Don’t you think that we should put one criteria about privacy in these 4 sections ? Mainly to not use privacy-invasive analytics ?
We could use the email client criteria : Must not collect telemetry, or have an easy way to disable all telemetry.
We could inspire from the email providers criterias :
- Privacy policy that meets the requirements defined by the GDPR.
- Don’t require personally identifiable information (PII) besides a username and a password. (I don’t think any service would meet this one)
- (Do not store the IP adress)
Or apply/adapt this criteria from the password manager section : “Must not collect more PII than is necessary for billing purposes.”
For these 3 sections, the only criteria about privacy seems to be end-to-end encryption but I think this is not enough for a cloud service to be privacy respecting. See Apple. Metadata leaking is a privacy issue. Thus I think we could also add a criteria about metadata, like encrypting it.