Preventing Privacytools conflicts of interest - ensuring Privacytools integrity

By now, you’re probably aware of a conflict of interest at Privacytools (PTIO). It seems Startpage/System1 offered a PTIO Team Member work during the delisting/relisting discussions. This person was in direct contact with Startpage and representing PTIO.

There is already at least one article out about this, and I believe it is important to take steps to shore up trust in PTIO recommendations.

I believe it would be wise to move forward with initiatives/models that help ensure objectivity, like those recommended by @infosechandbook @a553d43c-f7fa-483a-8 @supernova @esmailelbob and others. The “Questions to Ask All Privacy Services” project is nearly ready to go and could help. It’s just waiting on approval from the PTIO Team. (I am not a PTIO Team Member, btw.)

Here are just a couple of policy recommendations that could help with trust, and I’m sure the community will have additional suggestions that could help keep PTIO a trusted resource:

  • Develop a Conflict of Interest policy: Companies should be on notice that they will be “outed” should they offer or suggest any kind of compensation or future benefit while being considered for listing, delisting or relisting. Maybe a 6-month contribution/offer moratorium period surrounding any PTIO status change would help?

  • Develop a PTIO Whistleblower policy: This will encourage PTIO Team Members to come forward when they believe a conflict or other issue exists that needs to be made public. (The current conflict of interest was brought to light by a Team Member who felt a moral obligation to speak out on the Startpage relisting.)

Thoughts?

EDIT: Since Dan has voluntarily revealed that he is the PTIO Team Member who was offered compensation/work by Startpage during delisting/relisting discussions, I believe it is now okay to link to this GitHub post that started the controversy.

6 Likes

Look, your English is hard and I did not sleep :joy: So you mean we should create a page explaining all the info about that service, as I already commented on that last post, right? And if that’s right, I want to help, so just tell me what to do.

1 Like

TechRights should never be viewed as a respectable source and are trying only to stir up controversy.

They reached out for comment and told me what they would accuse me of if I didn’t reply. They are manufacturing drama and a story.

I just want to make it clear, their only purpose is to smear and slander people.

2 Likes

The good news is that the PTIO member who was offered the job/compensation was not named in the article. That showed some respect.

EDIT: Note that Dan reveals it’s him below, so I will now share the original github post that started the controversy and prompted the whistleblower to add a “conflict of interest” label. This should help put things in better perspective.

The other good news is that this is a wake-up call for the community. PTIO has the opportunity to develop policies that will reassure the public that recommendations are always made fairly and objectively.

If companies are put on notice they will be reported and “outed” if they offer any kind of compensation during listing/delisting/relisting discussions, they will think twice. They will realize that offering a PTIO decision maker something of value during sensitive times will be seen as an unstated, but thinly veiled, “quid pro quo.”

2 Likes

The issue is, that implies the companies are doing something wrong if they ask during the process.

As stated on GH, the StartPage offer was made because the company learned that the member, which is me btw, and I’m not hiding that fact, had relevant experience that could benefit them. But instead of having that conversation during the delisting discussion, a separate meeting was scheduled to discuss my professional experience.

So in this scenario “outing” them for asking to discuss my profession with them would likely have cost me a gig because it would have shown I didn’t trust their intentions.

That’s a lot different than a company asking to have a discussion about how they can get relisted.

I think the guidelines should also be careful not to hinder our team members (who are all unpaid volunteers) from getting jobs, be it full time, or consulting.

We have families to feed, etc. What we need is trust from users that we care about the organization’s integrity, but also that our team is set up in such a way that one member can’t accomplish something such as relisting or listing a service on their own.

We have checks and balances there already, and they have proven to work.

I just don’t want to hurt not just myself, but others from good careers.

As a former auditor, I can assure you that ethical organizations (especially volunteer ones) usually have policies in place that forbid the practice of giving or receiving compensation (other than tokens of appreciation, like a pen or t-shirt) that could give rise to a conflict of interest in fact or appearance. This is to ensure integrity and ongoing trust.

No one wants to put anyone else’s livelihood at risk, but the integrity and trust of PTIO has to be paramount. If a PTIO Team Member sees PTIO as a “make it or break it” fishing pond for job opportunities, that’s particularly dangerous. Desperate people do desperate things.

If PTIO decision making status is allowed to devolve into a money-making opportunity, recommendations will naturally be suspect, and PTIO will lose trust.

