Discussion: StartPage

it makes me sad.
We live in a f***** capitalist world

1 Like
1 Like

I’m curious, and want to learn. As I have read here at PTIO, Windows (10) is in a nutshell, designed to *SMRC. While Win Defender may protect users from a virus, who is protecting Win 10 renters from Microsoft? Isn’t using Win 10 like stepping into a glass shower inside a house made of glass?

Who protects us from the protectors?

Windows 10 ☛

~o~
*SMRC = Stalk, Monitor, Record and Control.

3 posts were merged into an existing topic: Delisting Startpage.com

Closing this discussion to reflect that this is no longer a recommended service. Discussions regarding their delisting should take place at:

Future discussions recommending Startpage’s re-listing should be created as a separate thread.

Privacytools Team Member @Trai_Dep shares recommendations on Startpage audits at reddit, writing:

We’re a collective – we celebrate individuals having different opinions. So while I’m largely in favor of StartPage being re-introduced as a recommended search engine, an aspect raised questions that I’d like to share here. It involves how StartPage characterizes their privacy audit on their blog. I also have questions about how their GDPR certification was done, and, how to verify these claims. This seems especially critical following a majority of their company being acquired by a marketing company.

EuroPriSe’s Privacy Audit (2011, 2013 & 2015)

Third-party verification is a cornerstone of evaluating how reliable a company’s claims are. StartPage’s marketing copy emphasizes that they successfully passed a third-party privacy audit, conducted by EuroPriSe. They describe their seal of approval:

EuroPriSe - the European Privacy Seal for IT Products and IT-Based Services

Are you ready to take the next step in EU data protection? Show your customers just how committed you are to safeguarding their data and following the best privacy practices with a European Privacy Seal (EuroPriSe). The European Privacy Seal recognizes IT products and IT-based services with exceptional adherence to European data protection law. Rigorous certification criteria makes the European Privacy Seal a prestigious achievement, while support from our experts keeps the certification process smooth and hassle-free.

StartPage earned this seal. If you visit the EuroPriSe Awarded Seals page, you’ll see that EuroPriSe awarded them a seal in 2011, and were re-certified in 2013 and 2015. But this raises several concerns. First, it could be argued that StartPage implicitly set expectations that, every two years, they’d re-certify. They haven’t met this schedule. Second, the gap between their last awarded seal, 2015, and now, 2020, is five years. This is an eon in the tech space. Third, a major change like a company acquisition – particularly a digital marketing company buying a privacy-oriented one like StartPage – raises questions that only a third-party privacy audit can address. These three issues surrounding the EuroPriSe seal not being current, in my mind, could affect StartPage’s credibility.

StartPage’s Characterization of the EuroPriSe Award Seals

Another aspect is, how is StartPage framing these awards? Is it a central aspect of their marketing? It appears so. The StartPage blog twice mentions their certifications, in Apr 2018, What auditing and review does your Europrise certification process involve?, and in Sept 2019, How can your privacy policies be verified? Can users trust Startpage.com to do what it says?

StartPage’s most recent article begins with,

Privacy is inherently an issue of trust. However, there are several compelling reasons to trust us more than other companies that make privacy claims.

First, there’s the lengthy certification process we have chosen to undergo. While other companies make privacy claims with no independent validation, we have gone to considerable effort to obtain independent certification.

We were certified by EuroPriSe, an independent auditing and certifying authority backed by numerous European privacy organizations. EuroPriSe performed a thorough audit of our privacy and data-handling practices in 2007/2008, and has regularly certified us since.

…There seem to be discrepancies between what StartPage’s marketing copy claims, and what the EuroPriSe Awards Page certifies. This is a problem. They claim that they have been “regularly re-certifed since,” when they have not. This is another problem. Their current marketing copy references privacy audits that are 3–4 years old, without supplying the award dates what would give required context. This is a third problem. Why are they shooting themselves in the foot like this?

