Shady Data Collection and Sales
The next step is to see what information is collected. If it’s just simple stuff, like your name and email address, there’s usually no problem: This is information that the service needs to create an account, and there’s little to no money in that data. However, as a general rule, the more information sites want from you—and the more exotic that data—the greater the chance that it’s being sold onward.
A lot of data doesn’t really need to be collected. Your phone number, for example: There’s really no reason for anybody to have this besides professional or governmental services. Another is information about your device that can be used to track it. Also known as device fingerprinting, it’s only necessary for specific software. Another big one is your location, which is necessary for map-based apps and nothing else. Then there’s a host of other examples: Most smartphone apps, for instance, don’t need access to your contacts list.
However, the above only counts when companies are being honest about what they’re doing. If they’re not, there are a few other ways to figure out that something fishy is going on.
Typos and Tricky Language
There are also opposite, ridiculously convoluted privacy policies that are just filled to the brim with legalese. You see tactics like this all the time in rental agreements, employment contracts, and plenty of other day-to-day legal documents, and they exist only to confuse you. If a piece of software or a service that you’re purchasing is trying to overwhelm you with legalese, then they’re probably trying to get the better of you. Don’t let them.
Suspicious Corporate Structure
Another thing to look out for is a weird corporate structure. Although in this day and age, it’s normal for corporations to own other corporations, which in turn own yet more corporations like some kind of Russian nesting dolls, there are some signs that things have taken a turn for the truly weird.
One example is when one of the companies in these chains of ownership is based in a jurisdiction known for secrecy. Examples include the Cayman Islands, the Seychelles, and Gibraltar. If you need secrecy so much that you’re based there, what are you hiding? For example, many VPNs will headquarter in such locales in a bid to avoid warrants for their customers’ data, but there are plenty of companies that don’t have the same need for secrecy also moving out there. It should raise your eyebrows when you see exotic locales like this in company information.
Other signals are when data is handed off to other companies under the umbrella. One example is Avast, which sold user data through a subsidiary named Jumpshot (It was closed soon after the story broke.). While it’s legal to transfer data to subsidiaries, when it’s explicitly mentioned, you might want to do some digging on the company in question to make sure that none of those subsidiaries are in the data-selling game.
Confusing Security and Privacy
Another issue that we’ve come across more than once is that some companies will equate privacy and security: When you look up how the company handles your data, they’ll overwhelm you with jargon and impressive encryption terms like AES or Blowfish. However, this has nothing to do with privacy.
In short, the difference is that security is how well a company protects your data from outside threats, while privacy is all about how a company handles inside threats, or how it treats your data. A service can have the best, most state-of-the-art security on offer, but if they’re selling your data to marketers, it’s still bad news for you.
In short, no matter how much a company talks about how well its infrastructure stands up to simulated attacks or how good its encryption is, you need to focus on how well it treats your data internally. It’s like a magic trick: Always look where the illusionist doesn’t want you to look.
In the end, though, the best tool that you have at your disposal is your common sense: If a site looks like a cowboy outfit and it wasn’t recommended to you by somebody you trust, don’t sign up for it. Discretion is the better part of valor, after all.