Privacy Questions to Ask Services #1846
Labels
No Label
🔍🤖 Search Engines
approved
dependencies
duplicate
feedback wanted
high priority
I2P
iOS
low priority
OS
Self-contained networks
Social media
stale
streaming
todo
Tor
WIP
wontfix
XMPP
[m]
₿ cryptocurrency
ℹ️ help wanted
↔️ file sharing
⚙️ web extensions
✨ enhancement
❌ software removal
💬 discussion
🤖 Android
🐛 bug
💢 conflicting
📝 correction
🆘 critical
📧 email
🔒 file encryption
📁 file storage
🦊 Firefox
💻 hardware
🌐 hosting
🏠 housekeeping
🔐 password managers
🧰 productivity tools
🔎 research required
🌐 Social News Aggregators
🆕 software suggestion
👥 team chat
🔒 VPN
🌐 website issue
🚫 Windows
👁️ browsers
🖊️ digital notebooks
🗄️ DNS
🗨️ instant messaging (im)
🇦🇶 translations
No Milestone
No Assignees
1 Participants
No due date set.
Dependencies
No dependencies set.
Reference: privacyguides/privacytools.io#1846
Loading…
Reference in New Issue
No description provided.
Delete Branch "%!s(<nil>)"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
On Reddit and the Forum discussions have taken place on some basic questions to ask privacy services to give us all additional assurances of their offerings.
In some cases, this has been treated as nearly mandatory for services requesting listing, but doesn't seem to apply across the board. So one though the PT team had was to make these questions totally optional. Those services who decide to answer them will get a link to their answers on the product card or listing on the PT site.
We came to this conclusion for 2 reasons.
A company for example such as ProtonVPN, which meet our requirements may not answer the questions and we don't feel it's likely we would de-list them for that. So the rules must apply equally to everyone.
Many times, a recommendation comes from a customer who can't answer those questions and it's naive to think that customer, or someone from PT then should reach out to get them aswered before listing.
However, it's not naive to ask and give them the option if they so choose. This does give them an added boost on the site as our visitors then have an additional resource in their decision making.
Next, we wanted simplicity. Too many questions, and they won't answer them. Too few, and we don't know the information we are looking for to begin with. So it came down to breaking what we WANT to know vs what we NEED to know. From there, a few questions could be combined to 1, a few eliminated, and a few simplified.
This is the current list of questions we have and are looking for some further thoughts on. Ideally, we only clarify and or eliminate from there, but try not add if it's not necessary. Again, we think companies are more likely to answer something that takes 5 min rather than a day or two.
• Who owns the company/organization?
• Do you share any data, including fuzzed or anonymized, with anyone inside or outside of the organization?
• Is your service open source? If so, where is the source code hosted?
• If applicable, please share your latest audit.
• If you store user data can customers view it, and request to delete their data and or accounts?
• What is your data retention policy?
• What is your business model? How do you fund operations and make money?
• Do you offer a transparency report?
• How is data secured (in transit and at rest)?
• Who has access to customer data?
• What 3rd parties have access to customer data?
• What processes do you have in place to alert users and or the public if there is unauthorized access to data?
• What process do you have in place for notifying customers about changes to your Terms & Conditions and or Privacy Policy?
I think the list is good as-is to be honest 🤔 👍
Couple of suggested amendments
1.0 "Who owns the company/organization?"
1.1 Straight-forward question, but I wonder if it might be better amended to:
1.2 "Who owns and/or are the ultimate beneficiaries of your company/organisation?"
1.3 This addresses situations where ultimate beneficiaries are companies registered in secrecy havens, such as in Delaware (not looking at Facebook or Glassdoor or anyone in particular ;)
2.0 "If applicable, please share your latest audit."
2.1 "If applicable, please share your latest [software] audit" ? Or if we're after financial statements as well, then perhaps we need to spell that out.
We def don't want financial statements. That's well beyond the scope and I think will turn away companies from wanting to take part in this.
I think on the 1.2 part, one thing I bring up is that companies can and will answer these how they wish and with any amount of jargon they can muster, if they so please.
So we can ask who owns and are the ultimate beneficiaries and they may not say "well we pay back this VC first," etc, and may just answer with "the shareholders" or something more vague.
One important aspect of this I want to maintain is that since it should be voluntary, is gathering information that's the utmost critical. The massive majority of software we recommend is open source and not a lot of it has big money behind it. Firefox, Brave, DDG, Qwant, (and VPNs) are really the one that come right to mind who have huge amounts of money behind them.
I am also cautious because the original questions (prior to further input) were created in bias to go after 1 particular business, and we need these to be adaptable to everyone (that we we don't have 30 version of this).
If it's worded to only attract corporations, we are going to limit who will answer because that limits the services we offer.
