This is not the relationship you want to see between a company with access to your private data and its affiliates.

When we reported on subscription-based search engine startup Neeva in June, most readers focused less on the search engine itself than on its privacy policy, which left something to be desired – especially given the option Neeva offers its users to search their emails through the service. Shortly after publication, Neeva's CEO Sridhar Ramaswamy contacted Ars to discuss what went wrong and how the company wanted to fix the problem.

Privacy policy updated

  • The particularly troubling sections on partners and advertisers in Neeva's original privacy policy have been completely removed.

    Jim Salter

  • The previous advertising notice was also removed. The biggest impact is on whether third-party tracking cookies can be expected to appear on Neeva itself.


  • With the recent update of Neeva's privacy policy, the data retention policy has been tightened.


Ramaswamy told Ars that the company's intention from the start was to provide a secure and privacy-friendly platform. But he added – and we're paraphrasing here – that "lawyers will be lawyers," and that it was "on him" that he hadn't examined the policy developed by the company's legal adviser closely enough. He told us that he had heard our readers' feedback loud and clear and promised to revise the policy to align it with the company's actual vision.

The above gallery shows the three areas in the policy that have changed since that call with Ars. References to third-party advertising, and to the tracking technologies associated with that advertising, have been completely removed. The main impact here is on whether third parties can be expected to intrude on the Neeva website itself, and this is important – it doesn't make much sense to pay a monthly subscription in return for privacy if your search metadata may be shared with the same giants you were trying to avoid in the first place.

The section on "partners" has also been removed entirely. Although it consisted of only one line – "Partner. We may share personal information with our affiliates" – this single, now-removed line voided almost every possible guarantee of data protection.

Under "Third Party Disclosure", a strange "data canary" statement – "We have not sold consumer personal data in the past 12 months" – has been replaced by the much clearer statement "We have never and never sold consumer data". The relationship between Neeva, its service providers and consumer data has also been clarified.

Finally, Neeva's data retention policy was updated and expanded. It now states that data collected automatically will be deleted after 90 days and that information provided by the customer (such as registrations and payment credentials) "will only be kept for as long as is necessary to fulfill the purposes for which it was collected." Exceptions are made for legal requirements, audits and the enforcement of the terms of use.

The only thing we weren't sure about is why data retention may be required to enforce ToS. We asked Ramaswamy again for clarification:

Example situation in which this could be the case: We terminate an account due to abuse of our terms of use and have to make sure that variants of the account do not return … Of course, we would only do this in situations where a problem occurred.

Ramaswamy also made a public statement outlining what has been changed in the privacy policy and why, and what pricing users can expect when the service goes live.

Focus on features

  • C++ programmers commonly get information about sexually transmitted diseases when looking for help with functions in the standard library.


  • We pointed out that anyone searching for "std::" instead of "std" is unlikely to want information about gonorrhea. A week later, Neeva had a solution.


Privacy gaffes weren't the only thing Ramaswamy wanted to talk to Ars about. He explained that the company's vision is partly to provide a necessarily smaller group of customers with better and more agile service than the large, free search engines can or will. He told us that user feedback submitted through text fields in the Neeva interface directly populates the company's private GitHub repository with new tickets, and further emphasized how generally open the company is to corporate requests.

When Ars spoke to Ramaswamy, the comment section on our original reporting was very active – and one complaint about search engines in general had drawn a lot of attention. Ars reader sir_trackmenot complained:

std::(anything) on Google always includes "I have these wounds, it's an STD thing", which annoys me. Does someone in my office have a sexually transmitted disease they're looking for?

A few pages later, fyo added further details:

If I search (standard list) without the brackets, I get a "featured excerpt" with a list of sexually transmitted diseases, followed by more than two pages of standard material before the next disease link is displayed.

Searching (std::list), I do not get an excerpt, but almost half a page of results (4) before the disease links appear.

Searching ("std::list") is even worse. Now the top 3 hits are disease links, followed by a mix led by a Microsoft documentation page for the list class of the C++ standard library that doesn't include the expression "std::list" anywhere on the page or in the page source (but since it's about the std::list class, it's not necessarily a *bad* result, just not what you'd expect if you used quotes).

When we pointed this out to Ramaswamy – and suggested treating "std::" as a completely different search term than "std" alone – he excitedly explained that this was an easy fix and exactly the type of feedback the company wants to see from subscribers. A week later, he sent us a before-and-after gallery of searches for the term std::list on Neeva, demonstrating the effects of the fix.

Caution is still required

We believe it is a good sign that Neeva responded quickly to feedback with clarifications to its privacy policy that both simplify and tighten it. Such responsive and significant changes are a sign of the company's serious intention to provide the kind of data protection that most users expect from a search engine.

While this is all well and good for searching publicly indexed data – websites, weather reports, etc. – we are not sure whether it goes far enough, or even can go far enough, for users who also want their email indexed by Neeva. It's hard to overestimate the damage a bad actor can do with access to someone else's email account. Just ask Wired writer Mat Honan, whose online life was rolled up like a rug eight years ago by an attacker who wanted his three-letter Twitter handle.

Despite all the good intentions in the world, providing a third party with credentials to access your email account represents a significant additional risk. The information in that account can be used to gain access to almost every conceivable service – both online and, increasingly, offline. Even more care needs to be taken with business emails. An employer's confidentiality policy can easily be violated by granting third parties access to a corporate email account.

