Privacy Policy Update

Today, we published an update to Gliph’s Privacy Policy. Privacy is a foundational aspect of the Gliph platform, so we’d like to explain exactly what changes have been made and why.

Introduction Section

Changed: “Your Privacy is our Mission” to “Introduction”
Reason: We felt this was too splashy. This document is an outline of privacy considerations for Gliph users.

Removed: “Your Facet information is, by default, kept private.”
This graphic shows the difference in what it is like to have a Name or pseudonym versus only having a gliph.Reason: Many users have given us feedback that it is too confusing to see people as Gliph’s only. In our own use of Gliph, we notice that in the great majority of cases, people do want to be seen as either their First Name or Pseudonym, rather than a symbol-based username. It is just much easier to recognize who is who.

For this reason, during sign-up and while editing profile we will set certain facets to Public by default if we feel it dramatically improves the overall Gliph experience. We will still provide you the option to set them to Private before they are saved the first time, or at any time after initial setup.

Removed: “We provide the platform; you have the control.”
Reason: We don’t feel like this adds information to the privacy policy.

Changed: “How safe is your information on Gliph? We encrypt all of your Facet information and Gliph messages using the AES-256 cryptography algorithm and a private key generated from your secret password. The AES-256 encryption algorithm is the only one approved by the National Security Agency (NSA) for transmitting information classified as Top Secret. [NSA Suite B Cryptography]”

to:

“We encrypt all private Facet information and Gliph messages using the AES-256 cryptography algorithm and a key generated from your secret password. ”

Reason:  We believe when used properly, AES-256 is a solid cryptography algorithm to protect information. However, revelations around the NSA’s surveillance program degraded trust in the agency and therefore we do not wish to highlight their approval of the algorithm in our Privacy Policy.

Since we’re discussing this passage, we also want to share more information about  how personal data is protected in Gliph.

First some terminology:

  • Facet – A piece personal information saved in your Gliph account like your First Name or Phone Number. You choose the privacy and discoverability settings on each of your Facets and you can choose to share a Facet with other Gliph users.
  • Private Facet – A Facet that is only displayed to other Gliph connections or Groups you have explicitlychosen to share them with.
  • Discoverable Facet – A Facet that is not in open display to the public, but may be discovered and associated with your Gliph account if someone knows to search for it.
  • Public Facet – A Facet that may be openly displayed to anyone on the Internet visiting your Gliph profile or to a logged-in Gliph user that views your profile.
  • Account Facet – A Facet that is accessible to Gliph’s system (and administrators), but not other users unless explicitly shared, set to Public or Discoverable. Current Account Facets are your personal gliph and your email address.

Saying something is encrypted does not necessarily mean it is being stored securely. Here are some more details about the security you can expect from these different privacy settings:

  • Private Facets are encrypted and may only be decrypted in conjunction with a key generated from your secret password. You may enforce complete privacy from Gliph administrators via an optional setting that removes the ability to reset the password on your account. (See our blog on Lockdown Privacy Protection).
  • Discoverable, Private Facets are encrypted but also hashed. If Gliph’s database was compromised, Facets with this setting may be less secure than Non-Discoverable, Private Facets.
  • Public Facets are encrypted, however their encryption keys are stored in plaintext. This means if Gliph’s database was compromised, these Facets would not be stored securely. The Facet content must be accessible without your password. Therefore, it is necessary for Gliph to have access to the encryption key for that Facet.
  • Shared Facets are encrypted, and the Facet key is shared with the other user or users. That Facet key is then encrypted again using a connection specific key. The security of Private Facets you share depends on both you and the other party keeping your passwords secret and may be strengthened by having all parties turn on Lockdown Privacy Protection.

To summarize, Gliph not only takes measures to protect its database, it has specific additional measures to protect the data. How you use the service and interact with others will affect how securely we can protect your information.

Removed: “Please review our privacy policy below. We worked hard to make it simple and understandable and we will continue to improve upon it. Let us know if you any questions or suggestions.”
Reason: These words do not add useful information to the Privacy Policy.

Gliph Privacy Mission Statement Section

Changed:

  • We do use trusted service providers (such as Mixpanel) to help provide us with information about the use of our services, but only after anonymization. Our trusted service providers cannot see your Facet information.

to:

  • We do use trusted service providers to assist in sending email and to help provide us with information about the use of our services. Our trusted service providers do not have access to your private facet information. Your email address is an exception; it may be shared to assist in sending you email from Gliph.

Reason: We removed the reference to Mixpanel, because the example is likely not familiar to most people. We also changed language about how information is shared with trusted service providers:

The idea of a Trusted Third Parties may not be familiar to everyone. It is generally a service that assists Gliph in getting something done. For example, sending email is a bigger concern than it may seem. We rely on a Trusted Service Provider to help deal with delivery and spam issues.

We also removed the word “anonymization” because that word means different things to different people and is better explained under “Information We Collect” below.

Changed:

  • We keep your Facet information and Gliph messages encrypted by AES-256 with a private key generated by the password only you know. The only exception is your email address.

to:

  • We keep your Facet information and Gliph messages encrypted with a key generated by a password only you know.

Reason:  We cleaned up the language to clarify and avoid repetition. We removed the sentence about Email address because as clarified above, even Public Email Address Facets technically are encrypted.

Privacy Policy Section

Changed: [Last Updated Date]

Changed:

  1. Information You Provide to Us
    We receive and store only the information you provide to us, including the Facet information you choose to add. Information you provide as Facet information may include your name, email address, Twitter handle, website and other information. We store your Facet information on our servers and encrypt them as described below (See “How We Protect Information”). Except for your email address, we cannot see your Facet information unless you choose to share them with us and/or make them public. You can choose not to add certain Facet information, but this may limit your ability to take advantage of certain services or features we offer.

to:

  1. Information You Provide to Us
    We receive and store only the information you provide to us, including the Facet information you choose to add. Information you provide as Facet information may include your name, email address, Twitter handle, website address, profile photo, and other information. We store your Facet information on our servers and encrypt them as described below (See “How We Protect Information”). Except for your email address, we cannot see your Facet information unless you choose to share them with us and/or make them public. You can choose not to add certain Facet information, but this may limit your ability to take advantage of certain services or features we offer.

Reason: We plan on adding optional Profile Photos to Gliph, We will be treating these types of photos as Facet information.

Changed:

Other Users
Please keep in mind that any information you make public on Gliph will be accessible by other users and may be used by them. However, you control the Facet information you keep private and you decide what you choose to share with others.

to:

Other Users
Please keep in mind that any information you make public or discoverable on Gliph will be accessible by other users and may be used by them. However, you control the Facet information you keep private and you decide what you choose to share with others.

Reason: We wanted to clarify that if you set a Facet to discoverable, it may be indirectly accessible to other Gliph users. For example, if you want to be found by your friends on Facebook we must set your Facebook Facet to discoverable which will allow friends to make a connection between your Facebook identity and Gliph identity.

 

Changed:

How We Protect Information

We use a variety of security measures, including encryption and authentication tools to make security a priority. Your Facet information and Gliph messages are encrypted by AES-256 with a private key. Only you know your password; we do not. Besides your email, we don’t have access to your Facet information or Gliph messages.

To:

How We Protect Information

We use a variety of security measures, including encryption and authentication tools.

Reason: We shortened this paragraph because the language is unnecessarily repetitious introduction to this section.

Conclusion

These changes allow us to continue to protect personal data and communications. They also clarify language so it is accurately representing our user experience. We hope this entry has been helpful and appreciate hearing your feedback: privacy@gli.ph.