StartPage Changes Their Privacy Audit Method

StartPage then explains that they won’t be continuing the EuroPriSe audits,

Europrise is now part of a larger, privatized company. As a company, we have been GDPR compliant since May 25, 2018 and we expect to be certified by a reputable outside independent organization once a certifying entity is established. We don’t want to duplicate certification efforts, so we prefer to go for GDPR certification and other compliances together.

A Call For Greater Transparency And Disclosure

Are there ways to have third-party verification of claims to be GDPR-compliant? I’m asking in good faith – I hope there are. StartPage would benefit if this was done. On the whole, I’m a fan of StartPage.com. But I’d like to see something more current than the five years. And as crucially, a privacy audit that was completed after System1 acquired them and implemented whatever practices & policies that made their investment work financially…

1 Like

Pshaw, Liz, thanks for posting my article here!

I can’t see any credible reason for StartPage.com to not want to address reasonable concerns that their privacy-focused user base have raised.

As noted above, StartPage’s marketing has engaged in some arguably misleading practices regards emphasizing EuroPriSe’s awards in their promotional efforts. As bad, the last third-party verification of their privacy claims is more than five years old. Five Years!

This verification is especially warranted given their having recently been acquired – or at least, more than 51% acquired – by a marketing company that seems especially opaque.

StartPage can go a long way towards making up for these missteps by firmly and specifically committing to engage with a credible third-party to perform a privacy audit, including the new role that System1 has on their operations and practices. Vaguely self-certifying that they meet GDPR guidelines, as their current stance seems to be, doesn’t cut it.

Cheers, all! I look forward to your comments and suggestions!

2 Likes

Dear PrivacyTools community,

In October 2019, we learned that System1 had become the majority shareholder in Startpage.com via a new System1 subsidiary, Privacy One Group. Due to the uncertainty surrounding the acquisition and the initial lack of clear communication from the Startpage team towards the privacy community, we were forced to delist Startpage from PrivacyTools's search engine recommendations. In an explanatory blog post, we asked for more clarity surrounding the situation, stating:


This is a companion discussion topic for the original entry at https://blog.privacytools.io/relisting-startpage/
2 Likes

Nice :slight_smile: I’ve used Qwant after SP was delisted, but still prefer Startpage over it (and DDG)

1 Like

well, i just still using all of 'em :joy: i mean they did not change after they changed ownership so sounds fine to me

1 Like

There is so much more to this situation and relisting to be said, including a conflict of interest in fact or appearance raised by a Team Member back in January. I hope others will step up with concerns that still need to be addressed. Discussing Startpage is especially painful for me since I used to consult with Startpage and there are still a few colleagues there I care about. (My concerns lie with the new majority owner System1 and its involvement, not the old Startpage.) Plus, I honor my NDA.

I am not objecting to the Startpage relisting, as I’ve said before. That’s a Privacytools decision. But I will again make some recommendations that could help consumers make more informed decisions about Startpage. Here’s an excerpt of what I wrote in response to the draft search engine update back in January 2020:

…the wording “Behind StartPage is a European company that has been obsessive about privacy since 2006” is very old. I agree with Mikaela that it’s “strange” since we know Startpage is now majority owned by U.S. company System1.

For the sake of transparency, I believe the wording should be changed so consumers don’t mistakenly believe Startpage is subject only to EU privacy laws. (It’s a gray area, I’d say.) This matters A LOT to some people, and PTIO doesn’t want to lose trust.

It’s wise that you’ve gone with [a Team Member’s] earlier warning label recommendation for Startpage over ownership. I agree that consumers should be informed that Startpage (via the holding company) is now majority owned by System1 and that System1 is involved in day-to-day processing of search data. (See the small print in that diagram that notes user personal information is fuzzed).

I recommend sharing a link to System1 instead of or in addition to the Startpage explanation now linked so consumers can evaluate System1 ownership themselves.The current link only refers to System1 as “a consumer internet company with a lot of search engine experience.” Some consumers could feel misled when they find out that System1 is actually a pay-per-click behavioral advertising company. …

1 Like

Yes, I believe the PR just re-added the original listing. An update is proposed: https://github.com/privacytoolsIO/privacytools.io/pull/1878

Thanks for sharing that update to the description, @jonah. I would recommend some additional tweaks so consumers are fully informed:

System1 might not mean anything to Privacytools visitors, and I believe it is critical to inform consumers that Startpage is now owned by a pay-per-click advertising company. Here’s a possible tweak to the warning:

Startpage was recently acquired by United States-based System1, a pay-per-click advertising company.

