March 3, 2022

5 privacy policy mistakes to watch out for

When was the last time you read a privacy policy? Guest author Dan Arel explains which 5 things you should pay particular attention to when reading a privacy policy.

Running ThinkPrivacy.ch means that every day I am sent new product and service recommendations from companies and/or fans of those companies. Most write to me in the hope of being added to our list of service recommendations.

And while I love checking out new services, the first thing I do before I even bother checking to see if it’s a cool new product, well designed, or even useful, is read the Privacy Policy. If it’s a bad Privacy Policy, I know I can move on with my day. A good one, and I can continue my research.

So, what makes a bad Privacy Policy? The answer is: a lot of things. But here are the top 5 things I look out for:

1. What do they share and with whom?

When it comes to privacy, you don’t want the services you use to share your information with other parties. Yet, we all know there are legal limits to this request. Depending on the country the company is in, they may have different legal obligations to share data when a warrant is presented.

So first, I check to see if they share information with any outside vendors. Words like “for marketing purposes” are huge red flags, even if they say it only applies to non-identifiable information. There is a grey area to look out for here and I will address that in part 2.

Then, when it comes to legality, what are they able to share? Let’s take the popular messaging app Signal as an example. Signal gets a lot of warrant requests, but they can’t share the information requested because they don’t have access to it. Since they are end-to-end encrypted and don’t hold the user’s security key on the server, they cannot unlock messages. Yet another popular messaging app has a privacy policy that states it will share user data when required by law (which is fine), or when they deem it “necessary.” Here, that “necessary” is concerning because who defines necessary? Is their CEO able to access a user account and hand over all data because they don’t agree with the political stance of the individual? Language in these policies matters because it’s what gives companies wiggle room.

2. What information is collected?

When I use Startpage as my search engine, I know that my IP address is logged in their system as 0.0.0.0. Other search engines tend to only hide the last few digits. Let’s look at what that means:

Examples (full IP address)

154.67.88.47

82.159.53.49

Examples (only the first two blocks)

154.67.0.0

82.159.0.0

As you can see, the latter is still rather identifiable, especially if your operating system, country, and browser information are also logged. While they might not know your exact IP, they can piece things together much more easily.
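To make the difference between the three logging approaches concrete, here is a small added example (my own illustration, not code from Startpage or from any search engine mentioned in this post). It uses a constructed, made-up query log and three masking policies: keeping the full IP, keeping only the first two blocks (a /16 prefix, as in the second set of examples above), and writing 0.0.0.0. It then shows how many searches could be linked to one visitor once operating system, country, and browser are stored alongside the masked address.

```python
import ipaddress

# Constructed sample log: the kind of record a search engine might keep per query.
# Every entry here is invented for this illustration; 203.0.113.0/24 is a
# documentation-only address range.
SAMPLE_LOG = [
    {"ip": "154.67.88.47", "os": "Windows", "country": "DE", "browser": "Firefox", "query": "train times"},
    {"ip": "154.67.12.9",  "os": "macOS",   "country": "DE", "browser": "Safari",  "query": "weather"},
    {"ip": "154.67.31.70", "os": "Windows", "country": "DE", "browser": "Firefox", "query": "bank login"},
    {"ip": "82.159.53.49", "os": "Linux",   "country": "NL", "browser": "Firefox", "query": "news"},
    {"ip": "154.67.88.47", "os": "Windows", "country": "DE", "browser": "Firefox", "query": "privacy policy"},
    {"ip": "203.0.113.5",  "os": "Windows", "country": "DE", "browser": "Firefox", "query": "flights"},
    {"ip": "82.159.7.21",  "os": "Windows", "country": "NL", "browser": "Edge",    "query": "maps"},
]

MODES = ("full", "prefix16", "zero")


def mask_ip(ip: str, mode: str) -> str:
    """Return what the log stores for an IPv4 address under a given policy.

    full      - the whole address is kept
    prefix16  - only the first two blocks are kept (e.g. 154.67.88.47 -> 154.67.0.0)
    zero      - the address is replaced with 0.0.0.0
    """
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    if mode == "full":
        return str(addr)
    if mode == "prefix16":
        return str(ipaddress.ip_network(f"{addr}/16", strict=False).network_address)
    if mode == "zero":
        return "0.0.0.0"
    raise ValueError(f"unknown masking mode: {mode}")


def anonymity_set_size(mode: str) -> int:
    """How many real IPv4 addresses could have produced one stored value."""
    return {"full": 1, "prefix16": 2 ** 16, "zero": 2 ** 32}[mode]


def stored_records(log: list, mode: str) -> list:
    """Apply the masking policy to every record, as the log would be written to disk."""
    return [dict(r, ip=mask_ip(r["ip"], mode)) for r in log]


def linked_queries(log: list, mode: str, ip: str, os: str, country: str, browser: str) -> list:
    """Queries that can be attributed to one visitor from the retained attributes.

    The visitor's real IP is masked the same way the log was, because that is
    the only form in which it survives in the stored data.
    """
    wanted = (mask_ip(ip, mode), os, country, browser)
    return [
        r["query"]
        for r in stored_records(log, mode)
        if (r["ip"], r["os"], r["country"], r["browser"]) == wanted
    ]


if __name__ == "__main__":
    # Pick the visitor behind 154.67.88.47 and see what each policy lets an
    # analyst tie together.
    for mode in MODES:
        linked = linked_queries(SAMPLE_LOG, mode, "154.67.88.47", "Windows", "DE", "Firefox")
        print(f"{mode:9s} stored={mask_ip('154.67.88.47', mode):12s} "
              f"anonymity_set={anonymity_set_size(mode):>10d} linked={linked}")
```

With the full address kept, the two searches from 154.67.88.47 are trivially linked. With only the first two blocks kept, a third search from a different host in the same /16 with the same OS, country, and browser joins that profile even though it belongs to someone else, which is the "piecing things together" the post describes. With 0.0.0.0, the address contributes nothing and the profile is only as sharp as the remaining attributes, here pulling in a fourth record from a completely unrelated network.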

Also, might they still have your full IP? Some will store your full IP for a few days before deleting the file. While this is more private than logging it forever, it’s still not private.

As in step 1, it matters what companies do with this information. If the service delivers ads, what do they share with the ad company? With Startpage for example, I know they are sharing 0.0.0.0 and that doesn’t help the advertiser at all. The more that is shared, the more identifiable you become.

So, the clearer a Privacy Policy is about what they know, or better yet, what they don’t know, the better the service is at protecting your privacy.

3. Logging

When I visit a site, I care not only about what they know about me, but also about what they do with this knowledge. What are they logging, why, and for how long? Ideally, they are not logging anything, but if they are, it’s important to know exactly what it is and for how long.

I mentioned earlier that some search engines log your IP in full. One example I found was a search engine that claimed to be private but stored your history with your full IP for 4 whole days before deleting it.

Other more popular privacy-focused search engines log your partial IP with your search history indefinitely. While they claim this is non-identifiable, the examples above show how the more information they have about you, the more of a profile can be developed.

4. Location and Jurisdiction

Another important thing to look at is where the company is based and who they answer to. I’m not saying that this necessarily must be a deal-breaker, but it’s certainly important to know what rules apply in different countries, because every country has unique privacy laws that either benefit the end user, or the government. So, make yourself aware of what companies know about you and what they can share with others.

Take Startpage, for example. The company is located in The Netherlands, a country with fantastic privacy laws, including the European GDPR. Furthermore, with Startpage’s strict policy to not store any information about you, they can’t share anything even when compelled by law.

Another example is messaging app Signal. While they are based in the US, a country which does not have great privacy laws, Signal’s Privacy Policy is clear about what they can share and what they cannot. That means using their service comes down to your personal threat model. Being in the US has its own risk, but Signal not having access to your chats alleviates some of that.

Some companies might make it less clear because they operate in various countries and your rights fall within the country that you’re using the product in. The above example of a chat app that would share information when it was deemed “necessary” has different privacy rights depending on whether you are located in Europe or the US. This means you may have fewer privacy rights in the US than outside of it, and using the product again comes down to your personal threat model.

5. Confusing and hard to follow

Privacy Policies should be reassuring. They should give you confidence that you’re choosing the right product or service. They should also be clear and organized.

A confusing, incredibly long, or disorganized Privacy Policy makes me think the company has something to hide or has so much information on you that it must legally explain where it all goes.

A Privacy Policy should be broken down into main sections that address the privacy questions people need answers to: What do they collect, who has access to it, and what is the legal process for others to access that data?

If those questions are not easily answered and I am forced to dig through what feels like pages and pages of information, it’s a big red flag. Even if the service does require a lot of legal language, it’s not hard to summarize the key points in a way that makes it easy for consumers to understand up front what they are signing up for and agreeing to.

Only after I have completed all these steps while keeping an eye out for any other potential issues, do I proceed to a full evaluation of the product. Yet, it all starts with a well done and clear Privacy Policy.
