This is exactly why I've become paranoid about what gets stored in cloud services, even ones I generally trust. The policy changes can happen overnight, and suddenly data you uploaded under one set of assumptions is now being used for something completely different.
To reduce this risk, either completely remove truly sensitive documents from cloud services or implement client-side encryption before uploading them anywhere. The key insight is that if the service can read your files to train models, you don't actually have privacy regardless of what the policy says today.
I'm building PrivaVault specifically because I got burned by a similar policy change last year. The approach is zero-knowledge encryption, where we literally can't read user documents even if we wanted to. Launching in 7 days if anyone wants to check it out, but honestly the broader principle applies: encrypt before it leaves your device, or don't be surprised when it ends up training someone's AI.
Personal data might include location or GPS data, your name
and billing address, and if you have to provide your ISP with a copy of your photo ID to prove you are 18 in order to get unfiltered access in the future, it probably will include that.
For global companies like Starlink, complying with the privacy laws of every country must be a nightmare. In fact, it really surprises me that they actually follow them to the letter in practice. I’d bet that internally and technically they aren’t fully complied with, but there’s no way to know
Frustrating they turn this on by default without an email to announce it. Only recent email I have from Starlink is advertising the 50GB roam plan changing to 100GB.
Starlink by virtue of being your ISP would have access to any DNS queries you send over the Internet over UDP port 53 in plain text. Starlink is also able to redirect those queries to their own servers. Even if you manually specify 8.8.8.8 or 1.1.1.1 Starlink can redirect traffic to their own DNS servers and return responses as if they came from those servers.
By itself DNS can tell a pretty detailed picture about you and what you do on the Internet without the need for SSL inspection or other deep packet inspection techniques.
I assume the traffic over Starlink is encrypted, so what exactly do they mean with "personal information"? Like the very basic customer details and everything they can get from their analytics?
For my taste the sentences are over the top and full of weasel words. It's not even something I'd call legalese because it just sounds so insincere.
- "We may share your personal information with our affiliates, service providers, and third-party collaborators" or
- “Share personal data with Starlink’s trusted collaborators to train AI models."
Initially I was very critical of GDPR but when I see these kind of vague formulations I'm really happy that as a European I can expect companies to provide an itemized list of people and companies they will share the data with, and what kind of security measures these subprocessors are employing.
There's still a lot of wiggle room for lawyers to work around GDPR limitation, but at least you'd know if their "trusted collaborators" and "affiliates" are Google or Facebook, are domiciled in a foreign country, or if they are just to some small data science consultancy.
This is exactly why I've become paranoid about what gets stored in cloud services, even ones I generally trust. The policy changes can happen overnight, and suddenly data you uploaded under one set of assumptions is now being used for something completely different.
To reduce this risk, either completely remove truly sensitive documents from cloud services or implement client-side encryption before uploading them anywhere. The key insight is that if the service can read your files to train models, you don't actually have privacy regardless of what the policy says today.
I'm building PrivaVault specifically because I got burned by a similar policy change last year. The approach is zero-knowledge encryption, where we literally can't read user documents even if we wanted to. Launching in 7 days if anyone wants to check it out, but honestly the broader principle applies: encrypt before it leaves your device, or don't be surprised when it ends up training someone's AI.
Personal data might include location or GPS data, your name and billing address, and if you have to provide your ISP with a copy of your photo ID to prove you are 18 in order to get unfiltered access in the future, it probably will include that.
For global companies like Starlink, complying with the privacy laws of every country must be a nightmare. In fact, it really surprises me that they actually follow them to the letter in practice. I’d bet that internally and technically they aren’t fully complied with, but there’s no way to know
So, use a good VPN. IMO, the main thing they’re actually useful for is protecting you against abuse from your own ISP.
I really hate this. Worse I just went into my account to opt out and whenever I try to save my preference it says "An error occurred".
Frustrating they turn this on by default without an email to announce it. Only recent email I have from Starlink is advertising the 50GB roam plan changing to 100GB.
This sounds bad. Does any other ISP do that? What sort of info could Starlink even see - the URLs?
Starlink by virtue of being your ISP would have access to any DNS queries you send over the Internet over UDP port 53 in plain text. Starlink is also able to redirect those queries to their own servers. Even if you manually specify 8.8.8.8 or 1.1.1.1 Starlink can redirect traffic to their own DNS servers and return responses as if they came from those servers.
By itself DNS can tell a pretty detailed picture about you and what you do on the Internet without the need for SSL inspection or other deep packet inspection techniques.
> the URLs
Only the domain ( https://en.wikipedia.org/wiki/Server_Name_Indication ).
I assume the traffic over Starlink is encrypted, so what exactly do they mean with "personal information"? Like the very basic customer details and everything they can get from their analytics?
For my taste the sentences are over the top and full of weasel words. It's not even something I'd call legalese because it just sounds so insincere.
Initially I was very critical of GDPR but when I see these kind of vague formulations I'm really happy that as a European I can expect companies to provide an itemized list of people and companies they will share the data with, and what kind of security measures these subprocessors are employing.There's still a lot of wiggle room for lawyers to work around GDPR limitation, but at least you'd know if their "trusted collaborators" and "affiliates" are Google or Facebook, are domiciled in a foreign country, or if they are just to some small data science consultancy.
https://starlink.com/legal/documents/DOC-1000-41799-67
Privacy policy here answers the question "What Personal Information Do We Collect? It's a lot.