4 Likes

Thank you both for sharing this. I like and support PTIO, even though I don’t agree with some recommendations :d

I also think it’s ok if some team member is involved in some (de)listed company, as long as decisions are made by team, not a single person, and according to checklists, as you mentioned. Even some Google or MSFT employees don’t like their (privacy) policy and try to make some changes, so their products/services are not completely bad (from PP PoV)

We also need to have in mind that privacy oriented products/services can be profitable (Protonmail, Mullvad, Nextcloud…) while respecting users’ privacy, and we should expect more data selling companies (such as System1, Cloudflare, etc) who offer such services. They will offer users 2 choices - pay us with your data or with your money. It’s a win-win situation for them. So in the end Startpage or 1.1.1.1 might actually be good privacy services, but it’s up to us if we want to use them, when we know their other businesses.

I agree with you @crossroads. I’m fine with a PTIO Team Member working for a company listed or delisted at PTIO as long as it’s disclosed – at least in the bio – if that person makes public comments about the company at PTIO.

That said, there should be a “blackout period” for any kind of offer or acceptance of a benefit, like a job or donation. An organization should not offer a job/compensation/donation during a sensitive time, like a time surrounding listing/delisting/relisting. An offer could be seen as a bribe in the window surrounding an event like that.

You make another good point about checklists and standards. PTIO does not have them now AFAIK. So much of this kind of thing could be avoided if processes were standardized and everyone could see objective measures.

3 Likes

That’s a pretty clear conflict of interest. Such an offer establishes a relationship between an influencer of content on the PTIO website and the object of a recommendation. Whether there is any actual influence or not does not matter, it is the appearance and potential for influence that must be prevented. If there is any question of bias then trust in PTIO by the community would be damaged.

It is not your trust which is in question. It is the trust of the PTIO community that recommendations are made without any bias or influence.

I think it is achievable to have a conflict of interest policy that does not hinder such opportunities. It must be clear and transparent when such opportunities are being seriously considered when offered or are currently in effect. Any potential conflicts of interest should be clearly disclosed and the decision making rights of involved persons revoked for subjects pertaining to any content having to do directly with the object of the conflict or with any similar technologies the object is involved with. For the example of StartPage, that would mean the revocation of any rights to make decisions about any search engines.

I think Liz has many wise comments so will not repeat those here.

5 Likes

First of all I want to make clear that I don’t think any of this discredits PT’s value as an organization nor the validity of the decisions that its members take.


I will quote certain comments from this discussion and the GH issue.

Danarel: Given what we know about StartPage now, and its ownership, not-relisting them means we have to take a look at DDG and Qwant as well because both receive large amounts of VC funding and have investors which would normally raise eyebrows.

I think you are right, if we should apply the same logic we used to judge SP to all search engines, we would end up having Infinity search, SearX and YaCy as the only alternatives to Google search. Still, I think this is an issue that it is strongly related to search engines, if something similar would happen on some other kind of software I don’t know how people would react.

I understand the world we live in, and running something that requires so much money without funding is nearly impossible, but I can’t but be a little sceptical when it comes to companies. We should be vigilant, and watch out what are their moves as Dan stated here:

Like DDG and Qwant, as a community we must continue to watch them, and ensure they stay on that course, but that goes for literally every single privacy service out there. None of them are free from possible financial influence, and it’s the transparency we must seek.

I know this will not affect how they operate and that it will not cause bias, one single member can’t decide for the rest, and if it ever causes (to any member who may have an opportunity to get a job somewhere that may generate a conflict of interest) I have trust that the necessary measures will be taken in order to restore balance.

Nevertheless creating some sort of way to let readers know about this kind of situations may help in terms of public relations, and to some extent I agree with this comment:

In the end I don’t think we have a lot of options in this field, and the rest work in more or less the same way. If services like the ones I mentioned earlier would have more features or would work better, I wouldn’t doubt in ditching the ones that are owned by big capitalist companies, but for now…
Relisting ST is not a bad choice, but if I were you, I would make a public statement since if this fake news (which btw I can’t read since the website is down) already created this controversy on GB and on Discourse, if it comes to Reddit it will be worse.


More on this, I think the first idea sounds really nice and it would be something easy to implement.

The second one, I see it a bit more difficult, it’s a small team and I’m sure they talk to each other pretty frequently, I doubt anyone would have problems recognizing how each one writes if the point is anonymity.

