Big Silence: What “Privacy Respecting” Services DON'T Tell You About Their Data Handling Continuum

Tuesday, 27 July 2021
Bob Leggitt
"This contradiction, enabled by a loophole in data protection law, allows “ethical tech” companies to be considerably LESS transparent about the entirety of the data-handling continuum than “big tech” companies."
[Image: Data mining sign. Image by Bob Leggitt @ Planet Botch]

It's a wonderful development that more people are starting to care about and reject aggressive surveillance, as they steadily recognise the very real societal rot that unrestrained corporate spying and monitoring can cause.

Surveillance fears ultimately stifle freedom, and in some areas reduce public safety. We might be less likely to upload a profile picture online because of face recognition tracking in the offline world. We might limit our learning because we fear the consequences of searching for information on sensitive subjects. We might even decline to visit a doctor for an embarrassing or stigmatised physical or mental condition, because of the sharp rise in health service data-sharing with inscrutable private companies.

Simultaneously, we're at higher risk of identity fraud, as surveillance giants like Facebook grant themselves more and more personal data, whilst increasingly displaying a "shit happens" attitude to being hacked.

For the sake of freedom and safety, we desperately need an alternative to surveillance-crazed tech, but do we really have one?

KNIGHTS IN SHINING ARMOUR

Many brands claim to be that privacy-respecting alternative we so desperately need. They pitch themselves as our knights in shining armour. But there are hardly any that don't have deals with major surveillance companies. DuckDuckGo has a heck of a deal with Microsoft, and it's not alone. Startpage is similarly dependent on Google. Brave is in bed with Amazon, Google and others.

“Privacy respecting” tech, or Eth(ical) Tech, as I've been calling it, has a common-to-all marketing strategy, which is to claim an anti-surveillance stance. The larger the number of us who become concerned about out-of-control surveillance, the more effective this key stance becomes. It's been proven time and again to increase userbase volume way beyond the regular competitive means of the product itself.

DuckDuckGo has an estimated 25 million+ users at the time of writing, but only a fraction of them believe it's a functionally better search engine than Google. Without the anti-surveillance marketing it would never have got off the ground.

Behind the marketing fanfare, Eth Tech's anti-surveillance stance is actually highly superficial. The browsers, like Brave and Vivaldi, require a substantial amount of user tweaking before they're even close to genuinely escaping the classification of “surveillance tool”. The social media platforms, such as MeWe and Diaspora, are walled gardens that necessarily identify a specific user (by login details) as a condition of entry, and will not load without the tracker's longtime bestie - JavaScript - being enabled.

In fact, MeWe doesn't even load its Privacy Policy for visitors who disable JavaScript. Despite having no user function that requires JavaScript, MeWe's Privacy Policy page forces those who have disabled JS to enable it as a condition of viewing the page at all. It then makes 35 network requests and loads 10 scripts - one of which is literally headed “Javascript tracking client” at the top of its code. This, I remind you, is the Privacy Policy page, for a brand which has repeatedly yelled “we don't track you”.

Then there are the search engines…

DuckDuckGo incessantly chants “Privacy!!! We don't collect personal information.” But actually, when you look deeper, the only thing the brand specifically says it doesn't store, is the user's IP address. DDG does collect search data, which is also accessed by surveillance oligarchs such as Microsoft before the search results are delivered. And now, it appears, DuckDuckGo is also hell-bent on collecting email addresses.

THE INSCRUTABLE PARTNER

The glaring contradiction in the tablecloth of transparency is that DuckDuckGo doesn't cite Microsoft as a partner or data recipient in its official Privacy information, even though Microsoft is blatantly core-instrumental in providing the service. And this contradiction, enabled by a loophole in data protection law, allows Eth Tech companies to be considerably less transparent about the entirety of the data-handling continuum than Big Tech companies.

Outside of the “privacy respecting tech” sphere, what happens is that the first party (the site you actually visit), officially admits in their privacy policy that they have partners, lists those partners, and then refers you to the partners' relevant privacy policies for information on how the partners handle the data. It can get devastatingly complicated, but it is transparent, and you do get a definite statement on how the third parties are handling your data.

However, because of a loophole in the law, Eth Tech companies like DuckDuckGo are under no obligation to refer to a particular privacy policy for their partners. Legally, that's only necessary when the data being transferred is classed as personally identifying data. Here's the legal loophole as expressed in GDPR…

“The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.”

So if data is “anonymised” to the point where it meets this condition, it is actually EXEMPT FROM DATA PROTECTION LAW.

Eth Tech companies say they don't collect any personally identifying data, and that they anonymise any personally identifying data they receive. In conjunction with the legal loophole, this has several implications. Among them…

  • They don't have to ensure users are aware of their partners' relevant privacy policies.
  • They don't have to divulge their sharing of “anonymised” data at all. They can sell to medical research, to data brokers, to anyone they like. And as long as the data sets are “anonymised”, they don't need to tell us. It goes without saying that partners in the data chain - such as Microsoft in DuckDuckGo's case - are also at liberty to secretly sell data they acquire as “anonymised”.

In soundbite form: there is no publicly available policy from Microsoft describing how it processes the data it extracts via DuckDuckGo, and under current law there doesn't have to be. This is the central problem with using services that claim they don't collect any personally identifying information. Their activities fall outside of data protection law.

Third parties receiving data through Eth Tech companies could be using all sorts of methods to reassemble personally identifying records from anonymised data. And some of the third parties are spyware manufacturers who specialise in doing exactly that.

So is it feasible that Microsoft collects the search data it gets via DuckDuckGo, with the specific intent of identifying who it came from? I'd say it's more than feasible. I'd say it's a virtual certainty. But Microsoft is, in this instance, inscrutable. It can do whatever it likes with anything classed as anonymised data, and it doesn't have to tell anyone what it's doing. Because it's not the first party, and the data it gets is deemed by the first party to be anonymised. That's how the rules work.

This is just one example relationship, but inscrutable partners run through Eth Tech like Brighton through a stick of rock.

PRIVACY POLICY TRICKERY

Because “privacy respecting” companies are not deemed to be collecting personally identifying information, they can completely omit all reference to the sale of anonymised or aggregate data from their privacy policies. So it's more about what they don't say than what they do. Take a look. Find an Eth Tech privacy policy that says “We do not sell data”. You won't. Here are some examples of what you will see…

From the current MeWe Privacy Policy…

“We do not sell your personal information to anyone”

From the 2015 MeWe Privacy Policy…

“We don't provide or share with third-party advertisers, search providers, and ad networks ("Advertisers") any personal information about you.”

From the DuckDuckGo Privacy Policy…

“DuckDuckGo does not collect or share personal information.”

From the Vivaldi Browser Privacy Policy…

“This feature does not send your personal information to Google.”

Seeing a pattern? “Personal”, “personal”, “personal”, “personal”. That oh-so-important distinction is always there. They can't simply say “We don't collect/share/sell data”, because they do collect/share/sell data. And since they autonomously deem the data they collect/share/sell to be anonymous, most often without any outside scrutiny, they are exempt from having to give us any information whatsoever about what they're doing.

The privacy policies for "privacy respecting" companies are extremely short compared to those of Big Tech. We might be inclined to believe that's because their attitude to privacy is very simple. It's not. It's anything but. The real reason the privacy policies are so short is that the companies don't have to tell us anything. So they don't tell us anything.

HOW ANONYMOUS IS "ANONYMISED"?

So how anonymous is anonymised data? Research has found that preventing anonymised data from being de-anonymised is virtually impossible, and has discovered that 99.98% of American people will be unmasked in an anonymised data set containing just 15 demographic attributes per person. That's as little as it takes for unmasking to be almost inevitable.
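The effect the research above describes can be measured directly on any "anonymised" table. The following is an added example, not code from the article or from any of the services it discusses: the dataset is constructed and its column names and values are invented, and the functions count how many records become singletons (and what the k-anonymity is) as quasi-identifier columns are released.

```python
import random

# Constructed "anonymised" dataset: no names, no IPs, only quasi-identifiers.
# Column names and values are invented for illustration.
QUASI_IDENTIFIERS = ["postcode_area", "birth_year", "sex", "occupation", "car_model"]


def make_sample(n=2000, seed=7):
    """Build n synthetic records with a fixed seed so results are reproducible."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        rows.append({
            "postcode_area": rng.choice([f"BN{i}" for i in range(1, 21)]),  # 20 values
            "birth_year": rng.randint(1950, 2005),                           # 56 values
            "sex": rng.choice(["F", "M"]),
            "occupation": rng.choice(["teacher", "nurse", "driver", "clerk", "engineer", "retired"]),
            "car_model": rng.choice([f"model_{i}" for i in range(12)]),
        })
    return rows


def group_counts(rows, attrs):
    """Map each combination of the chosen attributes to how many records share it."""
    counts = {}
    for r in rows:
        key = tuple(r[a] for a in attrs)
        counts[key] = counts.get(key, 0) + 1
    return counts


def min_group_size(rows, attrs):
    """k-anonymity of the table w.r.t. attrs: the smallest group sharing one combination.
    A value of 1 means at least one record is singled out by those columns alone."""
    return min(group_counts(rows, attrs).values())


def unique_fraction(rows, attrs):
    """Fraction of records whose attribute combination appears only once, i.e. records
    that a partner holding matching auxiliary data could link back to one person."""
    counts = group_counts(rows, attrs)
    singletons = sum(1 for r in rows if counts[tuple(r[a] for a in attrs)] == 1)
    return singletons / len(rows)


def uniqueness_curve(rows, attrs=QUASI_IDENTIFIERS):
    """Unique fraction after releasing the first 1, 2, ..., len(attrs) columns.
    Adding a column can only split groups, so the curve never decreases."""
    return [round(unique_fraction(rows, attrs[:k]), 3) for k in range(1, len(attrs) + 1)]
```

Running `uniqueness_curve(make_sample())` shows the fraction of singled-out records climbing from zero with one column to nearly all records with five, which is the same dynamic the 15-attribute finding describes at population scale.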

The real problem is the law.

You can't blame businesses for exploiting a loophole for profit, and the current culture right across marketing is to tell the public what it wants to hear, then think about making that fit the actual facts later.

Indeed, I did a short marketing course recently, interestingly enough provided by a prominent tech company. In one of the tests, you're given a range of positive personal statements, and asked to select the ones that actually apply to you. The punchline? If you don't select ALL of the positive statements, you fail. Even if they're not true, you have to select ALL of the statements, and then somehow come up with tenuous, off-the-wall reasoning that will make the untrue statements fit. The traditional notion of honesty doesn't even come into it.

This is modern marketing, and it's how these tech companies think. Tell the public what they want to hear, don't tell them what they don't want to hear, and use mental gymnastics to somehow wedge the lies into the category of truth.

In the Eth Tech genre, ironically, the most aggressive looking companies are probably the most trustworthy. Brave is a case in point. I don't personally like its business model, but it's obvious how it makes money. We don't have to guess where Brave's funding comes from.

Vivaldi sits at the other extreme. Fantastic-looking business model, but is it totally credible? Absolutely not. Many of Vivaldi's facets struggle to pass a basic reality check. Commercial enterprise does not do anything out of the goodness of its heart, and yet that's exactly what Vivaldi claims regarding some of its services. “We can fund this expensive project with money we make from another service” does not pass a reality check in modern business. You can fund it, but if there's no ROI, why would you fund it?

Funding projects with no ROI is charity, and the ethical thing to do in charity is give the money to the world's most needy people - most of whom will not even be on the Internet. If you're not putting your money where there's dire humanitarian need, then your intentions are not charitable - they're transactional. There can be no trust until we understand what the transaction actually is.

We always need to keep in mind that there is a big part of the data-handling continuum that Ethical Tech doesn't have to mention, and is indeed compelled by its brand values not to mention. And the less easy it is to see how these businesses are making money, the more likely it is they'll be indulging in grotty, but perfectly legal, underground data deals. In the end, there's one maxim we should all observe regarding tech companies: "They can't collect what you don't give them". It's sad that it's come to this, but that's going to be everyone's best bet for anti-surveillance going forward.