
Bypassing the privacy chase

- Introduction -
- What is privacy? -
- How do we lose our privacy? -
- Privacy in the digital age -
- Technology versus privacy -
- Things we can give up -
- Judging service providers -
- History of the provider -
- The privacy policy -
- Mullvad's privacy policy -
- Doing direct tests -
- Functionality and other stuff -

Introduction

If you are anything like most people, you have ended up on this site because you've realized your privacy is being violated by governments and big corporations and you've been trying to do something about it. To accomplish that, you've likely traversed recommendation lists like the E-mail report or the Web browser rankings and modified your choices according to them. But is this the right approach?

What is privacy?

The first question we have to ask ourselves is what actually is privacy - or else we will fail in our quest to reach it. Simply, privacy is the default state of other people not knowing where you are, what you do or think. Though the violators are trying really hard to blur the lines - we're not born with tracking devices under our skins. In fact, our biology is designed with privacy in mind - we're individuals each with our own sets of brains, eyes and ears whose contents are not directly shared with anyone by default. Humans have an ingrained need for privacy:

Ralph Adolph and Daniel P. Kennedy, neurologists at the University of Caltech in the United States, discovered that there’s a structure in our brain which is responsible for telling us where the limits of our personal space lie. This structure is the amygdala, a small region associated with fear and the survival instinct.
This discovery reveals something essential. The brain measures the personal limits of each individual. It’s like a personal alarm which tells us when something or someone is bothering us. When something is invading our privacy or violating our integrity until it becomes a threat to our well-being.
It reminds us that one of our greatest sources of anxiety is witnessing how we feel more “crowded” every day in every way.

And so, the nothing to hide argument totally misses the mark, since privacy is the biologically necessitated default. This brings us to our next point:

How do we lose our privacy?

As stated above, we lose it whenever our brain detects another person (or a group of people) invading our personal space. However, this alarm only fires for people - we've spent over 99% of our time on this Earth in the wild, and that is what our brains are tuned to. There are no computers in the jungle, after all. Civilization has allowed privacy violators to hide behind devices (such as CCTV cameras) and avoid triggering our biological intrusion detection system. Does all this have anything to do with the article title? Sure does:

Privacy in the digital age

Just as privacy in the wild would mean getting away from the people who got inside your personal space, digital privacy works the same way except that the person is replaced by an electronic device. CCTV makes this easy to see, but the gadget in question could just as well be the computer you use every day, your credit card, your printer or even the IoT fridge. We have become so accustomed to a life full of electronics that this simple point eludes us. There can be no privacy loss in a tech-free life - which of course I'm not recommending; I only wanted to show the root of privacy issues. Clearly, the amount of data collected while avoiding all electronic devices would be zero - but then we'd lose all the advantages of those devices. How to balance this?

Technology versus privacy

A privacy newbie usually comes in with the attitude of replacing his current violators with privacy-respecting versions. And of course, there are a bunch of providers who are happy to fulfill (or pretend to fulfill) that need. You heard your Google Chrome browser spies on you? Mozilla Firefox to the rescue (or not)! Gmail? ProtonMail. Google Maps? Hmm, we're not doing too swell here... Anyway, this same person in 30 years will be asking how to replace Google Parent, Google Cook, Google Home Designer, etc. Is this the right approach? We've established there can be no privacy violations without electronic invaders. Therefore, the way to take control of your privacy seems to be minimizing device usage. And so, the right question for a newbie to ask is not "how do I replace this service?" but "do I actually need it?"

Google Maps launched in 2005, Amazon Alexa in 2014, Siri in 2011 and smartphones in the 2000s. And yet a lot of people today cannot imagine life without them. But 20 years ago, we all did fine without them. What has changed? Obviously technology modifies the way society works (for example, cars or other transportation are more of a requirement than a few decades ago), but many of those devices can easily be dumped today - and even the "required" ones can be, with more effort. It is the capitalist focus on shiny new gadgets and slick marketing which keeps them alive, along with people's increasing laziness. Real privacy, therefore, has to start with not being dependent upon the violators, instead of trying to replace, modify or block them.

Things we can give up

Now that we've cut off most of the violators, we can more thoroughly focus on managing the ones we do actually need - such as search engines, web browsers (though even this you can curb by avoiding bloated sites and downloading the ones you care about for offline reading) or communicators (hey, there's always carrier pigeons...). So let's end the privacy saga and learn how to choose privacy-respecting services so that you won't have to rely on recommendation lists anymore (which are prone to bribes, fanboyism, groupthink, low quality research, outdated information, etc):

Judging service providers

I have created several lists analyzing various providers; however, updating them is a Herculean task. New ones keep appearing while old ones go defunct (rarely, since privacy is a big business opportunity now), get bought or merge; and the existing ones keep adding new violations. They rarely change for the better, though - which brings me to the first criterion to be used in judging them:

History of the provider

Often, you have to dig up information from 15 years ago to get a proper view of a provider - as in the case of DuckDuckGo. Briefly, the owner ran a data collecting operation for a few years until he sold it (to an unethical company) and created DDG. He then advertised it heavily as an alternative to Google, and it was of course much better - but eventually, he started including anti-user stuff such as tracking cookies, pixel tags and Cloudflare, as well as playing fast-and-loose with the definition of personal data. As you can see, the spirit of his previous venture eventually resurfaced (and knowing that history would have allowed more cautious people to predict it).

You don't really need to follow a provider's every move to decide to avoid them - just a few pieces of history will usually suffice. Mozilla has for years been dependent upon the funds of a known violator, Google - do you think this is something a privacy-respecting company would be comfortable with? Then they started switching deals to other privacy-haters such as Yahoo. Or consider the saga of their horrible mistreatment of a long-time supporter - if they don't care about such people, why would they care about the puny users?

Knowing the history of a provider puts certain events into context. For example, the aforementioned tracking cookie on DDG could be called a mistake if the owner's previous venture hadn't literally been a data collecting operation. Add to that the other tracking DDG did and it's obvious the guy is just an opportunist for whom the recently popular privacy idea is merely a way to get ahead. Mozilla's removal of the JavaScript toggle is a similar case - if you did not know about all the other anti-customization initiatives, you might even think it's a user-friendly change (that's how they tried to justify it). All you need is a few events to begin forming the big picture.

So, I've given the examples of DuckDuckGo and Mozilla as providers with a shady history. Do we have an opposite one? How about Autistici - created at some hackmeeting in 2001(!), and they've been fully committed to their mission since then. No information has come out showing that they have ever violated their principles. There have been no shady deals with privacy violating companies, no compromises, no deceptive advertising, no lying in the privacy policy, no trying to sneak in tracking by pixel tags, Cloudflare or whatever. In fact, on occasions when their resolve was put to the test, they've passed it with flying colors. If you read the R Plan (written in 2005), I think it's obvious these guys are the real deal and have always been.

So, as you can see, history is the foundation upon which we base everything else. However, putting it all together requires a combination of willpower, time, effort and skill which many people might not have. It also provides no insight if the provider is new. Can we find a more clear-cut and immediate way to rate a provider?

The privacy policy

Fortunately, the offenders almost always graciously tell us how they're violating us. Though often it is hidden behind weasel words and such - if you carefully analyze a privacy policy, you can come out with a pretty clear picture of what a provider is all about. Though doing that properly also takes some skill, it is much less demanding than the above. We will now take a particularly bad one to the chopping block. Enter the Steam privacy policy:

The policy is very long and we don't want to spend the whole day analyzing it, so we first have to prioritize certain sections. Scroll right down to "3. What Data We Collect and Process", which is the most important issue. "Basic Account Data" and "Transaction Data" cannot be avoided, so we can skip reading those. The really revealing information is in subsection "3.4 Your Use of the Steam Client and Websites":

Personal Data we collect may include, but is not limited to, browser and device information, data collected through automated electronic interactions and application usage data. Likewise, we will track your process across our websites and applications to verify that you are not a bot and to optimize our services

Browser and device information is pretty common (though it still doesn't have to be collected), so we can forgive Valve here. However, "data collected through automated electronic interactions and application usage data" can mean pretty much everything you do on their site. This proves Steam to be a giant privacy violator. Not only that, they are also dishonest, hiding behind "but is not limited to"; here, a cautious person will assume they are collecting absolutely everything possible - otherwise, why not say exactly what is being collected? Another common deception is "to optimize our services"; what is the optimization and why does it need my data? So, as we can see, Steam throws up a few red flags in the most important section. To be honest, with this information alone you could already put Steam in the "privacy violator" box and leave it at that; this is the speedrunning of privacy policies. But our goal here is learning how to do research, so let's move on:

Subsection "3.5 Your Use of Games and other Subscriptions" covers game statistics, which I guess could be justified in a service like this. But wait - later it says "as well as information about the device you are using, including what operating system you are using, device settings, unique device identifiers, and crash data", which has literally nothing to do with gaming. Unique device identifiers are especially invasive, since they let everything else be tied to one machine across sessions and accounts. Okay, so we've proven beyond doubt that Steam is collecting data way beyond what it needs. There's no need to dwell on this further - let's move on to section "4. How Long We Store Data":

We will only store your information as long as necessary to fulfil the purposes for which the information is collected and processed or — where the applicable law provides for longer storage and retention period — for the storage and retention period required by law. After that your Personal Data will be deleted, blocked or anonymized, as provided by applicable law.

All these words and no specific figures. Even serious violators I've described in the E-mail report provide the actual numbers - so Steam once again shows it belongs in the shit tier. And even if you assume the retention period is short, once it's over you still can't be sure the data is actually deleted, since the other two options are "blocked" or "anonymized" - and anonymization is only as good as its implementation. Can they say anything more which would redeem them here? I don't think so, therefore let's move on to the other sections:

5. Who Has Access to Data includes these gems in it:

Valve and its subsidiaries may share your Personal Data with each other

The subsidiaries are not specified. Suspicious.

In accordance with internet standards, we may also share certain information (including your IP address and the identification of Steam content you wish to access) with our third party network providers that provide content delivery network services

Which network providers these are is, of course, not mentioned, and neither is the exact data shared.

Okay, I think this is enough. We've learned Steam collects lots of data it doesn't need to, does not tell you for how long, and tries to hide relevant information; it's also unnecessarily long. Three strikes (actually four) and you're out! And we've skipped most of their policy. Now, I've brought up this one as an example of a bad privacy policy - let's now analyze a good one for comparison:

Mullvad's privacy policy

Probably the best VPN out there overall, and an example of how to write a great privacy policy. Let's analyze it then:

In this policy, we describe how we are processing your personal data as a data controller and how you as an individual can exercise your rights. We only process personal data in accordance with the GDPR and other applicable legislations.

No unnecessarily long introduction. Right next, Mullvad lists a few subsections:

Of course, we're most interested in the first one - so let's read it:

The underlying policy of Mullvad is that we never store any activity logs of any kind. We strongly believe in having a minimal data retention policy because we want you to remain anonymous.

Good. However, lots of providers make that claim, only to contradict it later (hint: Mullvad doesn't). Then they say up front that they sometimes store payment data (thanks for being honest!), but the later sections reveal that this only happens if you choose a payment method that isn't private. Next up - "Our anonymous, numbered accounts":

We want you to remain anonymous. When you sign up for Mullvad, we do not ask for any personal information – no username, no password, no email address. Instead, a random account number is generated, a so-called numbered account. This number is the only identifier a person needs in order to use a Mullvad account. This is a fundamental difference that sets us apart from most other services.

While some others (such as Mozilla or StartPage) redefine the term personal information so that they can claim they don't collect it - Mullvad means what it says. In fact, they take it up to eleven - all that's required to use the service is a number.

Anyone at anytime can create as many numbered accounts as they wish on our website. An account can be used by multiple people or by someone other than the person who initially generated it.

Many providers have rules against multiple accounts despite claiming anonymity / privacy. That, of course, requires storing some data in order to prove you're the same person. Therefore, the way Mullvad does it is the only way you can be private / anonymous. Okay, now pay attention, because the best bit is just about to appear:

Data that we store for an account

account number | expiry date
xxxxxxxxxxx    | 20170730

Data stored for WireGuard® configuration (if used)

account number | pubkey    | tunnel address
xxxxxxxxxxxx   | xxxxxxxx  | x

Data stored for port-forward configuration (if used)

account number | port | wg_peer
xxxxxxxxxxxx   | x    | x

I have never, ever seen this format used in any privacy policy except Mullvad's. What you see is literally copied from the log files - which is the most honest you can be while showing you what data is stored. A huge + for Mullvad and a facepalm for all the other providers that don't want to be direct with their users. In the next subsections, they're using the same kind of format to tell you the stored payment information for various methods, as well as activation codes and partner accounts. Then in the section What we don't log, they say this:

The complete transparency is truly a sight to behold. Most other providers - even if they might not collect anything - don't go into such detail. So, while you might think you know what a VPN means by "no logs", Mullvad makes it crystal clear. Okay, I think we have no need to probe further here. But keep in mind that - even though I do think Mullvad is great - what I'm rating here is the privacy policy, not the service itself. And it scores the highest grade, since the document tells you in a simple and direct way exactly what they log (or don't) and how. For example, under the header "How we handle emails and problem reports" they admit they use a third party for the email service and warn against trusting them. Then they say:

After 6 months, all emails sent to our support address are automatically, permanently erased (from inbox, deleted items, sent items, trash, and archives).

Now why can't providers like FastMail do the same thing instead of providing a bunch of contradictory figures? Or worse - they don't even provide a duration - like ProtonVPN:

When you submit support requests or bug reports, we will collect the data that you choose to share with us about the issue being reported.

The policy should also be deep enough for the people who want it. Mullvad thoroughly answers questions such as How can you limit the maximum number of simultaneous connections if you're not logging that information? for the more paranoid people. Most other providers won't bother doing that - they will just assume you will trust them and their vague claims like no logs or no personal data. Anyway, here is Mullvad's answer:

Each VPN server reports to a central service. When a customer connects to a VPN server, the server asks the central service to validate the account number, whether or not the account has any remaining time, if the account has reached its allowed number of connections, and so on. Everything is performed in temporary memory only; none of this information is permanently stored to disk.

It is not enough to plaster "we care about privacy!" all over your site, or even to claim "no logs" or "no personal data". A trustworthy privacy policy makes it clear what is stored and for how long, but also has additional information for more inquisitive people and lacks the fluff, lies and contradictions that many other providers are famous for. In theory, you could be a massive privacy violator but still have a decent privacy policy (or at least one that makes sure you know what you're signing up for!) - though no good example comes to my mind right now; all the violators try to bluff their way through. But what if we don't trust the privacy policy anyway? After all, maybe the author is just an expert at lying?
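Here is what the "speedrunning" of a privacy policy from the Steam walkthrough looks like when turned into a tool, as an added example (my own heuristic, not anything from Steam's or Mullvad's documents): it scans a policy for the open-ended phrases flagged above and checks whether any concrete retention figure is given, the way Mullvad's policy does. The phrase list and the reasons attached to each are my assumptions; the sample input is simply the sentences quoted from both policies in this section. A clean result is a reason to keep reading, not a verdict.

```python
"""Heuristic first pass over a privacy policy (added example, not from the page).

Looks for the open-ended phrases the walkthrough above treats as red flags and
for concrete retention figures.  The phrase list and reasons are my assumptions.
"""
import re

RED_FLAGS = {
    r"\bbut\s+is\s+not\s+limited\s+to\b": "open-ended list: assume everything is collected",
    r"\b(?:optimi[sz]e|improve)\s+our\s+(?:services|products)\b": "purpose left undefined",
    r"\bas\s+long\s+as\s+necessary\b": "retention tied to a purpose, not to a figure",
    r"\bapplicable\s+law\b": "defers to unnamed legislation instead of stating a period",
    r"\bmay\s+share\b": "sharing permitted but recipients not committed to",
    r"\bthird[-\s]party\b": "recipient named only by category",
    r"\bsubsidiar(?:y|ies)\b": "group companies not enumerated",
}

# A concrete retention figure is a number plus a unit, or a date stamp such as
# the 20170730 expiry date in Mullvad's table.
DURATION_RE = re.compile(r"\b(\d+)\s*(hour|day|week|month|year)s?\b", re.IGNORECASE)
DATE_RE = re.compile(r"\b(?:19|20)\d{6}\b")


def audit_policy(text: str) -> dict:
    """Return the red flags hit and the retention figures found in `text`."""
    flags = []
    for pattern, reason in RED_FLAGS.items():
        for match in re.finditer(pattern, text, re.IGNORECASE):
            phrase = " ".join(match.group(0).split()).lower()   # collapse line breaks
            flags.append((phrase, reason))
    durations = [f"{n} {unit.lower()}{'s' if int(n) != 1 else ''}"
                 for n, unit in DURATION_RE.findall(text)]
    figures = durations + DATE_RE.findall(text)
    return {"red_flags": flags, "retention_figures": figures,
            "states_retention": bool(figures)}


# Sample input: the sentences quoted from both policies earlier on this page.
STEAM_EXCERPT = """\
Personal Data we collect may include, but is not limited to, browser and device
information, data collected through automated electronic interactions and
application usage data. Likewise, we will track your process across our websites
and applications to verify that you are not a bot and to optimize our services.
We will only store your information as long as necessary to fulfil the purposes
for which the information is collected and processed or - where the applicable
law provides for longer storage and retention period - for the storage and
retention period required by law. After that your Personal Data will be deleted,
blocked or anonymized, as provided by applicable law.
Valve and its subsidiaries may share your Personal Data with each other.
In accordance with internet standards, we may also share certain information
(including your IP address and the identification of Steam content you wish to
access) with our third party network providers that provide content delivery
network services.
"""

MULLVAD_EXCERPT = """\
The underlying policy of Mullvad is that we never store any activity logs of any
kind. We strongly believe in having a minimal data retention policy because we
want you to remain anonymous.
After 6 months, all emails sent to our support address are automatically,
permanently erased (from inbox, deleted items, sent items, trash, and archives).
"""

if __name__ == "__main__":
    for name, excerpt in (("Steam", STEAM_EXCERPT), ("Mullvad", MULLVAD_EXCERPT)):
        result = audit_policy(excerpt)
        print(f"{name}: {len(result['red_flags'])} red flags, "
              f"retention stated: {result['states_retention']}")
        for phrase, reason in result["red_flags"]:
            print(f"  {phrase!r}: {reason}")
```

Run it on a whole policy (paste the text into a file and pass it to audit_policy) to get a prioritized list of sentences to read closely; the Steam excerpt trips every category while stating no figure at all, and the Mullvad excerpt trips none and states one.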

Doing direct tests

This is the most reliable way to prove or disprove privacy. For web browsers (as well as anything else that uses the HTTP protocol, such as package managers) you can use mitmproxy, which shows you the actual requests and responses; for HTTPS you have to install its CA certificate into the program being tested, and software that pins its certificates will refuse to talk through it at all. For anything else, use netactview. It lacks the rich functionality of mitmproxy, but it works for any protocol. To use it, first go to the View menu and enable the Command option. This will let you see which program actually makes a connection. Then start the application you want to test (or all of them). Now watch; if you see a program make a connection when it isn't even supposed to use the Internet (I haven't had that happen yet) - well, you have your proof. You can also check the actual hosts a process is connecting to; you might be surprised to learn that your favorite "private" service is going through Amazon servers or such... Wireshark is another program that can do this, but it's more complicated and netactview does what we need it to do.

The above method works for both closed and open source software. Of course, if source code is provided, you can read it; but for the vast majority of people, it requires too much skill. Assuming you do have that skill - most software still has so many lines of code you could not inspect it properly. Even in small programs, it is still easy to miss a connection or for a malicious developer to hide one. Network monitors, though, reveal what actually goes over the wire - so they are the most viable option. Keep in mind that they only show what happens while you are watching: a program that phones home once a week, or only after a certain trigger, will look clean in a short test, so watch for a while and exercise the features you actually use. But what if we're trying to judge an online provider, instead of software?
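For those who would rather see how netactview gets its answers than install it, here is an added example (my own code, not netactview's or mitmproxy's) that does the same job on Linux by hand: it parses /proc/net/tcp, maps each socket inode to the process holding it via /proc/<pid>/fd, and lists established connections to hosts you did not expect. The sample /proc/net/tcp content is constructed so the parser can be checked offline; the allowlist of expected hosts is an assumption you fill in for the program under test. Seeing other users' processes requires root, and IPv6 or UDP would need /proc/net/tcp6 and /proc/net/udp parsed the same way.

```python
"""netactview-style connection lister built on /proc (Linux only).

Added example, not netactview's or mitmproxy's code.  The parser and the
filter work on constructed sample text so they can be checked offline;
live_report() reads the real /proc when you run the file.
"""
import os
import socket
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}


@dataclass
class Conn:
    local: str
    remote: str
    state: str
    uid: int
    inode: int
    pid: Optional[int] = None
    comm: str = "?"


def hex_to_addr(hexaddr: str) -> str:
    """Turn /proc's '0100007F:0050' into '127.0.0.1:80' (IPv4 is stored little-endian)."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return f"{ip}:{int(port_hex, 16)}"


def parse_proc_net_tcp(text: str) -> List[Conn]:
    """Parse the contents of /proc/net/tcp; /proc/net/udp has the same layout."""
    conns = []
    for line in text.splitlines()[1:]:      # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        conns.append(Conn(hex_to_addr(f[1]), hex_to_addr(f[2]),
                          TCP_STATES.get(f[3], f[3]), int(f[7]), int(f[9])))
    return conns


def socket_inode_map() -> Dict[int, Tuple[int, str]]:
    """Map socket inode -> (pid, command) by reading every /proc/<pid>/fd.
    Other users' processes are skipped unless you run as root."""
    table: Dict[int, Tuple[int, str]] = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        fd_dir = f"/proc/{pid}/fd"
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
        except OSError:
            comm = "?"
        for fd in fds:
            try:
                target = os.readlink(f"{fd_dir}/{fd}")
            except OSError:
                continue
            if target.startswith("socket:["):
                table[int(target[8:-1])] = (int(pid), comm)
    return table


def attach_processes(conns: List[Conn], inode_map: Dict[int, Tuple[int, str]]) -> List[Conn]:
    """Fill in pid and command for every connection whose inode we could resolve."""
    for c in conns:
        if c.inode in inode_map:
            c.pid, c.comm = inode_map[c.inode]
    return conns


def unexpected(conns: List[Conn], allowed_hosts: Set[str]) -> List[Conn]:
    """Established connections to hosts that are not on the allowlist."""
    return [c for c in conns
            if c.state == "ESTABLISHED" and c.remote.rsplit(":", 1)[0] not in allowed_hosts]


# Constructed sample: a local CUPS listener and one outbound HTTPS connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0A01A8C0:C822 08080808:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""


def live_report(allowed_hosts: Set[str] = frozenset({"127.0.0.1"})) -> List[Conn]:
    """Read the real /proc and return connections that are not on the allowlist."""
    with open("/proc/net/tcp") as fh:
        conns = parse_proc_net_tcp(fh.read())
    return unexpected(attach_processes(conns, socket_inode_map()), allowed_hosts)


if __name__ == "__main__":
    for c in live_report():
        print(f"{c.comm}[{c.pid}] uid={c.uid} {c.local} -> {c.remote}")
```

Run it in a loop (or under watch) while using the program; anything that appears with an unexpected remote host is the connection to go and look at with mitmproxy or Wireshark.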

Sometimes, services do show their source code but you can't verify that it's the same code they're running. Fortunately, many providers can still be tested. You can easily check (with uMatrix or just the browser's built-in tools) whether a search engine is setting tracking cookies, like DuckDuckGo used to do, or whether it's behind Cloudflare (look for a "Server: cloudflare" or "CF-RAY" response header). Servers can have insecure setups which are often testable, such as ProtonMail's redirection of onion domains to the clearnet or secmail's revealing of the operating system and PHP version on their server (usually in the "Server" and "X-Powered-By" response headers). This can refute the "we really care about your security!" claims; but what if the provider has made no obvious blunders? Well, then it comes down to establishing trust through their history and privacy policy. You can search for previous breaches or their run-ins with governments etc. (use terms such as the name of the VPN + "government" or + "court" to find the ones that were keeping logs and the ones that weren't). You can talk to the people behind a service directly - which can increase your trust in them or even reveal interesting information, such as secmail not having time to implement SSL. But in the end - short of hacking the server - you cannot 100% prove a VPN's no-log policy, for example.
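Here are those server-side checks as code, as an added example (my own, not anything from the providers mentioned): it takes a response's status and headers and reports cookies handed out on a plain page load, Cloudflare fronting, software version disclosure and an .onion address that redirects to the clearnet. The sample responses are constructed, not captured from the sites named above; fetch_headers() does a real HEAD request, and for .onion addresses it assumes you run the script through torsocks or similar, since urllib has no SOCKS support of its own.

```python
"""Server-side tells from a single HTTP response (added example, not the page's
or any provider's code).  Sample responses are constructed, not captured."""
import urllib.error
import urllib.request
from typing import List, Tuple
from urllib.parse import urlparse

CLOUDFLARE_COOKIES = {"__cfduid", "__cf_bm", "cf_clearance"}
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def inspect_response(request_url: str, status: int, headers: List[Tuple[str, str]]) -> List[str]:
    """Return human-readable findings for one response.

    headers is a list of (name, value) pairs, as HTTPResponse.getheaders() gives."""
    findings = []
    pairs = [(name.lower(), value) for name, value in headers]
    last = dict(pairs)      # last occurrence wins; fine for the single-valued headers below
    req_host = urlparse(request_url).hostname or ""

    # 1. Cookies set on a plain page load; persistent ones are the classic tracker.
    for name, value in pairs:
        if name != "set-cookie":
            continue
        cookie = value.split("=", 1)[0].strip()
        attrs = value.lower()
        if cookie in CLOUDFLARE_COOKIES:
            findings.append(f"cloudflare cookie {cookie}")
        elif "expires=" in attrs or "max-age=" in attrs:
            findings.append(f"persistent cookie {cookie}")
        else:
            findings.append(f"session cookie {cookie}")

    # 2. Cloudflare in front of the site: it terminates TLS, so it sees the plaintext.
    if last.get("server", "").lower() == "cloudflare" or "cf-ray" in last:
        findings.append("served via Cloudflare")

    # 3. Software version disclosure in the usual headers.
    for header in VERSION_HEADERS:
        value = last.get(header, "")
        if any(ch.isdigit() for ch in value):
            findings.append(f"version disclosure: {header}: {value}")

    # 4. An .onion address that bounces the visitor to a clearnet host.
    if req_host.endswith(".onion") and 300 <= status < 400:
        target = urlparse(last.get("location", "")).hostname or ""
        if target and not target.endswith(".onion"):
            findings.append(f"onion address redirects to clearnet host {target}")
    return findings


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: the Location header is what we want to inspect."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_headers(url: str, timeout: float = 10) -> Tuple[int, List[Tuple[str, str]]]:
    """HEAD a URL and return (status, headers) without following redirects.
    For .onion addresses run the script under torsocks (assumption: urllib
    speaks no SOCKS by itself)."""
    opener = urllib.request.build_opener(_NoRedirect)
    request = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(request, timeout=timeout) as resp:
            return resp.status, resp.getheaders()
    except urllib.error.HTTPError as err:   # 3xx (unfollowed) and 4xx/5xx land here
        return err.code, list(err.headers.items())


# Constructed samples (not captured from the services named on this page).
SAMPLE_SEARCH = ("https://search.example/?q=test", 200, [
    ("Server", "cloudflare"),
    ("CF-RAY", "0123456789abcdef-FRA"),
    ("Set-Cookie", "ad=settings; Expires=Fri, 01 Jan 2027 00:00:00 GMT; Path=/"),
    ("Set-Cookie", "__cf_bm=abc; Max-Age=1800; Path=/; HttpOnly"),
])
SAMPLE_PHP = ("https://mail.example/", 200, [
    ("Server", "Apache/2.4.29 (Ubuntu)"),
    ("X-Powered-By", "PHP/7.2.24"),
])
SAMPLE_ONION = ("http://examplev3addressexamplev3address.onion/", 302, [
    ("Location", "https://mail.example/login"),
])
SAMPLE_CLEAN = ("https://clean.example/", 200, [
    ("Server", "nginx"),
    ("Content-Type", "text/html"),
])

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                   # real check: python3 this.py https://host/
        status, headers = fetch_headers(sys.argv[1])
        print(inspect_response(sys.argv[1], status, headers) or ["no findings"])
    else:
        for sample in (SAMPLE_SEARCH, SAMPLE_PHP, SAMPLE_ONION, SAMPLE_CLEAN):
            print(sample[0], inspect_response(*sample) or ["no findings"])
```

A HEAD request is enough for the headers, but some sites set cookies only on GET or only on the search page itself, so test the URL you actually use; and a cookie is only evidence of tracking if it is also sent back, which a second request through the same checks (or the browser's cookie viewer) will show.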

Functionality and other stuff

Of course, it's not enough for a provider to have perfect privacy. Here's a list of other things we might need to look for:

Since a provider who checks all the boxes likely doesn't exist - we have to pick the issues that are the most important to us. Personally, I can deal with some inconveniences like slow speed in exchange for independence and activist focus. But it's up to you to decide what your priorities are and pick your providers according to them.
