This repository has been archived by the owner on Jun 24, 2022. It is now read-only.

🆕 Software Suggestion | Startpage.com #1562

Closed
jonaharagon opened this issue Dec 2, 2019 · 22 comments · Fixed by #1592

Comments

@jonaharagon
Contributor

jonaharagon commented Dec 2, 2019

Startpage was delisted in #1410 following the discussion in #1409. We asked Startpage four questions in our blog we would like answered.

The % of Startpage and Surfboard Holding B.V. (the Startpage holding company) System1 acquired in December 2018.

We are a private company and will not disclose the exact ownership % to protect the privacy of our founders. I can add that the Privacy One group and the founders together, hold 100% of Surfboard Holding B.V. In the total corporate governance of companies, it is also irrelevant to know without also having full insight in the exact articles of association, possible presence of different share classes, priorities or preferences, options, management agreements, side letters, covenants etc. etc. Also, if you are suspicious, any company can give you an overview today and change things tomorrow.

From another reply, we know that Privacy One Group is a majority shareholder (51%+), which gives us two pieces of information:

  • Privacy One Group controls the company from an ownership perspective.
  • There are no other minority owners we need to worry about, only the original team and the new owners.

From my perspective this is an acceptable answer, and tells us all the information we need to know, even though they did not define specific percentages. I don't see how knowing the exact numbers gives us any more useful information than this.

The current % ownership by System1 at the time of the audit (and any other major owners).

This is, presumably, the same as above, is it not? Based on the information from this latest reply and other replies they have given, we know that there are no other stakeholders in the company.

Information about Privacy One Group Ltd. Where is it registered and in what city, state and country does it operate? (We have not been able to verify registration information.)

System1 invested in Surfboard Holding through the Privacy One Group, its wholly owned subsidiary with Delaware incorporation, for legal and fiscal reasons. Privacy One Group is incorporated and listed in Delaware. The register can be found at: https://icis.corp.delaware.gov/Ecorp/EntitySearch/NameSearch.aspx

(source)

The primary concern by the team and community was that it was not clear if this company even existed from a legal perspective, and it could have just been a(n unincorporated) division of System1. We now know this entity exists, and we know why it exists (see Q&A below):

A diagram of data flows, including flows to outside organizations, like System1, Privacy One etc.

(source)

So [Privacy One Group] was incorporated for legal and fiscal reasons, initially intended to lead European investments in privacy products, but over expanded intentions to invest in privacy related products this may now take place from various units within the System1 group. What is essential, is that the Data Flow Diagram clearly shows the role of anonymization and fuzzing on our premise servers in safeguarding no personal data leaks out of Surfboard Holding B.V. These premise servers are owned and operated by Surfboard. That is what matters.

Additional Information

Startmail is evidently not affected by this change:

Startmail BV is a separate B.V. that is not associated with Startpage B.V. or Surfboard Holding B.V. It continues to be owned by Startmail's founders and their families. We do have multiple joint staff members who are working on both products on a daily basis, including myself.

This is something we already knew (https://github.com/privacytoolsIO/privacytools.io/issues/1409#issuecomment-546765877) but I wanted more clarity on.

My Thoughts

I think, personally, Startpage (unlike some other companies) has been very forthcoming with the privacy community. Their response adds clarity to the situation and they are obviously now keeping track of this issue very closely.

I dislike how this information was not communicated from the start, but ever since I have had no trouble communicating with them regarding these issues. I would probably be fine with relisting them as a search engine provider at this time.

@jonaharagon
Contributor Author

A note, the unsourced quotes in this post were from a letter shared with @danarel and myself from the Startpage CEO.

@danarel
Contributor

danarel commented Dec 3, 2019

I recommend re-listing, maybe we add a flag about ownership w/ a link to their support page.

https://support.startpage.com/index.php?/Knowledgebase/Article/View/1277/0/startpage-ceo-robert-beens-discusses-the-investment-from-privacy-one--system1

@StartpageSearch

Thank you Jonah and Dan for starting the conversation to re-list Startpage on PrivacyTools. As you can see from the information we provided, we are committed to being transparent about our business and privacy practices.

Over the last few weeks we have shared detailed company information, technical explanations and data flow charts that clearly illustrate our numerous commitments to safeguard user privacy. This community is very important to Startpage and we look forward to continuing an open dialogue with the goal of raising privacy awareness worldwide.

