• A small reminder of Legitimate URLs for my content

    I've had some reports come in of my site not loading correctly  via an onion (tor) address.

    Upon further inspection, it's not actually an address operated by me, but is someone trying to ride on the back of my content to extract ad revenue. For avoidance of doubt 6zdgqjwwmjiphye3.onion is not legitimate.


  • All Digital Downloads Withdrawn From Sale

    As I wrote recently, the EU definition of the Place of Supply with regard to digital services has shifted to the place in which the customer resides.

    As a result of the change (and more importantly, the bureaucracy involved in both recording the place of supply and filing returns) all digital downloads within my Shop section have been withdrawn from sale.

    You can read more about why this decision had to be made in my earlier post.

    If, for whatever reason, you've a burning desire to purchase something that was previously on sale, please Contact Me to arrange a manual transaction.


  • Bentasker.co.uk now available as a Tor Hidden Service

    Hidden Services have had something of a bad rap in the media of late, whilst it's undoubtedly true that some host some unpleasant material, the same can equally be said of the World Wide Web.

    Hidden Services do have the potential to bring a much higher level of privacy to the end-user, and aren't always about hiding the origin from the user (or an attacker). The cryptography used in Tor's transport is arguably much stronger (and easier to change if found to be broken) that is available for HTTPS.

    To that end, I thought it would be wise to configure the site to be multi-homed, that is to be accessible via both methods.

    Because both are run by the same back-end, updates will appear on both at the same time.

    So, you can now access BenTasker.co.uk at either

    A link to the .onion has also been added to the Privacy bar on the left.

  • Changes to BenTasker.co.uk

    I've recently made a few changes to BenTasker.co.uk, with some more in the pipeline.

    This post gives details on the changes made so far.

  • FLoC disabled on my sites

    Cookies have been viewed as the enemy for quite some time, with the result that 3rd party cookies are (quite rightly) being treated with high levels of suspicion.

    Unfortunately, the focus being on cookies rather than the tracking/profiling that they enable has left an opening for the unscrupulous to offer a cookie-less alternative.

    Enter Google, who a while back announced they were building something called Federated Learning of Cohorts (FLoC) into Chrome. The basic underlying idea of FLoC is that it assigns the browser a cohort ID - grouping it in with other browsers who have a similar browsing history.

    The browser's history never leaves the browser, with the cohort ID being calculated locally (updating once per week, based on the previous week's browsing), websites can then query the browser for it's cohort ID (by calling document.interestCohort()) and serve appropriate ads based on the ID returned.

    However, deeper inspection has shown that rather than solving privacy issues, FLoC simply presents new ones - in fact there's an obvious vector in the paragraph above - your cohort ID is the same across all sites you visit...

    Plus, although I say new, some of these issues were highlighted in 2019 and remain unaddressed.

  • I've gone Joomla 3!

    Joomla! 3.0 was released in September 2012, and I've been planning an upgrade of the site ever since. As should be obvious by the change in layout, the migration is now complete. 

    There are quite a few changes that have been made at the same time, some obvious, some far less so...

  • Launching the "House Stuff" blog category

    Not the most exciting news I'm sure, but I'm adding a "House stuff" blog category to my site.

    I've been feeling a bit... meh... of late, partly because I've not had opportunity to write anything here in a while. Part of the reason for that is that I've been focused on various home improvements/tweaks, not all of which fit well into more tech related sections (though there is some overlap).

    The aim of this category is to give me a cathartic outlet, even if I'm just reinsulating or building a door.


  • Onion Location Added to Site

    Bentasker.co.uk has been multihomed on Tor and the WWW for over 5 years now.

    Over that time, things have changed slightly - at first, although the site was multi-homed, the means of discovery really was limited to noticing the "Browse via Tor" link in the privacy bar on the right hand side of your screen (unless you're on a mobile device...).

    When Tor Browser pulled in Firefox's changes to implement support for RFC 7838 Alt-Svc headers, I added support for that too. Since that change, quite a number of Tor Browser Bundle users have connected to me via Onion Services without even knowing they had that additional protection (and were no longer using exit bandwidth).

