Companies launch new services that sound interesting, friends encourage us to join the latest social media platforms, a specific App might be recommended in the media or you want to rethink the tools and services you are currently using: in today's maze of companies, Apps, operating systems and devices, privacy and security quickly fade into the background. After all, if our friends are using them, why shouldn't we? But it is important to remember that each and every one of us has the power to take measures which can help protect our data. Below are some basic questions we believe are worth asking when you are thinking about using an online service:
1. Is it free and open source or proprietary?
2. What do we know about the company which runs the online services we use?
   - Who owns the company?
   - What is the company's jurisdiction?
   - Is the company known to collaborate with governments?
3. What are we actually agreeing to when we accept the Terms of Service?
   - What does the fine print in the Terms of Service say?
   - Do the Terms of Service change without notification?
   - Can we leave the service and really delete our digital shadow?
4. Can we install the services without giving up our personal information?
5. Has the tool been security audited?
   - Who carried out the security audit? The open source community?
Free and Open Source vs Proprietary
If a service, App, operating system or tool is proprietary, that means that the technology behind it, also known as the source code or software, is closed. It gives the user the right to use the product under specific conditions but limits the ability of people to share, modify or study it. More specifically, this means that we have very little control over how we can use it or what data we give up by agreeing to the specific license or terms of service. This is different to open source projects, which usually start in a public and collaborative manner and where the code behind the project is available under a license. This means that the projects can be peer reviewed and audited by the community. There is a distinction however between free and open source projects. As advocated by the free software movement, “free software” means that users have the freedom to run, copy, distribute, study, change and improve the software. This gives us more autonomy over the software that we use.
As such, “free software” is a matter of liberty, not price. The four freedoms of free software are listed below:
1. Freedom to run the programme as you wish – for any purpose.
2. Freedom to study how the programme works – and change it so it does your computing as you wish. This requires access to the source code.
3. Freedom to redistribute copies – so that you can help others.
4. Freedom to distribute copies of your modified versions to others – by doing this you can give the whole community a chance to benefit from your changes. This also requires access to the source code.
What do we know about the company which owns the online services we use?
Companies have principles and a history of actions that can tell us whether they are serious about protecting our data. One can find these by looking at their track record and by asking some simple questions. It is important to remember that if an online service or product is commercial and we are not paying for it, then we are the product. Some questions we could ask ourselves include the following:
- Who owns the company? For instance, an App might be branded in one way but bought by a larger company over the course of its life, like WhatsApp being bought by Facebook. A change in ownership can change the terms of service and have implications for our privacy without our realising it.
- What is the company's jurisdiction? In most cases when we use online services, our data travels outside the country we reside in. This means that our data, our name, message and location will travel through different countries, in some cases falling under local legislation. In other cases, certain countries require their companies to comply with their local laws, regardless of where in the world they are actually located. Most US technology companies, for example, have their headquarters in the US, which means that all the data that they collect falls under US legislation. In practice, this means that if a US technology company stores the data of a non-US citizen outside the US, this data can potentially be accessed by US authorities.
- Is the company known to collaborate with governments? The news, companies' transparency reports, the Snowden revelations and multiple other reports have revealed that certain companies are known to cooperate with specific governments. The Snowden revelations, for example, illustrate that US intelligence agencies have been collecting data in bulk from some of the world's technological giants, such as Google, Facebook and Yahoo. In short, when choosing to use an online service, it is important to consider what data we want to keep private and from whom. The known cooperation between companies and governments might make us opt out of certain services for specific data or communication.
Terms of Service
Every time we install an App or sign up for a new service, we are asked to sign a Terms of Service. Here we agree with the rules governing the App or service - basically how we should behave, what we can expect from it, what data it has access to and what the company can do with our data. Like most people, we have probably not read these Terms of Service from “cover to cover”, as they are usually long and contain language which is not always easy to comprehend. But we can start by considering the following:
- What does the fine print in the Terms of Service say? Like any contract, the small print contains the most important information but many of us do not bother to read it. If we do not want to trawl through the Terms of Service, it is at least worthwhile searching to see whether privacy groups or privacy-orientated individuals have already done the job for us and taken a closer look at specific Terms of Service. Here is a project that looks at some Terms of Service.
- Do the Terms of Service change without notification? Terms of Service are not static contracts: they change regularly and some companies change significant privacy aspects without notifying their customers. These companies consider our continued use of the product as our consent to the new Terms of Service. This, however, can lead to awkward situations and may leave our communications, pictures or network more exposed than we intended.
Can we use digital services without giving up our personal information?
To use most digital products, we need to give up our personal information which can include our email address or phone number. This makes it impossible to be anonymous while using this product. In addition, by accepting the Terms of Service, we can also unknowingly provide permission for an App to look through other data we might consider sensitive, like our pictures, contact details and location. Some services will not ask us for personal information and they can be found in the Alternatives section. If they do ask us for personal information, look out for the defaults! In many instances, we can limit the access specific services have.
Has the tool been security audited?
The only way to know that a tool is secure and not leaking information is by having it reviewed by security experts as part of an audit. A security audit is an assessment of a system, tool or App to find any vulnerabilities in its technology.
- Who carried out the security audit? The open source community? There are different ways of carrying out a security audit. Large technology companies have the resources and skills to carry out a security audit internally. Alternatives include hiring a firm which specializes in security audits or having it audited by the technical community in an open source format. In general, audits carried out by the open source community are preferable, as this allows others to investigate how the audit was carried out, what it looked like and what the recommendations were.