Hacker News
Privacy, Search Engines, and Government Monitoring (blekko.com)
21 points by greglindahl on June 18, 2013 | 6 comments

The article says privacy by design but then goes on to list examples of privacy by policy:

- "Don’t track anyone’s search histories" This can simply be changed by changing your policy and deciding to start tracking it.
- "Be careful that anonymized data really is anonymized, and is minimized to provide the most benefit with the least data." A bad actor can always save a non-anonymized copy for "law enforcement" purposes.
- "Keep nothing if users select the “Do not track” option in their browser." Again more privacy policy, since it relies on you not changing your mind about DNT.

A real example of privacy by design is DuckDuckGo's hidden service, since it cannot, by nature, know who is using it.

I found most of the courses of action suggested by the article to be privacy by policy, which is laudable, but it ain't privacy by design.

The design part is that when bad guys or government agents show up to collect historical data, it isn't there.

I agree that for even better privacy, i.e. to protect against us being ordered to keep data in the future, you should search via Tor, reject cookies, etc etc.

Well, first, I think you should be commended on having these policies, and I think that this is the best you can get with a website. However, an adversary can force you to change these policies. While an adversary can also force a developer of a free software project (private by design) to put in some kind of backdoor, in theory the target will be able to avoid this by reviewing the patches made to a project. In practice I imagine a single target could be compromised by this backdoor, but I imagine it would soon be discovered. This is the key difference.

I'm really curious what the HN community thinks about Privacy by Design, and also the tradeoff between keeping all of the exact data on all your users' behavior vs. keeping summary data that obscures most of the details while getting most of the benefit.

Hey Greg, we met a few years back in SF. Two [edit: three] small bits of feedback: I would suggest that you consider browsing without JavaScript (I guess a relatively huge segment of your audience, re: privacy concerns?) and also have obvious contact details or info about Blekko itself visually accessible from the main page. A ~live sparklinesque graph of search volumes or other upward metrics might also appeal and provide free marketing. [Third point: your default/suggested searches are culturally insensitive. How about putting in some consulted time for topic recommendations for non-US countries?] PS. Congrats on the recent round of investment!

We are adding contact & privacy policy info to the homepage footer today, and non-US countries should be getting different, much less US-centric topic recommendations -- in both cases I was the guy that insisted that we do it that way! :-)