    The real benefit of the Alt-Svc method, other than it being transparent, is that your browser will receive and validate the SSL cert for my site - the user will know they're hitting the correct endpoint, rather than some imposter wrapper site.

    Which brings us to today.

    Tor have released a new version - 9.5 - of Tor Browser bundle which implements new functionality: Onion Location

  • Onion V3 Address is live

    My site has supported using V3 Onions at the transport layer for quite some time, having implemented Alt-Svc headers to allow Tor to be used opportunistically back in October 2018.

    What I hadn't got around to, until now, was actually support direct access via a V3 hostname. I'd put a reasonable amount of effort into generating a personalised V2 address, and making sure it was documented/well used.

    However, V2 Onions have been deprecated, and will start generating warnings in a month. Total discontinuation of V2 support is scheduled for July 15th 2021.

    So, I figured I should get V3 support up and running, and have today launched the service.


  • Optimised Routing and Opportunistic Tor Enabled

    In the past few days, I've enabled some new functionality on my delivery network, affecting (almost) every domain being served by it.

    Those using a browser which supports these changes should see improved delivery performance, and enhanced privacy.

    This post details the changes that have been made, and what they mean to you

  • Privacy Policy - 20180522

    This page serves as the GDPR Privacy Notice for www.bentasker.co.uk.

    The controller of the data collected is Ben Tasker.

    You have the right to object to processing, either by objecting to a specific mechanism as described below, or by Contacting Me. If you feel your objection has not been appropriately handled, or that the processing does not have a lawful basis, you also have the right to complain to a supervisory authority.

    As an overall summary of the policy - I collect some data in order to run and improve the site, but will not share that data with third parties unless I'm legally compelled to do so

    Where I'm performing a service for you (i.e. you're a customer rather than simply visiting the site), our contract will include sections as needed to cover any additional elements I may encounter whilst working for you.

    Compliance with a Legal Obligation

    The following data is processed/retained in order to comply with Legal Obligations - GDPR Section 6(1)(c)

    Tax Records

    If you purchase a product or service for me, then you will have been issued with an invoice containing some or all of the following personal data

    • Your Name
    • Your Address
    • Your Email Address
    • Your Telephone Number

    A copy of your invoice will be filed with my Tax records, which in order to fulfil HMRC's requirements must be retained for up to 7 years.

    Because this data must be available in order to comply with a legal obligation, the GDPR rights of erasure and objection cannot be exercised for this data.

    The data is retained on isolated systems with very strong access controls, and will not routinely be passed to any third party. In the event of an audit by HMRC, however, the data may be provided to them when formally requested.

    Legitimate Interests

    The following data is processed/retained based upon the Lawful Basis of GDPR Section 6(1)(f) - Legitimate Interests. In accordance with GDPR, all have been subjected to a Legitimate Interest Assessment (LIA) in order to balance your rights with the legitimate needs.

    Access Logs

    All requests and connections to my network services are written to access logs for the necessary purposes of Network & Information Systems Security, Billing and Account Management Purposes and Network Systems scaling and management.

    The data stored which may be considered to contain Personal Data is

    • Connecting IP address
    • Details of the request/connection (i.e. which page and site was requested, or for non HTTP connections, which service was requested)
    • HTTP Referrer string (where available)
    • HTTP User-Agent header (where available)

    The data collected in access logs is not passed to any third party, and will not be unless required by a lawful warrant issued by a court whose jurisdiction includes the United Kingdom (and any such warrant, even then, may be contested if it's felt to be overly broad or inappropriate - I have no more interest in allowing the Government to trample over your rights than you do).

    Access logs are retained for 90 days from the date of their creation, after which they are automatically removed. However, where log lines are considered potentially relevant to a network incident, they may be retained until the investigation has completed. Those which are assessed to relate directly to the incident will be retained as part of the incident report, but will be anonymised as appropriate to the context in which they are being reported.