@blacklight447
Collaborator

I would recommend to wait with this. I don't fully trust the situation yet.

@arbinceed

you can't be serious...

http://techrights.org/2019/12/06/startpage-damage-control-mode/

@danarel
Contributor

danarel commented Dec 6, 2019

That blog post is a disaster. Not to mention being served by an HTTP-only site that focuses on security.

But the entire thing relies on StartPage paying to be relisted and they have done nothing of the sort, and in fact we have turned over the possibility of being relisted to the community, based on the information we have.

It seems the author cares more about clicks than facts.

@itookyourusername

Sure, if you want to lose credibility

@danarel
Contributor

danarel commented Dec 6, 2019

Given what we know about StartPage now, and its ownership, not-relisting them means we have to take a look at DDG and Qwant as well because both receive large amounts of VC funding and have investors which would normally raise eyebrows.

However, both have a history of trustworthiness and we monitor them and use them as long as they maintain that trust.

After our discussions w/ various members of the SP team and their CEO, it's clear to me at least that they knew they handled the situation badly, and instead of "damage control" are trying to right a wrong.

What's ironic is the amount of people screaming that we must relist Wire because they like it, even though their leadership did the opposite of StartPage and basically said they don't care about the individual user and made no apologies for not disclosing their sale to the US or changes in their privacy policy.

What we see here is StartPage disclosing the information we asked for, not changing their privacy policy, and really, if we are honest, not doing anything that should make us believe they are violating any user privacy.

Like DDG and Qwant, as a community we must continue to watch them, and ensure they stay on that course, but that goes for literally every single privacy service out there. None of them are free from possible financial influence, and it's the transparency we must seek.

What happens from here is up to everyone. I cast my vote in support of re-listing them, but mine is only one vote and not consensus. This fact alone destroys the argument being made in the blog post listed above because this page right here disproves that SP is being paid to be relisted or trying to use money to influence the decision. If that were the case, we'd just relist it and be done w/ it. Yet, you see above another team member (and I don't think they are alone) is not ready to relist it, and so for now, it's still not listed unless the community decides otherwise.

@itookyourusername

itookyourusername commented Dec 6, 2019

Given what we know about StartPage now, and its ownership, not-relisting them means we have to take a look at DDG and Qwant as well because both receive large amounts of VC funding and have investors which would normally raise eyebrows.

But the biggest stakeholder at SP is now a data mining company (System1). Doesn’t this make them “the big chief” in the boardroom? Does this also apply to DDG or Qwant?

@danarel
Contributor

danarel commented Dec 6, 2019

All of them have these kinds of voices in their board rooms.

System 1's investment (via Privacy One Group) is what raised the red flag and prompted our questioning and original removal.

However, it's worth noting that DDG and Qwant don't have totally different business models, albeit not "owned" by a company like System 1, but have significant investments of people who will want a return.

Union Square Ventures invested in DDG, and they fund massive advertising companies, etc.

https://www.usv.com/companies/

Among other VCs, DDG also got a large investment from OMERS

https://www.omersventures.com/Portfolio

They have a smaller, but similar portfolio to USV.

Not to mention that they partner with Yahoo, Yandex, and Bing for search results, but also they rely on Amazon and eBay for money financially through an affiliate program.

Given all of this, it's the fact that DDG has not had a case of breaking user trust, I personally continue to trust them. They are always open and honest about investments and partnerships and don't leave me thinking they have anything to hide, and in fact, if they were caught giving up personal info, it would destroy their business.

Qwant has investors from Axel Springer SE who are listed as a company focused on: Magazines, newspapers, online portals, affiliate marketing. They are also strongly politically motivated and have refused advertising from left-leaning political groups, etc.

They also have taken $25 million from European Investment Bank, a bank run by state leaders - so basically they are partially funded by the EU.

Qwant also has a partnership with Microsoft.

Yet, as stated above, Qwant: has not had a case of breaking user trust, I personally continue to trust them. They are always open and honest about investments and partnerships and don't leave me thinking they have anything to hide, and in fact, if they were caught giving up personal info, it would destroy their business.

And that's where I fall with StartPage. They did shake the trust I had placed in them by not being forthcoming w/ all of this information (they didn't actually hide it, but it wasn't really "announced" either). It was hard to get answers immediately which actually led to their delisting, but as I stated in a previous post, they have worked hard to right that wrong. I have been happy with the level of outreach they have done and a lot of it wasn't public.

