Privacy-friendly speed tests

TL;DR

With the requirements of the GDPR in mind, we conclude that the speed tests Astound speedtest, Cloudflare, Fast, Google Fiber, Internet Speed at a Glance and LibreSpeed are privacy-friendly.

Of these speed tests Cloudflare and Internet Speed at a Glance are the most privacy-friendly.

The least privacy-friendly speed tests are the Ookla Speedtest and SpeedCheck.

 

Contents

  1. Theory
    First we discuss what online privacy is and which aspects seem to be relevant
  2. Practice
    Secondly we test how privacy-friendly speed tests are in practice
 

Theory: Our definition of online privacy

To know which speed tests are privacy-friendly and which are not, it is important to know what exactly online privacy is.

Based on recurring elements mentioned in the collected definitions of online privacy further down this page, we will use this definition for online privacy.

Definition Online Privacy

Online privacy refers to the ability to control

  1. which data (if any) is shared
  2. when, how, and to what extent your data is shared
  3. when, how, to what extent and who can interrupt you

Collected definitions of online privacy

An internet search yields the following definitions of online privacy:

  1. (...) The standard definition of privacy incorporates two important elements: “the state of being alone and not being watched or interrupted by other people.” (...) Source: Bitdefender
  2. (...) Online privacy, also known as digital privacy or internet privacy, refers to your ability to protect and control your personal information while online (...) Source: Builtin
  3. (...) Online privacy, also known as internet privacy or digital privacy, refers to how much of your personal, financial, and browsing data remains private when you’re online (...) Source: Clario
  4. (...) The definition of online privacy is the level of privacy protection an individual has while connected to the Internet (...) Source: Winston & Strawn LLP
  5. (...) Online privacy can be defined as the level of protection that an individual and their personal data has while connected to the internet (...) Source: StudySmarter
  6. (...) Internet privacy involves the right or mandate of personal privacy concerning the storage, re-purposing, provision to third parties, and display of information pertaining to oneself via the Internet (...) Source: Wikipedia
  7. (...) data privacy is the measure of control that people have over who can access their personal information (...) Source: GDPR
  8. (...) Internet privacy refers to the ability to control the information shared online (...) Source: Smowltech
  9. (...) Internet privacy refers to the protection of personal and sensitive information of individuals while they use the internet (...) Source: DevX
  10. (...) Privacy is the assurance that your data is only seen by the parties you intend to view it (...) Source: Privacy Guides
  11. (...) Broadly speaking, privacy is the right to be let alone, or freedom from interference or intrusion (...) Source: IAPP
  12. (...) being able to choose who knows what about you (...) Source: San José Public Library
  13. (...) Internet privacy (online privacy) (...) encompasses the ability of individuals to determine what information they share, with whom it is shared, and how that information is used (...) Source: Reputation X
  14. (...) a common understanding of privacy is the right to determine when, how, and to what extent personal data can be shared with others (...) Source: The Internet Society Uganda Chapter (PDF)
  15. (...) Privacy is about retaining the ability to disclose data consensually, and with expectations about the context and scope of sharing (...) Source: The Internet Society
  16. (...) Privacy etymologically means “state of being alone and not watched by others” (...) Source: GeeksforGeeks

How can a speed test optimally guarantee your privacy?

The W3C has created this list of principles regarding privacy for browser developers, authors of web specifications, reviewers of web specifications and web developers.

Some principles are:

  1. (...) System designers should not assume that particular information is or is not sensitive. Whether information is considered sensitive can vary depending on a person's circumstances and the context of an interaction, and it can change over time (...)
  2. (...) Whenever possible, processors should work with data that has been de-identified (...)
  3. (...) Information about privacy-relevant practices should be provided in both easily accessible plain language form and in machine-readable form (...)

Data minimisation

Therefore, if speed tests want to be safe in terms of online privacy, they should only use the essential data needed to perform the speed test. Note that data minimisation is also a GDPR principle.

That said, an online speed test should, in theory, only require an IP address during the test to know who to show the web page to.

Consciously and unconsciously shared data

In addition to the IP address, much more information is often shared unnoticed by your browser with the web server. Examples of this include the operating system of your computer, the dimensions of the computer screen, the browser used, the fonts installed on your computer and the website where you clicked on a link to “this” page. This is seemingly trivial technical information required to display a web page correctly.

However, such data can easily be used to estimate what kind of Internet user you are (an average Windows user, a geek, an Apple fan).

Device Info and WhatLeaks are websites that provide insight into what information your browser shares when you visit a website.

Note that the EFF has created a website called Cover Your Tracks, which helps you understand how easy it is to identify and track your browser based on how it appears on websites.

If you use Cover Your Tracks, you will see that your browser's fingerprint is also analyzed. A browser fingerprint is a brief identifier based on the unique combination of properties of your browser.

Device fingerprinting can collect long-term data from your browsing history, even if you try to avoid tracking by, for example, refusing cookies.
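To make the point about "seemingly trivial" properties concrete, the following added example (not part of the original article) measures how identifying a combination of browser properties is within a small, constructed visitor population. The attribute names and the eight sample visitors are assumptions made for illustration.

```python
import hashlib
import math

KEYS = ("os", "screen", "browser", "fonts")

# Constructed sample population: eight visitors as a web server might see them.
POPULATION = [
    {"os": "Windows", "screen": "1920x1080", "browser": "Chrome", "fonts": "default"},
    {"os": "Windows", "screen": "1920x1080", "browser": "Chrome", "fonts": "default"},
    {"os": "Windows", "screen": "1920x1080", "browser": "Firefox", "fonts": "default"},
    {"os": "Windows", "screen": "1366x768", "browser": "Chrome", "fonts": "default"},
    {"os": "macOS", "screen": "1440x900", "browser": "Safari", "fonts": "default"},
    {"os": "macOS", "screen": "1920x1080", "browser": "Chrome", "fonts": "default"},
    {"os": "Linux", "screen": "1920x1080", "browser": "Firefox", "fonts": "extra"},
    {"os": "Linux", "screen": "2560x1440", "browser": "Firefox", "fonts": "default"},
]


def fingerprint(attrs, keys=KEYS):
    """Brief identifier derived from the combination of properties."""
    material = "|".join(f"{k}={attrs[k]}" for k in keys)
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def anonymity_set(population, attrs, keys=KEYS):
    """Number of visitors that share the given properties (including yourself)."""
    return sum(all(p[k] == attrs[k] for k in keys) for p in population)


def surprisal_bits(population, attrs, keys=KEYS):
    """Bits of identifying information: -log2(share of visitors that match)."""
    return -math.log2(anonymity_set(population, attrs, keys) / len(population))


def report(population, attrs):
    """Bits revealed by each property alone and by all of them combined."""
    rows = {k: round(surprisal_bits(population, attrs, (k,)), 2) for k in KEYS}
    rows["combined"] = round(surprisal_bits(population, attrs), 2)
    return rows


if __name__ == "__main__":
    visitor = POPULATION[2]  # an ordinary Windows + Firefox user
    print(fingerprint(visitor), report(POPULATION, visitor))
    print("visitors sharing this fingerprint:", anonymity_set(POPULATION, visitor))
```

Each property of the third visitor is shared with at least three of the eight visitors, yet the combination matches nobody else, which is why data minimisation has to consider the set of properties as a whole.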

PrivacyTests.org contains the results of open source testing of web browser privacy. If you doubt the security of your browser based on the Cover Your Tracks results, it is best to use a more secure browser.

Cookies and similar technologies

Data can also be shared unnoticed with cookies and similar technologies. Many cookies do not pose a privacy problem. A specific type of cookies, namely tracking cookies, can infringe on your privacy.

Scientific research into correct cookie use

The Amsterdam Law School concluded in March 2024 in the Automated Large-Scale Analysis of Cookie Notice Compliance study (PDF) that the vast majority of websites using cookies contained at least one privacy violation.

Some of their findings are:

  1. 26.1% of websites do not declare adequate data collection purposes in their cookie notices
  2. 56.7% of cookie notices do not include an option to opt out of consent
  3. 65.4% of websites with an opt-out option collect users’ data despite explicit negative consent
  4. 73.4% of websites collect users’ data even when users do not interact with the cookie notice
  5. 90.2% of websites contained at least one privacy violation. These violations are summarized as red bars in Fig. 4.

An overview of cookie related privacy violations (from the study Automated Large-Scale Analysis of Cookie Notice Compliance of the Amsterdam Law School)

Companies such as Google realize that tracking cookies are not desirable. Hence it is concluded that Tracking Cookies are Dead.

Similar technologies are web tracking technologies like web beacons, Supercookies (Evercookies) and the earlier mentioned browser fingerprint. So it is clear that there are many options to track you.

Given emerging technologies such as Global Privacy Control, it increasingly appears that nuance is lacking and it is becoming all or nothing. Yes, you can follow me and build a profile. Or no, you're not allowed to know anything about me.

That being said, it is high time to make a judgment about the privacy-friendliness of speed tests.

 

Practice: Privacy-friendly speed tests

To assess how privacy-friendly speed tests are, we look at the following aspects:

  1. How your IP address is used
  2. How cookies (if any) are handled
  3. Whether advertisements are shown
  4. Whether you are sufficiently informed
  5. Whether you can make contact regarding privacy issues

Because a little privacy-friendly is like being a little pregnant, we consider a speed test to be privacy-friendly if it scores well on all these aspects.

Your IP address

It's difficult to figure out what's happening to your IP address when you use a speed test.

The number of options to find out is limited. You can read the privacy policy and try to find out how the speed test handles your IP address. You can also contact the privacy officer to ask what happens to your IP address.

We have done the above for this research and do not dare to draw firm conclusions for most speed tests.

It seems like almost all speed tests have no interest in your IP address and don't do anything special with it. In most cases, the IP address is stored in a technical log. Only M-Lab is known to store the IP address for research purposes (although there is debate within M-Lab as to whether this is actually necessary).

The following speed tests indicate that they do nothing at all with your IP address:

  1. Cloudflare
  2. Open Speed Test
  3. SpeedSmart
  4. TestMy.net

Cookies

We have extensively investigated how cookies are used through the following tests: Counting cookies, Strictly necessary cookies, Users' consent, Speed tests with a cookie wall and Accept all cookies.

Based on these tests, we concluded that only speed tests without cookies do nothing, absolutely nothing wrong with cookies.

These speed tests are:

  1. Astound speedtest
  2. Cloudflare
  3. Fast
  4. Google Fiber
  5. Internet Speed at a Glance
  6. LibreSpeed

Note that based on the Strictly necessary cookies test we conclude that all speed tests tested that use cookies do not comply with the cookie law (and therefore do not comply with the GDPR).

This is consistent with the above-mentioned research by the Amsterdam Law School.
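A check of this kind can be scripted. The following added example (not the method or tooling used for the tests on this page) audits the `Set-Cookie` headers captured on a first page load, before any interaction with the cookie notice, and lists cookies that are third-party or long-lived. The host names, sample headers and the one-day threshold are constructed assumptions, and the domain comparison is simplified (no public suffix list).

```python
def parse_set_cookie(header):
    """Extract name, Domain and Max-Age from one Set-Cookie header value."""
    first, *attrs = [part.strip() for part in header.split(";")]
    name, _, _value = first.partition("=")
    cookie = {"name": name, "domain": None, "max_age": None}
    for attr in attrs:
        key, _, val = attr.partition("=")
        key = key.lower()
        if key == "domain":
            cookie["domain"] = val.lstrip(".").lower()
        elif key == "max-age" and val.lstrip("-").isdigit():
            cookie["max_age"] = int(val)
    return cookie


def audit(page_host, responses, max_days=1):
    """responses: (request_host, Set-Cookie value) pairs seen before any consent.

    Returns (name, domain, reasons) for every cookie that needs a closer look.
    max_days is an assumed review threshold, not a legal limit.
    """
    findings = []
    for host, header in responses:
        cookie = parse_set_cookie(header)
        domain = cookie["domain"] or host
        reasons = []
        # First-party if the page host equals the cookie domain or is a subdomain of it.
        if not (page_host == domain or page_host.endswith("." + domain)):
            reasons.append("third-party")
        if cookie["max_age"] is not None and cookie["max_age"] > max_days * 86400:
            reasons.append(f"persists {cookie['max_age'] // 86400} days")
        if reasons:
            findings.append((cookie["name"], domain, reasons))
    return findings


# Constructed capture of a first visit to a hypothetical speed test page.
CAPTURED = [
    ("speedtest.example.test", "sid=abc123; Path=/; HttpOnly; Secure"),
    ("speedtest.example.test", "_visitor=9f2c; Domain=example.test; Max-Age=63072000; Path=/"),
    ("ads.tracker.test", "uid=77aa; Max-Age=31536000; SameSite=None; Secure"),
]

if __name__ == "__main__":
    for name, domain, reasons in audit("speedtest.example.test", CAPTURED):
        print(f"{name} ({domain}): {', '.join(reasons)}")
```

A speed test without cookies produces an empty capture and therefore no findings; whether a flagged cookie is strictly necessary still has to be judged by a person.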

Advertisements

The presence or absence of advertisements is about half and half. We consider the following speed tests to be privacy-friendly because they don't show advertisements:

  1. Astound speedtest
  2. Bredbandskollen
  3. Cloudflare
  4. Comparitech
  5. Fast
  6. Google Fiber
  7. Internet Speed at a Glance
  8. LibreSpeed
  9. M-Lab
  10. N Perf
  11. SamKnows
  12. SpeedOf.me API Sample Page
  13. SpeedSmart
  14. Speedtest4.PHP
  15. Which Broadband Speed Test
  16. Xfinity xFi Speed Test

Information

An important condition for having control over your online privacy is that you are well informed.

We have therefore checked which speed tests have a privacy policy and whether it is easy to read.

Toast has by far the most readable privacy policy.

With a reading time of over fifteen minutes, we suspect that the privacy policies of the speed tests below are rarely or never fully read:

  1. Ookla Speedtest
  2. Google Fiber
  3. Cloudflare
  4. Astound speedtest
  5. Which Broadband Speed Test
  6. SpeedCheck
  7. M-Lab

Note that the Ookla Speedtest and Google Fiber have by far the longest privacy policies with an estimated reading time of over 40 minutes.

Although Cloudflare has an extensive privacy policy, they clearly indicate in their pop-up banner what they do with your IP address. Therefore, we cannot say that Cloudflare provides bad information to its users. On the contrary, Cloudflare informs its speed test users very well.

That said, these speed tests have a relatively fine privacy policy:

  1. Cloudflare
  2. Internet Speed at a Glance
  3. SamKnows
  4. TestMy.net
  5. Toast

Contact

All speed tests have a contact option.

However, when we used these contact options to ask what happens to your IP address, most contacts did not react at all within 9 weeks.

The following contacts responded quickly:

  1. Internet Speed at a Glance
  2. M-Lab
  3. N Perf
  4. Open Speed Test
  5. SpeedSmart
  6. TestMy.net
 

Conclusions

Based on our findings we created a Venn diagram of privacy friendly speed tests.

A Venn diagram which shows the several privacy aspects

This Venn diagram clearly shows that Cloudflare and Internet Speed at a Glance are the most privacy-friendly speed tests.

Second best are SpeedSmart and TestMy.net.

  1. Cloudflare is ads-free, cookie-free and informative. Besides that, they handle your IP address in a privacy-friendly way
  2. Internet Speed at a Glance is ads-free, cookie-free and informative and has a usable contact
  3. SpeedSmart is ads-free, handles your IP address in a privacy-friendly way and has a usable contact
  4. TestMy.net is informative, handles your IP address in a privacy-friendly way and has a usable contact

We consider the Ookla Speedtest and SpeedCheck to be the least privacy-friendly speed tests.

They place an excessive number of cookies and have a privacy policy with a reading time of more than fifteen minutes.

Check, check, double check

There are online tools that allow you to check to what extent a website complies with the GDPR. When we test the speed tests with Sovy GDPR scan and 2GDPR, we find that the Sovy GDPR scan does not produce meaningful results and that the 2GDPR test does not actually add anything to the cookie tests we previously performed.

These online tests offer no added value, apart from a first impression.