Approving Questions to Ask All Privacy Companies

This post is to everyone, but maybe there is someone in Privacytoolsio that needs to approve. Maybe @jonah or @blacklight447 ?

Is Privacytools ready to move forward with the plan to ask all recommended services the suggested final ownership and data processing questions developed by the community?

If not, then let’s discuss what revisions need to be made or if PTIO has decided not to move forward with the project.

If yes, then we need to approve the final recommended questions. Not sure how that’s done.

Thanks!

6 Likes

I would also like to know what the team think.

1 Like

I am fine with the questions, but I don’t consider myself to be in the position to approve them on behalf of the PrivacyTools Team and I don’t view myself as a good person for reaching out of the community.

I am not even that much involved with most of the community recently, only trying to read this forum and GitHub, while dreading what is going on at the Matrix part of the community, trying to avoid burnout and feeling that I have had a falling out with most of the team which is one of the reasons why I am avoiding Riot.

2 Likes

Glad that you liked the idea, I’m looking forward to seeing what the rest of the team think.

I feel you, I try to be up to date with both subreddits and this forum and sometimes it’s too much lurk, I couldn’t be present in every platform of the team. I hope you are well and that you can resolve whatever happened with the rest of the team, if you ever need to talk with someone you can count on me.

2 Likes

Hi @Mikaela - It is to keep up with everything. It’s also hard to stand firm on convictions when you’re in the minority. I also feel that way too often. Be true to yourself, but please remain. It’s often the divergent voice that makes all the difference.

Feel free to ping me or email me. I’m @LizMcIntyre at reddit and Twitter.

3 Likes

Hi @jonah @blacklight et al - I’m following up to see if Privacytools is ready to move forward with the plan to ask all privacy services the suggested ownership and data processing questions developed by the community.

If not, then let’s discuss what revisions need to be made or if PTIO has decided not to move forward with the project.

Several community members, including @a553d43c-f7fa-483a-8, @Supernova, @infosechandbook @davegson etc have also been interested in moving forward with this and similar objective measures. Thanks!

1 Like

I wonder if there is a flag or badge we can add to the site that shows the companies that have answered these questions.

It’s possible we list a service like ProtonVPN and then they don’t respond to our request. I would think we’d still want to list them for meeting our VPN criteria etc, but if another organization listed does reply, we have a way to highlight them.

It may be one of those things that help someone make their decision on which of the services to go with.

It would also add an incentive to answer them if you got a “reward” on the site for doing so.

1 Like

I think the idea is nice but the answers should also be displayed to know in detail how the company operates and the pros and cons of using their service.

1 Like

We would still really like to move this forward, but it’s temporarily on hold because we are still a bit busy developing the COI policy and I am now working on a whistleblower policy.

After that’s done (should be fairly soon), I think we can actually merge this project with our movement to make PTIO as an organization more resistant against conflicts of interest. What our goal is here is to make a set of requirements for each of our recommended services and software tools, here we could include the questions list as a part of our recommendations criteria for services.

We would have to answer a few questions here though:

First, are we making the questions criteria a minimum criteria or a best practice criteria?
See @danarel’s comment for more about that.

Second, where are we going to store all the answers on our questions? We don’t want to clutter every page with loads of text, which can scare off users.

Third, when do we consider a question “answered” and when do we consider it “avoiding the questions”? Because a company can easily try to lie their way out, mislead us, or try to talk around the questions.

And fourth, how are we going to keep this up to date? Are we going to annually ask every service if something has changed about their earlier provided answers? Are we going to say that it is a service’s own responsibility to notify us of changes, and not notifying will cause a delisting?

There are a lot of different routes we can take here. Things to consider are for example maintenance costs, the first route takes quite a lot of time, and since all of us work on PTIO in our free time, it may be problematic if we cannot provide the promised quality. The second way is a lot less work, but requires you to have some faith in the service’s goodwill, which can also be problematic for obvious reasons.

