وَلَا تَجَسَّسُوا
wa lā tajassasū
“And do not spy on one another.”
Privacy comparison
What mainstream SSO actually does with your data.
The verse above is not decorative. It is the standard against which the SSO providers below are measured. Tajassusin classical fiqh and tafsīr commentary means the active uncovering of private affairs — including by means of inference, aggregation, and cross-reference. The data architectures of the dominant SSO providers institutionalize tajassus. UmmahPassport exists because Muslims should not have to participate in that, even passively.
Every claim about Google, Meta, Apple, or Microsoft below is grounded in either the company’s own published privacy policy, a public regulatory action, or a court ruling. We do not make claims we cannot point to a verifiable source for.
Side-by-side · 8 dimensions
Pick the column where your users’ data should live.
| Dimension | UmmahPassport | Meta | Apple | Microsoft | |
|---|---|---|---|---|---|
Business model Where does the SSO provider's revenue come from? | Individual donations + relying-party services. No ads, ever, per Charter §I. | ~77% of revenue from advertising (Alphabet 10-K filings, multi-year). SSO data feeds the ad business. | ~97% of revenue from advertising (Meta 10-K filings). SSO and login data are part of the ad-targeting infrastructure. | Hardware + services. Search Ads exists ($5B+ annually per public estimates) but Apple ID is not directly monetized. | Software + cloud. Microsoft Advertising is ~10% of revenue. Less ad-pressured than Google/Meta but still ads-adjacent. |
Data combination Is sign-in data combined with the provider's other data about you? | No. SSO data is not combined with anything else. We hold no "other data" to combine it with. | Yes. Google's privacy policy explicitly states they combine information across services. The €50M CNIL fine (2019) was specifically for lack of transparency and consent on cross-service data combination. | Yes. Meta combines Facebook Login data with Facebook profile, Instagram activity, WhatsApp metadata, and off-platform tracking (Pixel, App Events). | Limited combination. Apple's published policy commits to not building advertising profiles from Apple ID activity. Some service-improvement combination remains. | Yes, within Microsoft's enterprise stack. Azure AD / Entra activity is combined with Microsoft 365 telemetry, Bing, LinkedIn, etc. |
Third-party app telemetry Does the provider track which third-party apps you sign into? | We log auth events for security only — not for analytics, not for targeting. Logs are accessible to you via the audit page; older than 90 days are purged. | Yes. Every "Sign in with Google" event is logged in your Google account's security history and used for personalization signals per Google's privacy policy. | Yes. "Facebook Login" events are recorded; the Facebook Pixel and App Events SDK report user activity from inside third-party apps back to Meta. | Apple logs auth events for security. Apple states it does not use this data for advertising. Hide-My-Email further isolates third-party apps from your real address. | Yes. Azure AD captures detailed sign-in logs available to enterprise tenants and used internally by Microsoft for service improvement. |
Tracking SDKs embedded in your app Does adopting the provider's SSO put tracking SDKs into your app? | No SDK required. Server-side OIDC integration; no JavaScript loaded from us into your app. | Google's reference "Sign in with Google" button loads JavaScript from accounts.google.com; that script can set cookies and observe page behavior on the integrating page. | Facebook Login SDK is the recommended integration; it loads scripts from connect.facebook.net and shares device + browser data with Meta from inside your app. | Sign in with Apple uses a script loaded from appleid.cdn-apple.com. Apple's published policy commits to not using this for advertising profiling. | MSAL.js library or server-side integration. The library is open-source; Microsoft does receive telemetry from it. |
Regulatory record Documented fines or rulings related to user-data handling. | Project is new (2026 launch). Track record yet to build. Independent technical council audits are in the published Charter as the accountability mechanism. | FTC: $5B settlement on YouTube children's privacy (2019). CNIL: €50M for lack of GDPR transparency (2019). Multiple subsequent state AG actions in the US. | FTC: $5B settlement post-Cambridge Analytica (2019). Irish DPC: €265M for data scraping (2022) and €1.2B for unlawful EU→US data transfers (2023). 87 million users affected in Cambridge Analytica disclosure. | Smaller record than Google/Meta. Some App Tracking Transparency enforcement actions; broadly viewed by regulators as the comparatively privacy-respecting major. | Less consumer-data history. Microsoft itself has been a target of EU competition action (browser bundling), not primarily privacy enforcement. |
