Don't list vendors that expose data to third party marketing companies

[ph00lt0]

Websites of vendors such as solokeys and onlykeys should not be listed.
We shouldn't endorse companies that don't understand how privacy law works and how to protect data of their customers.

• Visitors of PG to the idea that they can order a product to obtain better privacy (whether it is through security or something else) should have the confidence that they are not being send to a vendor that has doubtful privacy practices.
• Alternative stores can be listed for certified / audited products.

[TommyTran732]

Some random trackers mean nothing. Whether we recommend something like the Yubikey or the Onlykey or not depends on the merits of the keys, not how many "trackers" they have on their sites.

Are you really gonna not use a security key because the vendor has google analytics on their website?

What about Google Pixels? We recommend that users buy the phone dirextly from Google. Are we really going to not recommend people buy from Google's own store simply because they are Google?

This does not serve any coherent threat model. I don't think we should go through with it.

[ph00lt0]

It's more about how to obtain those devices, not about the product itself. If you can list it with a trustworthy merchant fine.
Yubikeys can be obtained without risking this and are a great alternative.

The problem here are third parties, getting data of the users without them being aware of this. The companies by doing so actually violate the GDPR. I was not speaking about GA btw, there are worse things on their websites.

As mentioned on the Solokey discussion, buying directlly at Google is a different story. There it is clear to the average user that they share data with Google. With the stores mentioned you have no idea where your data is ending up. That being said I would like to recommend people to buy their phone when possible in cash whenever possible so your IMEI is not linked to your bank account in any form. But that is an entirely different discussion imo.

[jonaharagon]

The difficulty in the security space is finding vendors that make actually secure products, much less vendors which also adhere to privacy-first ideological principals.

Currently, generally (extremely, extremely broadly) speaking, we have two main requirements for recommendations:

1. The recommendations need to be secure, security is a prerequisite to privacy.
2. When it comes to software you run locally or hardware you own (like a Solokey), you need to be able to operate them in a manner which allows you to control how your data is being used and shared. This is the privacy element of all of our recommendations.

Solokeys (and Onlykeys) fit both of these criteria, because trackers on their website/storefront have no bearing on the operation of their products. If you buy a Solokey or Onlykey, you never have to visit their website again, which is why the storefront itself has minimal bearing on the recommendations we're making.

If we extend a privacy requirement to the process of obtaining the things we recommend, I think that would change a lot of our recommendations right out of the gate. In a perfect world Solokey/Onlykey/etc wouldn't be using Big Tech trackers on their website, yes, but with limited options we've kind of got to take what we can get, realistically speaking.

https://github.com/privacyguides/privacyguides.org/discussions/956#discussioncomment-2621783