To remedy the first route, we could consider spending some of the donation money to pay a member every year to spend, let’s say, a week to check up on all services, but that has its own issues as well. (How much does he get paid? Which member should be paid? etc etc)

1 Like

I don’t know if this should apply, maybe I’m wrong, but defining either of these is complicated and in some cases answering all of them doesn’t qualify as “best practice criteria” but rather the content of them does. IMO, in their current status, they should work to give an understanding of how they operate, and if they are ever tried to be considered as a guideline, something more strict should be considered at the time of evaluating the answers.
For example,

“Do you share data – even “fuzzed” or “anonymized” data – with any of the owners/shareholders or any other company or organization server?”

Best answer would be something along the lines of “No data, even ‘anonymized’ data, is shared”, while “we share fuzzed data” or “we share all data in plain text” would be a bad or intermediate answer.

Could WriteFreely not be used for this? I think that on the main website there should just be a list with which services have answered the questions (with a URL to an external website where you can read the answers), when, and maybe a URL to their official website.

It’s more or less similar to my answer to your first question, I guess there should be some sort of best answer, worst answer, no answer or something like that.

The best scenario would be that services’ owners notify the team after a certain time, 3 months sounds good to me, there is no need for a change to occur, but a simple message saying “Nothing has changed” gives certain trust about them and if they are interested in being listed. And yes, not notifying deserves a delisting.

I think the best option is that services notify the team, and that someone checks if what they say is true or not (annually sounds good), anyone could create an issue on GitHub if they see that they have been lying or haven’t updated their answers.

I am no team member so I don’t know if this is a good thing or if my word could be validated but I volunteer myself for free to check if they are doing things right. But as you said, maybe assigning someone of your team and offering them some money in compensation is the best.


By the way, I have not created the answers or anything like that so my opinion is not that important, I think ultimately @LizMcIntyre and the rest of the team should have the last word, I’m just giving some feedback.

2 Likes

Great points of discussion and suggestions @blacklight447 & @a553d43c-f7fa-483a-8.

It’s good to hear PTIO is still planning to pursue the project.

I have some ideas on how this could be done fairly easily, and I’ve always been happy to volunteer my time – many hours already. I agree with @a553d43c-f7fa-483a-8 that public display in full transparency is critical to trust and to prove to the public that all decisions are made objectively. Surely, there would be space in a reddit Wiki, for example, if PTIO doesn’t want to house the info on its own server.

Since you are in the middle of creating the important foundation policies @blacklight447 , maybe we should focus on those and plan to revisit this project in a few weeks. Just ping us when you are ready – or one of us could bring up the topic again to find out if you are ready to move forward.

Thanks for all the work you are doing on policies @blacklight447 !

2 Likes

I’m definitely of the mindset of keeping things in-house, so to speak, rather than continuing to rely on third parties.

Probably not on the main website like blacklight was saying, but we could set up another site for this purpose. Maybe we need a PrivacyTools Wiki for documenting everything about the tools we recommend and our organization and stuff :man_shrugging:

4 Likes

As a developer concerned with the direction the AI industry is headed, I actually like this idea. I do feel like simpler software won’t be able to answer more complex questions:

Ex. Software that doesn’t have a database (certain open source projects), won’t be able to answer questions about how that data is being used. => Because there is no database present to misuse.

( I operate in such a way, where I don’t need a database. )

Privacy software can come in two varieties:

– Ones that operate without a database.
– Collects data, but that data is hosted on your computer.
– Software built in smaller components, that stores the data it does collect on your computer, and only collects data for specific limited domains. But otherwise does not collect data, except for the data it needs to self-train on.

( I work on the third use case. )

1 Like

@LizMcIntyre just to give you an update on this, I’m currently working on building https://wiki.privacytools.io/, which we can use for this information, among other things.

I will have to work out the best way to collect this information in a clear way on the site, but I think we’ll find a solution that works well.

1 Like

Is there anything to say about this yet or should we set another future bump?

I am behind of time for an unknown period once again.