Digital privacy and rating tech companies’ policies

Tom Bryson explains why the issues of privacy and surveillance are particularly important when looking at tech companies, and how Ethical Consumer ranks them in the tech guides.

If you’re not paying for the product, you are the product

This phrase is frequently invoked to describe how much of the modern internet works. The digital tools many of us rely on are rarely free in the true sense of the word; instead, they are funded by the collection and monetisation of data about our interests, habits, and behaviour.

Yet, despite growing awareness of this reality, many of us are willing to accept the Faustian bargain. After all, the information being collected often seems trivial, and the systems that capture it are remote and complex. Do I really care if Google knows I need new hiking boots? And if Facebook understands my political views, then so what? I wear them on my sleeve anyway. Surely there are more important things to worry about?

But when we look at the broader picture, we begin to see how the mass-harvesting of our data is fuelling a broad transfer of power and wealth away from citizens, workers, and small businesses and into the hands of large corporations and increasingly authoritarian states. 

Technofeudalism

On an economic level, the mass accumulation of data has enabled the transition towards what Yanis Varoufakis calls “technofeudalism”, in which companies like Google, Amazon, and Facebook own and control the markets that others are forced to compete in, charging fees and rents and manipulating markets in their favour. Once established, the companies are free to leverage their market dominance to maximise their profits by driving up the costs for other businesses operating on their platforms while degrading the overall quality of their services.

Systems driven by user data also have a destabilising effect on democracies. Data-driven algorithms designed to keep users engaged can serve up misinformation, driving conspiracy theories and extremism.

The advent of AI tools has added a new dimension to data privacy concerns. Companies now harvest vast amounts of data for model training, including individuals’ personal data, raising new privacy concerns (alongside the significant issues around plagiarism). The tools themselves exacerbate existing online safety issues by facilitating the spread of misinformation and enabling hackers and scammers to carry out attacks more easily. 

State surveillance

Governments have taken advantage of the data-driven online ecosystem to ramp up surveillance of populations, including by accessing the data collected by private companies.

In the United States, agencies like ICE have relied on extensive surveillance and data analytics to drive their brutal programme of detentions under Donald Trump.

Meanwhile, in China, digital platforms such as WeChat are closely integrated with state surveillance and serve as powerful tools for social control.

The UK government has also recently pushed for greater access to privately held personal data, including in a legal dispute with Apple, where it argued it needed to access users’ data in the event of a “national security risk”.

Prioritising privacy

We advocate choosing digital tools that prioritise privacy to limit how much we feed into this destructive surveillance system.

Private tools are not always used for virtuous reasons, however, and it is important to acknowledge the ethical tension that arises from the fact that tools that allow anonymity online may also permit various forms of online criminality and abuse to go undetected.

Conversely, crime prevention and national security are frequently given as pretexts to crack down on civil liberties such as freedom of expression and the right to protest.

We have chosen not to penalise companies for complying with legal data requests; instead, we have taken into account the jurisdictions in which they are incorporated as an indicator of their exposure to intrusive government surveillance.

How Ethical Consumer rates companies for data privacy

In our guides to web browsers, search engines, social media, and AI tools, we have rated companies on their overall privacy approach and on specific criteria for each tool. Digital privacy can be difficult to gauge because data is recorded in complex, invisible ways.

Companies are obliged to publish privacy policies that offer some information, but this means taking companies at their word; moreover, companies are known to use deliberately vague wording to disguise their actual practices. 

While no single metric is watertight, by combining data points across a range of criteria, the Ethical Consumer rating aims to provide a balanced assessment of companies’ overall approach to privacy.

