Research onesignal.com privacy implications

[chmac]

Would be great to get a clear, concise summary of:

• What data onesignal.com collect
  • How much personally identifiable information is necessary to give them as part of using the service for example.
• What they do with that data
  • Are they permitted to sell personally identifiable information?
• Do they have any statements about EU privacy laws? Often EU companies are restricted from using US services like this, but maybe they have some kind of statement covering their position, etc.

[mrkvon]

Still WIP and messy. Already some insight.

https://onesignal.com/privacy_policy https://onesignal.com/tos

Disclaimer: I'm not a lawyer. I'm a dilletante. I don't fully understand the legal context of the research.

TLDR

onesignal.com collects a lot of data, including email addresses, location, behaviour, probably also the text of the notifications users receive. They try to label the users (i.e. sports fan if you're often around stadiums (how far can this go?)) and predict their behaviour.

They make money by selling the data to their Clients (i.e. to ad companies for making personalized advertising).

They will keep the data as long as they need to meet their purposes.

To say something nice: At least they are quite clear about their attitude in their Privacy Policy. With examples etc. They're rather foggy about it in their FAQ, though.

The questions by @chmac

• I haven't found any mentions about EU Law in Privacy Policy nor ToS.
• They don't force you to provide any info. They get the data when you use the service.
• I haven't found any promise to not sell personal info (look better?). On contrary they sell data i.e. so the clients may do targeted advertising. I'll look for more detail later.

My impression?

I advise not to use this service. I would not choose them for my projects. I perceive them as Big Brother Service. However, i'm rather sensitive to this, so you better make your own judgement.

Slightly more detail

Users = us Clients = brands, ad companies, the ones who pay

• They collect email addresses, location (mobile location or IP address geolocation), all kinds of system information and configuration, unique identifiers, info about apps people use, how people interact with the apps (timestamps).

• They collect push notifications which people receive. Would this include the peoples' conversations from email notifications?

• They label users: i.e. if you're often near sport stadium, you'll become a "sport fan". (Isn't this one creepy?)

• They try to predict what users will do in future

• They or their clients (the ones who pay for the data) may connect the data, match ip addresses, email addresses and other info across devices etc.

• They say they generally hash the email addresses when they provide them to Clients, but don't promise they will.

• They don't promise anonymization.

Detail with quoting (read the bold text for overview)

SDK - software development kit End Users - trustroots members Clients - onesignal's partners, advertisers, ... (the bodies who want the data)

What they collect

Web SDK

• Web pages visited that have implemented the SDK, and information about those visits (e.g., session duration, time-stamp, referring URLs)
• What push notifications an End User has been sent (is this the actual text of notification, or not? I.e. text of the messages?)
• ... transactions and interactions with apps and websites IP address, from which geographic location may be inferred, as well as system configuration information Email address which we may (in our discretion) hash or otherwise deidentify (they don't promise the deidentifying though!) ... browser [info], such as, browser language type and version of operating system (e.g., Android, iOS); network provider; language setting; time zone A unique cookie identifier, which may uniquely identify an End User (such as in de-identified or anonymous form).

Mobile SDK

[installed] Apps ... [and some usage info] Purchases made within an app. ... transactions and interactions with apps and websites Mobile advertising identifiers, such as iOS IDFAs and Android Advertising IDs (“Mobile IDs”). (They may associate these ids with other data.) Precise Location information, generally an End User’s lat/long data (i.e., GPS-level data) or WiFi information, which we may associate with Mobile IDs, and which may be collected whether or not an app is in use. Email address ... IP address ... [system configuration information] Information associated with or related to devices, such as device type (e.g., mobile, tablet); type and version of operating system (e.g., Android, iOS); network provider; mobile browser (e.g. Safari, Chrome, etc.); language setting; time zone; and network status type (such as WiFi).

How they use it

TODO - they give a lot of detail.

To Provide Services to Marketers, Advertisers and Platforms They Work With

[simison]

Looks like https://www.pushwoosh.com is an identical big service, with smart/safe terms and free for our scale.

https://www.pushwoosh.com/privacy-policy/ https://www.pushwoosh.com/terms-of-use/

[simison]

@mrkvon suppose we can go ahead with Pushwoosh.com instead and forget about Onesignal. Closing this.

Thanks a bunch for research. :thumbsup:

(If there are some other big gateways worth considering, follow ups @ #394)

[nicksellen]

Pushwoosh does not support Remote API [1] in the free tier [2].

[1] http://docs.pushwoosh.com/docs/createmessage [2] https://www.pushwoosh.com/pricing/

[simison]

Oh, that’s unfortunate. I didn’t imagine there would be any other way than via API.

On 28 Mar 2017, at 9.51, Nick Sellen notifications@github.com wrote:

Pushwoosh does not support Remote API [1] in the free tier [2].

[1] http://docs.pushwoosh.com/docs/createmessage [2] https://www.pushwoosh.com/pricing/

— You are receiving this because you modified the open/close state. Reply to this email directly, view it on GitHub, or mute the thread.

[chmac]

I'd be very happy to see what @mrkvon makes of onesignal.com. It seems to be an option that would scale with us, and so I think it makes sense to wait for a more detailed review of their offer from a privacy perspective.

[simison]

@chmac, @mrkvon wrote above:

I advise not to use this service.

[chmac]

Aha, I see, the original comment was updated so it didn't arrive by email. Got it.

[simison]

@chmac I looked at Boxcar.io last night — I like how their API/documentation is more simple than Onesignal's. It's just 7e/mo (or free up to 100 devices) so not breaking the bank.

They also have big customers so no problem there.