The Service Privacy Test is a little something I made to gauge how privacy centered a service/software is. I test them under 3 sections: Accounts, Use of Service, and Miscellaneous. To use this give a service a score of 100 and add the following when applicable. Most of the options will be in increments between 5 to 20 as the first iteration of this test had huge negative scores for services that had them. All the grading I do will use this this test to it's full extent. I'll try my best to grade as much services as possible but you're free to do some grading yourself. Just make sure to share it to the world, will ya?
All accounts really need at least one identifying factor to distinguish you from everyone else (apart from the given identification number). I believe an email alias would be the best option for privacy in this scenario.
Highly recommended to preserve anonymity. I know some services disallow this so its really up to you whether you want the same email in different accounts or not.
Giving away your phone number is a general no-no in the privacy world as it can be used to determine a lot about you, your country of residence to start. Apart from the various spam calls and texts, one data leak of your number is usually all it takes for a malicious third party to gain access to your phone. See here for an example (will direct to a Google blogspot).
Some will allow you to use the service but lock some features behind adding a phone number. While it is a pretty douchey move, it's at least an improvement over requiring it when signing up for an account.
I don't think I need to elaborate on this.
Why? Just...why?
Account deletion should honestly be a default yes for any service, trivial or not. It provides you with the right to be forgotten and a chance to have all data they have on you deleted (varies from service to service). Services that disallow account deletion should honestly be sued.
Honestly it annoys me when we as customers have to contact CS to delete our accounts and this should be classified as a huge red flag when signing up for one.
If you live in the EU or any other country with a Data Privacy Law that states a "right to be forgotten", then exercise that right and pressure these numbnuts to get your data off of their servers. This right here's just plain creepy to be honest.
Your IP address is essentially your "face" on the internet, except it's a lot easier to keep track of as it's just a couple numbers. Also it can correlate to your country of residence and if people put the time in, your exact geolocation. Companies use this identifier a lot when showing you ads so you might wanna avoid services that do this (unless you trust the service with this info).
While it may seem trivial at first, every little tidbit they can gather on your machine is a tidbit that can make you unique and stand out from the crowd. This includes what browser you're using (if a website), what OS you are on, screen resolution, etc. Note that this includes anything that can gauge performance of any sorts; i.e. HTML5 Canvas Data.
Another very big no-no. You might make exceptions for door-to-door delivery services but if you're keen on online privacy why are you using them in the first place?
Are you okay with that? Are you okay with the fact that the service will log everything you do while using it? Every term you searched, every post you liked/hearted, even every time you were idle? Okay the last one might not be applicable to all but you get it.
I am of the firm belief that if End to End Encryption messaging isn't supported, the service will read all messages sent when using it, no matter how many times they claim that they won't.
Pretty trivial honestly, as pretty much everything supports HTTPS these days. But on the offchance that it doesn't, well this exists.
Includes CDNs and miscellaneous data processing (3rd party to process phone numbers to state an example). I was a bit confused about the privacy implications of using 3rd party services myself as well. But I quickly realized that apart from the service, you'd be giving away your info to another party as well. I'll only advise skipping this if you trust the services with your data as well. Does not include 3rd party advertising (see below).
Online advertising has pretty much become a data harvesting business at this point. Gone are the days of when advertisements were just annoying 30 second videos in between your 12th rewatch of Seinfeld.
Keeping it in house is the most preferable way if they're gonna serve you ads. Inviting a 3rd party in just causes pandemonium if I'm being honest.
Telemetry is the collection of various data while analytics is the process of analyzing said data. Companies like to interchange the two so I've just lumped them together for brevity's sake (I will also refer to them in tandem as T&A). That being said, I don't believe all T&A are evil so I included some extra criteria to exclude the ones with good intentions in heart.
One of these being the ability to opt out. Note that some will not allow you to opt out of all telemetry and analytics.
Last one being this. Honestly all usage data collection should be opt in by default. Add that to the list of why we can't have nice things on the internet.
This includes directly blocking Tor IPs, Giving way too many security checks (some of which may fail) before you can start using the service, and using Tor/VPNs as grounds for account restriction or deletion (when applicable). While I understand this is to prevent DDoS attacks and the sorts it kinda sucks when they have all these invasive ways of tracking you and they just get angry when you use Tor. All I have to say to them is go f-
See previous item for description of an unpleasant experience. Tor IPs are a bit understandable, VPN IPs are just a douche move to be honest.
Having an onion site means they aren't against Tor (yay!) but that doesn't automatically mean they actually care about the privacy of their users. Being able to use Tor is also very nice to have in a service.
Undefined pretty much means they can do whatever they want with it and store it for as long as they like. I do not like services that do this. Having a permanent record of your personal data lying somewhere within arm's reach of a 2nd party for them to do whatever they want with it should not sit right with you. Again if you live in the EU or a country with its own GDPR, pressure these numbnuts to delete that.
This is usually stated something along the lines of "we will only store your information as long as necessary to fulfil the purposes for which the information is collected and processed". This means they should delete the data that they don't need once they've had their way with it.
Open source means you know exactly what goes on under the hood of that application you just installed (assuming you know how to read code). And even if you don't, this establishes transparency between you and the developers about what their service is all about. Always remember that open source does not automatically mean more private.
While it is a general no-no to avoid closed source in the privacy realm, there are just some closed source that gets recommended every now and then (OOSU10 for example). I'm a bit more open to this issue so only skip this if you trust the developers to do the right thing.
Only applicable if 1st party is closed source. While less preferable to add another party in the mix, it at least adds the option of using an open source client when the official ones are closed source.
This one's a personal pet peeve I've included in case other people also have the same problem about a product being sold by shady/untrustworthy companies. I'd also like to clarify that since Firefox only received a donation from Google and technically isn't backed by them then they should fall under this category and not the next one. I have been proven wrong once I finally tested FF, see Firefox's SPT for details.
By backed I mean a sizeable amount of their revenue is reliant on these companies or these companies are major stockholders. An example would be Tencent and Discord or Tencent and Reddit or Tencent and Epic Games or Tencent and... you get it.
By definition this should include Brave Software, Inc. as they are in the advertising business. Although many people still find their products trustworthy to use, some don't seem to share that view. Personally, the browser looks good but I ain't taking my chances (also Gecko browsers ftw). Once again, if companytrusted=1 then scoreaddendum=0 and skip=1 (return 0;).
===========================================================================
Once you've added all the numbers you should get a score between -200 and 140 (not exactly the numbers I had in mind when I made this but it is what it is). Personally I'd only use services that get a score of at least 40 assuming all 3 chapters are accounted for.
And remember this is only a guide, not a definitive Holy Scripture of sorts. Don't take the score you get here as an absolute and treat it more like a very well formed opinion. I also feel like this still has room for growth so might update this from time to time ;)
Changelog: