If you are anything like most people, you have ended up on this site because you've realized your privacy is being violated by governments and big corporations and you've been trying to do something about it. To accomplish that, you've likely traversed recommendation lists like the E-mail report or the Web browser ranknigs and modified your choices according to them. But is this the right approach?
The first question we have to ask ourselves is what actually is privacy - or else we will fail in our quest to reach it. Simply, privacy is the default state of other people not knowing where you are, what you do or think. Though the violators are trying really hard to blur the lines - we're not born with tracking devices under our skins. In fact, our biology is designed with privacy in mind - we're individuals each with our own sets of brains, eyes and ears whose contents are not directly shared with anyone by default. Humans have an ingrained need for privacy:
Ralph Adolph and Daniel P. Kennedy, neurologists at the University of Caltech in the United States, discovered that there’s a structure in our brain which is responsible for telling us where the limits of our personal space lie. This structure is the amygdala, a small region associated with fear and the survival instinct.
This discovery reveals something essential. The brain measures the personal limits of each individual. It’s like a personal alarm which tells us when something or someone is bothering us. When something is invading our privacy or violating our integrity until it becomes a threat to our well-being.
It reminds us that one of our greatest sources of anxiety is witnessing how we feel more “crowded” every day in every way.
And so, the
nothing to hide argument totally misses the mark, since privacy is the biologically necessitated default. This brings us to our next point:
As stated above, we lose it whenever our brain detects another person (or a group of people)
invading our personal space. However, this only works for people - we've spent over 99% of our time on this Earth in the wild, and that is what our brains are tuned to. There is no computers in the jungle, after all. Civilization has allowed privacy violators to hide behind devices (such as CCTV cameras) and avoid triggering our biological intrusion detection system. Does all this have anything to do with the article title? Sure does:
Just as privacy in the wild would entail getting away from the people who got inside your personal space - digital privacy works similarly except the person is replaced by an electronic device. Though CCTV makes this easy to see, the gadget in question could very well be the computer you use every day, your credit card, printer or even the IOT fridge. We have been so accustomed to a life full of electronics that this simple point eludes us. There can be no privacy loss with a tech-free life. Which of course I'm not recommending - only wanted to show the root of privacy issues. Clearly, the amount of data collected while avoiding all electronic devices would be zero - but then we'd lose all the advantages of those. How to balance this?
A privacy newbie usually comes in with the attitude of replacing his current violators with privacy-respecting versions. And of course, there are a bunch of providers who are happy to fulfill (or pretend to) that need. You heard your Google Chrome browser spies on you? Mozilla Firefox to the rescue (or not)! Gmail? ProtonMail. Google Maps? Hmm, we're not doing too swell here...Anyway, this same person in 30 years will be asking how to replace Google Parent, Google Cook, Google Home Designer, etc. Is this the right approach? We've established there can be no privacy violations without electronic invaders. Therefore, the way to take control of your privacy seems to be minimizing device usage. And so, the right question for a newbie to ask is not
how do I replace this service? but
do I actually need it?
Google Maps has been invented in 2005. Amazon Alexa - in 2014. Siri - 2011. Smartphones - in the 2000s. And yet a lot of people today cannot imagine a life without those. But 20 years ago, we all did fine without them. What has changed? It's obvious technology modifies the way society works (for example, there's a higher requirement for cars or other transportation than a few decades ago), but many of those devices can be easily dumped today - and even the "required" ones can as well with more effort. It is the capitalist focus on shiny new gadgets and the slick marketing which keeps them alive; as well as people's increasing laziness. Real privacy, therefore, has to start with not being dependent upon the violators instead of trying to replace, modify or block them.
