I am fine with the questions, but I don’t consider myself to be in the position to approve them on behalf of the PrivacyTools Team and I don’t view myself as a good person for reaching out of the community.
I am not even that much involved with most of the community recently, only trying to read this forum and GitHub, while dreading what is going on at the Matrix part of the community, trying to avoid burnout and feeling that I have had a falling out with most of the team which is one of the reasons why I am avoiding Riot.
Glad that you liked the idea, I’m looking forward to seeing what the rest of the team thinks.
I feel you, I try to be up to date with both subreddits and this forum and sometimes it’s too much lurk, I couldn’t be present in every platform of the team. I hope you are well and that you can resolve whatever happened with the rest of the team, if you ever need to talk with someone you can count on me.
Hi @Mikaela - It is to keep up with everything. It’s also hard to stand firm on convictions when you’re in the minority. I also feel that way too often. Be true to yourself, but please remain. It’s often the divergent voice that makes all the difference.
Feel free to ping me or email me. I’m @LizMcIntyre at reddit and Twitter.
I wonder if there is a flag or badge we can add to the site that shows the companies that have answered these questions.
It’s possible we list a service like ProtonVPN and then they don’t respond to our request. I would think we’d still want to list them for meeting our VPN criteria etc., but if another organization listed does reply, we have a way to highlight them.
It may be one of those things that helps someone make their decision on which of the services to go with.
It would also add an incentive to answer them if you got a “reward” on the site for doing so.
We would still really like to move this forward, but it’s temporarily on hold because we are still a bit busy developing the COI policy and I am now working on a whistleblower policy.
After that’s done (should be fairly soon), I think we can actually merge this project with our movement to make PTIO as an organization more resistant against conflicts of interest. What our goal is here is to make a set of requirements for each of our recommended services and software tools; here we could include the questions list as a part of our recommendations criteria for services.
We would have to answer a few questions here though:
First, are we making the questions criteria a minimum criteria or a best practice criteria?
See @danarel’s comment for more about that.
Second, where are we going to store all the answers on our questions? We don’t want to clutter every page with loads of text, which can scare off users.
Third, when do we consider a question “answered” and when do we consider it “avoiding the questions”? Because a company can easily try to lie their way out, mislead us, or try to talk around the questions.
And as fourth, how are we going to keep this up to date? Are we going to annually ask every service if something has changed about their earlier provided answers? Are we going to say that it is a service’s own responsibility to notify us of changes, and not notifying will cause a delisting?
There are a lot of different routes we can take here. Things to consider are, for example, maintenance costs: the first route takes quite a lot of time, and since all of us work on PTIO in our free time, it may be problematic if we cannot provide the promised quality. The second way is a lot less work, but requires you to have some faith in the services’ good will, which can also be problematic for obvious reasons.
To remedy the first route, we could consider spending some of the donation money to pay a member every year to spend, let’s say, a week to check up on all services, but that has its own issues as well. (How much does he get paid? Which member should be paid? etc. etc.)
I don’t know if this should apply, maybe I’m wrong, but defining either of these is complicated, and in some cases answering all of them doesn’t qualify as “best practice criteria” but rather the content of them does. IMO, in their current status, they should work to give an understanding of how they operate, and if they are ever tried to be considered as a guideline, something more strict should be considered at the time of evaluating the answers.
“Do you share data – even “fuzzed” or “anonymized” data – with any of the owners/shareholders or any other company or organization server?”
Best answer would be something along the lines of “No data, even “anonymized” data, is shared”, while “we share fuzzed data” or “we share all data in plain text” would be a bad or intermediate answer.
Could WriteFreely not be used for this? I think that on the main website there should just be a list with which services have answered the questions (with a URL to an external website where you can read the answers), when, and maybe a URL to their official website.
It’s more or less similar to my answer to your first question, I guess there should be some sort of best answer, worst answer, no answer or something like that.
The best scenario would be that services’ owners notify the team after a certain time; 3 months sounds good to me. There is no need for a change to occur, but a simple message saying “Nothing has changed” gives certain trust about them and if they are interested in being listed. And yes, not notifying deserves a delisting.
I think the best option is that services notify the team, and that someone checks if what they say is true or not -annually sounds good-, anyone could create an issue on GitHub if they see that they have been lying or haven’t updated their answers.
I am no team member so I don’t know if this is a good thing or if my word could be validated but I volunteer myself for free to check if they are doing things right. But as you said, maybe assigning someone of your team and offering them some money in compensation is the best.
By the way, I have not created the answers or anything like that, so my opinion is not that important. I think ultimately @LizMcIntyre and the rest of the team should have the last word, I’m just giving some feedback.
It’s good to hear PTIO is still planning to pursue the project.
I have some ideas on how this could be done fairly easily, and I’ve always been happy to volunteer my time – many hours already. I agree with @a553d43c-f7fa-483a-8 that public display in full transparency is critical to trust and to prove to the public that all decisions are made objectively. Surely, there would be space in a reddit Wiki, for example, if PTIO doesn’t want to house the info on its own server.
Since you are in the middle of creating the important foundation policies @blacklight447, maybe we should focus on those and plan to revisit this project in a few weeks. Just ping us when you are ready – or one of us could bring up the topic again to find out if you are ready to move forward.
I’m definitely of the mindset of keeping things in-house, so to speak, rather than continuing to rely on third parties.
Probably not on the main website like blacklight was saying, but we could set up another site for this purpose. Maybe we need a PrivacyTools Wiki for documenting everything about the tools we recommend and our organization and stuff.
As a developer concerned with the direction the AI industry is headed, I actually like this idea. I do feel like simpler software won’t be able to answer more complex questions:
Ex. Software that doesn’t have a database (certain open source projects) won’t be able to answer questions about how that data is being used. => Because there is no database present to misuse.
(I operate in such a way, where I don’t need a database.)
Privacy software can come in two varieties:
– Ones that operate without a database.
– Collects data, but that data is hosted on your computer.
– Software built in smaller components, that stores the data it does collect on your computer, and only collects data for specific limited domains. But otherwise does not collect data, except for the data it needs to self-train on.