Doing high-quality privacy evaluations requires work, but the tools to do it are freely available.
Over the last year, we have been hard at work on our privacy evaluations.
However, no one needs to wait for us to run an evaluation. From the outset, our goal has been to be as transparent as possible. Our core toolkit is publicly accessible -- and has been for months.
Our toolkit can be used by anyone with an interest in privacy and security, from a vendor who wants to evaluate their own software to a student interested in learning more about the tools they're required to use in school.
- To start, run a triage of the application. Our triage process is here.
- Then, run a transparency evaluation. The transparency evaluation gives a very clear sense of what is and isn't covered in a policy. For many vendors, the transparency evaluation will be the stopping point of this process, as weak spots in terms will be evident.
- The transparency evaluation shows what is or isn't covered in a policy. The next step -- the qualitative evaluation -- provides insight into the protections offered in a set of policies.
- As we indicate when we define our triage process, certain conditions can highlight a need for a more detailed information security review. Our information security primer highlights our core processes and our infosec toolkit.
Four additional resources are also relevant here:
- Check whether policy language has been borrowed from other apps. While this isn't necessarily a bad thing, it's good to know.
- Perform targeted searches for specific issues in a policy. This is useful for seeing coverage of selected, focused concerns.
- Get a sense of the technical sophistication used to deliver a policy. If there are issues with basic HTML around policies, it's a potential flag for other technical issues.
- Read the background resources we consulted when creating our evaluations. This list is by no means comprehensive, but it's a good start.
Finally, we're constantly revising, updating, and (hopefully) improving our work. We have no illusions that we're getting everything right, and we see our work as a partnership with everybody else in the space. We talk -- constantly, continuously -- with vendors, teachers, district staff, parents, and other privacy advocates. If anyone reading this has a good idea about how to make the work better, we want to hear it -- so please, be in touch.