Now that we've cut off most of the violators, we can more thoroughly focus on managing the ones we do actually need - such as search engines, web browsers (though even this you can curb by avoiding bloated sites and downloading the ones you care about for offline reading) or communicators (hey, there's always carrier pigeons...). So let's end the privacy saga and learn how to choose privacy-respecting services so that you won't have to rely on recommendation lists anymore (which are prone to bribes, fanboyism, groupthink, low quality research, outdated information, etc):
I have created several lists analyzing various providers, however, updating them is a Herculean task. New ones keep appearing while old ones go defunct (rare since privacy is a big business opportunity now), get bought or merge; and the existing ones keep adding new violations. However, they rarely change for the better - which brings me to my first criteria to be used in judging them:
Often, you have to dig up information from 15 years ago to get a proper view of a provider - such as in the case of DuckDuckGo. Briefly, the owner has run a data collecting operation for a few years until selling it (to an unethical company) and inventing DDG. He has then advertised it heavily as an alternative to Google, and it was of course much better - but eventually, he's started including anti-user stuff such as tracking cookies, pixel tags and Cloudflare; as well as playing fast-and-loose with the definition of
personal data. As you can see, the spirit of his previous invention eventually started surfacing (and knowing the previous history would have allowed more cautious people to have predicted that).
You don't really need to follow a provider's every move to decide to avoid them - just a few pieces of history will usually suffice. Mozilla has for years been dependent upon the funds of a known violator, Google - do you think this is something a privacy-respecting company would be comfortable with? Then they started switching deals to other privacy-haters such as Yahoo. Or consider the saga about their horrible mistreatment of a long-time supporter - if they don't care about such people, why would they do about the puny users?
So, as you can see, history is the fundamental upon which we base everything else. However, putting it all together requires a combination of willpower, time, effort and skill which many people might not have. It also doesn't provide any insight if the provider is new. Can we find a more clear-cut and immediate way to rate a provider?
The policy is very long and we don't want to spend the whole day analyzing it, so we first have to prioritize certain sections. Scroll right down to 3. What Data We Collect and Process which is the most important issue. Basic Account Data and Transaction Data cannot be avoided so we can skip reading those. The really revealing information is in subsection 3.4 Your Use of the Steam Client and Websites:
Personal Data we collect may include, but is not limited to, browser and device information, data collected through automated electronic interactions and application usage data. Likewise, we will track your process across our websites and applications to verify that you are not a bot and to optimize our services
Browser and device is pretty common (though still, doesn't have to be collected) so we can forgive Valve here. However,
data collected through automated electronic interactions and application usage data can pretty much mean everything you do on their site. This proves Steam to be a giant privacy violator. Not only that, they are also dishonest, hiding behind
but is not limited to; here, a cautious person will assume they are collecting absolutely everything possible - otherwise, why not mention exactly what is being collected? Another common deception is
to optimize our services; what is the optimization and why does it need my data? So, as we can see, Steam throws up a few red flags in the most important section. To be honest, with this information alone you could already put Steam in the "privacy violator" box and leave it at that; this is the speedrunning of privacy policies. But our goal here is learning how to do research, so let's move on:
The subsection 3.5 Your Use of Games and other Subscriptions collects
game statistics, which could I guess be justified in a service like this. But wait - later it says
as well as information about the device you are using, including what operating system you are using, device settings, unique device identifiers, and crash data.
which has literally nothing to do with gaming.
Unique device identifiers is especially violating. Okay, so we've proven beyond doubt Steam is collecting data way beyond what it needs to. There's no more need to dwell on this - let's move on to section 4. How Long We Store Data:
We will only store your information as long as necessary to fulfil the purposes for which the information is collected and processed or — where the applicable law provides for longer storage and retention period — for the storage and retention period required by law. After that your Personal Data will be deleted, blocked or anonymized, as provided by applicable law.
All these words and no specific figures. Even serious violators I've described in the E-mail report provide the actual numbers - so Steam once again shows it belongs into the shit tier. And even if you assume the retentiion period is short, after it's over you're still not sure the data is actually deleted, since the other two options are
blocked or anonymized. Can they say anything more which would redeem them here? I don't think so, therefore let's move on to the other sections:
5. Who Has Access to Data includes these gems in it:
Valve and its subsidiaries may share your Personal Data with each other
The subsidiaries are not specified. Suspicious.
In accordance with internet standards, we may also share certain information (including your IP address and the identification of Steam content you wish to access) with our third party network providers that provide content delivery network services
What are these network providers is of course not mentioned, neither is the exact data shared.