General digital privacy ratings

All companies in the social media, AI tools, browsers and search engine guides have been rated on the following criteria:

  • Whether the company states in its privacy policy that it may use your data for Targeted Advertising. Companies engaged in this were considered more likely to collect excessive user data.
  • Whether the company states that it may use your data for AI model training. While public data across the web is scraped by AI companies for training, often without consent, actively collecting user data for model training was considered a particular privacy concern.
  • Where companies offered a combined ecosystem of disparate services accessed via a single user account, this was considered an important privacy risk, as companies can combine data points from across different areas. Google is a notable example, as it can combine data from searches, documents, YouTube views, location, payments, advertising, and more into a single profile.
  • Country of Incorporation – We referred to Freedom House’s Freedom in the World index to group countries into tiers based on the laws the company may be subject to and the level of data protection afforded. Companies may be legally compelled by law enforcement in their home jurisdiction to disclose user data even when it is stored or processed in other countries.
  • External criticism – companies were marked down where we found significant criticisms regarding data protection or privacy issues from reputable news sources.

Specific digital privacy ratings for different tech products

As well as the above criteria, Ethical Consumer's digital privacy rating also includes product-specific criteria for the different tech products, e.g. web browsers.

Social Media

Social media platforms are typically a goldmine for data collection and surveillance, given that users voluntarily share extensive personal information.

The following criteria were used to judge the level of surveillance that platforms are likely to be carrying out:

  • Whether the platform included a personalised feed of ‘recommended’ content, as the algorithms used for these tend to be driven by personal data. These types of algorithms are also linked to social harms like political polarisation and mental health issues.
  • Whether the company tracks users across third-party websites using tracking pixels or embeds (as stated in its Privacy Policy).
  • Whether the platform includes end-to-end encryption on private messages. Without this, the company or host may be able to access and analyse message content.
  • Apps listed on Google’s Play Store are required to disclose what types of data they collect from users’ mobile devices and for what purposes. We combined the data types listed (giving greater weight to data collected for advertising or personalisation) as a broad indicator of the level of data harvesting.


Web browsers

As the portal via which online platforms and websites are accessed, the web browser plays an important role in online privacy. Many browsers have features designed to help prevent users from being tracked across the web.

The rating looked for whether browsers included five key privacy features:

  • Anti-fingerprinting protection, which helps prevent websites from uniquely identifying users based on device and system characteristics.
  • Blocking third-party cookies by default, which reduces external advertisers' ability to track users across different websites.
  • Built-in tracker blocking, which helps prevent known tracking scripts from loading.
  • Stripping tracking parameters from URLs, removing identifiable data embedded in links that can be used to monitor user activity across the web.
  • IP anonymity, using a built-in VPN or integration with networks like Tor. Concealing a user’s IP address makes it more difficult to track browsing activity back to an individual device or location.

These are simplified indicators, but taken together, they provide a reasonable overview of the browser’s approach to protecting against online tracking.


Search engines

Our searches and clicks can reveal a lot about us, including our interests, health information, location, political affiliations, and more. 

Search engines were assessed using the following criteria:

  • Storing search queries (on a per-user basis). Google dominates the search market and stores users’ search histories as part of a detailed personal profile that it sells to advertisers. Several privacy-focused alternatives do not store this information.
  • Displaying targeted ads. Targeted advertising creates an incentive to harvest user data. The ads themselves may also contain trackers that collect our data.


AI tools

As a technology, generative AI has enormous implications for our online privacy (whether we use the tools or not). Moreover, many people are turning to chatbots for advice and disclosing intimate details about their lives. 

The following criteria were used to compare the privacy approach of AI tools:

  • Does it use chats for model training? When the private information we share with chatbots is used to train the model, it could be regurgitated elsewhere in uncontrollable ways.
  • Does it store conversation history on its servers? Privacy-focused AI tools such as Proton’s Lumo keep conversations private by storing them only on the user’s device.
  • Zero-access encryption on chats means that even the service provider cannot read stored conversations.
  • Is the tool built on open source software, which can be independently audited for how it uses and stores data?

NB: The separate privacy ratings for companies' various products add up to their overall privacy score on the score tables in the tech guides. Subscribers can view each separate rating on the online score tables of these guides.