State / law-enforcement requests How is the provider positioned re: government data requests? | Charter §I locks the project against state funding. Charter §III locks against state-friendly back doors. Transparency reports begin Year 1. | Google's own Transparency Report shows tens of thousands of US government data requests per year, vast majority complied with at least in part. | Meta's Government Requests Report shows hundreds of thousands of requests globally per year, ~75% compliance rate in the US. | Apple publishes transparency reports; receives fewer requests than Google/Meta on a per-user basis; comparatively higher friction for requesting parties. | Publishes transparency reports; comparable government-request volume to Apple on a per-account basis. |
Right to delete Can you delete your account and have data removed? | Yes, within 30 days per Charter §IV. Audit log of mass-deletion events published. | Yes, available via Google account controls. Deletion of Google account also deletes Gmail, Drive, etc. — significant friction. | Yes, available via account settings. Deletion of Meta account is reversible for 30 days; backup retention period not always clear. | Yes, via privacy.apple.com. Deletion of Apple ID is a significant action affecting purchases, devices, iCloud. | Yes, via account.microsoft.com privacy dashboard. Enterprise data governed by tenant policies, not user-controlled. |
Open source Can independent researchers audit the actual code? | SSO server, relying-party SDK, and security-sensitive code are open source per Charter §VI. | No. SSO server is proprietary. Some client libraries are open source. | No. SSO server is proprietary. | No. SSO server is proprietary. | Partial. MSAL libraries are open source. Server-side Azure AD code is proprietary. |
Military / state-surveillance contracts Does the SSO provider's parent company hold contracts with militaries or surveillance agencies? | No. Charter §I locks the project against state funding of any kind. No DOD, no intelligence agency, no foreign military contracts — ever. | Yes. Project Maven (Pentagon AI for drone targeting, 2018, partly walked back after employee protest). Project Nimbus ($1.2B contract with Israeli government incl. military and intelligence, joint with Amazon, 2021). Google Cloud + Palantir partnership (Feb 2024). | Documented coordination with state actors on content moderation per leaked internal documents ("Facebook Files," 2021). Meta's parent has no direct military contracts of the scale below, but the data flows are unrestricted. | Comparatively limited. Apple has resisted some FBI device-unlock demands publicly. iCloud is still subject to subpoena / NSL. Apple paused but did not fully renounce the 2021 client-side CSAM scanning proposal. | Yes. HoloLens IVAS contract ($21.9B with US Army, 2021). One of four prime cloud vendors on the DOD's JWCC contract (2022). Microsoft Azure + Palantir partnership (2022). |
Palantir / mass-surveillance ecosystem Does the provider's infrastructure host Palantir Gotham/Foundry — the platform underlying ICE, FBI, and NYPD operations including the documented surveillance of Muslim communities? | No. UmmahPassport infrastructure does not run Palantir products and does not host on cloud providers that have Palantir as a flagship customer for security-state workloads. | Yes. Google Cloud is an official Palantir AIP host platform per Google's Feb 2024 announcement of the partnership. | Not a Palantir host but maintains data partnerships and a long history of intelligence-community research access (e.g., CrowdTangle). | Apple does not host Palantir products in its consumer cloud. Apple does store iCloud data on Google and Amazon cloud infrastructure, transitively touching those vendors. | Yes. Azure announced a Palantir partnership in 2022; Palantir Foundry runs on Azure for selected customers. |
What makes UmmahPassport structurally different
Privacy as a structural property, not a marketing claim.
Privacy claims that depend on a company promising to behave well are weak. Privacy properties that emerge from how the project is structured — what the business model is, what data exists in the first place, what the published charter forbids — are strong. The list below is the second kind.
