>Personally identifiable information may include, but is not limited to: Email address, First name and last name, Usage Data
>Usage Data is collected automatically when using the Service
>Usage Data may include information such as Your Device's Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our Service that You visit, the time and date of Your visit, the time spent on those pages, unique device identifiers and other diagnostic data.
>We may share Your information with Our business partners to offer You certain products, services or promotions.
Laughably, the privacy policy states in several areas that they only collect, share, or retain data consistent with the privacy policy. E.g.
> The Company will retain Your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy.
And the privacy policy essentially provides for every purpose they would want to use your data. Sharing, for example:
> With Affiliates: We may share Your information with Our affiliates, in which case we will require those affiliates to honor this Privacy Policy. Affiliates include Our parent company and any other subsidiaries, joint venture partners or other companies that We control or that are under common control with Us.
> With business partners: We may share Your information with Our business partners to offer You certain products, services or promotions.
As an aside, I’ve started reviewing companies’ privacy policies, terms of service, etc. before I decide to sign up. This is coming from someone who has previously just clicked “I Agree” to whatever terms are there on signup (be nice).
If you haven't heard of it, "Terms of Service; Didn't Read" (https://tosdr.org/) can be a helpful addition to your review process.
Obviously not every site is covered, and you may want to review the terms yourself anyways, but I've found it pretty useful when I'm not in the mood to read thousands of words of legalese.
Aside-aside: I used to run a service called TOS Salad (probably even posted it here like 15 years ago) that monitored these policies and sent notifications when they changed. It was pretty crude stuff, mostly munging stuff with perl, but the notion was to detect key provisions that should be considered and material differences when things changed. With today's LLMs, it would be a lot better. I don't know if I'll pick it up again, but maybe someone else is inspired...
I'm [name-redacted], the guy who started this project.
We’re just getting started, and regarding privacy, I chose these terms to cover all bases and give us room to mistakes, learn and improve. Our intentions are good, and as the project evolves, we’ll continue to make things better.
The privacy policy is a litany of statements about how they collect all sorts of data and may share it with pretty much anyone under the sun.
Some of the more egregious ones I found:
Regarding using a social media provider to log in.
> We may collect Personal data that is already associated with Your Third-Party Social Media Service's account, such as Your name, Your email address, Your activities or Your contact list associated with that account.
Kind of a given if you’re logging in with a social media provider but still.
Regarding collection of your location.
> While using Our Application, in order to provide features of Our Application, We may collect, with Your prior permission: Information regarding your location. We use this information to provide features of Our Service, to improve and customize Our Service. The information may be uploaded to the Company's servers and/or a Service Provider's server or it may be simply stored on Your device.
Regarding sharing of your data.
> With Affiliates: We may share Your information with Our affiliates, in which case we will require those affiliates to honor this Privacy Policy. Affiliates include Our parent company and any other subsidiaries, joint venture partners or other companies that We control or that are under common control with Us.
> With business partners: We may share Your information with Our business partners to offer You certain products, services or promotions.
How we use your data section basically says we use it for everything and share it with everyone.
Same comment like the one before so writing to you the same:
I'm [name-redacted], the guy who started this project.
We’re just getting started, and regarding privacy, I chose these terms to cover all bases and give us room to learn and improve. Our intentions are good, and as the project evolves, we’ll continue to make things better.
As far as I understand OIDC and OAuth, this means that any tokens (the passwords) have to go through Eartho, no? So while this may help reduce sensing PII to the SP you are trying to authenticate towards, you are now effectively doing what decades of IT security teaching told you not to do: giving 3rd parties your password -- only that now it's in transparent and the end user isn't aware of it.
Oh.. sorry for that. Im the [name-redacted] the guy who started this project.
I know it's the privacy policy doesn't fit our values, we did it to give us room for mistakes and learn.
What is the market for this? Users use Google/Facebook logins because it’s one easy click and no one cares about privacy. Users who care don’t want a unified identity tied to all of their online activity, regardless of Eartho’s current privacy policy.
It’s early days, and I know it sounds ambitious. You might think this is just for privacy fans, but I believe it could become the go-to login for everyone—even those who aren’t privacy-focused—by being as convenient as Google. And with Google facing pressure over its competition with OpenAI, it feels like the right time to rethink who we trust with our logins.
I understand that trust is a big issue right now, both for users and developers. To address this, we’ve made it possible for users to connect with their existing identities, adding an extra layer of ease and trust as they transition to Eartho.
I totally respect your point, though. Thanks for the feedback!
Eartho sounds like a something a user wants. We have found that privacy is an added bonus, but that it is only one of many features a developer wants.
Adding yet another button that users don't understand confuses users.
I'm the founder of Hellō and we have a similar service that has cooperative governance. https://hello.coop/
FWIW it is a myth that Google uses where you login with Google for retargeting. Big Tech is always concerned about having to share user specific usage with US agencies. Google considers knowing where you login to be toxic data that they want to dump as quickly as possible. There are more than enough other signals from re-targetting.
Can you please provide a source for your information about Google handling login data? Your words are very interesting, but they would have more impact if you could provide a source.
As others have stated, and provided reference for it, it has not been deprecated...yet. However, i would imagine that a some point .IO will simply be turned over, sorry, sorry, sold over to an entity that manages TLDs like .pizza, .art, etc....Why? Because money; there's money to be made from .IO registrations....and if it stops being a CCTLD and becomnes a generic TLD...when there's more assurances that it will stay around, and hence more money to be made. I doubt it will disappear. ;-)
>Usage Data is collected automatically when using the Service
>Usage Data may include information such as Your Device's Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our Service that You visit, the time and date of Your visit, the time spent on those pages, unique device identifiers and other diagnostic data.
>We may share Your information with Our business partners to offer You certain products, services or promotions.
https://www.eartho.io/legal/privacy-policy
And so on...
Where does this company get the audacity to claim they are privacy-focused?