Suggestion to add clearer caveats to privacy tool recommendations

A few years ago, a recommendation I gave to someone new to privacy tools and paying for Email backfired. He switched from Tuta back to Outlook and probably will think twice about following my advice again.

The discussion this week on PG about losing your aliases when downgrading your Proton subscription has made me think we could put stronger caveats when we advise privacy tools.

EDIT (post several comments): I just want to clarify I am not suggesting PG does any hand holding regarding losing features when you stop paying. The Proton discussion made me think about a bigger issue regarding giving some warnings to users new to things like encrypted email, using aliases, etc.

PG’s Email aliasing page does already have this:

In turn, however, you are placing trust in the aliasing service to continue functioning.

but doesn’t point out that if you can no longer afford to pay for the service, you’re in a serious bind with all your account logins, which you’ll probably have to reset one at a time.

I feel the onus should first of all be on companies like Proton to be up front about not just the privacy benefits, but also some of the hurdles that might be ahead when adopting their privacy tools. For example, I had a fairly steep learning curve with Mullvad VPN, as I’d never used a privacy VPN before, and discovered I couldn’t print on my local network anymore without adjusting the settings, would have to switch it off for government sites and Reddit (?), etc.

When we, privacy advocates, recommend tools, it might also be worth considering adding stronger caveats to our recommendations, so that they don’t end up backfiring, leading to users becoming wary of privacy tools as a whole (as my friend did).

Perhaps there could be a ‘Caveats and warnings’ subheading with every PG tool recommendation.

7 Likes

As much as I think certain areas of recommendation require careful consideration and clarification of limits, I do also fear that having a “Caveats and warnings subheading with every PG tool recommendation” could easily lead to warning fatigue, and cause the reader’s eyes to glaze over and give up before even trying in the first place. Thus worsening the situation instead of actually helping to properly inform the reader of the select important limitations of certain recommendations, and limitations inherent to certain technologies themselves.

3 Likes

The audience for privacy guides is “primarily adults who use technology.” It is not reasonable to write with the assumption that all readers lack an elementary understanding of economics.

3 Likes

All adults use technology. The next part clarifies:

Don’t dumb down content as if you are addressing a middle-school class, but don’t overuse complicated terminology about concepts average computer users wouldn’t be familiar with.

What I’m talking about is onboarding people (average computer users) to privacy tools, and doing that in a considered way.

1 Like

I do get the point and generally agree, but it may not be realistic to list all such caveats for each and every recommendation listed. The problem isn’t a general privacy-related technology, but rather a specific company policy, which may change over time.

1 Like

It’s an issue I never gave much thought to, until I read that Proton discussion this week. It is indeed a bit of a nightmare to undo account logins with aliases if you stand to lose those aliases.

It is clear to me that a lot of people are reasonably competent in technology without understanding email aliases, or even email providers and emails in general.

Email seems simple - you have an address, send mail to other addresses from yours, and receive mail from other addresses at yours - when the underlying technology and real world implications aren’t really.

“This is what happens in different situations” would likely help a lot of people reading about email and alias services.

1 Like

What is your point? Your suggestion is about dumbing down content to far below a middle-school level.

1 Like

Telling regular adult users, many of whom may not yet know what an email alias is, about the potential downsides of using email aliases is at primary school level? You must be joking.

When I open PG I see this:

“Start Your Privacy Journey”

7 Likes

Maybe I am missing the point but I am not sure I see the reason to say this explicitly. This, to me, should be something an average consumer can deduce on their own. If users are purchasing products that they are at risk of not being able to afford, they have other issues they should be focused on.

1 Like

What is easy for one person to understand can be hard for another, depending on their specific abilities and life history. This applies to both middle schoolers and adults.

I find this fact obvious too, but there are many “obvious” things I didn’t understand until someone told me. If I had only ever used gmail then this might be one of them.

Surely you are above putting words into my mouth. I am saying that the fact that a paid service requires you to continue to pay the subscription to maintain access to the service is not exactly rocket science.

3 Likes

That’s a fair point. I tend to think it’s a bit out of scope to have PG do that much hand-holding for users but I can accept other people don’t see it that way.

I don’t disagree with you on this specific instance (pay for service, stop paying don’t get service). But the other points on your general ideas aren’t as encouraging and dismissive. Yes, PG should not write the ToS for every service as people need to learn it on their own. But also PG should raise awareness of footguns and things worth considering before utilizing a critical service. Doesn’t even need to be a flashing neon sign, a quick blurb on “ensure you understand how aliases are used should you need to cancel or migrate providers” isn’t exactly harmful.

4 Likes

But that’s not my point with this post. I’m saying that on PG, when recommending something like using email aliases to someone new to them, it is helpful to point out what the long-term implications could be.

Similarly, with encrypted email, it might be worth warning someone in advance that the search functionality is nowhere near what someone might be used to on Gmail.

The idea is to give a heads up to people new to privacy tools about some of the implications of their use that they won’t know about, and many of us do, from our experience using them.

I don’t really agree with the Proton thread OP’s gripes about losing features that are part of a paying service when he stopped paying, but reading through that thread made me realise there is a broader issue about recommending privacy tools.

The argument that no one could misunderstand this or think it works that way is weakened not only by people thinking that, but because you also can apparently keep receiving alias emails in some services.

Like with SimpleLogin:

When your subscription ends, all aliases you created continue working normally, both on receiving and sending emails. Concretely:

  • All aliases/domains/directories/mailboxes you have created are kept and continue working normally.
  • You cannot create new aliases if you exceed the free plan limit, i.e. have more than 10 aliases.

I think this does mean you could not only sub for one month and switch all your accounts over, but you could also make e.g. 500 placeholder aliases and continue to use them for new accounts. Not that I’d do this when it isn’t their intent and DuckDuckGo voluntarily offer unlimited, but “what happens when sub expires” can be impacted by various situations and policies.

1 Like