
Usage insights without the surveillance - Is it possible?
Jakob Gerhard Martinussen
Hi there 👋 I’m Jakob, the CTO at Cardboard. I want to tell you about Pulse, a tool we built to help companies stop paying for software nobody actually uses, without turning employees into surveillance subjects.
These unused licenses, “zombie subscriptions”, quietly drain company budgets. Money that, frankly, would be better spent on company retreats and lavish lunches, if you ask me.
We built Pulse as a usage insights tool, which immediately raises a red flag for many people when it comes to privacy. To explain why it shouldn’t, I should start by telling you two things about myself:
- My tin foil hat is well worn when it comes to technology. I get the heebie-jeebies whenever I use a free product; am I the user or the product? What is going on behind the scenes? What kind of personal information do they gather about me? Who do they sell it to? At times I take it to almost unpragmatic ends. I’ve DeGoogle’d myself, having to change my @gmail address across online accounts too many to count. I persistently urge my colleagues to use Firefox rather than Chrome, meeting empty stares in return. The list goes on. I’m that guy at the office.
- I, together with colleagues of mine, built Cardboard Pulse, a usage insights tool which identifies software you are paying for, but don’t actually use.
How do I square these two things, you might ask? I, a self-proclaimed stickler for privacy, built surveillance software to allow your boss to snoop into your browser history, seeing if you are working when you should, and what you are doing in your own free time?
Well, the answer is that we didn’t.
- We don’t allow your boss to snoop on when exactly you are working.
- We don’t allow your boss to see your browser history.
Those are two magical words, you see, when it comes to building privacy-first software. It’s just as much about what you don’t do as what you do build. When creating commercial software, you are presented with endless opportunities to sacrifice a seemingly minuscule amount of user privacy in favor of some other goal. Those things quickly add up, and you end up having built something that would make Zuckerberg proud.
So in this article I want to tell you about all those things we decided not to do when building Cardboard Pulse in order to create a privacy-first zombie subscription killer while not giving even the most ardent privacy advocate any sort of heebie-jeebies.
Minimalism — applies to data just as much as your living space
Our usage insights tool uses your browser history to identify which software you are using. On the face of it, that might sound Bad™, but here the devil is in the details. We have put a lot of effort into how to do this without invading your privacy. Alternative solutions out there provide the same insight we do by uploading the entirety of your browser history to “the cloud” and processing it. This has huge privacy implications, as the browser history is deeply personal for most people, and you shouldn’t have to provide that data to anyone, even your employer.
So how do we do it then? Let’s start with two tricks: filtering and masking.
- Client side filtering - Only send data from the browser to the server if it is identified beyond a doubt to be relevant.
- Client side masking - When a piece of data is identified as relevant, strip the data down to the bare minimum before sending it to the server.
This is a tad bit abstract, so let’s describe how our server, Cardboard, communicates with the browser extension, Pulse...
Pulse: The user has opted into providing their employer, Acme Inc., with data about which subscriptions they actually use. What subscriptions does Acme Inc. handle through Cardboard?
Cardboard: Acme Inc. uses GitHub (github.com), Linear (linear.app), and Notion (notion.so).
Pulse: Today the user has visited linear.app and notion.so.
Cardboard: Thanks! Please let me know if the user uses anything else.
That’s it, there’s not much more to it! Notice how little data is actually being shared by the browser extension to the server…
- Nothing about which exact URLs have been visited - otherwise we would be able to snoop on how you have used the software.
- Nothing about exact timestamps or durations - otherwise we would be able to snoop into when you are working.
- Nothing about any other subscriptions - otherwise we would be able to snoop into services which have nothing to do with what your employer is managing through Cardboard.
In other words, Pulse always errs on the safe side when deciding what to send to the server. If there is no legitimate interest, or the data can be twisted for nefarious purposes, it is not sent in the first place. And this brings us into…
Curation — a watchful eye looking out for the end user
In addition to applying filtering and masking, we also curate the list of subscriptions we allow the extension to report on. In other words, we explicitly disallow the extension from reporting usage of certain services and subscriptions even though they are managed through Cardboard. Reasons for such exclusion are:
- The service might be of a sensitive nature, such as an occupational health care service.
- The service might be used for personal reasons in addition to work, such as LinkedIn.
- There is no legitimate business reason for keeping track of the service, such as a commercial airline used for work travel.
Again, here we always decide to err on the safe side in favor of user privacy. Even though it might be of interest who is using LinkedIn Sales Navigator, for instance, it is impossible with our privacy-first approach to do that without starting to track personal use of LinkedIn.
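To make the filtering, masking and curation steps concrete, here is a sketch added for this article's readers; it is not Cardboard's code. The function names, the subdomain-matching rule, the shape of the payload and all sample data are assumptions made for illustration.

```javascript
// Added example, not Cardboard's code: client-side filter, mask and curate.
// Assumption: the server sends bare domains and the extension holds a
// curated exclusion list; all names and sample data here are constructed.

// Map a raw history URL to a managed domain, or null if it is not relevant.
function matchManagedDomain(rawUrl, managedDomains) {
  let host;
  try {
    const u = new URL(rawUrl);
    if (u.protocol !== "https:" && u.protocol !== "http:") return null;
    host = u.hostname.toLowerCase().replace(/\.$/, "");
  } catch {
    return null; // unparsable entries are dropped, never forwarded
  }
  // Exact match or true subdomain only, so "github.com.example.net" and
  // "notgithub.com" do not count as github.com.
  for (const d of managedDomains) {
    if (host === d || host.endsWith("." + d)) return d;
  }
  return null;
}

// Build the only payload that leaves the browser: a sorted list of domains.
function buildDailyReport(history, managedDomains, curatedExclusions) {
  const excluded = new Set(curatedExclusions.map((d) => d.toLowerCase()));
  const reportable = managedDomains
    .map((d) => d.toLowerCase())
    .filter((d) => !excluded.has(d)); // curation wins over the employer's list
  const seen = new Set();
  for (const entry of history) {
    const d = matchManagedDomain(entry.url, reportable); // filtering
    if (d) seen.add(d); // masking: path, query, time and counts are discarded
  }
  return { visited: [...seen].sort() };
}

// Constructed sample input.
const managed = ["github.com", "linear.app", "notion.so", "linkedin.com"];
const curated = ["linkedin.com"];
const history = [
  { url: "https://linear.app/acme/issue/ENG-42", visitTime: 1700000000000 },
  { url: "https://www.notion.so/Salary-notes-abc123?pvs=4", visitTime: 1700000500000 },
  { url: "https://www.linkedin.com/jobs/", visitTime: 1700000900000 },
  { url: "https://github.com.example.net/login", visitTime: 1700001000000 },
  { url: "https://news.example.org/article", visitTime: 1700001100000 },
  { url: "chrome://settings/", visitTime: 1700001200000 },
];
console.log(JSON.stringify(buildDailyReport(history, managed, curated)));
```

A useful review check for any extension built this way is to assert that the serialized payload contains no `/`, `?` or digits from the history entries, which catches accidental leakage of paths or timestamps when the code changes.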
Putting my money where my mouth is
All of these decisions (and more unmentioned ones!) result in a browser extension I can honestly say I trust completely, even as a privacy‑neurotic person. That statement may carry less weight coming from someone who helped build it, so I decided to remove the need for trust entirely.
I’ve made my own Cardboard Pulse profile publicly available here. While regular Pulse profiles are private, of course, I’ve explicitly opted into making mine public so anyone can inspect exactly what data is visible, and just as importantly, what isn’t.
Building privacy-first software isn’t about grand gestures. It’s about the accumulation of small, deliberate decisions to not collect data you could have collected, to not build features that would compromise trust, and to not take shortcuts that trade privacy for convenience.
At Cardboard, we believe you shouldn’t have to choose between effective workplace tools and your personal privacy. If you’re curious to see Pulse in action, or if you’re a fellow tin foil hat wearer who wants to dig into the technical details, we’d love to hear from you. After all, the best privacy advocates are the skeptical ones.
Photo by Kai Chen / Chen Media