On StartPage’s Privacy Audit, And How They Might Be More Transparent

Privacytools Team Member @Trai_Dep shares recommendations on Startpage audits at reddit, writing:

We’re a collective – we celebrate individuals having different opinions. So while I’m largely in favor of StartPage being re-introduced as a recommended search engine, an aspect raised questions that I’d like to share here. It involves how StartPage characterizes their privacy audit on their blog. I also have questions about how their GDPR certification was done, and, how to verify these claims. This seems especially critical following a majority of their company being acquired by a marketing company.

EuroPriSe’s Privacy Audit (2011, 2013 & 2015)

Third-party verification is a cornerstone of evaluating how reliable a company’s claims are. StartPage’s marketing copy emphasizes that they successfully passed a third-party privacy audit, conducted by EuroPriSe. They describe their seal of approval:

EuroPriSe - the European Privacy Seal for IT Products and IT-Based Services

Are you ready to take the next step in EU data protection? Show your customers just how committed you are to safeguarding their data and following the best privacy practices with a European Privacy Seal (EuroPriSe). The European Privacy Seal recognizes IT products and IT-based services with exceptional adherence to European data protection law. Rigorous certification criteria makes the European Privacy Seal a prestigious achievement, while support from our experts keeps the certification process smooth and hassle-free.

StartPage earned this seal. If you visit the EuroPriSe Awarded Seals page, you’ll see that EuroPriSe awarded them a seal in 2011, and were re-certified in 2013 and 2015. But this raises several concerns. First, it could be argued that StartPage implicitly set expectations that, every two years, they’d re-certify. They haven’t met this schedule. Second, the gap between their last awarded seal, 2015, and now, 2020, is five years. This is an eon in the tech space. Third, a major change like a company acquisition – particularly a digital marketing company buying a privacy-oriented one like StartPage – raises questions that only a third-party privacy audit can address. These three issues surrounding the EuroPriSe seal not being current, in my mind, could affect StartPage’s credibility.

StartPage’s Characterization of the EuroPriSe Award Seals

Another aspect is, how is StartPage framing these awards? Is it a central aspect of their marketing? It appears so. The StartPage blog twice mentions their certifications, in Apr 2018, What auditing and review does your Europrise certification process involve?, and in Sept 2019, How can your privacy policies be verified? Can users trust Startpage.com to do what it says?

StartPage’s most recent article begins with,

Privacy is inherently an issue of trust. However, there are several compelling reasons to trust us more than other companies that make privacy claims.

First, there’s the lengthy certification process we have chosen to undergo. While other companies make privacy claims with no independent validation, we have gone to considerable effort to obtain independent certification.

We were certified by EuroPriSe, an independent auditing and certifying authority backed by numerous European privacy organizations. EuroPriSe performed a thorough audit of our privacy and data-handling practices in 2007/2008, and has regularly certified us since.

…There seem to be discrepancies between what StartPage’s marketing copy claims, and what the EuroPriSe Awards Page certifies. This is a problem. They claim that they have been “regularly re-certifed since,” when they have not. This is another problem. Their current marketing copy references privacy audits that are 3–4 years old, without supplying the award dates what would give required context. This is a third problem. Why are they shooting themselves in the foot like this?

StartPage Changes Their Privacy Audit Method

StartPage then explains that they won’t be continuing the EuroPriSe audits,

Europrise is now part of a larger, privatized company. As a company, we have been GDPR compliant since May 25, 2018 and we expect to be certified by a reputable outside independent organization once a certifying entity is established. We don’t want to duplicate certification efforts, so we prefer to go for GDPR certification and other compliances together.

A Call For Greater Transparency And Disclosure

Are there ways to have third-party verification of claims to be GDPR-compliant? I’m asking in good faith – I hope there are. StartPage would benefit if this was done. On the whole, I’m a fan of StartPage.com. But I’d like to see something more current than the five years. And as crucially, a privacy audit that was completed after System1 acquired them and implemented whatever practices & policies that made their investment work financially…

2 posts were merged into an existing topic: Discussion: StartPage