EFF’s 2015 Data Privacy Report Lauds Apple, Dropbox, Slams Verizon

Digital rights organization the Electronic Frontier Foundation (EFF) has published its fifth annual Who has your back? report into online service providers’ transparency and privacy practices when it comes to government requests for accessing user data.

The organization notes a general transformation among major Internet players to be more transparent with users about data requests over the past four years. But for its latest report it’s tightened evaluation criteria, arguing that “it’s time to expect more from Silicon Valley”.

The report awards companies up to a maximum of five stars for performance in various areas, such as following what the EFF judges as “industry-accepted best practices”; telling users about government data demands; disclosing policies on data retention; disclosing government content removal requests; and taking what it dubs a “pro-user” public policy position, specifically opposing government-mandated backdoors in digital services.

Industry-accepted best practice (which gains a company one star) here breaks down to mean the company requires a warrant before handing over user content; publishes regular transparency reports; and publishes law enforcement guides. The EFF notes a full 23 of the 24 companies in this year’s report have adopted these standard principles.

No to government-mandated backdoors

The inclusion of a public position opposing backdoors follows debate in the wake of the Snowden revelations about the role of encryption, with some governments and intelligence agencies calling for companies to eschew strong encryption. “This year, given the reinvigorated debate over encryption, we are asking companies to take a public position against the compelled inclusion of deliberate security weaknesses or other compelled back doors,” writes the EFF.

In order to qualify for this star companies need to have blogged about their support for not deliberately weakening security, or detailed their pro-encryption position in a transparency report, or publicly signed a coalition letter, or stated their position through another “public, official, written format”.

The EFF says it found strong support almost across the board for opposing government-mandated backdoors, with 21 of the 24 companies evaluated taking a public stance against weakening security and endangering user privacy via backdoors.

“ISPs, cloud storage providers, webmail providers, and social networks are overwhelmingly aligned in rejecting government-mandated security weaknesses,” it notes.

Overall who’s doing well?

The EFF has awarded nine companies a full complement of stars (albeit some host little or no content so certain criteria may not apply). The nine are: Adobe, Apple, CREDO, Dropbox, Sonic, Wickr, Wikimedia, WordPress.com, and Yahoo. So there’s plenty of room for improvement across the tech industry generally.

The nine companies are commended for the full complement of pro-privacy and transparency positions, as well as — this year — for taking a public stance in defense of encryption.

Companies doing well but still with a little room for improvement include Facebook, LinkedIn, Pinterest, reddit and Twitter, which all have four stars.

The EFF notes that Facebook is still failing to fully disclose when it blocks content or closes accounts in response to government requests:

While Facebook does report on some content restriction internationally, it does not provide transparency into ways it cooperates with the U.S. government to block content and remove accounts. For example, EFF learned through a public-records request that Facebook processed 74 requests from California prison officials in 2014 to suspend inmate profiles. These takedown requests are not disclosed in Facebook’s transparency report.

For Twitter, the EFF also wants to see it strengthen its policy for notifying users of government requests. Currently Twitter only specifies that it “may” provide notice to a user “after an emergency has ended or a gag has been lifted” (i.e. in instances where it is prohibited from notifying a user prior to disclosure).

“While we appreciate Twitter’s forward progress on this issue, we urge it to go further and promise to give all users notice of government attempts to access their data,” writes the EFF.

LinkedIn needs to start reporting government requests to block content and accounts in order to improve its four-star rating.

For Pinterest to get top marks it needs to disclose more detail in its data retention policies — with the EFF noting its current policies are not detailed enough to meet its standards.

Meanwhile reddit just misses a full complement because it has not publicly defended encryption. “We urge reddit to take an official stance opposing government mandated backdoors,” says the EFF.

Newbie entrant this year, Slack, also has four stars. The report says Slack needs to improve its policies around providing users notice of government requests and clarify its data retention policies with regard to IP addresses to improve on that rating.

And who generally sucks?

The two companies singled out with “especially poor results” are U.S. telcos AT&T and Verizon (the latter is of course the company that’s in the process of buying TechCrunch’s parent company, AOL. #lolz). The EFF notes it’s a trend identified by its prior research for large telecom providers to fail to keep pace with the rest of the tech sector. And, let’s be honest, telcos lagging behind is hardly news — so it’s not like they only suck at privacy.

AT&T’s poor performance appears to be down to a failure to keep pace with the EFF’s new stricter criteria, as it notes the company “adopted all of the best practice we recognized in prior years’ reports”, adding: “We applaud those commitments and urge the company to integrate the new 2015 standards.”

For Verizon, the verdict is more ‘must do better’ — with the EFF saying it should have a stronger policy of informing users of government requests, disclose its data retention policies, and take a public position opposing back doors. The telco does not promise to provide advance notice to users about government data demands, and it does not publish information about its data retention policies, including retention of IP addresses and deleted content (perhaps this is why?).

Neither AT&T nor Verizon has taken a public stance against government-mandated backdoors. The only other company assessed by the EFF this year that has also failed to come out in public support of strong encryption is reddit, as noted above (reddit is also one of several newbies added in this year’s report).

Another of the new companies this year is Facebook-owned messenger app WhatsApp. The EFF notes it hasn’t done well either, despite being given a year’s notice of its inclusion, with just one star to its name. “WhatsApp earned credit for its parent company Facebook’s public policy position opposing backdoors and nothing else,” the EFF writes.

Middling performers, with three stars, are Amazon, Comcast, Microsoft, Google, Snapchat and tumblr.

Amazon is lauded for having a “turning point” year, with the company publishing a transparency report, law enforcement guidelines and opposing backdoors — but it still needs to strengthen its policy of notifying users of law enforcement requests and be clearer on its data retention policies, says the EFF.

Meanwhile Google is still failing to provide enough transparency about its data retention policies to achieve a higher rating. “Google publishes some information about log data and deleted data, but it is not complete and representative of all its services and thus does not qualify for a star,” notes the report.

The full EFF report can be found here (or PDF).

This report was updated to correct the EFF’s rating for Slack which the report initially stated as three stars — but subsequently corrected to four.
