Privacy concerns - What data is collected by Mylio App (not website)?

I am considering to pay for a Mylio license as I really like the privacy-oriented approach of the software.

Photos are stored on devices so users keep ownership, and are encrypted before being optionally sent to a cloud.

However, privacy is not only about where the pictures are stored, but also about which (meta)data are collected by Mylio / its partners. For aggregator companies, metadata data are the most interesting part of our photos files.

  • I took a look at the debug console in Mylio and noticed a lot of requests to Google servers, like:
2021/10/12 17:42:11.942 210 Callback (Status 70): https://www.google-analytics.com/collect, Handle: 0x0000000000CC0008
2021/10/12 17:42:02.379 1C4 CallbackResponse - requestId: 30,  result: ,  statusCode: 200,  time: 18,  url: https://www.google-analytics.com/collect,  payLoadSize: 35
2021/10/12 17:41:51.823 1C4 Callback (Status 60): https://www.google-analytics.com/collect, Handle: 0x0000000000CC0004

I do not use Google Drive with Mylio. Which data are collected exactly? Are some of my photos’ metadata sent to Google?

  • There are also many requests to Mylio servers, like:
2021/10/12 17:42:38.062 B58 Callback (Status 70): https://merkle3account.mylio.com/accounts/XXXredactedXXX/ping, Handle: 0x0000000000CC0008
2021/10/12 18:27:59.342 010 Status request complete called https://merkle3account.mylio.com/accounts/XXXredactedXXX/ping: handle: (0000000000CC000C)

I do understand that a few requests need to be made to Mylio’s server, e.g. to check the license. But is it necessary to have dozens of requests per minutes? What is the purpose of this?

  • I also wonder if the face recognition and OCR features are performed locally on the device, or if they are sent to a cloud to be processed and returned to the device?

  • More generally speaking, I was surprised to find no privacy policy in the App.
    For a quite privacy-focused solution, this seems to me as a bare minimum. But maybe I missed something? I only found the privacy policy that covers the website: Privacy Policy - Mylio.

I hope someone at Mylio can provide more info.

Thanks in advance to the Mylio Team and the community!

1 Like

No idea on the Google Analytics - but the Mylio servers are not (just) for licensing. They’re used for a variety of technical purposes:

Mylio’s servers are required to negotiate direct “peer” connections between Mylio devices over the Internet thru firewalls (STUN, Signal, etc protocols) - where the devices normally can’t “see” each other on the network. Depending on your network config in some cases the Mylio servers may also need to provide packet-relay service between firewalled Mylio devices over the Internet (TURN protocol).

Also if you use any of Mylio’s 3rd-party Cloud service options - Mylio’s servers also cache some of your non-image database information (mostly replication state, I believe) - in order to allow asynchronous syncing between the cloud and your devices (eg devices not always turned on/connected).

1 Like

Hello there - I will surface this request to our CEO, but there’s a few things I’m happy to share and respond to.

1 - all Image processing (Face recognition, OCR, etc.) is done on the devices - that’s the way the app is designed and we don’t even have a cloud server presence for this sort of work. What’s cool (IMO) is that whatever devices you have online can share that workload, so the processing is not happening redundantly.
2 - None of your photos metadata is kept outside of your devices, and definitely not shared with any third party services. We do capture generic trend activity and data (like what devices types or OS is used the most, for example) but that’s all anonymized. We are in the photo organization business and SAAS model, capturing and selling data is in no way part of our business model.

Thanks for these preliminary answers
.

It would be nice to know in which state data is passing through Mylio’s servers (encrypted, E2E encrypted) and how long data is kept.

Same; more (official) info would be appreciated.

This is good to hear!

I believe what you say, but if Google code is in Mylio’s App, then it really depends on the way it is implemented and what data Google has access to.

If Google analytics js code has access to all the keywords displayed in Mylio while browsing pictures, then ultimately we are not that far off from putting everything in Google Photos. Theoretically, I might run into ads on the web based on the keywords captured by Google Analytics within Mylio - despite Mylio not using/selling those info at all.

But again, a Privacy Policy, or at least a page with more transparent description of what data leaves the devices to which company (Mylio or third party) would solve this kind of questions, as it really depends on how things are implemented… (Is that something planned?)

1 Like

Hello. I am that infamous (?) CEO. To answer the last question first, we do plan to have a Privacy Policy; it is one more thing on our list of things to do. Right now, for example, Dedup and Cloud Sharing are high on that list.

We do use Google Analytics but it does not have access to metadata and particularly not to keywords. Face recognition is done entirely locally and none of that work every leaves your devices. As described above the information we do keep in the cloud is primarily to either confirm who you are or to allow machines to connect with each other over the internet.

Does this help?
David

Privacy and Google Analytics do not go together (even if Google Analytics is used differently).

1 Like

True, there are competing alternatives to collect app usage data other than Google in order to get the desired data and respect the customers privacy at the same time.

It is an issue that Google Analytics is used (no matter how). Google Analytics has NOTHING to do in applications, especially when advertised with privacy.
I hope that Google Analytics will be removed.

2 Likes