No advertising business, ever
Charter §I commits the project to no advertising business. This is the deepest privacy guardrail: the structural absence of the incentive to surveil. Every other SSO provider on this page is either an ad business or owned by one.
Minimum-claim handoff
When a partner app requests sign-in, we send only the claims that app explicitly requested and the user explicitly approved on the consent screen. No silent profile enrichment. No "bonus" claims piggybacking on the response.
Open-source implementation
The SSO server, the relying-party SDK, and the security-sensitive code are open source. Anyone with cryptographic literacy can verify that our privacy promises are implemented in the actual code, not just in marketing copy.
User-visible audit log
On your UmmahPassport dashboard you see every third-party app that has accessed your account, every login event, every claim that was shared. You can revoke any app's access immediately and the revocation is enforced at the token-introspection layer.
EU data residency option
EU users can opt to have their UmmahPassport identity stored on EU infrastructure, isolating them from the post-Schrems-II legal uncertainty around US-based SSO providers.
No third-party tracking pixels
We do not load Meta Pixel, Google Analytics, TikTok Pixel, or any other ad-tech SDK on UmmahPassport pages. Our own analytics is self-hosted and cookieless, served same-origin so nothing leaves our infrastructure, and it sets no identifying cookies.
Specific risk to Muslim users
For Muslim users, the linkage isn’t theoretical.
The infrastructure described above does not exist in the abstract. It has been applied to Muslim communities and Muslim-facing apps in documented, public ways. We name the cases below precisely so the risk is concrete, not hypothetical.
- 01
Muslim Pro / X-Mode → US Special Operations Command
In November 2020, Vice / Motherboard published an investigation showing that the X-Mode SDK, embedded in the Muslim Pro prayer-time app (~98M downloads at the time) and in Salaat First, was selling granular location data downstream to US military customers including US Special Operations Command. Muslim Pro removed the SDK after the reporting. The incident demonstrates that mainstream SDKs embedded in Muslim-facing apps have, in living memory, fed pseudonymized location streams into the surveillance machinery.
- 02
NYPD Demographics Unit surveillance of Muslim communities
The Associated Press's Pulitzer-Prize-winning 2011 investigation revealed the NYPD operated a Demographics Unit (later Zone Assessment Unit) that mapped, monitored, and infiltrated Muslim communities across the Northeast US — mosques, student associations, businesses, restaurants. The Unit was officially disbanded in 2014. The City of New York settled related lawsuits (Hassan v. City of New York; Raza v. City of New York) for $33M+ in 2018. The records of who was surveilled were never fully destroyed.
- 03
Palantir ICE / DHS contracts and Muslim-immigrant impact
Palantir Gotham has powered ICE's Investigative Case Management system since the early 2010s under contracts cumulatively exceeding $100M, publicly verifiable via federal procurement databases (USAspending.gov) and through FOIA releases obtained by organizations including Mijente, Just Futures Law, and Brennan Center for Justice. Muslim immigrants and refugees from the targeted countries of the 2017 "Muslim ban" Executive Orders are among the documented affected populations.
- 04
FBI watchlists and no-fly list disparities
The FBI's Terrorist Screening Database / no-fly list has been the subject of multiple federal lawsuits — Latif v. Holder, Tanzin v. Tanvir, Fikre v. FBI — establishing that the database disproportionately includes Muslim Americans without due process. Watchlist information flows into commercial-data ecosystems via licensed data brokers, which is one of the channels by which SSO providers' partner ecosystems can re-contact those identifiers.
- 05
Why this matters for SSO specifically
Every "Sign in with Google/Meta/Microsoft/Apple" event creates a record at a provider whose parent has documented commercial relationships with the surveillance ecosystem named above. A Muslim user signing into a Muslim charity, a Muslim political-organization platform, or a Muslim mental-health service is creating an authenticated linkage between their identity and that app on that provider's infrastructure. That linkage is a target. Mitigating the risk does not require believing any specific provider is currently weaponizing the data — it requires recognizing the linkage exists and is structurally available to any government that compels disclosure or contracts for downstream use.
