Designing for Privacy - the TunnelBear Map
At TunnelBear, we spend a lot of time thinking about your personal information and how we can prevent ourselves from coming into contact with it. Preventing your IP address from being collected is something we pay particularly close attention to.
Identifying all the ways we can potentially see your IP when you interact with TunnelBear, and removing those possibilities before they happen, takes consistent effort. As we create, test and implement new features we need to ensure we’re not storing your IP address anywhere.
One example of this challenge is how we figure out where to place your Bear on the map when you open TunnelBear. Having a starting point for your tunnel helps you choose the right tunnel for your needs, but to do that we need to display your location without storing your IP on our servers.
How your device figures out where you start on the TunnelBear map
TunnelBear operates a GeoIP2 database that gives your device a way of finding your starting location, without us having to store your IP address.
Whenever you connect to TunnelBear, your device sends a request to our GeoIP2 database. The database then returns location coordinates that your device can use to place you on the TunnelBear map.
The GeoIP2 lookup is done with your IP momentarily processed in memory. The instant we return your device’s request, your IP is wiped from memory so that our server never stores it.
When your TunnelBear app receives your location coordinates, they’re temporarily stored locally on your device to create the map visualization. When you connect from a new IP, the old location data stored on your phone is replaced with your new coordinates.
Storing your location data on your device only, and not on our server, allows your TunnelBear to connect faster to the right server for your needs, while making sure we never know where you are.
Designing for privacy
Approaching new feature from a privacy-first perspective means every new feature has its data requirements rigorously evaluated to ensure we don’t collect personally identifiable information. In some cases this means limiting a new feature, in other cases it means certain features are never built at all.
. . .every new feature has its data requirements rigorously evaluated. . .
With the map, we’ve found a way to use something sensitive, like your IP address, in a way that respects your privacy and creates a better TunnelBear experience. By thinking through how to design for privacy, we’re able to provide fun features without the need to store personal data.