That's the main reason I shortened the first question, because there's a lot more nuance to it. When we asked Startpage what % was owned by One Privacy Group, they answered "more than 50%" which was a good enough answer for us at PT, but not for everyone looking on.
Ultimately, we need to get the basics, and then post them for people to see and make their own decision. At this time, these questions will not be asked as part of the listing process and unless something in them is alarming, such as someone saying Facebook owns them, won't be used to qualify or disqualify a service. The goal is to have another piece to help those torn between services to make informed decisions.
Our main criteria as you've seen is what we are setting in each section, such as email and VPN. We plan to continue to expand that.
Sorry for the rambling mess. I am working, but wanted to reply to this and my minds all over the place!
Here's a link to the original QtASK questions and an explanation for them:
https://wiki.privacytools.io/view/Questions_to_ask_all_privacy_services
Dan, the original questions were narrowed down by the PTIO community with ease of answering in mind. The consensus was that answering the questions shouldn't be burdensome. Which questions do you think are too burdensome time-wise?
Standard questions help ensure no important information is overlooked and that companies are evaluated objectively and fairly. If companies choose not to answer questions, it's their right. However, unanswered or partially answered questions should be highlighted IMHO for a fair comparison of services.
What is biased and unfair is asking only a few companies these questions and not asking ALL companies the same questions.
Preventing bias was one of the reasons for developing universal questions with the help of the privacy community -- to ensure fairness while getting to critical information that should help consumers and consumer organizations make more informed decisions about privacy services.
More than 50% helps us know that Privacy1 controls Startpage, which is helpful. Most people will rightfully ask many more questions if a privacy service is majority owned by a pay-per-click ad company like System1. But what if System1 owns 99% -- especially since System1 seems to process Startpage searches, and System1 has a horrible privacy policy?
What if Facebook, Google or even Peter Thiel owns 49% of Startpage? I think we would agree that even 5% ownership by one of these entities of ANY privacy service could be a concern. This is why we should know about all ownership -- even minority owners.
I believe QtASK questions could be a big PLUS for ALL companies AND perhaps open our eyes to privacy organizations and services that deserve another look.
Since you brought up Startpage/System1, consider that published QtASK answers could be a benefit to Startpage/System1 in conjunction with sharing a thorough, current public audit. For example, an audit could help allay concerns about Startpage sharing "anonymized data" with System1. Aral Balkin is just one expert who has pointed out that, ""Anonymised data” is a multi-billion dollar industry for a reason. And the reason is because there’s nothing anonymous about it."
So rather than look at QtASK as a burden, I hope companies see the questions and answers as an opportunity to prove they are to be trusted. They should be proud to publish their code, publish current audits and answer important questions in full.
We aren't asking ANY companies these questions. They are voluntary questions that companies can answer if they choose to.
PT hasn't asked any companies to answer them, they have only been asked by community members and without PT approval. We have had to go back and offer apologizes to some for being given misinformation on our behalf.
We believe our criteria being created offers a better way to remove bias. If a product does not meet the standards we set forth, it's removed. When we set VPN standards, IVPN was removed for not meeting them, and then they set forth on correcting the issues and got themselves re-listed. As a team, we really like IVPN, but they didn't meet the criteria and until they did, as much as we liked them, they came down.
Same for Riot.
We are focused on developing those to be the best they can be and there's not much a company can do to lie about verifiable technical and logistical criteria.
The Questions, however, can be misleading in various ways as previously stated.
If we can't discover that Facebook owns part of a company ourselves, what reason do they have to list them in the questions. Perhaps the person answering the question doesn't think 5% is worth noting? It just leaves too much room for interpretation.
We do however see some value in them and will offer companies the chance to answer them if they so choose, we just don't feel they are crucial enough to be part of the criteria. Like I said on the forum, perhaps a user is torn between two services and the questions help them make that final decision.
If you read the first paragraph of the Privacy Policy, you'll see that Privacy One Group and Startpage are not listed. That's because we asked for clarity on that. We wanted to know if Startpage had it's own privacy policy, or like some other System1 companies, shared it with System1.
I am not sure why you think System1 processes their searches. Their searches are literally processed by Google, and even when asked, Startpage offered us a chart of their data flow which was made public on their site.
And lastly, as I have stated more than once on here, on Reddit, on the Forum: I do not work for Startpage. I did not accept a job. I have written 4 guest blogs for them, and had an in person meeting (in which I was able to ask a lot of questions about the System1 relationship). This is all again public information that I shared with not only the team, but the community.
