Over the weekend, Kevin Mitnick tweeted a comment after reading our privacy policy. I responded with a couple of tweets but thought a more comprehensive response was warranted, because he raises a good point.

The first is to state clearly that we are not aiming to be a privacy/anonymity tool -- a la TOR -- for end users. The idea behind developing Silo was to create a secure browsing environment that is physically separate from the users device and local network. Most of our customers are businesses looking to contain the risks of accessing the web.

Having said that, there are attributes of using our service that might seem like they cater to those looking for privacy/anonymity. For instance, we present websites with our IP, not that of the user. We also filter various forms of scripts and active web content to deliver a clean page to our users and keep the user’s device free of typical browsing footprints like history and cookies.

We also have a configuration of our service that is specifically designed for InfoSec researchers looking to misattribute their location and browser fingerprint for the purposes of forensic investigation. So it’s perhaps understandable that we’ll get compared to things that aren’t quite equivalent.

As with any cloud service, we do collect some data in order to give customers roll up reporting of their users’ activity. We purge this data on a 90-day basis and retain only anonymized traffic statistics for internal capacity planning. We also allow a customer to encrypt all their data within our service using their own encryption key. If customers choose to do this, only they will have the ability to extract and access their data.


Finally, regarding the issue that Kevin raised of what we will disclose and to whom. This is where we need to take on his feedback and review some of the words in our privacy policy.

Here’s our intention: We believe your data is your data, no one else’s. We have no intention of sharing it with others for monetary gain or any other reason. What we do capture is disclosed, and as stated above, we provide a mechanism for you to encrypt all your data if you want. At the same time, we don’t want people using our service for things that are clearly illegal, and we defer to the legislators and the courts to determine that standard. We want to cooperate with law enforcement if they are investigating someone’s activity and release that data (if we have it). But it needs to be a formal request against a specific user.

That’s where we ran into trouble with Kevin. We made reference to “unethical” activity, which is not objectively defined. The way we worded it, it begs the question as to who is the arbiter of unethical activity. Clearly it’s not us, and we don’t want it to be. That’s the part of our privacy policy that we’ll revisit with this feedback and try to clarify.

We'll make an update to the privacy policy, and per our terms of service, we'll inform our users of the changes.