(I got access to thinkspot beta and this was my first post on that platform. I decided to crosspost it here to increase awareness of thinkspot, and also because the issues I raise here are relevant on other social media platforms as well.)
Hi, I’m Joel, and I eat Privacy Policies for breakfast.
I’m thrilled to be among the first users of a social platform that encourages free speech and exchange of ideas, driven by the idea of diversity of minds – the true diversity – not the superficial diversity of how we look or where we come from. However, there can be no free speech without privacy. In a similar vein, Snowden famously wrote a few years ago that “Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” Well, I care about both. It makes a lot of sense then for my first contribution on this platform to be an analysis of thinkspot’s Privacy Policy.
All comments concern the Privacy Policy dated as effective starting August 8, 2019. It seems that they don’t keep an archive of old policies, so I took the liberty of archiving this one myself. They do, however, notify users “in advance of any material updates to this Privacy Policy by providing a notice on the Website or via email”, so that’s a good thing. Here are some of the most notable parts of the policy.
The policy starts by making a clear distinction between personally identifiable information (PII) and aggregated information. These two concepts are something I’d like to see stressed more in media and other privacy conversations, as they are essential to understand when contributing to the wider discourse of data sharing and protection. Quote:
“If we are able to identify or locate you using the information we collect, we call that “Personal Information.” Examples of Personal Information include your name, email address, mailing address, phone number, and IP address. Some information we collect we cannot use to identify or locate you. Examples of this non-personally identifiable information include aggregated information about traffic and activity on the thinkspot”
However, it’s good to remind ourselves that even data that would normally not be categorized as personally identifiable has been demonstrated many times to be suitable for identification after all – all it takes is a good enough algorithm. For example, in a 2018 study “You are your Metadata: Identification and Obfuscation of Social Media Users using Metadata Information”, researchers were able to identify individuals from a pool of 10,000 Twitter users with a stunning 96.7% accuracy.
Before delving deeper into the text, I have to highlight this short sentence that I’d like to see used more in privacy policies:
“If you consider information or content particularly sensitive and do not want us to collect it, do not share it with us on thinkspot.”
Practice good OPSEC, people: keep that confidential information out of social media.
Most of the data thinkspot collects is pretty standard. Not saying that’s good, but it isn’t particularly bad either. For example:
“We collect information from about the computers, phones, and other devices that you use to access thinkspot. We may also combine this information across different devices you use. Information we obtain about your devices includes, for example: device identifiers (such as IP address and device ID); attributes (such as operating system and software version); network and connections (such as mobile operator and internet service provider); and cookie data (such as cookie ID and settings).”
The policy goes on to list different data collection technologies, including cookies and web beacons. A lot of this is again standard practice, but that doesn’t mean you as a user are forced to agree with any of that. With smart browser and browser extension choices, most if not all of those can be blocked. Here’s a screenshot of what trackers get loaded when opening up the main feed on thinkspot:
When you keep scrolling down your feed, a new tracker will be loaded every time you come across an embedded YouTube video. Note that you don’t have to watch or even click anything in such a post; YouTube wants to start tracking you from the impression of the video. I haven’t tried loading the page without an adblocker, but I do find it strange that Google Ads / DoubleClick trackers are loaded as well, considering I’m a paying subscriber on the service. That Hotjar tracker is used to create cursor heatmaps that are then used for site improvements and such. Yeah, thinkspot tracks your cursor if you let them.
Most browsers have a DNT or “Do Not Track” setting in them. This is often pretty much useless, as nothing forces any website to adhere to it; it’s more of a gentlemen’s agreement type of a deal. However, I’m still a bit bummed to see that thinkspot chose to ignore it:
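To reproduce this kind of tracker inventory without a screenshot, the sketch below summarises third-party hosts from a HAR export (browser devtools, Network tab, "Save all as HAR"). It is an added example, not part of the original post or thinkspot's code; the tracker map is an illustrative, incomplete assumption, and `social.example` and the sample HAR entries are constructed placeholders.

```javascript
// Added example. KNOWN_TRACKERS is illustrative and incomplete (assumption);
// "social.example" and SAMPLE_HAR are constructed placeholders.
const KNOWN_TRACKERS = {
  "doubleclick.net": "Google Ads / DoubleClick",
  "hotjar.com": "Hotjar",
  "youtube.com": "YouTube embed",
  "ytimg.com": "YouTube embed",
};

// True when host is the domain itself or one of its subdomains
// (so "nothotjar.com" does not match "hotjar.com").
function matchesDomain(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// One row per third-party host: vendor (if known), request count,
// and whether any request to that host carried cookies.
function auditHar(har, firstPartyDomain) {
  const rows = new Map();
  for (const entry of har.log.entries) {
    let host;
    try {
      host = new URL(entry.request.url).hostname.toLowerCase();
    } catch {
      continue; // malformed URL
    }
    // data:/blob: URLs have an empty hostname; first-party traffic is out of scope.
    if (!host || matchesDomain(host, firstPartyDomain)) continue;
    const known = Object.keys(KNOWN_TRACKERS).find((d) => matchesDomain(host, d));
    const row = rows.get(host) ||
      { host, vendor: known ? KNOWN_TRACKERS[known] : "unclassified", requests: 0, sentCookies: false };
    row.requests += 1;
    if ((entry.request.cookies || []).length > 0) row.sentCookies = true;
    rows.set(host, row);
  }
  return [...rows.values()].sort((a, b) => b.requests - a.requests || a.host.localeCompare(b.host));
}

const req = (url, cookies = []) => ({ request: { url, cookies } });
const SAMPLE_HAR = { log: { entries: [
  req("https://social.example/feed"),
  req("https://static.social.example/app.js"),
  req("https://www.youtube.com/embed/VIDEO_ID", [{ name: "id", value: "constructed" }]),
  req("https://i.ytimg.com/vi/VIDEO_ID/hq.jpg"),
  req("https://script.hotjar.com/modules.js"),
  req("https://stats.g.doubleclick.net/collect"),
  req("https://stats.g.doubleclick.net/collect?again=1"),
  req("https://cdn.fonts.example/font.woff2"),
  req("data:image/png;base64,AAAA"),
] } };

console.table(auditHar(SAMPLE_HAR, "social.example"));
```

Capture one HAR on page load and another after scrolling past an embedded video; diffing the two outputs shows which hosts appear on impression alone.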
“At present, thinkspot does not respond to “Do Not Track” signals and consequently, the Website will continue to collect information about you even if your browser’s “Do Not Track” feature is activated.”
Another aspect that’s completely ignored in this policy is privacy-related legislation. As an EU citizen, it of course strikes me as odd that GDPR isn’t mentioned even in passing, but neither is EU-US or Swiss-US Privacy Shield. Also missing is any mention of California’s “Shine the Light” law. Generally speaking, the section about your data rights is pretty slim in this policy.
But I’d still like to end this short article on a positive note, and that’s the fact that thinkspot does not process children’s data:
“thinkspot is not intended for or directed to children under 13, and we do not knowingly collect Personal Information directly from children. If we become aware that we have collected Personal Information from a child under 13, we will immediately delete such Personal Information.”
—
In the end, a lot comes down to two things:
- What is your threat model?
- Do you aim to stay anonymous on the platform or not?
Personally, I decided to sign up with my own name and personal email address, like I did with my Twitter account. Why?
Because what freedom is there in freedom of speech if we have to hide ourselves while exercising it?
There’s a time and place for truly private conversations, but in my opinion, social media by definition is not suitable for that.