1 Like

I think he meant the fact that Startpage should have asked before accepting to be owned by System1, not the fact of him accepting the job.

I wish organizations could replace companies to provide services like this, I feel much more safe when it comes to trust.

3 Likes

Nope, it was me! xD And yeah, I understand you. It’s like the Telegram problem: I mean, everyone on Reddit says it’s bad, so a normal or new user in privacy does not know why exactly it’s bad, but if you ask one of the folks they will say it’s bad because encryption is not automatic (for me it’s not a big problem). So at least when someone says something is bad, they should also say why it is bad, and the same for good, to get a big map and let the user see what fits him.

1 Like

I’m co-founder of Safing, a company sponsoring PTIO. Here are my two cents from a founder’s perspective.

TLDR

only read Section 5.

1. What the PTIO team does is incredible

I’m a web developer. I understand what it takes to create and maintain a website. Through colleagues I know about the implications of hosting and server management. Through the last year I’ve also invested more and more time participating and contributing to the privacy community. And striving for the same kind of transparency as a company, I’m also responsible for the presentation of all our information. Oh yes, and then there’s policies, legal stuff and management. The point of all this being - I feel I can somewhat grasp what your responsibilities are and the sheer amount of work it all requires.

To top it off, this is my full time job (and I still struggle to keep up with it all). But you all are doing this in your free time! It really is mind blowing what the PTIO team has done and continues to do. You do not hear this often enough: THANK YOU!


So even though you are buried in work you still manage to prioritize correctly and hit your high set standards. This discussion is another example of it. A crucial affair that needs to be discussed and resolved. Thanks for all of your transparency in the matter.

As a result it really does not surprise me that your venture is seen as an exemplary role model in the whole privacy space. As Dan correctly said:


But this is not the end of the story, let me elaborate:

2. Perceived trust vs Trust

How trust works is that a person simply has to perceive you or any other entity as trustworthy. This is based on metrics that vary from person to person. You normally are only able to have any kind of relationship if this perceived trust exists. Be it friend <=> friend, customer <=> company, community <=> ptio, etc…

Now take note it does not matter if the trusted entity is really trustworthy or not, as long as the perception upholds, the relationship can continue. (*cough*, shitty VPNs, *cough*)

The same applies the other way around: if you are perceived as untrustworthy but are the most honest and trustworthy project in the world, you will still not succeed.

There is a whole industry aware of that fact and willingly exploiting our psychology. Marketing.

3. The Privacy Community

We are a bunch of people who have been exploited and lied to time and time again. Marketing claimed this, marketing claimed that. And yet, companies failed us again and again and again.

As a result we have become one of the most skeptical bunch in the world. We question everything. Every marketing claim thrown at us we inspect and take apart with scrutiny. And that is a great thing! No marketing claim without truth behind it lives long in the privacy realm. I truly believe that our community is one of the few places where truth and transparency prevail.

But beware, we are still driven by psychology. We still have limits and draw lines since we cannot investigate everything. So where do we draw the lines? It depends on each individual, but as a whole I believe there are a few strongly agreed upon “rules”. Think open source vs closed source. And another one is:

4. Money corrupts unbiased judgement

A recent blog post by @jonah shows how money corrupts top ten lists. As @danarel mentioned, your commitment to being unbiased as a team made you set up wonderful barriers to prevent any room for bias. Your finances team is decoupled from your review team. And you clearly state what sponsors get and what they don’t get.

And you communicate this clearly, so the community can perceive you as trustworthy - and there is a lot of evidence to back it up after their investigating. This is why you got where you are.

But your policies do not address the current affair.

5. There’s no way around a policy

I can exactly predict what will happen when you allow team members to be financed by a company listed or wanting to be listed on PTIO. The community will investigate and take apart that decision with scrutiny (see 3.), they will agree on their conclusion that this will corrupt you (4.) and their psychology will kick in and perceive your whole venture as untrustworthy (2.) - and start advocating this perception throughout the space.

Sadly, in this matter I cannot see room for compromise. Because where should we draw the line? Is part-time OK? Consulting? What amount of consulting? What if it turns out to be “just 5 hours” of consulting (but paying 10.000$/h)?

And from a company perspective, there is another conflict: Why would a company go down the official and transparent route of supporting you via sponsorships when there is a potentially “more effective” way? (this whole story does not shine any good light on Startpage fmpov, but that’s another story)

And I really want you to get more sponsors and ideally even gain the possibility to pay some of your work through the opencollective initiative.


