If you like this guide, please consider making a donation to support me.
How to judge a service or provider?
1. Introduction
2. Surfaces
3. Legal documents
4. Other important considerations
5. Summary
Introduction
Nowadays privacy violators are all over the web. Some of them are easy to avoid, for example Google, which is obvious and well known to track you all over the web and spy on you. Others pretend to be private but are actually honeypots of governments or big corporations, like ProtonMail. But how can we distinguish between them? That's what we will cover in this article.
Surfaces
Basic requirements
Here are the basic requirements that every provider or service should have or avoid:
- Crypto accepted for paid services: this is a really important factor to consider - you don't want your bank to know every transaction you have made on the internet, which can then be linked back to you, do you?
- No reCaptcha/hCaptcha for registration: reCaptcha is owned by Google - enough said. hCaptcha is another captcha that claims to protect your privacy, but its privacy policy tells a different story.
- No Tor blocking: a dealbreaker if they do. Simply put, without Tor or a VPN to hide your internet activity from your ISP, your real identity is likely to be exposed and tracked across the internet.
- No personal data for registration: no telephone numbers, no real names, no physical addresses and no other information that can be traced to a particular person. An email address is acceptable since you can create email aliases.
- No Google Analytics: this is obvious. Google will be able to track you all over the website if the website has installed Google Analytics. Never trust a provider's privacy statement that Google Analytics is configured not to collect your IP. This only means the provider can't see your IP; Google still knows it all.
- No Cloudflare: Cloudflare is a big tech honeypot, see here for details about how it sucks.
- Support for open standards: this is quite an important factor and indeed lots of providers get stuck at this one. Open standards mean PGP support for email providers (instead of using their own encryption like Tutanota), OpenVPN/WireGuard for VPNs, and OTR/OMEMO/PGP support for instant messengers.
Now just take a look at those so-called privacy-respecting providers: almost all VPNs, instant messengers, email providers and website hosting providers fail these basic requirements. Many instant messengers get stuck at the phone number requirement. The VPN industry is even worse - most of them have Google Analytics and sit behind Cloudflare, while some of them don't accept crypto. Even if you find a service that meets all these requirements (already pretty hard), a more advanced challenge comes below:
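As an added example, not part of this guide, here is a small Python script that checks a fetched page's HTML and response headers for the markers of several basic requirements above: Google Analytics/Tag Manager, reCaptcha, hCaptcha and Cloudflare fronting. The sample page and headers are constructed, and the list of script hosts is an assumption based on commonly seen script origins, not an exhaustive inventory. Tor blocking and crypto acceptance can't be judged from a single page fetch, so they are out of scope here.

```python
import re
from html.parser import HTMLParser

# Script/iframe origins that give away each check. Assumed list of commonly
# seen hosts; extend it if a provider loads these trackers from elsewhere.
TRACKER_HOSTS = {
    "google_analytics": ("google-analytics.com", "googletagmanager.com"),
    "recaptcha": ("google.com/recaptcha", "gstatic.com/recaptcha", "recaptcha.net"),
    "hcaptcha": ("hcaptcha.com",),
}


class _SrcCollector(HTMLParser):
    """Collect every src/href URL from script, iframe, link and img tags."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe", "link", "img"):
            for name, value in attrs:
                if name in ("src", "href") and value:
                    self.urls.append(value)


def audit_page(html, headers):
    """Return {check name: [evidence, ...]}; an empty list means the check passed."""
    collector = _SrcCollector()
    collector.feed(html)
    findings = {name: [] for name in TRACKER_HOSTS}
    findings["cloudflare"] = []

    # External resources loaded from tracker/captcha hosts
    for url in collector.urls:
        lowered = url.lower()
        for check, hosts in TRACKER_HOSTS.items():
            if any(host in lowered for host in hosts):
                findings[check].append(url)

    # Google Analytics is often bootstrapped inline (gtag()/ga()) as well
    if re.search(r"\bgtag\(|GoogleAnalyticsObject|\bga\('create'", html):
        findings["google_analytics"].append("inline gtag/ga() bootstrap")

    # Cloudflare leaves distinctive response headers on proxied sites
    lowered_headers = {k.lower(): v for k, v in headers.items()}
    if lowered_headers.get("server", "").lower() == "cloudflare":
        findings["cloudflare"].append("Server: cloudflare")
    for header in ("cf-ray", "cf-cache-status"):
        if header in lowered_headers:
            findings["cloudflare"].append(f"{header} header present")

    return findings


def passes_basic_checks(findings):
    """True only when no check produced any evidence."""
    return all(not evidence for evidence in findings.values())


# Constructed sample: a sign-up page that fails several basic requirements
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);} gtag('config', 'G-EXAMPLE');</script>
<script src="https://www.google.com/recaptcha/api.js" async defer></script>
</head><body><form action="/register"><div class="g-recaptcha"></div></form></body></html>"""
SAMPLE_HEADERS = {
    "Server": "cloudflare",
    "CF-RAY": "0000000000000000-EXAMPLE",  # constructed placeholder value
    "Content-Type": "text/html",
}

# Constructed sample: a plain self-hosted page with no trackers or captcha
CLEAN_HTML = """<html><head><link rel="stylesheet" href="/style.css"></head>
<body><form action="/register"><input name="user"></form></body></html>"""
CLEAN_HEADERS = {"Server": "nginx", "Content-Type": "text/html"}


if __name__ == "__main__":
    for label, html, headers in (("sample", SAMPLE_HTML, SAMPLE_HEADERS),
                                 ("clean", CLEAN_HTML, CLEAN_HEADERS)):
        result = audit_page(html, headers)
        verdict = "PASS" if passes_basic_checks(result) else "FAIL"
        print(f"{label}: {verdict}")
        for check, evidence in result.items():
            for item in evidence:
                print(f"  {check}: {item}")
```

On a real provider, feed `audit_page` the body and headers of the registration page as fetched through Tor; a site that blocks Tor will usually not even return the page, which is itself a finding.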
Advanced requirements
Here are the advanced requirements for a provider to get a higher grade/rating from me. However, even if a provider scores well here, it won't get a higher score from me as long as it fails the basic requirements.
- Onion site: even if you use Tor to visit a clearnet website, once your request has passed through the Tor nodes, your traffic leaves the exit node unencrypted by Tor. That's what an onion site solves - since both the server and you use the Tor network, your whole path is encrypted by Tor, so you don't need to be afraid of anyone spying on you.
- No JavaScript: this is important for users who choose to disable JavaScript entirely. Why do they do so? To block third-party trackers like Google Analytics, Google Tag Manager and others such as Amazon's, which use JavaScript to spy on website visitors.
Legal documents
The Terms of Service/Use tells you how restrictive the provider is, while the Privacy Policy tells you what they do with your data. Even though massive privacy violators collect your information and share it on purpose, a provider located in the European Union can face legal consequences if it lied in its policy. If a provider doesn't have a Privacy Policy at all, just leave it alone and avoid it - every privacy-respecting provider should have released a statement of how it handles your data.
Without further ado, here's what you should be looking for in particular:
The Privacy Policy
- IP addresses: generally, you should abandon the provider if these are stored for a long time (or without stating how long they are stored). If this is combined with Tor/VPN blocking, just forget about the provider, as you will be leaking your IP if you use it.
- Content data (i.e. messages for IMs and emails, browsing data for browsers, etc.): a dealbreaker, as this collection cannot be mitigated. The one exception is when the server must store your messages to deliver the service (e.g. in XMPP).
- "Statistical/Anonymous information" (operating system, settings, preferences, etc.): it's okay if they state exactly what statistical information they collect. Avoid those that only say "We collect statistical information to improve our services."
- Retention: even if they store data, for how long?
- Third-party sharing: depends on the third party. If the service uses a third-party payment processor for credit card payments and offers a choice to use Bitcoin, it's fine. For unavoidable third-party sharing of your personal data, even if it is "anonymous", avoid!
Terms of Service
The ToS is quite a minor part of the privacy index, but it's still important to see the provider's view or attitude towards what should and should not be accepted:
- Disallowing the use of their services for "commercial purposes": It's okay if you use them for personal use.
- No "discrimination" or "harassment": nowadays even an ethnic joke can be considered "discrimination". If the provider has access to your content data and also has this ToS, you should avoid them.
Other Important Considerations
There are always situations where a provider meets all the basic (or even advanced) requirements and has a good privacy policy, yet is in fact not trustworthy at all. These providers usually have loopholes in their privacy policy, e.g. they will readily hand your personal data to the court when there is a court order (which can easily happen, especially if you're an activist), or they have a dark background or history, e.g. being owned by a big corporation (or ad company), having private links with governments, or changing their ToS/Privacy Policy suspiciously. In this section, we'll discuss the other important considerations for a provider besides the essentials and their privacy policy. Make sure to do in-depth research yourself before using an unknown provider! (Or read my incomplete reviews.)
Transparency Report
The transparency report of a provider tells you how they respond to government requests for disclosure of personal data - whether they kneel down and give the government the requested data to avoid being shut down, or reject the request to protect users' privacy. Let's take Proton's Transparency Report as an example:
Under Article 271 of the Swiss Criminal Code, Proton may not transmit any data to foreign authorities [...] Swiss authorities may from time to time assist foreign authorities with requests, provided that they are valid under international legal assistance procedures and determined to be in compliance with Swiss law. In these cases, the standard of legality is again based on Swiss law.
This is typically an illusion (to be discussed in the next sections) - they try to plant the idea in your brain that Swiss law protects your privacy, but in fact it's the company's own policy that decides whether they hand over your data or not.
In general, Swiss authorities do not assist foreign authorities from countries with a history of human rights abuses.
Great! Now, with your privacy held by Proton, who decided to transmit your data to the Swiss authorities under the "privacy-respecting" Swiss law, your privacy is directly at the mercy of Switzerland's diplomatic relations (because they decide which countries abuse human rights). Now let's check the percentage of complied requests out of all orders:
Aggregate statistics of legal orders that we have received can be found below:
2021
Number of legal orders: 6,243
Contested orders: 1,323
Orders complied with: 4,920
Impressive. They managed to comply with 4920/6243*100% = 78.8 % of all requests, which is equal to Google's rate. If you use their services and are targeted by a foreign authority, probably because you are involved in activism, there is a 78 percent chance of your data being released to that authority.
This is just an example. In fact there are many cases far worse than the Proton example, so do the research before using a provider.
Don't forget to support me with a donation if you like the guide!