site*, so there won’t be much on that in this post, but we did have to think through whether a shared or private server was right for us.
This choice can be a bit daunting – which is why we broke it down into a set of categories and criteria. The companies in the first column were chosen based on recommendations from our Advisory Board.
|Connection Security||Server Organization & Security||Monthly Price: Shared (VPS)||Server Location||Live Chat?||Control Panel?|
|Electric Embers||SFTP||Virtual Private (VPS) comes with base price||12.50 USD (12.50 USD)||U.S.||No (9-5 hotline, email tickets)||No|
|Web Faction||SFTP||Shared||5.50-9.50 USD (N/A)||U.S. and Netherlands||Yes||Yes|
|Rochen||SFTP||Shared and VPS||9-25 USD (149 USD)||U.S.||Yes||Yes|
|Orange Website||SFTP||Shared and VPS||4-36 USD (36-300 USD)||Iceland||No (And slow email reply)||ISPomage Panel|
|Project DOD||SFTP||Shared||60 USD (N/A)||U.S.||No (And no response)||No|
Breakdown of Our Selection Criteria
It’s helpful to separate issues of security into two categories: connection to the server, and the server.
The Connection to the Server
Connection refers to the passage of information from you, wherever you are now sitting, to the servers hosting the site you are viewing. When you access this site over SSL – which you are, because we have it turned on as the default – your connection is encrypted on your side and the side of our servers. This requires installation of an SSL Certificate (which we had to purchase our selves), which every hosting provider we spoke to said they would do without additional cost.
Connection also refers to the passage of information from us (engine room staff) to our servers: how do I upload the files that make up this website? It’s done using something called File Transfer Protocol (FTP), but it was important to us that this connection be encrypted, which is why we looked closely at every provider’s offerings with regard to SSH File Transfer Protocol, or SFTP. As you can see above, every company we looked at would have made it easy for us to upload and download files over SFTP.
Organization of Data on the Server
Would our data be sharing a space on a server with other peoples’ (shared), could we have our own server (private) or could we recreate the security of a private server by storing our data on many small different parts of one machine (Virtual Private Server)?
For us, the choice was between shared hosting and a Virtual Private Server (VPS), as a server all to ourselves would have been cost-prohibitive. As it was described to me, there are two main benefits to using a VPS: performance and security. Performance wasn’t an issue (we aren’t exactly competing with Facebook in our site traffic!). With regard to security: A VPS simulates a real private server. This means that no one other than us has any access to the server: they can’t make any connections to the file systems that are in the private server. Someone maliciously hacking our site would have a harder time accessing it, and it would be less vulnerable to the spam and noise that’s so prevalent on the internet. For these reasons, and because (as you can see in the criteria matrix) we were able to snag a deal in VPS hosting by choosing Electric Embers, we went with a VPS.
Location of the Server
Where will your data be at the least risk of law enforcement’s access to it? Personally, my initial instinct was to avoid the US and the EU because I assumed their laws with regard to privacy were the worst, and to look towards Iceland’s and those of other Scandinavian countries because I assumed they were the best.
It turned out that this isn’t exactly true. It also turned out that – as our colleagues at EFF have underlined (in email correspondence) – this is an incredibly difficult and complicated issue to try and extract a simple conclusion from. For instance, the security provided by a given jurisdiction depends on a variety of factors that are specific to one’s particular situation. You have to do your own threat analysis, asking questions like:
- Which law enforcement body might try to access my data?
- What is the relationship between that law enforcement body and its counterparts under the jurisdictions where I am considering hosting my data??
- Does the country in question have strong privacy laws with small print exceptions, like loopholes for law enforcement and/or intelligence agencies?
For us the decision hinged on one big factor: how likely would each provider be to tell us that they had been subpoenaed for our data? This was one of our big questions for each of the web hosting providers, and it was clear in those conversations the degree of vigilance the hosting providers had in protecting their clients’ sites.
For a good dive into some of EFF’s work to create comparative frameworks for jurisdiction over hosted data, see here.
Some of our advisors suggested that in addition to the above criteria for assessing security, we should speak to potential providers about the experience thinking strategically about the security concerns of human rights activists and identifying appropriate mitigation strategies. Since DDoS prevention is a tough nut to crack even for the experts, we felt that experience and strategic thinking, as well as the likelihood that the company would tell us right away if something were up, were good indicators of a hosting providers preparedness to respond to an attack.
When it comes to hosting, I love a 24-hour live chat. At the same time, there is something to be said for a hosting provider whose staff will take the time to get on the phone with you and explain in detail technicalities that are over your head. With that in mind, and also because of the price, we went with Electric Embers despite their lack of creature comforts like live chats or a control panel for easily installing software (i.e. WordPress, Drupal).
Tell Us About How You’ve Chosen Your Hosting Provider
Was this helpful for you? How much did we miss (I’m sure plenty)? Should we take another look at any of the above decisions, add new criteria or hosting providers to assess? *Should we have looked harder at cloud hosting? Let us know in the comments!