
Bypassing the privacy chase

- Introduction -
- What is privacy? -
- How do we lose our privacy? -
- Privacy in the digital age -
- Technology versus privacy -
- Things we can give up -
- Judging service providers -
- History of the provider -
- The privacy policy -

Introduction

If you are anything like most people, you have ended up on this site because you've realized your privacy is being violated by governments and big corporations and you've been trying to do something about it. To accomplish that, you've likely traversed recommendation lists like the E-mail report or the Web browser rankings and modified your choices according to them. But is this the right approach?

What is privacy?

The first question we have to ask ourselves is what privacy actually is - or else we will fail in our quest to reach it. Simply put, privacy is the default state of other people not knowing where you are or what you do or think. Though the violators are trying really hard to blur the lines - we're not born with tracking devices under our skins. In fact, our biology is designed with privacy in mind - we're individuals, each with our own sets of brains, eyes and ears whose contents are not directly shared with anyone by default. Humans have an ingrained need for privacy:

Ralph Adolph and Daniel P. Kennedy, neurologists at the University of Caltech in the United States, discovered that there’s a structure in our brain which is responsible for telling us where the limits of our personal space lie. This structure is the amygdala, a small region associated with fear and the survival instinct.
This discovery reveals something essential. The brain measures the personal limits of each individual. It’s like a personal alarm which tells us when something or someone is bothering us. When something is invading our privacy or violating our integrity until it becomes a threat to our well-being.
It reminds us that one of our greatest sources of anxiety is witnessing how we feel more “crowded” every day in every way.

And so, the nothing to hide argument totally misses the mark, since privacy is the biologically necessitated default. This brings us to our next point:

How do we lose our privacy?

As stated above, we lose it whenever our brain detects another person (or a group of people) invading our personal space. However, this only works for people - we've spent over 99% of our time on this Earth in the wild, and that is what our brains are tuned to. There are no computers in the jungle, after all. Civilization has allowed privacy violators to hide behind devices (such as CCTV cameras) and avoid triggering our biological intrusion detection system. Does all this have anything to do with the article title? Sure does:

Privacy in the digital age

Just as privacy in the wild would entail getting away from the people who got inside your personal space - digital privacy works similarly except the person is replaced by an electronic device. Though CCTV makes this easy to see, the gadget in question could very well be the computer you use every day, your credit card, printer or even the IoT fridge. We have become so accustomed to a life full of electronics that this simple point eludes us. There can be no privacy loss with a tech-free life. Which of course I'm not recommending - I only wanted to show the root of privacy issues. Clearly, the amount of data collected while avoiding all electronic devices would be zero - but then we'd lose all the advantages of those. How to balance this?

Technology versus privacy

A privacy newbie usually comes in with the attitude of replacing his current violators with privacy-respecting versions. And of course, there are a bunch of providers who are happy to fulfill (or pretend to fulfill) that need. You heard your Google Chrome browser spies on you? Mozilla Firefox to the rescue (or not)! Gmail? ProtonMail. Google Maps? Hmm, we're not doing too swell here... Anyway, this same person in 30 years will be asking how to replace Google Parent, Google Cook, Google Home Designer, etc. Is this the right approach? We've established there can be no privacy violations without electronic invaders. Therefore, the way to take control of your privacy seems to be minimizing device usage. And so, the right question for a newbie to ask is not "how do I replace this service?" but "do I actually need it?"

Google Maps was invented in 2005. Amazon Alexa - in 2014. Siri - 2011. Smartphones - in the 2000s. And yet a lot of people today cannot imagine a life without those. But 20 years ago, we all did fine without them. What has changed? It's obvious technology modifies the way society works (for example, there's a higher requirement for cars or other transportation than a few decades ago), but many of those devices can be easily dumped today - and even the "required" ones can be dumped as well, with more effort. It is the capitalist focus on shiny new gadgets and the slick marketing which keeps them alive; as well as people's increasing laziness. Real privacy, therefore, has to start with not being dependent upon the violators instead of trying to replace, modify or block them.

Things we can give up

Now that we've cut off most of the violators, we can more thoroughly focus on managing the ones we do actually need - such as search engines, web browsers (though even this you can curb by avoiding bloated sites and downloading the ones you care about for offline reading) or communicators (hey, there's always carrier pigeons...). So let's end the privacy saga and learn how to choose privacy-respecting services so that you won't have to rely on recommendation lists anymore (which are prone to bribes, fanboyism, groupthink, low quality research, outdated information, etc.):

Judging service providers

I have created several lists analyzing various providers; however, updating them is a Herculean task. New ones keep appearing while old ones go defunct (rare since privacy is a big business opportunity now), get bought or merge; and the existing ones keep adding new violations. However, they rarely change for the better - which brings me to my first criterion to be used in judging them:

History of the provider

Often, you have to dig up information from 15 years ago to get a proper view of a provider - such as in the case of DuckDuckGo. Briefly, the owner ran a data collecting operation for a few years until selling it (to an unethical company) and inventing DDG. He then advertised it heavily as an alternative to Google, and it was of course much better - but eventually, he started including anti-user stuff such as tracking cookies, pixel tags and Cloudflare; as well as playing fast-and-loose with the definition of personal data. As you can see, the spirit of his previous invention eventually started surfacing (and knowing the previous history would have allowed more cautious people to predict that).

You don't really need to follow a provider's every move to decide to avoid them - just a few pieces of history will usually suffice. Mozilla has for years been dependent upon the funds of a known violator, Google - do you think this is something a privacy-respecting company would be comfortable with? Then they started switching deals to other privacy-haters such as Yahoo. Or consider the saga about their horrible mistreatment of a long-time supporter - if they don't care about such people, why would they care about the puny users?

Knowing the history of a provider can put certain events into context. For example, the aforementioned tracking cookie on DDG could be said to be a mistake if his previous invention wasn't literally a data collecting operation. Add to that the other tracking DDG did and it's obvious the guy is just an opportunist for whom the recently popular privacy idea is just a way to get ahead. Mozilla's removal of the JavaScript toggle is a similar case - if you did not know about all the other anti-customization initiatives, you might even think it's a user-friendly change (that's how they tried to justify it). All you need is a few events to begin forming the big picture.

So, I've given the examples of DuckDuckGo and Mozilla as providers with a shady history. Do we have an opposite one? How about Autistici - created at some hackmeeting in 2001(!), and they've been fully committed to their mission since then. No information has come out showing that they have ever violated their principles. There have been no shady deals with privacy violating companies, no compromises, no deceptive advertising, no lying in the privacy policy, no trying to sneak in tracking by pixel tags, Cloudflare or whatever. In fact, on occasions when their resolve was put to the test, they've passed it with flying colors. If you read the R Plan (written in 2005), I think it's obvious these guys are the real deal and have always been.

So, as you can see, history is the foundation upon which we base everything else. However, putting it all together requires a combination of willpower, time, effort and skill which many people might not have. It also doesn't provide any insight if the provider is new. Can we find a more clear-cut and immediate way to rate a provider?

The privacy policy

Fortunately, the offenders almost always graciously tell us how they're violating us. Though often it is hidden behind weasel words and such - if you carefully analyze a privacy policy, you can come out with a pretty clear picture of what a provider is all about. Though doing that properly also takes some skill, it is much less demanding than the above. We will now take a particularly bad one to the chopping block. Enter the Steam privacy policy:

The policy is very long and we don't want to spend the whole day analyzing it, so we first have to prioritize certain sections. Scroll right down to "3. What Data We Collect and Process", which is the most important issue. "Basic Account Data" and "Transaction Data" cannot be avoided so we can skip reading those. The really revealing information is in subsection "3.4 Your Use of the Steam Client and Websites":

Personal Data we collect may include, but is not limited to, browser and device information, data collected through automated electronic interactions and application usage data. Likewise, we will track your process across our websites and applications to verify that you are not a bot and to optimize our services

"Browser and device information" is pretty common (though still, doesn't have to be collected) so we can forgive Valve here. However, "data collected through automated electronic interactions and application usage data" can pretty much mean everything you do on their site. This proves Steam to be a giant privacy violator. Not only that, they are also dishonest, hiding behind "but is not limited to"; here, a cautious person will assume they are collecting absolutely everything possible - otherwise, why not mention exactly what is being collected? Another common deception is "to optimize our services"; what is the optimization and why does it need my data? So, as we can see, Steam throws up a few red flags in the most important section. To be honest, with this information alone you could already put Steam in the "privacy violator" box and leave it at that; this is the speedrunning of privacy policies. But our goal here is learning how to do research, so let's move on:

The subsection "3.5 Your Use of Games and other Subscriptions" covers the collection of game statistics, which could I guess be justified in a service like this. But wait - later it says "as well as information about the device you are using, including what operating system you are using, device settings, unique device identifiers, and crash data", which has literally nothing to do with gaming. "Unique device identifiers" is especially violating. Okay, so we've proven beyond doubt Steam is collecting data way beyond what it needs to. There's no more need to dwell on this - let's move on to section "4. How Long We Store Data":

We will only store your information as long as necessary to fulfil the purposes for which the information is collected and processed or — where the applicable law provides for longer storage and retention period — for the storage and retention period required by law. After that your Personal Data will be deleted, blocked or anonymized, as provided by applicable law.

All these words and no specific figures. Even serious violators I've described in the E-mail report provide the actual numbers - so Steam once again shows it belongs in the shit tier. And even if you assume the retention period is short, after it's over you're still not sure the data is actually deleted, since the other two options are "blocked" or "anonymized". Can they say anything more which would redeem them here? I don't think so, therefore let's move on to the other sections:

"5. Who Has Access to Data" includes these gems in it:

Valve and its subsidiaries may share your Personal Data with each other

The subsidiaries are not specified. Suspicious.

In accordance with internet standards, we may also share certain information (including your IP address and the identification of Steam content you wish to access) with our third party network providers that provide content delivery network services

Who these network providers are is of course not mentioned, and neither is the exact data shared.
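
The checks used in this walkthrough (open-ended wording, vague purposes, retention language without a figure, deletion that is not guaranteed, recipients that are not named) can be run as a mechanical first pass over any policy text. The following Python script is an added example, not part of the original article; the rule names, the regexes and the `SPECIFIC` sentence are assumptions of the example, and a hit only marks a sentence worth reading closely.

```python
import re

# Rules mirror the red flags raised in the walkthrough; names and regexes are
# this example's own assumptions, not a standard or a complete rule set.
RULES = {
    "open-ended collection": re.compile(r"not limited to", re.I),
    "vague purpose": re.compile(r"\b(optimi[sz]e|improve) our services\b", re.I),
    # Heuristic: sharing with a category of recipient instead of a named one.
    "unspecified recipients": re.compile(
        r"\bshare\b.*\b(subsidiaries|third[- ]party|each other)\b", re.I),
    "no guaranteed deletion": re.compile(r"deleted,? blocked or anonymi[sz]ed", re.I),
}
RETENTION = re.compile(r"\b(stor(e|ed|age)|retain(ed)?|retention)\b", re.I)
DURATION = re.compile(r"\b\d+\s*(day|week|month|year)s?\b", re.I)

def sentences(text):
    """Split policy text on ., ! or ? followed by whitespace."""
    return [s.strip() for s in re.split(r"(?<=[.!?])\s+", text) if s.strip()]

def scan(text):
    """Return sorted (sentence index, flag) findings for the text."""
    findings = set()
    for i, s in enumerate(sentences(text)):
        findings.update((i, flag) for flag, rx in RULES.items() if rx.search(s))
        # Retention language with no concrete figure in the same sentence.
        if RETENTION.search(s) and not DURATION.search(s):
            findings.add((i, "retention without figure"))
    return sorted(findings)

# Excerpts quoted in the article (retention sentence abridged), joined as one text.
STEAM_EXCERPTS = (
    "Personal Data we collect may include, but is not limited to, browser and "
    "device information, data collected through automated electronic interactions "
    "and application usage data. Likewise, we will track your process across our "
    "websites and applications to verify that you are not a bot and to optimize "
    "our services. We will only store your information as long as necessary to "
    "fulfil the purposes for which the information is collected and processed. "
    "After that your Personal Data will be deleted, blocked or anonymized, as "
    "provided by applicable law. Valve and its subsidiaries may share your "
    "Personal Data with each other."
)
# Constructed contrast: a sentence that states a concrete retention period.
SPECIFIC = "Web server logs are stored for 14 days and then deleted."

if __name__ == "__main__":
    for idx, flag in scan(STEAM_EXCERPTS):
        print(f"sentence {idx}: {flag}")
    print("specific sentence:", scan(SPECIFIC))
```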

Okay, I think this is enough. We've learned Steam collects lots of data it doesn't need to, does not tell you for how long, and tries to hide relevant information; it's also unnecessarily long. Three strikes (actually four) and you're out! And we've skipped most of their policy. Now, I've brought up this one as an example of a bad privacy policy - let's now analyze a good one for comparison:
