If you are anything like most people, you have ended up on this site because you've realized your privacy is being violated by governments and big corporations and you've been trying to do something about it. To accomplish that, you've likely traversed recommendation lists like the E-mail report or the Web browser rankings and modified your choices according to them. But is this the right approach?
The first question we have to ask ourselves is what actually is privacy - or else we will fail in our quest to reach it. Simply, privacy is the default state of other people not knowing where you are, what you do or think. Though the violators are trying really hard to blur the lines - we're not born with tracking devices under our skins. In fact, our biology is designed with privacy in mind - we're individuals each with our own sets of brains, eyes and ears whose contents are not directly shared with anyone by default. Humans have an ingrained need for privacy:
Ralph Adolph and Daniel P. Kennedy, neurologists at the University of Caltech in the United States, discovered that there’s a structure in our brain which is responsible for telling us where the limits of our personal space lie. This structure is the amygdala, a small region associated with fear and the survival instinct.
This discovery reveals something essential. The brain measures the personal limits of each individual. It’s like a personal alarm which tells us when something or someone is bothering us. When something is invading our privacy or violating our integrity until it becomes a threat to our well-being.
It reminds us that one of our greatest sources of anxiety is witnessing how we feel more “crowded” every day in every way.
And so, the "nothing to hide" argument totally misses the mark, since privacy is the biologically necessitated default. This brings us to our next point:
As stated above, we lose it whenever our brain detects another person (or a group of people) invading our personal space. However, this only works for people - we've spent over 99% of our time on this Earth in the wild, and that is what our brains are tuned to. There are no computers in the jungle, after all. Civilization has allowed privacy violators to hide behind devices (such as CCTV cameras) and avoid triggering our biological intrusion detection system. Does all this have anything to do with the article title? Sure does:
Just as privacy in the wild would entail getting away from the people who got inside your personal space - digital privacy works similarly, except that the person is replaced by an electronic device. Though CCTV makes this easy to see, the gadget in question could very well be the computer you use every day, your credit card, printer or even the IoT fridge. We have been so accustomed to a life full of electronics that this simple point eludes us. There can be no privacy loss with a tech-free life. Which of course I'm not recommending - I only wanted to show the root of privacy issues. Clearly, the amount of data collected while avoiding all electronic devices would be zero - but then we'd lose all the advantages of those. How to balance this?
A privacy newbie usually comes in with the attitude of replacing his current violators with privacy-respecting versions. And of course, there are a bunch of providers who are happy to fulfill (or pretend to) that need. You heard your Google Chrome browser spies on you? Mozilla Firefox to the rescue (or not)! Gmail? ProtonMail. Google Maps? Hmm, we're not doing too swell here... Anyway, this same person in 30 years will be asking how to replace Google Parent, Google Cook, Google Home Designer, etc. Is this the right approach? We've established there can be no privacy violations without electronic invaders. Therefore, the way to take control of your privacy seems to be minimizing device usage. And so, the right question for a newbie to ask is not "how do I replace this service?" but "do I actually need it?"
Google Maps was invented in 2005. Amazon Alexa in 2014. Siri in 2011. Smartphones in the 2000s. And yet a lot of people today cannot imagine life without them. But 20 years ago, we all did fine without them. What has changed? Obviously, technology modifies the way society works (for example, there's a higher requirement for cars or other transportation than a few decades ago), but many of those devices can be easily dumped today - and even the "required" ones can be, with more effort. It is the capitalist focus on shiny new gadgets and the slick marketing which keeps them alive, as well as people's increasing laziness. Real privacy, therefore, has to start with not being dependent upon the violators, instead of trying to replace, modify or block them.
Now that we've cut off most of the violators, we can more thoroughly focus on managing the ones we do actually need - such as search engines, web browsers (though even this you can curb by avoiding bloated sites and downloading the ones you care about for offline reading) or communicators (hey, there are always carrier pigeons...). So let's end the privacy saga and learn how to choose privacy-respecting services so that you won't have to rely on recommendation lists anymore (which are prone to bribes, fanboyism, groupthink, low-quality research, outdated information, etc.):
I have created several lists analyzing various providers; however, updating them is a Herculean task. New ones keep appearing while old ones go defunct (rare, since privacy is a big business opportunity now), get bought or merge; and the existing ones keep adding new violations. However, they rarely change for the better - which brings me to my first criterion to be used in judging them:
Often, you have to dig up information from 15 years ago to get a proper view of a provider - such as in the case of DuckDuckGo. Briefly, the owner ran a data collecting operation for a few years until selling it (to an unethical company) and inventing DDG. He then advertised it heavily as an alternative to Google, and it was of course much better - but eventually, he started including anti-user stuff such as tracking cookies, pixel tags and Cloudflare, as well as playing fast and loose with the definition of "personal data". As you can see, the spirit of his previous invention eventually started surfacing (and knowing the previous history would have allowed more cautious people to predict that).
You don't really need to follow a provider's every move to decide to avoid them - just a few pieces of history will usually suffice. Mozilla has for years been dependent upon the funds of a known violator, Google - do you think this is something a privacy-respecting company would be comfortable with? Then they started switching deals to other privacy-haters such as Yahoo. Or consider the saga about their horrible mistreatment of a long-time supporter - if they don't care about such people, why would they care about the puny users?
So, as you can see, history is the foundation upon which we base everything else. However, putting it all together requires a combination of willpower, time, effort and skill which many people might not have. It also doesn't provide any insight if the provider is new. Can we find a more clear-cut and immediate way to rate a provider?
Steam's policy is very long and we don't want to spend the whole day analyzing it, so we first have to prioritize certain sections. Scroll right down to "3. What Data We Collect and Process", which is the most important issue. "Basic Account Data" and "Transaction Data" cannot be avoided, so we can skip reading those. The really revealing information is in subsection "3.4 Your Use of the Steam Client and Websites":
Personal Data we collect may include, but is not limited to, browser and device information, data collected through automated electronic interactions and application usage data. Likewise, we will track your process across our websites and applications to verify that you are not a bot and to optimize our services
"Browser and device information" is pretty common (though it still doesn't have to be collected), so we can forgive Valve here. However, "data collected through automated electronic interactions and application usage data" can pretty much mean everything you do on their site. This proves Steam to be a giant privacy violator. Not only that, they are also dishonest, hiding behind "but is not limited to"; here, a cautious person will assume they are collecting absolutely everything possible - otherwise, why not mention exactly what is being collected? Another common deception is "to optimize our services"; what is the optimization and why does it need my data? So, as we can see, Steam throws up a few red flags in the most important section. To be honest, with this information alone you could already put Steam in the "privacy violator" box and leave it at that; this is the speedrunning of privacy policies. But our goal here is learning how to do research, so let's move on:
The subsection "3.5 Your Use of Games and other Subscriptions" collects "game statistics", which I guess could be justified in a service like this. But wait - later it says:
as well as information about the device you are using, including what operating system you are using, device settings, unique device identifiers, and crash data.
which has literally nothing to do with gaming. "Unique device identifiers" is especially violating. Okay, so we've proven beyond doubt that Steam is collecting data way beyond what it needs to. There's no more need to dwell on this - let's move on to section "4. How Long We Store Data":
We will only store your information as long as necessary to fulfil the purposes for which the information is collected and processed or — where the applicable law provides for longer storage and retention period — for the storage and retention period required by law. After that your Personal Data will be deleted, blocked or anonymized, as provided by applicable law.
All these words and no specific figures. Even serious violators I've described in the E-mail report provide the actual numbers - so Steam once again shows it belongs in the shit tier. And even if you assume the retention period is short, after it's over you're still not sure the data is actually deleted, since the other two options are "blocked or anonymized". Can they say anything more which would redeem them here? I don't think so, therefore let's move on to the other sections:
"5. Who Has Access to Data" includes these gems in it:
Valve and its subsidiaries may share your Personal Data with each other
The subsidiaries are not specified. Suspicious.
In accordance with internet standards, we may also share certain information (including your IP address and the identification of Steam content you wish to access) with our third party network providers that provide content delivery network services
Which network providers these are is, of course, not mentioned, and neither is the exact data shared.
In this policy, we describe how we are processing your personal data as a data controller and how you as an individual can exercise your rights. We only process personal data in accordance with the GDPR and other applicable legislations.
No unnecessarily long introduction. Right next, Mullvad lists a few subsections:
Of course, we're most interested in the first one - so let's read it:
The underlying policy of Mullvad is that we never store any activity logs of any kind. We strongly believe in having a minimal data retention policy because we want you to remain anonymous.
Good. However, lots of providers make that claim, only to contradict it later (hint: Mullvad doesn't). Then they say up front that they sometimes store payment data (thanks for being honest!), but the later sections reveal that it's only if you choose an unprivate payment method. Next up - "Our anonymous, numbered accounts":
We want you to remain anonymous. When you sign up for Mullvad, we do not ask for any personal information – no username, no password, no email address. Instead, a random account number is generated, a so-called numbered account. This number is the only identifier a person needs in order to use a Mullvad account. This is a fundamental difference that sets us apart from most other services.
While some others (such as Mozilla or StartPage) redefine the term "personal information" so that they can claim they don't collect it - Mullvad means what it says. In fact, they take it up to eleven - all that's required to use the service is a number.
Anyone at anytime can create as many numbered accounts as they wish on our website. An account can be used by multiple people or by someone other than the person who initially generated it.
Many providers have rules against multiple accounts despite claiming anonymity / privacy. That, of course, requires storing some data in order to prove you're the same person. Therefore, the way Mullvad does it is the only way you can be private / anonymous. Okay, now pay attention, because the best bit is just about to appear:
Data that we store for an account:
account number | expiry date
xxxxxxxxxxx    | 20170730

Data stored for WireGuard® configuration (if used):
account number | pubkey   | tunnel address
xxxxxxxxxxxx   | xxxxxxxx | x

Data stored for port-forward configuration (if used):
account number | port | wg_peer
xxxxxxxxxxxx   | x    | x
The complete transparency is truly a sight to behold. Most other providers - even though they might not collect anything - don't go into such detail. So - while you might think you know what a VPN means by
After 6 months, all emails sent to our support address are automatically, permanently erased (from inbox, deleted items, sent items, trash, and archives).
Now why can't providers like FastMail do the same thing instead of providing a bunch of contradictory figures? Or worse - they don't even provide a duration - like ProtonVPN:
When you submit support requests or bug reports, we will collect the data that you choose to share with us about the issue being reported.
The policy should also be deep enough for the people who want it. Mullvad thoroughly answers questions such as "How can you limit the maximum number of simultaneous connections if you're not logging that information?" for the more paranoid people. Most other providers won't bother doing that - they will just assume you will trust them and their vague claims like "no logs" or "no personal data". Anyway, here is Mullvad's answer:
Each VPN server reports to a central service. When a customer connects to a VPN server, the server asks the central service to validate the account number, whether or not the account has any remaining time, if the account has reached its allowed number of connections, and so on. Everything is performed in temporary memory only; none of this information is permanently stored to disk.
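The reading method walked through above for Steam and Mullvad, as an added example that is not part of the original article: a small Python scanner that flags open-ended data lists and unexplained purposes in a "what we collect" section, and tells a numbered retention period apart from hedging. The phrase lists are an assumption seeded from the quoted excerpts, and the sample sections are those excerpts themselves.

```python
import re

# Added example, not from the original article: a first-pass scanner for the
# red flags the analysis above looks for by eye. The phrase lists are this
# example's own starting point, seeded from the quoted excerpts; extend them.
OPEN_ENDED = ("not limited to", "such as", "among other things")
VAGUE_PURPOSE = ("optimize our services", "improve our services",
                 "enhance your experience", "legitimate interests")
RETENTION_HEDGES = ("as long as necessary", "required by law",
                    "blocked or anonymized", "reasonable period")
# A concrete retention period names a number and a unit: "6 months", "30 days".
DURATION = re.compile(r"\b\d+\s*(?:hours?|days?|weeks?|months?|years?)\b")


def red_flags(section_text):
    """Return (flag, phrase) pairs found in a 'what we collect' section."""
    text = section_text.lower()
    flags = [("open-ended data list", p) for p in OPEN_ENDED if p in text]
    flags += [("unexplained purpose", p) for p in VAGUE_PURPOSE if p in text]
    return flags


def retention_verdict(section_text):
    """('concrete', period) if the section states a period in numbers,
    otherwise ('vague', hedges) with the phrases standing in for a number."""
    text = section_text.lower()
    match = DURATION.search(text)
    if match:
        return "concrete", match.group(0)
    return "vague", [h for h in RETENTION_HEDGES if h in text]


# Sample sections: the three policy excerpts quoted in the article above.
STEAM_COLLECT = ("Personal Data we collect may include, but is not limited to, "
                 "browser and device information, data collected through automated "
                 "electronic interactions and application usage data. Likewise, we "
                 "will track your process across our websites and applications to "
                 "verify that you are not a bot and to optimize our services")
STEAM_RETAIN = ("We will only store your information as long as necessary to fulfil "
                "the purposes for which the information is collected and processed "
                "or - where the applicable law provides for longer storage and "
                "retention period - for the storage and retention period required "
                "by law. After that your Personal Data will be deleted, blocked or "
                "anonymized, as provided by applicable law.")
MULLVAD_RETAIN = ("After 6 months, all emails sent to our support address are "
                  "automatically, permanently erased (from inbox, deleted items, "
                  "sent items, trash, and archives).")

if __name__ == "__main__":
    print(red_flags(STEAM_COLLECT))            # two flags
    print(retention_verdict(STEAM_RETAIN))     # vague, three hedges
    print(retention_verdict(MULLVAD_RETAIN))   # concrete, "6 months"
```

A hit is a reason to read that section closely, not a verdict by itself; a policy can hedge in words the list does not know.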
This is the most reliable way to prove or disprove privacy. For web browsers (as well as anything else that uses the HTTP protocol, such as package managers) you can use mitmproxy. For anything else, use netactview. It lacks the rich functionality of mitmproxy, but it works for any protocol. To use it, first go to the "view" menu and enable the "command" option. This will allow you to see which program actually makes a connection. Then turn on the application you want to test (or all of them). Now watch; if you see a program make a connection when it isn't even supposed to use the Internet (I haven't had that happen yet) - well, you have your proof. It is also possible to check the actual hosts a process is connecting to; you might be surprised to learn that your favorite "private" service is going through Amazon servers or such... Wireshark is another program that can do this, but it's more complicated and netactview does what we need it to do.
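An added illustration of the netactview method above, not from the original article: the same program-to-connection grouping, computed from the text output of `ss -tnp` (the iproute2 socket tool, which the article does not mention). The sample output, program names and peer addresses are constructed.

```python
import re
from collections import defaultdict

# Added example, not from the original article. It does offline what you do by
# eye in netactview with the "command" column enabled: group live TCP connections
# by the program that owns them, then flag programs that should not be online at
# all. Input is the text printed by `ss -tnp` (iproute2); this sample is
# constructed, with peers in documentation address ranges.
SAMPLE_SS = """State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 192.168.1.20:51234 198.51.100.7:443 users:(("firefox",pid=2210,fd=87))
ESTAB 0 0 192.168.1.20:51240 203.0.113.9:443 users:(("firefox",pid=2210,fd=91))
ESTAB 0 0 192.168.1.20:40012 192.0.2.44:443 users:(("texteditor",pid=3301,fd=5))
ESTAB 0 0 192.168.1.20:33900 192.0.2.10:993 users:(("mail-client",pid=1890,fd=12))
ESTAB 0 0 192.168.1.20:33912 192.0.2.77:443
"""

# The process column looks like: users:(("firefox",pid=2210,fd=87))
PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')


def connections_by_program(ss_output):
    """Map program name -> sorted list of 'peer:port' strings it is talking to."""
    result = defaultdict(set)
    for line in ss_output.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        peer = fields[4]
        # No process column means ss could not see the owner (run it as root).
        match = PROC_RE.search(fields[5]) if len(fields) > 5 else None
        name = match.group(1) if match else "<unknown>"
        result[name].add(peer)
    return {name: sorted(peers) for name, peers in result.items()}


def unexpected_programs(ss_output, allowed):
    """Programs with open connections that are not on your list of programs
    expected to use the network (an unknown owner counts as unexpected too)."""
    return sorted(set(connections_by_program(ss_output)) - set(allowed))


if __name__ == "__main__":
    for name, peers in connections_by_program(SAMPLE_SS).items():
        print(name, "->", ", ".join(peers))
    print("unexpected:", unexpected_programs(SAMPLE_SS, ["firefox", "mail-client"]))
```

The peers are IP addresses; working out who operates them (the "Amazon servers" check) is a separate reverse-lookup step.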
The above method works for both closed and open source software. Of course, if source code is provided, you can read it; but for the vast majority of people, it requires too much skill. Assuming you do have that skill - most software still has so many lines of code you could not inspect it properly. Even in small programs, it is still easy to miss a connection or have a malicious developer hide it. Network monitors, though, will reveal all - so they are the most viable option. But what if we're trying to judge an online provider, instead of software?
Sometimes, services do show their source code but you can't verify that it's the same one they're running. Fortunately, many providers can still be tested. You can easily check (with uMatrix or just the browser's built-in tools) if a search engine is setting tracking cookies, like DuckDuckGo used to do, or if it's behind Cloudflare. Servers can have insecure setups which are often testable, such as ProtonMail's redirection of onion domains to the clearnet or secmail's revealing of the operating system and PHP version on their server. This can refute the
"name of VPN" + "government" or + "court" to find ones that were keeping logs and ones that weren't). You can talk to the people behind a service directly - which can increase your trust in them or even reveal interesting information such as secmail not having time to implement SSL. But in the end - short of hacking the server - you cannot 100% prove a VPN's no-log policy, for example.
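The cookie and Cloudflare checks mentioned above, as an added example that is not from the original article: the same inspection you would do in the browser's tools, done on a captured raw response header block. The header block is constructed; `Server: cloudflare` and the `CF-` header prefix are the real Cloudflare signals it looks for.

```python
# Added example, not from the original article: the checks described above (does
# a response set persistent cookies, is it served through Cloudflare) run on a
# captured raw header block. The block is constructed; the Cloudflare signals
# used are the real "Server: cloudflare" value and the "CF-" header prefix.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: cloudflare
CF-RAY: 0000000000000000-XXX
Set-Cookie: session=abc123; Path=/; HttpOnly
Set-Cookie: prefs=q-lang; Expires=Wed, 01 Jan 2020 00:00:00 GMT; Path=/
Set-Cookie: uid=0000000000; Max-Age=63072000; Path=/; Secure
"""


def parse_headers(raw):
    """(status line, [(name, value), ...]); names lower-cased, repeats kept."""
    lines = raw.strip().splitlines()
    headers = []
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def persistent_cookies(headers):
    """Cookies kept beyond the browser session (Expires or Max-Age present),
    the ones that can act as a tracking identifier. {cookie name: attributes}"""
    found = {}
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = parts[1:]
        if any(a.lower().startswith(("expires=", "max-age=")) for a in attrs):
            found[cookie_name] = "; ".join(attrs)
    return found


def cloudflare_indicators(headers):
    """Header names/values showing the response passed through Cloudflare."""
    hits = []
    for name, value in headers:
        if name == "server" and value.lower() == "cloudflare":
            hits.append("server: cloudflare")
        elif name.startswith("cf-"):
            hits.append(name)
    return hits


if __name__ == "__main__":
    _, hdrs = parse_headers(SAMPLE_RESPONSE)
    print("persistent cookies:", persistent_cookies(hdrs))
    print("cloudflare indicators:", cloudflare_indicators(hdrs))
```

A session cookie without Expires or Max-Age (like "session" above) dies with the browser and is not flagged; the two persistent ones are what to ask the provider about.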
Of course, it's not enough for a provider to have perfect privacy. Here's a list of other things we might need to look for:
We may suspend or terminate your Accounts [...] for any or no reason
or
you grant us a worldwide, royalty-free, perpetual, irrevocable, non-exclusive, transferable, and sublicensable license to use, copy, modify, adapt, prepare derivative works from, distribute, perform, and display Your Content.
Since a provider who checks all the boxes likely doesn't exist - we have to pick the issues that are the most important to us. Personally, I can deal with some inconveniences like slow speed in exchange for independence and activist focus. But it's up to you to decide what your priorities are and pick your providers according to them.