Początkowo opublikowane przez Morkonan:

Początkowo opublikowane przez The Nintendo guy:

..
According to to tosdr.org
They only have a D in privacy, instead of an E, like pretty much 90% of the website.
Impressive

Interesting.

I read through their entry.

https://tosdr.org/en/service/180

Some of their "checkpoints" are false. For instance, Valve/Steam specifically in the Privacy Statement above, informs users it is liable for inappropriate third-party use of any private information if it knowingly gives that data to a third-party for that use. In Tosdr, they claim the opposite and that no liability is accepted by Valve/Steam.

On non-binding arbitration, there are too many instances of applicable Laws and regulations in the Privacy Statement to make a universal arbitration claim... Some of those are "governments" who have "tanks" that will shoot businesses in the face if they violate certain laws.

"Arbitration" here is according to Privacy Shield:

https://www.privacyshield.gov/welcome

That's a body established by the US and EU concerning privacy and privacy-related data exchange. AFAIK, it's arbitration clause does not and can not possibly involve decisions concerning monetary awards. IOW - It's for "data" and how it's handled, only. So, if you "sue" someone, like Valve, for money, it's not something that can be resolved under PrivacyShield. It'd have to then go to the courts involved, "AFAIK." But, let's say you wanted your data entirely removed from Steam or contest how it's used. IF it involves something outside of Steam's current agreement, then it would be subjected to PrivacyShield and its clauses, AFAIK, just so long as you weren't monetarily suing someone. (I'm not an attorney.)


Some of their bullet-points, though... are stupid.

"This service uses your personal information for many different purposes " - Serriously? LOL? How does a website "pass" that qualificaction? By doing what?

Look at the rest of those entries that have been "failed." Quite a few, like the above, are nonsensical. There are few website pages, let alone sites, that would pass those standards... They're too arbitrarily defined.

And, I noticed they gave "Startpage" a great rating. (All passes or whatever?)

That's questionable...

None of the entries they have given a "pass" to involve inquiry into meta-data analysis and practices, there.

https://en.wikipedia.org/wiki/Startpage.com#Merger_and_recent_history

Privacy One Group is owned by... "System!". (The exclamation point is in their trademark.)

http://techrights.org/2019/10/16/startpage-is-surveillance/

https://restoreprivacy.com/startpage-system1-privacy-one-group/

I would be very cautious with Startpage. While it could be attempting to develop predictive algorithms based on search string data and linked behaviors, there's a bit more room there for exploitation. For instance, given enough user activity data and meta-data, it's very possible to identify specific individuals very accurately without having any direct IP/User data. That's the "metadata" debate associated with individual privacy. ie: You can be correctly ID'd without your IP addy being known if someone has access to your behavioral records and can compare them to current metadata. This "could be" what System! is attempting to do and is now using Startpage for in an effort to generate good algorithms. (Getting "real world" data to use to generate these sorts of algorithms is an activity that businesses around the world are competing heavily to find sources for. (Behavioral analysis, even "anonymous" behavior, is big money right now.)

The thing is, though, Steam/Valve doesn't appear to reach beyond its own services or systems and specifically states where and how it takes measures to protect user privacy. Some of the instances of "data sharing" are necessary, like players using the "User your Steam Login" api to log into third-party websites, for example. And, even then, it's a Steam ID, with aunthentication done back at Valve/Steam, AFAIK. (Corrections welcomed) Steam User IDs don't break beyond the NIC wall unless the user has enabled that.

If one reads the Steam Privacy Agreement, there's a lot more protections there going on than anything that website would acknowledge. And, Steam absolutely has to track people's accounts... forum posts... Library contents.. Like many websites, there are certain local tracking features that are absolutely required. Also note - While Steam may use cookies internally, which counts as "tracking," it's not monitoring one's private behavior outside of interacting with the services/website. It IS tracking gameplay, which is a primary activity on the service, and that would "fail" it according to the website you listed.

I'm unsure why that website "tosdr" exists. For instance, it showed Amazon on the front-page, obviously failing. And... there's no way Amazon could function if it "passed" "tosdr's" qualifications. We also all know Amazon tracks anyone, everywhere... But, if it didn't, and just restricted operations to selling junk online and doing absolutely nothing else, it'd likely fail abysmally. Tracking user purchases would fail it, even if it did so in order to communicate those to a shipper.

Is that a meaningful measurement?

I understand why the site exists, but some services cant even allow a user to login without "failing" that website's questions. A ton of those questions just aren't meaningful. I'd be hesitant to place much credibility on its recommendations. In order to be a meaningful answer, the questions have to be.. meaningful in the context in which they're asked.


PS: I am not a Steam Fanboi. I just ain't. I have grown to like the service after being a staunch anti-Steamer from way back. But, I don't "trust" anyone, either. I certainly don't "trust" Steam or Valve. But, if Steam/Valve hold true to the letter and apparent spirit of their Privacy Agreement, it seems to me to be a pretty decent, straighforward, attempt to ensure better privacy than some other operators. Certainly, it's better than Microsoft's, isn't it?

Note: I examined Steam's privacy agreement after reading someone make an assertion that Steam/Vavle's data collection and use of private information may be suspect. I don't see where it is given what is in the Privacy Agreement. If someone has info to the contrary, I'd appreciate knowing it.

Don't forget that steam also has google analytics enabled by default (sadly)
But someone in the steam forums some months ago actually told people how to disable it (and got multiple awards)
But yeah, i understand that google is a F, as a privacy rating (i think nobody will denie that). But that website always seemed a bit fishy to me, but hey at least it's not an F :P
And i also like Steam a lot. It has all the games i want and it's the only games launcher which natively supports Linux, so it isn't like i have a lot of choice to begin with

Początkowo opublikowane przez The Nintendo guy:

...
Don't forget that steam also has google analytics enabled by default (sadly)
But someone in the steam forums some months ago actually told people how to disable it (and got multiple awards)

It explicitly states in Steam's Privacy Agreement that it is enabled, however Steam limits it to a truncated IP address. That means they may get a partial, like regional data, but can not get data for any specific user.

Once again, I reiterate - Reading the Steam PA yields a good bit of information.

But yeah, i understand that google is a F, as a privacy rating (i think nobody will denie that). But that website always seemed a bit fishy to me, but hey at least it's not an F :P
And i also like Steam a lot. It has all the games i want and it's the only games launcher which natively supports Linux, so it isn't like i have a lot of choice to begin with

Google is evil. :/

But, take care with that website and what it recommends. It may have no nefarious intent, but its results and analysis do not yield useful information and could be very misleading.

It could mean that those who trust its judgement will reduce their own diligence when interacting on those websites it "likes." Given the sorts of questions it "rates," I think it's pretty useless for any practical estimation of a website's integrity or the exposure of private data.

For instance, all it takes to find out your specific interests is to pair the "metadata" that contains "no user-identifiable" information from Startpage and then someone buys datasets from someone else and matches that metadata activity. Then, they have... you. Your private information and habits that couldn't have been gained any other way, since you "trusted" Startpage.

It doesn't mean it can be used to hack you or anything, though that's not beyond reason either. But, what it does mean is that the privacy you think you may be getting from a website really isn't exactly what you think you're getting.