StartPage does have a unique situation in which they are owned more than 50% by a company not known for its privacy, the opposite really, though I do think there are major financial reasons for them to want StartPage to remain as private as it is.

And for the record, I am 100% against ALL VCs and I am personally 100% anti-capitalist. However, I know the world I live in and sadly for these businesses to survive, they often feel these are their only options. My hope is that the good ones hold firm to their principles along the way. I don't know the intimate details of StartPage's finances, but perhaps this was the only way for them to stay in business, and if so, I can at least be glad that a well respected privacy search engine is still in the mix. I hope they continue to be who they say they are, and the ball's now in their court to continue to prove they are.

@arbinceed

Danarel you are of course making good points. It is though a lot of let’s hope, from what we know, that we can trust these companies with our data up until we really know differently. That’s not how a privacy focused advocacy group can work. With this logic we should also be recommending google and MS Win 10. They wholeheartedly tell us that they don’t really collect any data that couldn’t be de-anonymised and that would never ever violate our privacy.

So you say but look all the other companies DDG, Qwant, etc. they all do have investors and some rather not very privacy friendly ones. Whom could we then possibly recommend? That’s exactly the point. Maybe you can’t recommend any searching engine run by a company. The point of a group advocating privacy is not by all costs to produce a list of recommendations, but rather inform people of what the risks and the status quo are. List for each company the facts you know. Make people aware that only because e.g. DDG swears to protect your privacy and we have no other information to prove them wrong, we in the end can not possibly know what they really do. Is that a recommendation? Well it’s the truth of the status quo. Maybe recommend free and open source searx instances. Make people aware that – ok even then - someone dubious could be running that instance. Maybe one can create an instance that has a security audit every year or so to make sure that they indeed do what they claim to do.

We can’t for instance recommend people the TOR browser letting them believe if you use that browser under no circumstances whatsoever could someone find out your true identity. It is far more complicated than that. And for less tech savvy people maybe almost impossible to achieve. But it is still worthwhile recommending as a very good starting point. Don’t give them the illusion of perfect anonymity.

So likewise in the search engine field it may be that in the end we are facing a situation where it is almost impossible to have a clear cut indisputable recommendation of a search engine that protects your privacy. All we as privacy advocates can do is list the facts. List the investors, list the way companies have behaved, have communicated, etc. in the past.

And having a privacy violating investor holding the majority of your company must be at least slightly suspicious especially with the way it was communicated (but even with proper communication). Saying now we had a nice open conversation with the CEO and all seems fine is not very convincing to say the least. What on earth is this guy supposed to have told you? And neither was your communication out in the open. I can claim I had a very convincing private discussion with the CEO of xy company. Rest assured all is fine…..

It seems your site has an effect. They (startpage) are now trying to do damage control. If your site has such an effect you have great responsibility. Other companies may be watching as well. By the way you react you can set a standard letting them know what kind of miscommunication is acceptable and which isn’t.

In the end most people will drop by your site look at a list of recommendations and start using whatever you listed. Put at least a red or if you will an orange flag on it with more detailed information for anyone who would be interested in making a more informed decision.

@danarel
Contributor

danarel commented Dec 7, 2019

In regards to the email with the CEO, the OP has his responses from the email to the specific questions we in order to even consider releasing which is what we were seeking. We found a couple questions went unanswered in his post on StartPage and he clarified them in the email which is posted above.

@RoughCurve

RoughCurve commented Dec 7, 2019

There are a few privacy questions to how Startpage operates.

Why proprietary? Since it seems that Startpage operate as a proxy/meta search engine, why do you need to hide your code? However, Startpage claim to 'certify' their privacy practices by another company.

Why not just use SearX/YaCy instead? It's open source and you can self-host. As I understand, SearX and Startpage work on the same principle.

System1 is a marketing company which invested 270m in behavioral tracking to maximize their profits. They have a long list of small search engines that they purchased. They also have a privacy browser called 'Hushbrowser', with a pretty scary privacy policy.

I didn't find an explanation to the fact that 80% 90% of Startpage's traffic goes through http://inspire.scot, a WordPress site riddled with trackers.