You’d shoot yourself in the foot in too many ways. You need a policy.

6. Conclusion

After a long buildup and some blunt words I’d like to wrap up with words of thanks.

Thanks again for all your work (1.), thanks for your transparency - not only in this concern but in general! And thanks for always holding the bar so high, prioritizing the PTIO mission before personal gains.


To @danarel:

I am in no doubt that you never meant any malice and I believe that you could cope with consulting a company without it corrupting your judgement. Thanks to you personally for being so open about it. It kinda proves my point. But sadly, perception is stronger which fmpov, excludes that as an option :neutral_face:


to @all PTIO team members:

If a great opportunity emerges for you and you are excited about it, by all means, take it. Nobody will blame you for prioritizing financial stability. As mentioned before, you’re taking up a humongous amount of work for free. I can only assume some of you will struggle more financially because of it. And likewise nobody will think lesser of you if you resign (for whatever reason) after a while and pass on the baton.


I truly hope you know I and so many others appreciate everything you do. Kudos to all of you!


And 7. consider supporting their work, individuals and companies alike!
https://opencollective.com/privacytoolsio

5 Likes

I think this would be a good idea in theory, but in practice I think the team is too small to have enough people interested in a specific topic and in some cases I fear this policy could stop VPN or Real Time Communication sections entirely or damage others like DNS.

Most of the team is in the team-only Matrix room and may be discussing there daily/nightly depending on timezone and while I am not sure would I recognise someone else’s text without name, I agree that there wouldn’t be too many options who has talked about something externally.

However I don’t think the point of the Whistleblower policy would be anonymity, but more of something that could provide support for the decision that whistleblowing is the right option or encourage taking that option calmly. I think it should also document how to perform the disclosure better than this.

2 Likes

Totally agree, IMHO it is totally an issue about public relations, I trust you people and I don’t think this will make you change the way of doing things, but I’m sure a lot of people (most of them on reddit) will get paranoid about a lot of stuff that they shouldn’t, and this can be one of them. For the sake of transparency creating some sort, or a policy will provide you with a better perception from the community.

1 Like

This makes me more unhappy about startpage than before, as it seems a cynical and manipulative move on their part. I don’t doubt that they see value in the skills of the entire PTIO team, but how can they not be fishing here for areas of influence? It has been found repeatedly that pharmaceutical companies leaving even something so small as pens and memo pads in medical practices creates a sense of obligation in the physicians. It’s simply the sense of reciprocity in the human mind.

2 Likes

I believe now is the time for Team Members to document what companies/types of companies they work with/consult with generally that should preclude them from making decisions about a specific company or industry – basically any kind of potential PTIO conflict of interest in fact or appearance. This doesn’t mean everything – only affiliations a reasonable person would see as conflicts.

For example, @mikaela notes later (in response to my question about other potential PTIO conflicts of interest) that @Jonah owns the hosting provider Nablahost.

Ideally, Jonah would disclose this in his bio, and Jonah would recuse himself from voting on any hosting providers. He would also disclose and recuse if he services (or discusses servicing) any company/service listed or considered for listing/delisting/relisting on PTIO. (To Jonah’s credit, PTIO has not listed Nablahost, but has actively discussed whether listing it would be ethical.)

If, for example, Startpage or System1 asks Jonah for a bid on hosting one of their servers, he would recuse himself from voting on Startpage and search engine matters while he is considering the offer. If a contract is formed, then Jonah would recuse as long as the relationship is in effect.

Later in this thread, @infosechandbook refers to a forum thread titled War of Recommendations in which he recommends ways to make PTIO recommendations/actions more transparent and evidence based, writing:

What could be a solution?

As originally suggested on GitHub, PTIO should introduce a transparent catalog of criteria for software and services. For services, there are already suggestions by @LizMcIntyre. Furthermore, PTIO should define a list of typical threats that need to be considered when evaluating software and services. Finally, recommendations should come with sources for statements and recommendations should be regularly and transparently reviewed.

What would happen if PTIO adopts infosechandbook recommendations? In the Jonah Nablahost case, Jonah’s hosting service would be evaluated using standard objective criteria, like any other service. These criteria (and PTIO Team member ownership) would be made public to foster trust in PTIO recommendations.

