Here WeGo (Navigation)

Splitting from the discussion on adding Add Navigation (GPS) tools

Why I think this tool should be added

It seems to me that we should have a look at this app separately from the discussion on adding the category itself, like discussions already exist for the other options.

Section on Privacy Guides

Navigation

See also Add Navigation (GPS) tools - #17 by Regime6045

HERE in 2020 seemed to do some targeted advertising per WIRED, see

Also, it is good to know that they are owned by a consortium of 3 car companies. On the one hand, I see this as a clear incentive for not doing shady stuff as they don’t need to for money.

On the other hand, car companies now have a bad reputation for privacy.

It is based in the Netherlands, so it will most likely follow GDPR.

1 Like

Setup process for HERE:

I wanted to contribute my grain of salt about Here WeGo.

First of all, thank you very much for your work at Privacy Guides. It’s my go-to resource for information on more private tools, so kudos to you all for the effort you put in.

Now, about Here Technologies. One of the companies I consult for on data protection issues started using one of their solutions (Asset Tracking) about a year ago. This meant I was in charge of performing some due diligence on Here’s GDPR compliance, including their Asset Tracking product. This was my first time reading about Here Technologies’ solutions, and I didn’t even know about their WeGo app until then. The company I was consulting for, being EU-based and highly privacy-sensitive due to the nature of the goods they handle, was ultimately very impressed with Here’s approach to data protection.

Here’s Approach to Data Protection

@Regime6045 has already provided an excellent overview of Here Technologies’ Privacy Notice, so I don’t have much to add on that front.

From my experience, Here Technologies’ Privacy Notice looked far superior to those of many similar services. Privacy seems to be a priority for them, and they extensively apply data minimisation and pseudonymisation measures in line with the GDPR, which is great to see.

Now, one aspect worth mentioning is that Here Technologies has achieved ISO 27701 certification. This is a step in the right direction as it integrates privacy considerations into their ISMS (not just security). In contrast, for example Google Maps doesn’t have this certification. In fact, they didn’t have it when the company I was assisting was evaluating solutions, and after a recent check, they still don’t. Frankly, I doubt Google Maps could obtain ISO 27701 certification due to their extensive handling of sensitive location data for behavioural advertising. ISO 27701 emphasizes transparency in data handling, also requiring clear communication about how data is collected, processed, and shared. For Google Maps, meeting these standards would require significant revisions to their privacy practices… something highly unlikely.

In contrast, Here Technologies has ISO 27701 certification, which I found reassuring.

That said, I’m not claiming Here WeGo is perfect. It’s not. However, after reviewing their extensive documentation, including ISO 27701 materials, I felt confident enough to use the app for my personal purposes. Unfortunately, you’ll have to take my word for it because their ISO 27701 documentation is not publicly accessible without an NDA.

My Personal Experience with Here WeGo

Before hearing about Here Technologies, I mainly relied on OsmAnd (for biking, walking, etc.) and Google Maps (for public transport and real-time navigation with traffic). As a Windows and Android user, I didn’t think there was a viable alternative to Google Maps. But after discovering Here WeGo, I decided to give it a try and was pleasantly surprised.

I live in an EU city, and Here WeGo works perfectly for public transport and general traffic. After a couple of weeks using both Google Maps and Here WeGo, I decided to switch entirely to Here WeGo and haven’t looked back. I still use OsmAnd for hiking since Here WeGo can’t compete in that area, so my current setup is Here WeGo + OsmAnd, which I think is the perfect combination for privacy and usability (at least in Europe).

That said, in terms of usability, Here WeGo is still not flawless. Google Maps is ahead in some respects. For instance, Here WeGo works great in my city, with accurate public transport information and even up-to-date restaurant listings. However, when I travelled outside Europe (to Egypt and Southeast Asia) this past year, Here WeGo’s performance was disappointing. It was better than OsmAnd for traffic, but nowhere near as reliable as Google Maps. Unfortunately, I had to rely on Google Maps during those trips, though I mitigated some privacy concerns by using it on a separate profile on GrapheneOS.

Conclusion

I’d love to see Here WeGo mentioned in Privacy Guides; not necessarily as the most private or transparent option (it’s not open source, after all), but as a generally privacy-friendly app with reliable real-time traffic data. To mitigate any potential risks, I’d recommend using the app without creating an account, as it’s not required. Now, if you do decide to create an account for some reason, consider using fake data.

4 Likes

What does this entail?

Could you explain more?

1 Like

Well, ISO 27701 is an extension of ISO 27001, which is probably the gold standard when it comes to security certifications. ISO 27701 builds upon the security framework of the former certification and aims to demonstrate compliance with privacy and data protection practices. It’s an expensive certification to achieve, involving an extensive audit by a certification body like Bureau Veritas. They check a series of operational controls related to privacy, from data processing activities to personnel training and adherence to laws and regulations.

Before even going for this audit, companies usually engage one of the big four (Deloitte, PwC, EY, KPMG) for consulting and advisory services to prepare, which is, of course, very costly and takes considerable time and effort. Once a company secures ISO 27701, it’s a strong indicator of compliance with GDPR and other privacy regulations. To maintain this certification, regular external audits are required.

In my line of work (checking businesses for GDPR compliance), seeing an ISO 27701 certification (which is quite rare) makes my job significantly easier. To me, having this certification is already a great relief in terms of privacy considerations. However, it’s a very strong indicator, not a bulletproof guarantee. Anyone conducting a compliance check on an ISO 27701 certified business should still review the ISO Report. The nice thing about this certification is that a compliance check, which might usually take weeks, can often be completed in just a few hours… usually, the time it takes to read the ISO Report, which is great!

