Who Cares About Your Data Privacy?
EFF thinks it’s time to expect more from Silicon Valley. They designed a report to take the basic principles of Who Has Your Back up a notch and see which companies were still leading the pack. Already, EFF’s newest report has had a similar effect on the industry as a whole, encouraging companies large and small to strive for more when it comes to standing by their users. In the months since they first told the companies what this year’s criteria would be, there has been a significant improvement in company practices.
► Nine Companies Receive All Available Stars: Adobe, Apple, CREDO, Dropbox, Sonic, Wickr, Wikimedia, WordPress.com, and Yahoo
► AT&T, Verizon, and WhatsApp Lag Behind Industry in Standing by Users
► Overwhelming Majority of Tech Companies Oppose Government-Mandated Backdoors
1. Industry-Accepted Best Practices. This is a combined category that measures companies on three criteria (which were each listed separately in prior years’ reports):
- Does the company require the government to obtain a warrant from a judge before handing over the content of user communications?
- Does the company publish a transparency report, i.e. regular, useful data about how many times governments sought user data and how often the company provided user data to governments?
- Does the company publish law enforcement guides explaining how it responds to data demands from the government?
Companies must fulfill all three criteria in order to receive credit.
2. Tell users about government data requests. To earn a star in this category, Internet companies must promise to tell users when the U.S. government seeks their data, unless prohibited by law, in very narrow and defined emergency situations, or unless doing so would be futile or ineffective. Notice gives users a chance to defend themselves against overreaching government demands for their data. The best practice is to give users prior notice of such demands, so that they have an opportunity to challenge them in court. EFF has therefore adjusted its criterion from prior years. They now require that the company provide advance notice to users except when prohibited by law or in an emergency, and that the company also commit to providing delayed notice after the emergency has ended or when the gag has been lifted. While EFF was drafting last year’s report, they let the companies know that they were going to make this adjustment for 2015, to give them a full year to implement procedures for giving delayed notice when appropriate.
3. Publicly disclose the company’s data retention policies. This category awards companies that disclose how long they maintain data about their users that isn’t accessible to the user (specifically including logs of users’ IP addresses and deleted content) in a form accessible to law enforcement. If the retention period may vary for technical or other reasons, the company must disclose that fact and should publish an approximate average or typical range, along with an upper bound, if any. EFF awarded this star to any company that discloses its policy to the public, even if that policy is one that EFF strongly disagrees with, for instance, if the company discloses that it retains data about its users forever.
4. Disclose the number of times governments seek the removal of user content or accounts and how often the company complies. Transparency reports are now industry standard practices. EFF believes that companies’ responsibility to be transparent includes not only disclosing when governments demand user data, but also how often governments seek the removal of user content or the suspension of user accounts and how often the company complies with such demands. They award a star in this category to companies that regularly publish this information, either in their transparency report or in another similarly accessible form. Companies should include formal legal process as well as informal government requests in their reporting, as government censorship takes many forms.
5. Pro-user public policies: opposing backdoors. Every year, EFF dedicates one category to a company’s public policy position. For three years, they acknowledged companies working publicly to update and reform the Electronic Communications Privacy Act. Last year, they noted companies that publicly opposed mass surveillance. This year, given the reinvigorated debate over encryption, they are asking companies to take a public position against the compelled inclusion of deliberate security weaknesses or other compelled back doors. This could be in a blog post, in a transparency report, by publicly signing a coalition letter, or through another public, official, written format. EFF expects this category to continue to evolve, so that they can track industry players across a range of important privacy issues.