I do not list any of my clients or even my full-time job in my bios. I have no plans to do so, as this has never been my practice and won't be. I list almost every single site I have ever written for on my site, that includes an archive link to even older posts, but my social profiles are my personal property and not owned by any company or organization such as PT that I volunteer for. The views I express there are mine and mine alone. I don't list organizations because they are not part of my views and I would not want them to be mistaken as such. I also keep some of my work secret from the public only because, and I know I have mentioned this before, I have been the target of public harassment campaigns by white supremacists for writing I have done for sites such as The New Arab. Such attacks have then been directed at them. Not only causing them grief of having to deal with it, but the goal is to get me fired from said jobs, and that's a risk I am not taking.
So out of the respect for my own privacy, and the business I have prior to and or currently work with, I don't list them.
But I can unequivocally say, I do not work for Startpage. In fact, currently speaking, my guest blogging with them is complete. I do hope to continue it, as I think the articles reached some people and I was able to choose topics I cared deeply about and reach new people in the community.
And again, as part of the still in progress COI policy at PT, I have no vote in things search related. Even though I am not working with any search engines, I have had no issue keeping that policy in place and not voting. I think that's a good policy to uphold and will continue to do so.
I do want to actually expand on this though, because I agree it's incredibly important.
I am going to invent a fake scenario that mimics a bit of the System1 deal, but I am using fake companies so I can use actual percentages without accidentally misleading someone.
I start a VPN company, Arel VPN.
I then sell a % of my company to Liz Electronics. You now own 99% of my company and I own 1%
However, Liz Electronics is actually 75% owned by Facebook.
I am sent the questions and am asked who owns the company.
I answer: Liz Electronics and Arel VPN.
Is that a lie? Not technically. Sure, Facebook actually has a great deal of stock in my company now through another, but I don't have to say Facebook owns me.
Startpage could actually only tell us that Privacy One owns them. Thankfully they chose not to, and they let us know System1 actually owns Privacy One. This allows us to make an informed decision, not even for PT, but just as users. We make the decision to use them based on this information.
But re: the questions.
So I am about to buy a VPN and I look to the questions, I see Arel VPN looks awesome, and I have no known issue with Liz Electronics, and I sign up having no idea Facebook owns any part of this deal.
The issue though, is that to get to the bottom of that, we have to ask such intrusive questions, we either end up trusting no one at all. or everyone refuses to answer them because they are far too in detail for privately held companies and then we have no one to list.
This is why we are so focused on criteria. Can we verify that data is being secured, and what steps can we take to show our visitors this?
That, I believe is far more straightforward and simplified. There's not room for ambiguity.
We also know how important trust is, this is where I believe the questions come in and companies can choose to help build that trust if they answer them. But we do believe that answering those questions are on them.
Offtopic
I'll start out by addressing the personal skirmish - in hopes to get this discussion quickly on topic again.
@danarel
It started out with this forum post, then the first reddit post and then part 2. I was involved from the start, and two of my questions got included in the first reddit post.
Characterizing the whole QtASK project as biased, which you did by attacking the core, is unprofessional, especially since you are the one communicating the current verdict of the PT team.
Yes, @LizMcIntyre is biased - in fact everyone is. But she did her best to transform her personal, challenging journey (quitting her job based on principle) into something that would benefit others. She knew about her personal involvement, which ultimately enabled her. And we knew about it too.
Ultimately, she did a marvelous job at involving the community and collecting their ideas. And yes, we can take three of the initial questions with a grain of salt, but attacking the core is unfriendly at best, hostile at worst.
You mentioned yourself you were working and had your mind all over the place when writing. I'm sure you did not mean any harm, but I hope you see where you stepped on toes (not only Liz's)
@LizMcIntyre
Your first few paragraphs were surprisingly neutral after Dan's unfavorable expression.
But then you countered. I know he questioned your core, which likely triggered this, but everything below that sentence is unprofessional too. It is questioning Dan's honesty and personal involvement in Startpage, which he has been nothing but open about. The initial dilemma regarding disclosure or not even led to PT establishing an excellent Whistleblowing Policy and Conflict of Interest Policy.
Yes, the past was challenging, but very fruitful, a big part thanks to both of you. Let's focus on the current obstacles and not rub salt into each others wounds.
@danarel, first I wanted to ask if you could link both the most recent forum and the reddit post in your original post for reference.
The Status Quo
Answering any question means commitment and accountability - it is super uncomfortable. And our society is really not good at it. When a friend asks if you want to hang out in a week - a "yes" means commitment and potentially breaking your word, a "no" means rejecting your friend - so what do you say?
A perfect "non-answer" evading all forms of commitment. And by evading the commitment you evade the accountability and consequences. So how does it apply to businesses?
Look at Mark Zuckerberg's congress hearing. Or Sundar Pichai's. What do they have in common? They are both deliberately not answering questions. It's the same pattern.
Non-answers are shit
Though, for malicious actors the "non-answer" are actually great. It is always better than having to say something and potentially receiving a financial or reputation backlash.
