The Electronic Frontier Foundation (EFF) has released the latest version of its 'Who Has Your Back?' report and accompanying infographic, and it makes for interesting reading, once you appreciate what the EFF is actually measuring: how well a handful of leading tech companies protect user data from government requests, scored as the answers to a small set of yes or no questions. It is not an assessment of privacy in the larger scheme of things, only from that particular angle.
That said, let's look at how the EFF came to the conclusions shown in the accompanying graphic. Essentially, the organisations concerned were asked, on a yes or no basis remember, whether they met five criteria regarding government access to user data in the post-Snowden era: following industry-accepted best practice, informing users about government data access demands, disclosing their data retention policy, disclosing government content removal requests, and having a pro-user public policy that opposes encryption back doors. Here's the broad breakdown.
When it comes to 'following industry-accepted best practice' relating to government demands for data access, just about every company questioned earned the star. The notable exception was WhatsApp, with the messaging app failing to be awarded a star in the EFF chart courtesy of two transgressions: it didn't require a warrant before handing user data over to the government, and it didn't publish any kind of transparency report either. Oops.
Moving on, how did the companies fare on 'informing users about government data demands'? This category was essentially about whether the organisation concerned had a policy in place promising to give users notice, in advance or after a legally required period of silence, of any data being passed to law enforcement. Although more than half the companies questioned did get the star, and the EFF had notified all of them a year ago that it was adding this new category to give them time to prepare, there were some pretty notable exceptions. Amongst them were Amazon, Google, Snapchat and Twitter, although Google and Twitter do have policies to notify users, with exceptions for emergencies and for periods covered by a gag order.
Amazon and Google, along with WhatsApp again, also failed the 'disclosing data retention policies' category. This one looks at transparency about deleted data. Although the EFF didn't require companies to actually delete all such data, it did require them to be clear about what really happens to data a user has 'deleted'. AT&T, Microsoft, Pinterest, Tumblr and Verizon join the companies already mentioned in failing what you would think would be a pretty easy privacy test to pass.
OK, so what about the sticky question of disclosing government content removal requests? Unsurprisingly, given that it was the inspiration for including this category, Facebook failed to make the grade here. Facebook has an Inmate Account Takedown Request form used by prison officials to prevent inmates from accessing social media. Along with Facebook, LinkedIn, Microsoft and Tumblr also failed to disclose how often they take down content or close accounts when requested to by the government.
Which brings us nicely to perhaps the most current and controversial of the categories: whether the company has a pro-user public policy opposing government-mandated encryption back doors. The really good news is that the vast majority of them do, with most tech companies taking the line that deliberately introducing vulnerabilities is not a sensible approach to security. However, the bad news (and potentially bad news for the companies concerned, now that the report is out) is that three of them have not publicly opposed back doors, or at least have not announced their opposition. Those three companies are AT&T, Verizon and Reddit.
Here's what the EFF has to say about its report findings:
"We are pleased to see major tech companies competing on privacy and user rights. Practices that encourage transparency with users about government data requests are becoming the default for companies across the web. While we’re only able to judge a small selection of the tech industry, we believe this is emblematic of a broader shift. Perhaps invigorated by the ongoing debates around government surveillance and in response to growing public attention around these issues, more and more companies are voluntarily speaking out about government data requests and giving users tools to fight back. We think that this type of transparency can help prompt broader discussion and systematic change about how and when governments access user data and perhaps eventually prompt Congress to clarify and improve the privacy laws for digital data. We also recognize that technology companies are in a position to know about and resist overbroad government requests, so we need to do everything within our power to encourage them to speak out and fight back. In handing our data to these companies, we’ve handed them a huge responsibility to do what they can to stand up for privacy. We’re pleased that many of the companies we evaluated are stepping up to the task."