    Any individual wishing to object to this processing should use the contact method provided within this policy. All requests will be considered upon their own merits (and the feasibility of implementation).

    A limited amount of automated processing is used in order to identify "bad actor" IPs and limit their ability to cause harm to my systems. The data is not passed to any third party in order to perform this processing.

    The processing of this data is not only essential to the services I provide, but is necessary to help ensure that any other data I may hold on you remains protected. Logs form an essential component of investigations into any suspected breach, and without them it may not be possible to identify (and fix) the method used to achieve a compromise. Ultimately, this limited processing benefits both you and my entire user-base.

    Site Behavioural Analytics

    I use an analytics program in order to record site and user behaviour on my sites for the purposes of identifying how sites are behaving and where (and how) improvements can be made (for example if a regularly visited URL results in a 404 Not Found). The data is used in order to rectify issues, track site performance and to aid in troubleshooting when issues are reported. It is also utilised in order to help make scaling and deployment decisions within my Content Distribution Network (CDN), as well as identifying cases where a user has been routed to an incorrect server (for example, a US user being sent to an Asian distribution node).

    The following personal data is collected and stored

    • IP address (masked to exclude the final 2 bytes - i.e. 192.168.x.x instead of
    • Rough geographic location (based upon the anonymised form of the IP)
    • HTTP Referer (where available)
    • Screen resolution (used to aid design decisions and optimise media for delivery)
    • HTTP user-agent
    • OS and hardware platform (derived from the above)
    • Browser language (from the Accept-Language header)

    This granularity of data is retained for 31 days. The data is then used to generate an aggregated data-set (so records are grouped by items they have in common - like geographic location) which is retained for 4 month

    The data collected in access logs is not passed to any third party, and will not be unless required by a lawful warrant issued by a court whose jurisdiction includes the United Kingdom (and any such warrant, even then, may be contested if it's felt to be overly broad or inappropriate - I have no more interest in allowing the Government to trample over your rights than you do).

    If you wish to object to this processing there are three means of doing so

    • Visit https://piwik.bentasker.co.uk/optout and set appropriately
    • Enable "Do Not Track" in your browser
    • Install an adblocker and enable it

    The former will have full effect on all my sites/services. However, it will not protect you from similar processing on other people's sites, so it's strongly recommended that you consider the other options too (particularly the final one)

    The data is protected by a variety of strong mechanisms, and access to the data is very tightly restricted.


    Cookies set by the site are essential in order to operate, or in order to fulfil a request that you have made. They are used only for this purpose and not used in order to track or otherwise profile you.

    For a list of the cookies set, please see https://www.bentasker.co.uk/cookies. You can also self-serve on the Your Stored Data page.


    As might be reasonably expected, all my systems generate backups, for the purposes of ensuring Service/Business Continuity. They may also, in extreme cases, be used during investigation of Security Incidents.

    This means that my backups may (and likely will) contain any of the Private Data discussed in this privacy policy at any one time.

    The data collected within backups is not passed to any third party, and will not be unless required by a lawful warrant issued by a court whose jurisdiction includes the United Kingdom (and any such warrant, even then, may be contested if it's felt to be overly broad or inappropriate - I have no more interest in allowing the Government to trample over your rights than you do).

    Backups are generated (at least) daily and retained for 90 days from the date of their creation.

    Any individual wishing to object to this processing should use the contact method provided within this policy. All requests will be considered upon their own merits (and the feasibility of implementation). However, you should be aware that it's unlikely to be possible to exclude your data from backups.

    Similarly, individuals are unable to exercise their right of erasure against backups. Interfering with a backup may render it entirely unusable, undermining the legitimate purpose of the backups. However, because backups are only retained for a short period before rotating out, your data will cease to exist in a backed up form within 90 days of completion of your erasure request under different sections of this policy.

    Data with backups is not accessed nor processed unless a backup restoration is required - which is (and will hopefully remain) a rare occurrence. The existence of the backups therefore doesn't change the way you're data is handled/processed other than that it means it will be stored in an additional location.