You can find proof of their certificate here: ISO Certificate Directory | Schellman

About Asset Tracking, this was essentially what the company I was helping was looking for: HERE Asset Tracking | Real-Time Asset Visibility | Solutions | HERE. Unfortunately I can’t offer more specific details as I’m still bound by confidentiality obligations.

Okay this looks great.

I am still not sure what criteria we should settle on.

Just to be clear, what advantages does Here WeGo have over Organic Maps and OsmAnd~ respectively?

Mainly live traffic info, and for some countries also better map material

1 Like

Does this include better nav recommendation or is it just for info?

Sounds a heck of a lot like security by obscurity. Sorry, but this doesn’t make much sense to me.

Also, I really want to emphasize that audits are not some “golden standard”. It is really the bare minimum usually. Although I like to see that they did that, you shouldn’t overvalue it.

1 Like

Requiring an NDA for ISO 27701 reports isn’t security by obscurity. It’s simply a practical decision. For-profit businesses with closed-source code often use proprietary processes, tools, or methodologies to ensure security and privacy. Naturally, they don’t want to reveal these details publicly, as doing so could expose sensitive business information to competitors or even bad actors.

ISO reports (like 27001 and 27701) are also highly technical and tailored to the specific risks and needs of the company. Sharing them openly could lead to misunderstandings by non-specialists, creating unnecessary concerns or confusion. On top of that, these reports might contain sensitive details about employees, customers, or partners, which could violate privacy laws or expose private information.

Saying this is security by obscurity is simply not correct. A company that subjects itself to these audits and is willing to share the reports (even under an NDA) shows it’s not relying on secrecy. In fact, it’s the opposite. They’re demonstrating transparency by undergoing an independent review of their practices.

As for audits being the “bare minimum,” that depends on the type of audit. Some companies rely only on internal or non-standardised audits, which are often more about PR than real security. ISO 27001 and 27701, on the other hand, are internationally recognised as the gold standard for security and privacy. Achieving these certifications takes serious effort and covers nearly every aspect of an organisation’s practices. Sure, no audit is perfect, but these are far from just the bare minimum.

2 Likes

That said, I’m not here to defend closed-source businesses. I’d love to see more transparency, which is why I’m a strong supporter of prioritising the use of fully open-source software (especially when it’s powered entirely by the community).

However, I recognise that not everyone will use open-source software, and there isn’t always a perfect open-source solution for every use case. For this reason, I believe closed-source businesses should go the extra mile to ensure privacy and security through internationally recognised audits like ISO 27001 and 27701. The more transparent a company is (even if it’s closed-source) the more trust it earns from its customers.

As much as I wish everyone would rely solely on open-source, community-driven software, that’s just not realistic. Closed-source businesses will continue to exist, and it’s important to encourage them to adopt strong standards for privacy and security to build trust and accountability.

Well yeah, let’s just agree to disagree on ISO audit value. When doing software due diligence I never settle for companies that believe that ISO proves they are doing everything right. In my eyes it is good that those standards are there, but it really is a minimum and high-over of what one should do to be in control. It doesn’t tell me that they actually are.

It is a valuable framework, but you need to see the scope and details under it to actually know the value of an “approved” stamp. Risk assessments often consist of massive gaps and flaws. People wrongly assume full legal compliance with such certifications. Just saying you have passed the audit tells me nothing more than just fulfilling some minimum standards that all companies really should (not that all do).

I wouldn’t be so sure of that tbh. The rest was good info. But I would argue that unfortunately many European companies are not being compliant with GDPR.

General privacy practices are mostly better in the EU, but it definitely is not a guarantee.

I think there is more awareness and respect of privacy in EU companies because of GDPR. But as you said, not a guarantee.

1 Like

While I don’t really like that HERE has their Facebook login shit, it doesn’t seem to connect to Facebook otherwise.

The opt-in buttons are all dark patterns; deceptive button colours (same as seen in the report of EDPB on cookie banners here: https://edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf) as seen in the screenshots of @Encounter5729. It is not quite what the GDPR stipulates.

It makes it hard for me to recommend using such. Is it holistically really any better than using Google Maps? Google does no longer have such dark patterns, although it took some fights.
I am not going to argue for including Google, (lol), but they do show you very transparently what data they have on you and allow you to delete the history, even automated.

I am just wondering besides anti monopolistic factors if it is actually bringing you more privacy at all.

Anyway, I am up for the test. I will try using it and compare it, just to also test the usability for some time. I am currently still using Google Maps as I also find that Organic Maps just isn’t it for public transport and is lacking live traffic. I do use Organic Maps for keeping locations and navigation when I require more privacy.

1 Like

I don’t know how we can check the certifications except for going to each company one by one, but I am sure all Meta, Google, Microsoft and many other privacy invasive companies have ISO certificates at the highest level. Typically there is a granularity within those such as SOC 1 or SOC 2.

1 Like

Google actually is known to not offer much assurances, making it hard to be compliant with them. Also the reason authorities fined schools who used Google before, and only then Google changed things (Google’s use of student data could effectively ban Chromebooks from Denmark schools - The Verge). Microsoft is better at this, but you really need to fight for it, which means small organizations are not able to get the same privacy.

1 Like

They have ISO 27001 certification for various products, just not the consumer facing ones. ISO 27001 Certification - Analytics Help