CTemplar / webclient

Angular webclient (with Linux, macOS and Windows desktop clients) for CTemplar's encrypted email service.
https://ctemplar.com
Apache License 2.0

Better clarification about when you give data #1251

Closed ghost closed 3 years ago

ghost commented 3 years ago

Actual behavior

In your transparency report, you state that:

"We will cooperate without Icelandic court orders in matters regarding sexual abuse of children and terrorism."

However, on pretty much every other part of the website, you talk about only sharing data with a valid Icelandic court order. In fact, on the page Icelandic privacy laws you state that:

"It is illegal for us to share user data without a valid Icelandic court order."

Expected behavior

Based on the transparency report, you have not complied with any data requests. However, the above two statements cannot both be true, unless you plan on breaking Icelandic law. So, what are the real conditions when you give data? Has the law changed? If so, what's the case now? Did the law ever exist at all? Can you fix the website so that it doesn't contradict itself? Thanks!

Godfry commented 3 years ago

@PeacefulPotato You have a really good point. I am not a legal expert but I have consulted with them in the past about this topic. Here are my thoughts:

You are correct that it is illegal for us to share user data without a valid Icelandic court order. However, there are time-sensitive situations related to terrorism and child abuse in which the Icelandic government (and Icelandic people) may determine we are acting illegally by not cooperating without a court order. In these rare "double-bind" situations, we’re going to act in a way that best protects our users' civil liberties.

In regards to the wording on our site... If we explained all the intricacies of all our security claims with their associated legal implications, then our website would be a big block of text. We use our privacy policy, transparency report, and terms and conditions to flesh out all the intricacies of our service. Based on my understanding, this is the industry standard; however, I'm going to review this with our legal team and we might make wording changes based on their feedback.

This is off topic but in my opinion, what's much more problematic is defining what "terrorism" is exactly.

  1. Are you a terrorist if you have an opinion that differs from someone else's?
  2. Are you a terrorist if you belong to an unpopular political party?
  3. Are words violence? Can unpopular words be considered terrorism?

In the future, as society defines what terrorism is exactly, I'll be looking to people like yourself for feedback and comments about how a security and privacy company should proceed.

Kind Regards,

ghost commented 3 years ago

I understand that "child abuse" is a violation of the terms of service. You also state in the privacy policy that by using the site you accept the privacy policy. However, you do not mention anything about "terrorism", nor do you mention sharing data with the government if the terms and conditions are broken or due to "terrorism" in the "Compliance and Cooperation with Regulatory Authorities" section, or any other section, of the privacy policy. You furthermore do not mention anything about sharing data with the government if the terms and conditions are broken or due to "terrorism" in the terms and conditions itself, and there are no links to the transparency report anywhere on the front page, in the footer, or in the "about", "tor browser", "help", "blog", or "features" pages. The only reason I found the transparency report at all was due to this review by Restore Privacy.

Suggestions

This would be a big help. Thank you for taking my request into account.

The-Hidden-Hand commented 3 years ago

Thanks for your suggestions, we're considering them and will let you know.

Godfry commented 3 years ago

I'm continuing to discuss this with my legal advisor and he's looking through various Icelandic legal documents. For now, he advised removing the phrase "We will cooperate without Icelandic court orders in matters regarding sexual abuse of children and terrorism" from the transparency report. We are strongly against terrorism and child abuse; however, including that phrase in our transparency report creates confusion, as you clearly outlined.