Running ThinkPrivacy.ch means that every day I am sent new product and service recommendations from companies and/or fans of those companies. Most write to me in the hope to be added to our list of service recommendations.
1. What do they share and with whom?
When it comes to privacy, you don’t want the services you use to share your information with other parties. Yet, we all know there are legal limits to this request. Depending on the country the company is in, they may have different legal obligations to share data when a warrant is presented.
So first, I check to see if they share information with any outside vendors. Words like “for marketing purposes” are huge red flags, even if they say it only applies to non-identifiable information. There is a grey area to look out for here and I will address that in part 2.
2. What information is collected?
When I use Startpage as my search engine, I know that my IP address is logged in their system as 0.0.0.0. Other search engines tend to only hide the last few digits. Let’s look at what that means:
Examples (full IP address)
Examples (only the first two blocks)
As you can see, the latter is still rather identifiable, especially if your operating system, country, and browser information is also logged. While they might not know your exact IP, they can piece things together much easier.
Also, might they still have your full IP? Some will store your full IP for a few days before deleting the file. While this is more private than logging it forever, it’s still not private.
As in step 1, it matters what companies do with this information. If the service delivers ads, what do they share with the ad company? With Startpage for example, I know they are sharing 0.0.0.0 and that doesn’t help the advertiser at all. The more that is shared, the more identifiable you become.
When I visit a site, I do not only care about what they know about me, but also what they do with this knowledge. What are they logging, why, and for how long? Ideally, they are not logging anything, but if they are it’s important to know what it is exactly and for how long.
I mentioned earlier that some search engines log your IP in full. One example I found was a search engine claiming to be private but stored your history with full IP for 4 whole days before deleting it.
Other more popular privacy-focused search engines log your partial IP with your search history indefinitely. While they claim this is non-identifiable, examples above show how the more information they have about you, the more of a profile can be developed.
4. Location and Jurisdiction
Another important thing to look at is where the company is based and who they answer to. I’m not saying that this necessarily must be a deal-breaker, but it’s certainly important to know what rules apply in different countries, because every country has unique privacy laws that either benefit the end user, or the government. So, make yourself aware of what companies know about you and what they can share with others.
Take Startpage, for example. The company is located in The Netherlands, a country with fantastic privacy laws, including the European GDPR. Furthermore, with Startpage’s strict policy to not store any information about you, they can’t share anything even when compelled by law.
Some companies might make it less clear because they operate in various countries and your rights fall within the country that you’re using the product in. An above example of a chat app that would share information when it was deemed “necessary” has different privacy rights dependent upon your location in Europe versus the US. This means you may have less privacy rights in the US than outside of it, and using the product again comes down to your personal threat model.
5. Confusing and hard to follow
Privacy Policies should be reassuring. They should give you confidence that you’re choosing the right product or service. They should also be clear and organized.
If those questions are not easily answered and I am forced to dig through what feels like pages and pages of information, it’s a big red flag. Even if the service does require a lot of legal language, it’s not hard to summarize the key points in a way that makes it easy for consumers to understand up front what they are signing up for and agreeing to.