Openly Operated wants to make privacy policies actually mean something

Illustration by Alex Castro / The Verge

In the world of tech, privacy has become a selling point. Apple promises that “What happens on your iPhone, stays on your iPhone.” Google claims it’s making privacy more than a “luxury good.” Facebook CEO Mark Zuckerberg claims “the future is private.” But consumers are often still at the mercy of companies. We have to trust that platforms aren’t secretly tracking us or using our data to train facial recognition algorithms — and that their privacy policies, which can be vague or impenetrable, offer any real protection.

Johnny Lin and Rahul Dewan, the co-creators of a new standard called Openly Operated, want to change this. Openly Operated is a set of guidelines for auditing how apps and web services deal with user data, like a combination of a report card and a seal of approval. But it’s also a bid to change the terms of the privacy debate — as Lin puts it, to get past the sense that when ordinary users think about privacy, they figure “I’m screwed anyway, so why should I care?”

A hypothetical mock-up of what Openly Operated privacy notices might look like.
OpenlyOperated.org

An OO-certified app or site must meet three criteria. First, it needs to demonstrate “a basic level of transparency” by making its code and infrastructure — among other things — public and fully documented. Second, it needs to lay out its policy in the form of “claims with proof,” establishing what user data is collected, who can access it, and how it’s being protected. Third, those claims must be evaluated by an OO-certified auditor who then makes the audit results public.

The site OpenlyOperated.org, for example, is OO-certified. (It’s one of two OO-certified services right now, alongside Lin and Dewan’s Confirmed VPN.) Its audit report lists several easily readable and footnoted claims about the site, including the claim that your email address is kept totally private — even from the site’s operators. It then includes details about the encryption system that makes this possible, plus statements from cybersecurity consultants who corroborate the claims. While companies can already run privacy audits, Openly Operated’s branding is supposed to promise a certain level of depth, in addition to guaranteeing transparency.

“We’ve kind of created this system today where the privacy policy is totally an afterthought.”

Lin (a former iCloud engineer) and Dewan (creator of the iOS second screen app Duet Display) wrote a popular study of shady iOS apps in 2017. Now, they want Openly Operated to nudge consumers toward apps and sites that value privacy and transparency, while giving companies an incentive to behave well. “We’ve kind of created this system today where the privacy policy is totally an afterthought for smaller companies. And for bigger companies, it becomes unmanageable, because you started out as a smaller company,” says Lin. “People before were taught to move fast and break things. Our solution is no, slow down — because when you do that user privacy goes in the backseat.”

“Openly Operated” evokes the term “open source,” and it requires open source software. The project’s goal is to evaluate specific promises about companies’ behavior, though, not just their code. It shares broad goals with legal frameworks like Europe’s GDPR laws, but it’s voluntary and more focused on transparency than specific practices. And it’s not necessarily devoted to pulling behemoths like Facebook on board; it seems more like a way to lay the groundwork for the next generation of popular services.

OO certification, notably, doesn’t specify a particular level of privacy. Companies could still do things like sell targeted ads or deal with data brokers. They’d just need to spell this out in the terms of service. “We don’t actually stop companies from dealing with third parties if that’s what they want to be open and honest about and if that’s the agreement they have with users,” says Lin.

Similarly, the system seems best equipped for platforms that take a hands-off approach to data. A site like OpenlyOperated.org might promise an encryption scheme that prevents anybody from seeing email addresses, but it’s less clear how to make meaningful promises about sharing publicly accessible information — or information that’s shared with non-OO-certified companies. Flickr owner Yahoo created a research data set from public user photos, for example, but drew controversy when one specific company accessed the data for facial recognition training.

Openly Operated isn’t trying to solve every problem itself

Openly Operated seemingly isn’t attempting to solve all these problems itself. Instead, Lin hopes that it will give companies reason to change their practices, whether that means sharing less data or building encryption infrastructure that lets them prove their claims. “I don’t believe there’s a limit to clever ideas that people can come up with,” he says. “I think often people just need to think a little bit harder and take an extra few minutes to design something that may be kind of counterintuitive to the developer but better for the user.”

All this relies on Openly Operated gaining a user base. The program technically launched in April, but it’s only coming out of stealth mode this month, and Lin says that “our priority is creating a transparency standard that puts the user first,” so sales and partnerships “haven’t been a strong focus” so far. Lin and Dewan will be fighting against the fact that people really do have a sense of learned helplessness around privacy. Even if users think it’s important, they’re very accustomed to giving it up.

The Openly Operated site lists a number of potential benefits for companies, including the fact that other companies might be more comfortable dealing with a partner that’s spelled out its security practices well. Unlike ordinary users, however, companies may be better equipped to navigate existing auditing programs — and have less need for a clearly readable standard.

But amid discussions of how to regulate data protection, Openly Operated lays out an attractive paradigm for privacy. It imagines a world where apps’ terms of service get evaluated in the same way as their interfaces or feature sets, and where the onus is on companies to earn users’ trust, not dazzle them with big claims or grudgingly submit to evaluations. “Our vision is that in the future, every [app and site] review comes with a section that also says: ‘And are they audited? Do we have any major privacy concerns that we can definitively point at and look at? Are they transparent?’” says Lin. “We’re trying to raise the bar.”