    Backups are very strongly encrypted, and the necessary decryption keys are stored in an 'offline' format with strong physical security. Backups are not moved outside of the European Economic Area. Systems generating backups have the ability to upload data to the storage area, but not the ability to read it back - so even with the decryption key, compromise of a backed up host should not be sufficient to grant access to the backup contents.

    The generation of backups is essential to providing and maintaining any digital service, and in some cases (such as for Tax records) may also be necessary in order to ensure compliance with a legal obligation (GDPR Section 6(1)(c)). Ensuring the continuity of service can be maintained benefits the both of us.


    The following items are processed based upon a lawful basis of Consent - Section 6 (1)(c)

    Social Media Icons

    Various pages within this site display Social Media icons allowing you to quickly and easily share content onto various social networks.

    By default, these are disabled, so no requests are made to social media sites as the result of loading a page.

    If you wish to utilise these buttons, you will need to consent to the activation of these links, and can do so in one of the two following ways

    • Per page: You can simply click the social media icons to enable them (and then click the relevant icon to share the content). On the next page load/refresh, the icons will once again be disabled.
    • Site wide: In the privacy options pane on the left of this site is the option "Unblock Social icons". Clicking this will set a locally stored object in your browser, and the icons will be active on every page. If you wish to withdraw that consent, you may simply click "Block social icons" in the same location and your preference will be reverted.

    When you enable social icons, be aware that your browser will place a request to the social media network in order to generate the share button (and ultimately, to share/like the content if you click again). The privacy policies of each of the social networks applies to those requests, but as a guide, each of the social networks will likely do the following if you allow the icon to load

    • Record your IP address and time of request
    • Set a cookie (and check for existing cookies)
    • Record the address of the page you're on
    • Record your username (if you're currently logged into that social media network)

    They will also likely process the above in order to update an advertising profile.

    The social media icons are provided for convenience purposes only, and out of principle I advise against enabling them globally. You may also want to consider configuring an ad-blocker to block social media icons for networks that you either don't use, or don't commonly share content to (for example, I block Facebook like buttons and LinkedIn Share buttons as I primarily share content on Twitter).


    The following are provided for informational purposes, as they doesn't fall within the scope of GDPR (usually because they don't include the collection or processing of personal data)


    Where ads are shown on pages within this site, they're displayed using Google's "non-personalised" ads setting. No data is collected about you and your previous (or future) browsing history is not used in order to 'tailor' the ads for you. The ads displayed are based on the content of the page/site you are viewing.

    As no personal data is processed, the ads do not fall within the scope of GDPR. However, they do help ensure that the site remains available as they contribute towards the (not inconsiderable) running costs. None-the-less, if you'd prefer not to see the ads, it's recommended that you install an Adblocking extension such as Ublock Origin as this will help protect you across the net.

    You can see a breakdown of the rationale of the ads versus other options here - Google, Cloudflare and GDPR - My Quandry

  • Removing Ads from my Sites

    (It occurs to me that publishing this on 1 Apr isn't the best move - rest assured this is genuine)

    I've long felt uncomfortable with the privacy trade-offs of having advertising on my sites.

    Shortly before GDPR came into effect, I wrote a post detailing how I was, once again, revisiting the decision of having ads on my site.

    The decision then, as before, was that the ads were a necessary evil as the revenue they generate contributes something to the running costs of this site, helping keep over a decade's worth of work online.

    Today, however, I'm changing that decision and removing Google's Adsense from all of my sites

  • Shop section closing 31 December 2014

    The shop section of my site will be closing for business on 31 December 2014 and I'll be withdrawing all digital downloads from sale.

    It's not something I actually wanted to have to do, but as the changes to the EU VAT rules come into effect on the 1 January 2015 (HMRC at least are calling it VAT MOSS), the additional overhead involved in compliance means that running the shop will likely no longer be financially feasible.

    The closure will include everything in my (somewhat small) shop, so

    • Joomla Extensions
    • Ebooks
    • Credlocker Extensions
    • Photos