System 1 is funded by Raine Group. Raine Group money comes from China Media Capital which has ties to Shanghai Municipal Government and Chinese Communist Party.

The case is stronger especially since Startpage hasn't (maybe I missed it?) commented about the fact that System1 is a behavioral marketing company. They should've been more transparent about the nature of this investment and it seems that we're witnessing damage control.

According to Startpage:

  • The founders remain in their positions leading Startpage BV. Robert Beens remains CEO of Startpage and continues to manage the company.
  • Contractually, in their leadership positions, the Startpage founders may unilaterally reject any potential technical change that could negatively affect user privacy; notice must be given to end users for any privacy-related change as well.

Are they claiming 'nothing changed' sincerely? Or is it just whitewashing like the Hushbrowser?

From the same page they claim:

System1’s businesses generally do not involve building or maintaining user profiles and little user information is processed or stored within System1.

It seems they are wrong/misleading. Instead, System1 lets 3rd parties do it:

They may use this information to provide you with interest-based (behavioral) advertising or other targeted content.

And they do it themselves:

We also may use these technologies to collect information about your online activities over time and across third-party websites or other online services (behavioral tracking).

Even their investment partner says so:

System1 is a digital marketing business that provides targeted internet advertising services. The Company is an online lead generation business that utilizes data and technology to source targeted leads using various digital media (e.g. display ads, email, social network ads) which it then monetizes through pay-per-click networks. System1 maintains a data and technology platform that enables the Company to evaluate purchasing behavior and create highly targeted audiences that are customized to advertiser demand.

In any case, my opinion is that Startpage's founders made a mistake. There is a clear conflict of interest. System1 is eating a lot of small search engines, will there be competition when they finish their meals?

It's true that we should examine and maybe show 'flags' for other companies as well, for example, Mozilla is 95% funded by Google, and it should be noted.

@danarel
Contributor

danarel commented Dec 8, 2019

Why proprietary? Since it seems that Startpage operate as a proxy/meta search engine, why do you need to hide your code? However, Startpage claim to 'certify' their privacy practices by another company.

I don't have an answer to this, but I think the same can be said of DDG, etc. So in this case, I don't find this disqualifying.

Why not just use SearX/YaCy instead? It's open source and you can self-host. As I understand, SearX and Startpage work on the same principle.

Personal preference I'd say. I personally use DuckDuckGo because I like the results. I use StartPage as a backup (I have found startpage is better when I am looking for help w/ code, etc.). I don't use SearX because I generally don't find the results up to par.

System1 is a marketing company which uses behavioural tracking to maximize their profits. They have a long list of small search engines that they purchased. They also have a privacy browser called 'Hushbrowser', with a pretty scary privacy policy.

I mean, this entire issue is because of System 1. Nothing you're saying here is news. However, I will always laugh at how TechRights is being used as a source. I linked them when this first started and once I realized they don't even have an SSL cert, and when asked why said they couldn't get one yet, I stopped taking them seriously. They have zero clue what they are doing.

I didn't find an explanation to the fact that 80% 90% of Startpage's traffic goes through http://inspire.scot, a WordPress site riddled with trackers.

As far as I know, none of us have asked SP about this, but here's a pretty good explanation: https://forum.privacytools.io/t/85-of-startpage-traffic-sourced-from-one-site-per-alexa/2003/4?u=danarel

I am going to skip quoting some of the rest of what you said only because none of us are defending System1 and I don't think any of us will.

But I wanted to bring it back to this:

Are they claiming 'nothing changed' sincerely? Or is it just whitewashing like the Hushbrowser?

This is the entire argument I have laid out. Do we have reason to believe they are not being sincere? That's the entire crux of this argument. I believe we do have a reason to think it, and I am not going to demand anyone agree with me. I have said it a million times, I think the ball is in their court to prove it to us. Which is one reason I have said in re-listing I think a flag that links to this information is important so that people can make an informed decision on what products and services they choose to use.

I am going to skip some more again because I think it's just more System1 hate and again, none of us are trying to defend what System1 does.

It's true that we should examine and maybe show 'flags' for other companies as well, for example, Mozilla is 95% funded by Google, and it should be noted.

And here lies the problem. At some point we are just flagging everything and then what's the point? Mojeek just announced a large private investment, Mozilla has Google, DDG has VC's Bing, Yahoo, Yandex, StartPage has VCs, and on and on and on.

