Assessing Anonyome’s handling of MySudo user data using the Transparent Data Use Dial
One of the great things about the privacy and cyber security space is how it brings together a diverse group of people who share similar goals. Recently, I participated in a workshop led by the University of Queensland on information resilience, where I had the opportunity to meet interesting academics from UQ’s Institute of Social Science Research, namely Professor Rhema Vaithianathan and Professor Mark Western, who share a passion for the same problems that Anonyome was created to solve. Rhema and Mark come at the problem space from the social implications, where I tend to start from the technology. Gladly, we rapidly found common ground.
The Transparent Data Use Dial
At the workshop, Rhema and Mark introduced me to the transparent data use dial, a tool first used in New Zealand that captures the important questions that New Zealand citizens most wanted answered about how a government agency or private organization might use their data. These questions are central to how trust is created and cultivated between an individual and an organization that processes their data.
How do Anonyome Labs and MySudo stack up?
In this section, I am going to use the transparent data use dial to self-assess how Anonyome Labs engages with users and handles their data when they use the MySudo app and its Sudo Platform back-end services. Publishing this self-assessment is a step towards improved transparency itself, but perhaps equally importantly, a mechanism to identify areas for future improvement. I acknowledge that I may have unconscious bias as I do this, but I will try to provide detail for each of the claims I am making.
Who will be using my data?
Anonyome Labs is the data controller for MySudo user data. Anonyome Labs does not share MySudo user data in any form in public data sources, nor does it sell or exchange MySudo user data with any third parties. Anonyome Labs will respond to properly served requests from law enforcement agencies. See https://anonyome.com/government-requests/ for more information.
What are the benefits and who will benefit?
Using MySudo helps a user keep their personal information private. This is achieved through the use of Sudo profiles, several of which can be created to separate different aspects of a user’s online and offline activities. Anonyome Labs benefits by providing subscription-based access to the product – not from the user’s data itself.
What will my data be used for?
First and foremost, a MySudo user’s data is used to deliver the services requested. For example, when you compose and send an email from the MySudo app, the email is delivered to its intended recipients. MySudo user content, such as the content of email or SMS messages, is never stored in a form that allows Anonyome Labs to read this content.
Anonyome Labs does use aggregate usage information to manage the MySudo product offering. For example, the trends in the total number of sessions, calls, messages, etc., across all users are useful input to ensuring we continue to manage the health and performance of the Sudo Platform.
Is my data secure?
Anonyome has defined security policies and operational management procedures, all of which are reviewed periodically to ensure that they continue to be effective. The Sudo Platform environment used to support MySudo users has achieved PCI DSS Level 1 certification annually since 2017.
Will my data be anonymous?
A user is not required to provide their legal identity when using most of the capabilities offered in MySudo. This provides a level of anonymity which Anonyome Labs believes is an important component of a modern Internet. There are exceptions to this when a law or regulation requires Anonyome Labs to verify a user’s legal identity, such as a financial services or telephony industry regulation.
We mandate that anonymous users use MySudo in a lawful and respectful way. We refer to this as “responsible anonymity”. When a user’s MySudo activity no longer meets our definition of responsible anonymity, we are committed to taking actions such as limiting or suspending use of our services and responding to legitimate requests from law enforcement agencies. We refer to this as “anonymity with recourse”.
Anonyome uses app analytics to understand how users use MySudo and the Sudo Platform, in order to improve these services. Data minimization principles are applied to limit which app events are collected along with what data elements are contained within those events. For example, app analytics events contain no location information — IP address or geographical representation. Analytics data that is collected is de-identified through techniques including tokenization, hashing and redaction. These techniques allow analysis for app analytics purposes without requiring the original data to be available to the analytics system.
Can I see and correct data about me?
Yes. Anonyome Labs supports certain legal rights as described in the European Union’s General Data Protection Regulation (GDPR) and similar data protection regulations, for example, the right to access, the right to correction, the right to suspension of processing and the right to erasure. To exercise these rights, users may contact Anonyome Labs via email at firstname.lastname@example.org with their request.
Could my data be sold?
Will I be asked for consent?
Almost all of the data processing that Anonyome Labs provides on behalf of MySudo users is necessary for the nature of the services that are provided, such as telephony or email communications that the user initiates. In these cases, the lawful basis for processing is to meet the legitimate interest of the MySudo user.
Through the MySudo app settings, a user can control their consent choices for whether anonymized app analytics information can be collected, and whether they wish to receive non-essential information from the MySudo team on using MySudo.
I hope I’ve provided an understanding of how Anonyome Labs remains true to its original ethos of empowering users to protect their private information. We’re committed to playing our role in the massive social and technological change underway in the field of consumer privacy and cyber safety.