If "no answer" is not an option, the next best thing to do is to burry the answer in legal jargon, and twist the definition of words while you're at it. From a ToS of your choice:
Actually meaning:
But most importantly, never ever publicly make a statement. Officially, only mention "we never sell data". And when confronted directly just avoid the question by not answering it.
Politicians are good at "Non-answers" too.
The Privacy Scene
I assume you are equally frustrated by the status quo - especially how common this pattern is in the technological field. It is so common to never talk about your business model (which often is data exploitation), your ownership (Venture Capital/mega corps) or your partners. Just slam something vague into the ToS and you're good to go.
Dan mentioned:
Yes, and that is the problem. Privacy tools and privacy companies should be different. Should they be allowed to hide behind the "non-answer"? They claim not to exploit your data, so why avoid answering questions?
My Conclusion
That is why I feel the QtASK project is utterly important. And its importance is why I disagree with making them only optional.
PT concerns
This is the most important one. Because I disagree. The valuable thing in the QtASK project is that we receive an official response from projects/companies. It's not about the content, it's only about it being official. Only then can we truly hold them accountable. And yes, PT should never take the content of the answer as a criteria for listing or not. It must just exist. And let every user judge the content based on their preference and threat model.
Your scenario @danarel of a company hiding its ownership behind its owner is a great point. But let them do this. Make them deceive us officially and receive the public backlash once it comes out. (And probably also the de-listing then.)
The beauty behind not judging the content of the official answer is, it works great for novel projects too:
Perfect! An official response explaining the situation. The great thing is, this automatically becomes awkward as the months and years go by. After they mature, they will want to come back to update their answers.
Yes, I would suggest having like 3-5 as a requirement and add optional ones for the diligent.
If you give a company half a year or a year to retrospectively answer them, they surely will have the resources to do so. It's not about if they have resources, but how they prioritize them. If you give them enough breathing space I 100% guarantee they will allocate energy towards that. It would just be stupid not to do so from a marketing perspective. Speaking as a co-founder of a company.
You oftentimes reject listings because they are technologically premature, like in an alpha state. If the leadership cannot answer some basic questions about their project I would argue they are premature in another field. I see no problem with waiting for them to take the time to make "official" statements.
Wrap Up
Again, I disagree making them optional, but I agree that it should start out small. PT should not judge the content, but every user can do that for themselves.
What are your thoughts after this huge dump? :)
Hi @danarel. I apologize if I misunderstood. You wrote in a few places that you had accepted consulting work with Startpage/System1. Here's an excerpt of one exchange from the PTIO subreddit:
You wrote above here in this github thread:
So I hope you see for the record why there is some confusion. Maybe it's simply a matter of definitions of "work for them vs. work with them," "job," "consulting" etc.
I wish the best for you and hope you can land more of the blogging/consulting work with them you seek. I want to make it clear that I wish you only the best.
My suggestions for avoiding conflict of interest scenarios are truly to avoid a repeat of what happened earlier this year, @davegson. It's not personal. We ALL want PrivacyTools to remain a trusted source for unbiased privacy recommendations. Honesty and transparency are key to this continued trust! COI's -- whether in fact or appearance -- can undermine all the important work at PTIO. This is why @blacklight447-ptio has worked so hard to create the PTIO Conflict of Interest Policy. Has that been finalized, btw? @Mikaela do you know?
Hi @danarel. Sorry for the delay in getting back to you on your question. You asked:
Look carefully at the Startpage data flow diagram you mentioned.
In the fine print you'll find the following:
"...certain services, including some Instant Answer sources, have been shared by System1 from its other search properties, and are administered by them. Only anonymized and fuzzed data flows through these services..."
Maybe Google processes the data, too. I don't know. Maybe through System1 since it also has search engines that access the Google index?
I've been trying to find out more details, but have never gotten them. It would be really helpful to have a current independent audit of Startpage and these data flows with System1 etc. The last audit was in 2015, I believe. That was before the site revamp, purchase by System1 and the data flow through System1. Do you know if that is in the works? (I would publicly applaud a public, thorough independent audit.)
I resigned on 2020-04-19 in hopes of recovering my mental health with several stressful life changes such as beginning work try-out-practice (taxing my time alongside PrivacyTools (also too stressful lately) and preventing me from focusing on self-improvement and my other goals) and the pandemic going on. At that time there were no news that I was aware of on any of the policies, I don't know what has happened since as I have unwatched this repository and disabled forum mailing list mode alongside dropping several other projects from my watchlist.
Selfmarking offtopic.
Thanks for letting us know. Please stay in touch and stay well!
as a little update @LizMcIntyre the conflict of interest policy is about done, we only have some other policies in the making which are linked to the coi policy to make it more complete, of which the compliance officer and whistleblower policy are an example off. once these are done and everything is set, the policies will become active as official PrivacyTools policies.