Could PrivacyTools create a new "seal of approval"?

Someone made an interesting comment at the PrivacytoolsIO post "Who owns your favorite privacy service Part 2: The questions we should ask ALL privacy services":

This seems like it could be a new brand guarantee like products marked and checked by ‘FairTrade’ or ‘Rainforest Alliance Certified’. ‘Privacytools.io certified services’ would get more users and companies would actively try and follow these requirements.

Thoughts? I’ve considered doing this myself over the years, but it seems more appropriate to be a bigger project.

However, we would have to hold firm on requiring full and transparent answers from companies for this. It could be tough to stand firm in the face of organizations looking for a “pass” on elements of questions they don’t want to address.

Great idea. Maybe start with reddit :wink:

1 Like

I definitely think it’s a good idea if it’s not easy to acquire. By not easy, I mean that a product should really be the best in terms of privacy and ethics to get the seal.

1 Like

Regarding your list on Reddit:
How do we want to verify answers of companies (if they reply at all)?

Examples:

Do you share data – even “fuzzed” or “anonymized” data – with any of the owners/shareholders or any other company or organization server?

If this is shared in secret, we can’t verify the answer of the company. We have to hope that the answer is true.

Which components of your service are not open source?

Even if the company provides source code, there is no guarantee that they are actually using it on their servers.

How is data secured (in transit and at rest)?

We could only verify that there is HTTPS/TLS in place. However, it is really hard to check transport encryption in internal networks of companies. It is even harder to see if there is protection for data at rest or data in use.

What customer data is collected, how often, and in what level of identification?

They could claim that they process only some data while actually processing everything they get.


Then, some questions seem to be overly broad.

Examples:

Have you changed how information is processed and shared in the last year?

Which answer is expected here? A simple “Yes” or “No” is already an answer but do we learn something new in this case?

Please share a diagram showing how information flows when a user interacts with your service.

This could be a very big diagram depending on services offered by a company, so it is unlikely to get any diagram (or a comprehensive one).

Have you had any independent audits in the last three years? Please share the dates of those audits and audit reports.

What kind of audit? A penetration test of the internal infrastructure? A scan of public IP address ranges? A code review of an app? A review of internal business processes? A check of fire safety equipment?

If you require sign-up or account creation, do consumers have easy access to tools to delete their data? Can they delete everything on the servers or just the local cache?

Depending on local laws in effect, companies must store some data even if a consumer wants everything deleted. For instance, data about financial transactions must be stored for 10 years in some countries.

Warrant canary?

A warrant canary is a very weak form of assurance that something has not happened so far. If authorities seize servers, they could simply update warrant canaries if there is no cryptographic proof. However, they could also seize private keys used to sign canaries. Moreover, some organizations failed to update their canary (see https://www.zdnet.com/article/encrypted-email-provider-riseup-misses-warrant-canary-deadline/). This contributes to distrust.


We work for international companies and created several checklists to address different topics. The experience here is that you almost never get what you expected, and oftentimes you have to wait for months to get a reply—even in a B2B environment.

Finally, companies could simply change something covered by such checklists after filling it out. Then, a “seal of approval” could lead to false assumptions.

3 Likes
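The warrant-canary point above is worth making concrete, since it shows which of the failure modes a reader can detect and which they cannot. The following is an added example, not code from the thread or from PrivacyTools: a minimal signed canary with an Ed25519 key from the Go standard library, plus a verifier that checks the signature against a pinned public key and rejects a canary older than the promised update interval. The statement text, the 90-day interval, the dates and the key are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Canary is a dated statement together with a detached signature over the
// statement and its issue date. (Hypothetical structure for this example.)
type Canary struct {
	Statement string
	Issued    time.Time
	Signature []byte
}

// canaryMessage binds the date to the statement, so an old signature cannot
// simply be re-published under a new date.
func canaryMessage(statement string, issued time.Time) []byte {
	return []byte(statement + "\n" + issued.UTC().Format(time.RFC3339))
}

// SignCanary produces a canary signed with the operator's private key.
func SignCanary(priv ed25519.PrivateKey, statement string, issued time.Time) Canary {
	return Canary{
		Statement: statement,
		Issued:    issued.UTC(),
		Signature: ed25519.Sign(priv, canaryMessage(statement, issued)),
	}
}

// VerifyCanary checks the two things a reader can actually check: that the
// text was signed by the pinned public key, and that it is not older than the
// update interval the operator promised.
func VerifyCanary(pub ed25519.PublicKey, c Canary, now time.Time, maxAge time.Duration) error {
	if !ed25519.Verify(pub, canaryMessage(c.Statement, c.Issued), c.Signature) {
		return errors.New("signature does not verify against the pinned key")
	}
	if c.Issued.After(now.Add(24 * time.Hour)) {
		return errors.New("canary is dated in the future")
	}
	if age := now.Sub(c.Issued); age > maxAge {
		return fmt.Errorf("canary is stale: %s old, limit %s", age.Round(time.Hour), maxAge)
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	const interval = 90 * 24 * time.Hour // constructed: operator promises a fresh canary every quarter
	issued := time.Date(2019, 6, 1, 0, 0, 0, 0, time.UTC) // constructed date
	c := SignCanary(priv, "We have not received any warrants or gag orders.", issued)

	// 1. Genuine, fresh canary: passes.
	fmt.Println("fresh:", VerifyCanary(pub, c, issued.Add(30*24*time.Hour), interval))

	// 2. Someone who controls the web server but not the key edits the date: fails.
	forged := c
	forged.Issued = issued.Add(100 * 24 * time.Hour)
	fmt.Println("forged date:", VerifyCanary(pub, forged, forged.Issued, interval))

	// 3. Operator silently stops updating (the missed-deadline case): fails on age.
	fmt.Println("stale:", VerifyCanary(pub, c, issued.Add(120*24*time.Hour), interval))

	// 4. The private key itself was seized: a new, fresh canary verifies perfectly
	//    and the verifier cannot tell. This is the limit of the scheme.
	seized := SignCanary(priv, c.Statement, issued.Add(100*24*time.Hour))
	fmt.Println("signed with seized key:", VerifyCanary(pub, seized, seized.Issued, interval))
}
```

Scenarios 2 and 3 are the cases a signed, dated canary does catch: an unsigned edit and a silently missed deadline. Scenario 4 is the one it cannot catch, which is why the signature only moves the trust from "nobody edited the web page" to "nobody obtained the signing key".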

These are all valid points @infosechandbook. Of course, the limitations of any seal would HAVE to be disclosed. Maybe no seal is best – just a list of questions and answers for every company.

There are independent tests that could be done to validate some information, like company ownership. We could dive into the public records as we did with Startpage and Wire.

Lying could be perilous for larger companies. For example, a conscientious employee could step forward as a whistleblower if false information is provided. We might identify fear over this when a company is evasive or refuses to answer certain questions.

Are there some questions from that list that you believe are valid in all cases?

What would you recommend as an alternative way to assess companies?

1 Like

This isn’t a bad idea, but for a seal like that to have any credibility it needs to have clear, public standards for what constitutes certification, otherwise people will think (not wrongly) that it just depends on the opinion of the administrator. If there is a public discussion that goes into what the certifying standards should be, and those standards are applied regardless of anyone’s personal opinion, then it may be a good idea.

1 Like