Much is said about Google’s “don’t be evil” corporate motto. That is not what this post is about.
This is about corporate values — and a (rather smaller) company I have found myself appreciating because of their words and actions on the subject. This stuff can be easily overlooked when the market demands a rush to the lowest price, but to consumers like myself, it is possibly the most important thing.
This isn’t some murky sponsored post (although I do have an affiliate link at the bottom) — this is all genuine and from the heart.
I found out about Cloak through their co-branding with 1Password, my password manager of choice. They are a VPN service designed to give you a way to encrypt your traffic when you are connected to untrusted networks. Their service is technically brilliant, but what is more important than that is the honesty, openness and realism they have shown so far in their communications.
Well, what does that mean?
For a service I am sending all my internet traffic through, I needed a little bit more transparency. There has to be a mutual trust relationship — I won’t abuse their service and make their life difficult and they will treat my information with the privacy and respect it deserves.
Then, a few days ago, they updated their policies with a lot more detail. What happened to the excessively broad terms?
In the past, one of the items in our list of information we collect was “information necessary to make sure you’re not sending spam emails or doing other fundamentally evil things.” This is pretty broad and gave us a lot of leeway. Today we’re prepared to be much more specific: we keep the headers of all TCP connections and UDP sessions for about fifteen days (depending on the log rotation schedule; never more than sixteen).
And there’s lots more — including the technical detail on how they achieve this. (Their technical deep-dive is good too.)
So, they are being transparent and honest (as far as anyone but them can guarantee!) about what they do and don’t do. What is also important, though, is that they don’t make incredible claims about how much privacy they can give you, or that they will do things that are not possible.
Another key design point is that no information directly identifying a user or account is stored in the archives. Based on the IP data, it is ultimately possible to link a connection to a specific Cloak session, but those sessions are not stored on the same machine after the user disconnects.
So many companies answer questions about how they protect you from things in a patronising and deceptively incomplete way — “our security measures are robust”, “we use encryption that is twice as strong as is used for credit cards!” and so on.
It is a breath of fresh air that Cloak is honest about what is and is not possible.
What is my point? Corporate values are not just empty promises you broadcast to make people feel safer. If you act on them, consistently, you build trust and loyalty that is deeper and more meaningful.
Maybe this is “old fashioned”. Admittedly it is easier to do is a small company than a big one. But I’d like to see this happen more. Companies that follow this lead are much more likely to get my money, at least.