I recommend linking to the System1 privacy policy because System1 seems to be involved in the day-to-day processing of Startpage search data. (See the fine print in that diagram that notes user personal information is “fuzzed.”)

Perhaps you should show both the U.S. flag and Dutch flag in the listing since Startpage is now majority owned by a U.S. company, and it seems day-to-day processing of search data happens in the United States based on the fine print in this data flow diagram.

1 Like

If the requirement is that we list the pass through to System1, then we should mention that Qwant passes their data through Microsoft (and even says at the point of passthrough your data falls under Microsoft’s Privacy Policy, not Qwants), or DuckDuckGo passing their data through Microsoft and Yahoo (and they to do so under the same strict anonymized fashion that Startpage does).

Lastly, we researched to the best of our ability the jurisdiction for which Startpage falls under based on the location of System1 and because Startpage remains an independent, privately held company based in The Netherlands, they do not fall under US law.

This separates them from DDG, which is wholly owned, and headquartered in the US, or like Wire, which relocated to the US only leaving an office overseas.

In the end, (and I did help research of all the search engines, but did not take part in the actual re-listing decision), I don’t personally think it makes sense to single out Startpage for passing their data to System1, when all search engines are passing their data through non-privacy respecting ad companies. We could add the flag to all of them, or delist all of them, or we could (as we did) - add a link to each privacy policy allowing users who want to further research, a quick and easy way to do so.

Here is their blog post on this subject: https://www.startpage.com/blog/startpage-articles/startpage-relisted-on-privacytools

If the requirement is that we list the pass through to System1, then we should mention that Qwant passes their data through Microsoft (and even says at the point of passthrough your data falls under Microsoft’s Privacy Policy, not Qwants), or DuckDuckGo passing their data through Microsoft and Yahoo (and they to do so under the same strict anonymized fashion that Startpage does).

Note: With Startpage, it seems there is a difference in the processing by System1, based on the data flow diagram, Dan. System1 now owns the majority of Startpage and is seemingly involved in the day-to-day processing of “fuzzed” or “anonymized” data. We really need an audit of this processing to know exactly what is going on.

Note: I’d be really upset if Google were also getting “anonymized” Startpage data because as security experts have warned, there’s generally nothing anonymous about anonymized data. Do you know if this is happening?

I agree that there is a lot more that needs to be mentioned – and asked – of ALL privacy services. This is the point of the Questions to Ask ALL Privacy Services (QtASK) project. I recommend that Privacytools ask and post much more detailed information about ALL services so consumers can make more informed decisions – and for more transparency and trust in Privacytools recommendations.

Lastly, we researched to the best of our ability the jurisdiction for which Startpage falls under based on the location of System1 and because Startpage remains an independent, privately held company based in The Netherlands, they do not fall under US law.

Someone should reach out to the ACLU or EFF for a legal opinion on this IMHO.

EDIT: Privacytools Team Member Trai also believes a current independent audit is needed. See his reddit post, On StartPage’s Privacy Audit, And How They Might Be More Transparent

Re-opened this topic as Startpage is listed again and trying to consolidate the 100 other posts started that contribute to the discussion.

Thanks! That must have been a chore. :wink:

Check out the r/PrivacyToolsIO post that Liz included above us. An attorney specializing in GDPR law showed up, and she’s giving a wonderful ELI5 of what the GDPR means, and how easy it is for ethical companies to follow.

But one of her major points is that being “GDPR compliant” is in no way similar to a third-party privacy audit along the lines of what EuroPriSe did with StartPage back in 2015. Not the same ballpark at all, despite StartPage’s claims that it is. (Uh oh… Why are they doing this kind of stuff? It makes them look very unreliable.)

1 Like