An honest framing
We are not claiming any specific mainstream SSO provider currently weaponizes Muslim users’ identity data. We are pointing out that the same companies hold contracts with the militaries and agencies that have, in living memory, surveilled Muslim communities — and that those companies’ commercial partnerships make the data routinely available to ecosystem actors who do weaponize it. UmmahPassport exists because that risk is, structurally, unaddressable while the SSO sits on infrastructure adjacent to those agencies. We removed the adjacency.
Sources for every claim above
Read the receipts.
The comparison matrix names specific regulatory actions and figures. Each is sourced to a publicly accessible document. We invite you to verify any claim that seems surprising.
Google revenue mix (~77% advertising)
Alphabet Inc. Form 10-K, annual filings 2023–2024. Public on SEC EDGAR.
Project Maven (Google + Pentagon)
Reported in the New York Times and Gizmodo, 2018. Confirmed by Google employee open letter and subsequent Google statement on contract non-renewal.
Project Nimbus ($1.2B Google + Amazon + Israeli government)
Israeli Finance Ministry announcement, April 2021. Subsequent reporting in The Intercept (2022) on Nimbus's military and intelligence components.
Google Cloud + Palantir partnership
Joint Palantir and Google Cloud announcement, February 2024 — Palantir AIP available on Google Cloud Platform.
Microsoft HoloLens IVAS contract
US Army contract announcement, March 2021. $21.88B ceiling over 10 years.
Microsoft Azure + Palantir partnership
Joint announcement, August 2022. Palantir Foundry available on Azure.
AWS C2S CIA cloud + Palantir on AWS GovCloud
Original $600M CIA C2S contract announced 2013, since expanded under the C2E successor program (2020). Palantir Federal services run on AWS GovCloud per Palantir's published partner directory.
Muslim Pro / X-Mode data sale to US military
Vice / Motherboard investigation, November 16, 2020: "How the U.S. Military Buys Location Data from Ordinary Apps."
NYPD Demographics Unit
Associated Press investigation 2011–2012 (Pulitzer Prize winner). Hassan v. City of New York; Raza v. City of New York; $33M+ settlement reached January 2018.
Palantir ICE contracts
USAspending.gov, FOIA releases tracked by Mijente's "Who's Behind ICE?" reporting and Brennan Center for Justice records.
Meta revenue mix (~97% advertising)
Meta Platforms Inc. Form 10-K, 2023 fiscal year. Public on SEC EDGAR.
CNIL €50M fine against Google
CNIL deliberation SAN-2019-001, January 2019. "Lack of transparency, inadequate information and lack of valid consent regarding ads personalization."
FTC $5B settlement with Meta
FTC v. Facebook, Inc., No. 19-cv-2184 (D.D.C. 2019). Stems from Cambridge Analytica disclosure.
Irish DPC €265M and €1.2B fines against Meta
Data Protection Commission of Ireland enforcement actions, 2022 and 2023 respectively.
Cambridge Analytica scope (~87M affected)
Facebook congressional testimony, April 2018; affected-user figure published by Facebook.
Schrems II ruling on EU→US data transfers
Court of Justice of the European Union, Case C-311/18, July 2020. Invalidated the EU-US Privacy Shield framework.
FTC $5B YouTube children's privacy settlement
United States v. Google LLC and YouTube, LLC, FTC and NY AG, September 2019.
Mainstream provider transparency reports
Google: transparencyreport.google.com. Meta: transparency.meta.com. Apple: apple.com/legal/transparency. Microsoft: microsoft.com/en-us/corporate-responsibility/lerr.
Privacy policies and transparency reports are updated regularly by the named providers. If you find a claim that is no longer accurate based on the current document, write to us at corrections@ummahpassport.com and we will issue a versioned correction within 7 days — same right of reply we extend to anyone we publish about.