Yet, we need to be careful because we can't only recommend self-hosted products. 1, they aren't always safer, and 2, that's a lot to ask of your every user. So we need to offer the best available and the most accessible, and flags on everything just tells the user, "you may as well just use Chrome because everything's fucked anyway!"

@itookyourusername

itookyourusername commented Dec 8, 2019

Mozilla has Google, DDG has VC's Bing, Yahoo, Yandex, StartPage has VCs, and on and on and on.

“What about them”... Usually not the best argument. And falsifying this discussion by bringing TechRights to the table just feels like gaslighting.

For instance: Mozilla is non-profit, open source, there are no shareholders. And there is a difference between revenue and investment.

@Mikaela
Contributor

Mikaela commented Dec 8, 2019

It seems that I have only commented on this internally, so I could also tell here publicly that I am indifferent about Startpage and whether it gets relisted or not.

I wonder if there should be a forum poll as GitHub may not be the most popular tool in the community and I would find requiring registration on a third-party service (Reddit) a bit distasteful.

@RoughCurve

Do we have reason to believe they are not being sincere?

I think so. From my comment above Startpage said in a support post:

System1’s businesses generally do not involve building or maintaining user profiles and little user information is processed or stored within System1.

We know this is either a lie or they haven't profiled the company investing in them (which I doubt).

What I also find misleading about Startpage's actions is waiting for so long to disclose this majority investment:

Public records show that both Michael Blend (co-founder of System1) and John Paul Civantos (Managing Partner at Court Square Capital) joined the Surfboard Holding board of directors on December 31, 2018.

Yet Startpage’s leadership did not make any announcement of this change until October 2019, where they described it as a “most recent” change.

From a blog with a valid SSL cert, and a tracking script in the background. Yet, I do not "disqualify" any blog post which writes based on open source knowledge, which I/you can verify when I quote, especially when they link sources.

You said:

flags on everything just tells the user, "you may as well just use Chrome because everything's fucked anyway!"

Telling privacytools.io's users that by using the recommended software and services they are now private would be misleading. We all have to know that by taking steps towards privacy respecting software we are making a statement, along with avoiding being "low hanging fruit". I like a quote from a recent EFF article:

Finally, keep in mind that none of this is your fault. Privacy shouldn’t be a matter of personal responsibility. It’s not your job to obsess over the latest technologies that can secretly monitor you, and you shouldn’t have to read through a quarter million words of privacy-policy legalese to understand how your phone shares data. Privacy should be a right, not a privilege for the well-educated and those flush with spare time. Everyone deserves to live in a world—online and offline—that respects their privacy.

We have to resist the "all or nothing" approach, we can only take some of our privacy back, bit by bit. I think that aligns with showing the caveats and conflicts of interest of "privacy-respecting" companies, accepting that we are more private using them, but it's never a 100%.

Even after all their shady practices, there is no evidence they violated anyone's privacy.
Whether we relist or not, we should flag good and bad (to avoid bias to either side) practices (with crowd sourcing). We don't have to 'flood' new users with information, we can implement it so it'll be 'extra' information.

@blacklight447
Collaborator

blacklight447 commented Dec 9, 2019

To add on the "why proprietary" question: as this is a service, knowing the source code will give you almost zero benefit, as you are completely unable to verify that the code they publish is the code they run.

Sure you can make your own instance if the code is open source, but then we are at the point where we are recommending the software, not the service.
EDIT: words.

@dawidpotocki
Contributor

dawidpotocki commented Dec 9, 2019 via email

@smnthermes

it's the fact that DDG has not had a case of breaking user trust

https://archive.is/qntuk

@danarel
Contributor

danarel commented Jan 14, 2020

https://archive.is/qntuk

I am not sure this proves what you think it does. I just read this and it sounds like someone trying to make a case, being disproved, and then doubling down. In the end he relies on "they can be compelled" which they have not, and could also fight back in court.

So again, DDG has not had a case of breaking user trust. In fact, the user in this case broke my trust by not admitting they were wrong, and instead doubled down.

@julien-tmp

julien-tmp commented Feb 4, 2020

Not being fully transparent on the ownership and articles of association leaves us with doubt.
I don't see what is the problem with showing the articles of association, especially when you are a company that wants to gain back trust - and for whom it means everything.