Sounds complicated, but @Supernova points out how a compliance officer could help keep organizations out of the muck, as you’ll see in a later post. Maybe a PTIO volunteer could serve in this role and help advise Team Members about disclosures and recusals. (Maybe @Supernova?) This person could also help ensure objectivity and transparency with regard to PTIO decision making.

NOTE: Edited to reflect new information and helpful comments by @infosechandbook @supernova and @mikaela

Independently of myself, @blacklight447 is working on some policies that I cannot comment on at this time, but I will share my thoughts on everything else here.

I think you’re great, Liz, but realistically your views on this subject cannot be taken at face value either. Your bias against Startpage and their relisting on PrivacyTools is almost definitely affecting your actions: “reading between the lines” to draw attention away from recommendation discussions and towards problems that don’t exist.

Ultimately the only consequence we’ve really seen here is that the privacy of one of our team members was violated. He requested and made clear that he did not wish the details of his life be shared publicly, especially as they were still working out what a final agreement would look like. Sharing this information on GitHub was unnecessary at that time, and continuing to delve into the matter on GitHub and in this thread do not seem like actions made in good faith. It creates an unhealthy environment where people will be unwilling to share this information in the future. I know for a fact that these discussions have caused considerable stress for many people in the team and community.

To me, constant side discussions regarding Startpage like this seem like ad hominem arguments intended to distract the community and the team from relisting Startpage based on the facts that we currently understand about their organization. We know that they have been responsive to all questions and concerns we have voiced, and I do think they should be relisted, as I stated in all my reasoning at #1562. The opinions of the team and community do not change these facts, and the opinions of a single team member make up but a small part of the decision making process as a whole.

Creating additional documentation of the team is not something we are considering. We respect the right for our team members to only divulge the information they wish to be public, as is the purpose of our entire organization. In the same line, we hope that the procedures we have in place regarding recommendations and the transparency of the organization as an entity make why we chose to take the actions we do.

Hey @jonah. I did NOT reveal Dan’s name as the PTIO Member. He did right here in this thread. I would not do that without his okay. He wrote the following in the post above using his name:

As stated on GH, the StartPage offer was made because the company learned that the member, which is me btw, and I’m not hiding that fact, had relevant experience that could benefit them. But instead of having that conversation during the delisting discussion, a separate meeting was scheduled to discuss my professional experience.

========================

Note that I was the first one to encourage Privacytools to take a breather before immediately delisting Startpage back in October. In fact, you were the first to recommend immediate delisting. In addition, I requested that we give Startpage time to respond on multiple occasions, as you’ll see in this github thread.

Yes, I am very disappointed with Startpage, but my concern lies with its new majority owner System1. I have become more concerned as new information comes forward, like the fact that System1 processes some fuzzed search data. I think it is reasonable to be concerned about a pay-per-click advertising company being involved in the processing of a privacy search engine. I’m clearly not alone in that, and I believe it is important to speak out as many here have about their concerns.

I agree that Startpage finally did answer most (though not all) of the questions completely. For that reason, I did not object to the relisting. My comments were only suggestions that would have made any listing more accurate and protect PTIO’s reputation.

However, I do understand PTIO Team Member @blacklight447’s reason for recommending against relisting based on lost trust. This latest incident is just one more support for her argument. Your sponsor Safing’s @davegson commented on this situation, writing:

this whole story does not shine any good light on Startpage fmpov

I have to agree with that.

You are suggesting that somehow I manufactured this conflict of interest. In fact, it was brought about by a very unfortunate situation and revealed as a conflict of interest by a PTIO Team Member whistleblower. Not me. I also give Dan Arel credit for coming forward with details and being willing to share his name.

BTW - I believe Dan could be considered a victim here because he reported the situation internally to the PTIO Team and likely had no idea how this could be perceived as a shady backroom deal. An appropriate policy would have saved him and all of PTIO from this controversy.

Creating additional documentation of the team is not something we are considering. We respect the right for our team members to only divulge the information they wish to be public, as is the purpose of our entire organization. In the same line, we hope that the procedures we have in place regarding recommendations and the transparency of the organization as an entity make why we chose to take the actions we do.

I think this is very unfortunate, but it’s not my decision. This current conflict of interest situation shows why transparency is so important to trust and why objective documentation that supports listing/delisting/relisting decisions would engender greater trust. In fact, your biggest and only current PTIO sponsor @davegson (Safing) has recommended a policy, writing:

There’s no way around a policy

I would appreciate it if you would correct the record and what you wrote in light of the evidence I have shared here. Thank you.