Enlarge/ This isn’t the relationship you want to see between a company with access to your private data and its affiliates.
44 with 33 posters participating, including story author
When we covered subscription-based search engine startup Neeva in June, most reader focus wasn’t on the search engine itself so much as its privacy policy, which left much to be desiredparticularly given the option Neeva gives its users to search their email via the service. Shortly after publication, Neeva CEO Sridhar Ramaswamy reached out to Ars to discuss what went wrong and how the company planned to fix it.Updated privacy policy
- The especially noxious Affiliates and Advertising Partners sections of Neeva’s original Privacy Policy have been entirely removed.
- The earlier reference to advertising was also removed. The major impact here is to what degree you might expect a third-party tracking cookie to show up inside Neeva itself.
- The last update to Neeva’s privacy policy tightens its policies on data retention.
Ramaswamy told Ars that the company’s intention was to provide a secure and privacy-respecting platform from the start. But, he addedand we’re paraphrasing here”lawyers will be lawyers,” and it was “on him” that he had not inspected the policies drafted by the company’s legal counsel closely enough. He told us that he heard our readers’ feedback loud and clear, and he pledged to overhaul the policy to bring it in line with the company’s actual vision.
The gallery above displays the three areas in the policy that have changed since the call with Ars. Both references to third-party advertisingand tracking technologies associated with such advertisinghave been entirely removed. The major impact here lies in expectations for third-party intrusions into the Neeva site itself, and it’s an important onethere isn’t much point in paying a monthly subscription in return for privacy if your search metadata might be leaking to the public giants you’re trying to avoid in the first place.
The section on “Affiliates” was also cleanly removed. Although it consisted of a single line only”Affiliates. We may share personal information with our affiliated companies”that single line, now removed, effectively nullified nearly every possible guarantee of privacy.
Under “Third Party Disclosure,” an odd “data sale canary” statement”We have not sold consumers’ personal information in the preceding 12 months”was replaced with the much clearer “We do not and never have sold consumers’ personal information.” The relationship of Neeva, its service providers, and consumer data also received some clarification.
Finally, Neeva’s data retention policy received an update and expansion. It now clearly states that automatically collected data will be deleted after 90 days and that customer-provided information (such as logins and payment credentials) will be kept “only as long as necessary to fulfill the purpose(s) for which it was collected.” Exceptions include laws, audits, and Terms of Service enforcement.
The only thing we weren’t certain about is why data retention might be necessary to enforce ToS. We reached out to Ramaswamy again for clarification:
Example situation where this might apply: We cancel an account for abusing our terms of service and need to ensure that variants of the account don’t come back… Obviously, we would do this only under situations where there was a problem.
Ramaswamy also issued a public statement expounding on what was changed in the privacy policy and why, along with hints as to what price point the service’s users can expect to see once it goes live.
Focus on features
- C++ programmers generally get treated to information on sexually transmitted diseases when searching for help with functions in the Standard Library.
- We pointed out that anyone searching for “std::” rather than “std” is unlikely to want information about gonorrhea. A week later, Neeva had a fix.
Privacy-policy gaffes weren’t all that Ramaswamy wanted to talk with Ars about. He explained that the company’s vision revolves in part around providing better and more nimble service to a necessarily smaller group of customers than the large, free search engines can or will. He told us that user feedback submitted through text boxes in the Neeva interface directly populated the company’s private GitHub repository with new tickets, and he went on to stress how generally open to feature requests the company is.
By the time Ars spoke to Ramaswamy, the comment section on our original coverage was very activeand one complaint about search engines in general had made quite a splash. Ars reader sir_trackmenot complained:
Std::(anything) on Google always includes “I have these sores, is it a STD thing” results which pisses me off. Does someone in my office have an STD that they’re looking up?
Several pages later, fyo added more detail:
Searching (std list), without the parentheses, I get a “featured snippet” with a list of sexually transmitted diseases, followed by over two pages of std::list stuff before the next disease link shows up.
Searching (std::list) I get no featured snippet, but just under half a page of results (4) before the disease links take over.
Searching (“std::list”) is even worse. Now the top 3 hits are disease links, followed by a mix lead by a Microsoft docs page for the c++ standard library list class which doesn’t actually include the phrase “std::list” anywhere on the page or in source (but since it is about the std::list class, it’s not necessarily a *bad* result, just not what one would expect when using quotation marks).
When we pointed this out to Ramaswamyand suggested treating “std::” as an entirely different search term than “std” alonehe excitedly declared that this would be an easy fix and that this was exactly the kind of feedback the company looks for from subscribers. A week later, he forwarded us a before-and-after gallery of searching the term std::list on Neeva demonstrating the impact that the fix made.
Caution is still advised
We believe it’s a good sign that Neeva responded rapidly to feedback with clarifications to its privacy policy, both simplifying and tightening it. Such responsive and substantial changes are a good sign of the company’s bona fide intent to provide the sort of privacy most users will expect from a search engine.
While this is well and good for search of publicly indexed datawebpages, weather reports, and so forthwe’re not sure it goes far enough, or even can go far enough, for users who choose to provide their email to Neeva to be indexed also. It’s difficult to overstate the amount of damage that can be done by a bad actor with access to someone’s email accountjust ask Wired writer Mat Honan, whose online life got rolled up like a rug eight years ago by an attacker who wanted his three-letter Twitter handle.
Even with all the good intentions in the world, providing a third party service credentials to access your email account represents substantial additional risk. The information in that account can be used to gain access to nearly every service imaginableboth online and, increasingly, offline as well. Even more care needs to be taken with business emailan employer’s own confidentiality policies can easily be violated by giving third parties access to a company email account.
