Can we really trust privacy policies?

Yes, companies have to comply with their privacy policies, by law. The question is… how can we be sure that they comply? Well, if they are open source, we can inspect the code and see for ourselves, but this isn’t a thing for other companies and such. Even if they are caught, they can easily pay the fines (for example, big tech companies…).

1 Like

The only thing you can trust is code. This is why open source software is often recommended when it comes to security and privacy, providing it has encryption and other security measures implemented.

Another thing worth mentioning is decentralization. It’s very useful for some services, for example, a cloud storage provider, as you wouldn’t have to rely on a single point of failure. And with the nature of decentralization (zero-trust), anyone can be a provider for any decentralized service, which would require every bit of code, both the client and the node sides, to be open source for transparency.

On the other hand, a company’s privacy policy can be used as a reference at best. Whether the said company will follow its privacy policy is another matter entirely. It often requires trust/belief based on the company’s reputation, or even one’s personal belief. Another issue with most privacy policies (if not all) is that they’re useless against a government threat, as the government could use a national security threat as a reason to break anyone’s privacy policy.

7 Likes

My general rule: if I have moderate trust in the organization or developer, I will have moderate trust that the privacy policy was written in good faith and is adhered to.

If I don’t trust the organization or developer, I will be more skeptical towards the privacy policy (both in terms of reading it with a skeptical eye, and skeptical that they will follow it closely).

So the less trust I have in a developer, the less faith I’ll have that the privacy policy will offer meaningful guarantees or protections.

Another factor is that even if I don’t have high trust in a particular organization, there are situations where I will still place some faith in the privacy policy, not because I trust the developer to voluntarily honor it, but because I trust that the community backlash would cause more trouble for the developer than they would stand to gain from violating the privacy policy.

4 Likes

You can trust them, but if the code is closed or obfuscated, we have NO guarantee that they actually do what they wrote. The only way to protect yourself from that is to use only open source software. Or you have to believe someone’s word without any proof.

3 Likes

That sums it all up extremely well 🙂

If the code is obfuscated, there is (circa) a 75% chance we can deobfuscate it (either manually or via script). When the code is closed (there is no code, basically), we have to rely on the dev’s word(s).

“Trust is good, control is better” as the saying goes. On second thought trust is pretty bad and unreliable in this space. There are always cases in which companies do not follow their own privacy policy and end up with a class action lawsuit, which ends up with the victims having to submit their data through some crappy online form just to get $5 out of the settlement while the lawyers run off with eight figures.

It’s generally advisable to always assume you are being watched on the internet and act accordingly. Likewise, you can always assume that once you put your data on somebody else’s server, it’s no longer in your control and you can’t be certain that it’s truly gone after deleting it.

I’m also not trying to imply that every company is malicious. I’ve worked with too many companies that had to abide by GDPR and other laws, but didn’t have a plan for what to do in the event somebody requested their data to be deleted. Oftentimes companies will try to do the bare minimum to be in compliance, but generally don’t go beyond that. In most cases, nobody really takes notice of it, since nobody wants to deal with it. No oversight tends to lead to no accountability.

In any case, this is why good OpSec is paramount if you care at all about your data. Never rely on a site’s ToS or privacy policy regardless of their reputation. That is not to say you can’t take their reputation into account, for example when choosing Mullvad as a VPN provider. However, it still doesn’t make you anonymous and it shouldn’t make you complacent. Complacency is the killer of any good OpSec.

4 Likes

That’s available in the USA, where the law system is as damaged/broken as one doesn’t even dare to imagine. There is a very minimal chance of this happening in the EU.

Just because the EU has stricter laws and better enforcement, doesn’t render it a safe system. A fine is often considered part of the cost of doing business. Ultimately, I would not rely on the enforcement especially given the frequency of violations and it’s unclear how many companies are getting away with the violations. Here is a tracker of GDPR violations: https://www.enforcementtracker.com/

2 Likes

Policy isn’t really meaningful if the laws do not have teeth to punish the privacy policy offenders.

In my country, I see a lot of companies use the term “Privacy Notice”, carefully avoiding the word policy because of probably not having any actual set of company policies or any enforcement/auditing on them.

I don’t think I’ve heard of any big company getting in any legal trouble for having privacy issues. Then again, I have no time for local news.

1 Like

I believe you can never be sure about a privacy policy unless the code is open source and enforces the privacy policy.

If a privacy policy says they will never turn over message contents, the code must verifiably have E2EE that they cannot circumvent. Likewise, if a privacy policy says they will never turn over customer IP addresses, it better contain or support Tor or a similar IP protecting technology.

2 Likes

…then you should be 95% certain they will turn over message content. Today data is expensive and greed is everywhere, man.

To answer the question posed as the title: no, we cannot trust privacy policies.

1 Like

That’s why I suggest that (regarding message contents) E2EE should enforce the policy, so that the service has no ability to violate it.

1 Like