
EFF Reviews Privacy Practices of Online Service Providers

During 2016, the US government made 49,868 requests to Facebook for user data; 27,850 requests to Google; and 9,076 requests to Apple. Governments will not stop making these requests, since the internet has become a major avenue for mass surveillance. The real issue is to what extent internet companies will seek to protect their users' data from unwarranted government intrusions.

Each year, the Electronic Frontier Foundation (EFF) publishes its 'Who Has Your Back' analysis of the basic privacy policies of major online service providers. It looks at five primary characteristics:

• Best privacy practices (including a satisfactory public, published policy and a published transparency report)

• Informs users about government data requests (in advance of actually handing over any data)

• Refusal to hand over data without legal requirement (including by leakage or sale to third parties)

• Stands up to National Security Letter (NSL) gag orders (with a public pledge to invoke the right to seek judicial review of all indefinite gag orders)

• Has a pro-user public policy (including support for reform of Section 702 of the FISA Amendments Act that will reduce the collection of information on innocent people).

A star is awarded for each category satisfied by the provider. In this year's report (PDF), nine out of 26 evaluated companies have been awarded five stars: Adobe, Credo, Dropbox, Lyft, Pinterest, Sonic, Uber, Wickr, and WordPress.

Telecoms companies generally perform poorly. "When it comes to adopting policies that prioritize user privacy over facilitating government data demands," notes the report, "the telecom industry for the most part has erred on the side of prioritizing government requests." Particularly at fault here are AT&T, Comcast, T-Mobile, and Verizon -- all with a single star in the 'best practices' category.

This is not, however, universal in telecoms. "Credo Mobile [5 stars] has repeatedly proven that telecom companies can adopt policies that earn credit in every category year after year. Similarly, Sonic [5 stars], an ISP competitor to AT&T, Comcast, T-Mobile, and Verizon, has now earned credit in every category of EFF's annual report for five years."

Some technology companies that have been high performers in previous years have dropped from that position this year -- for example, Facebook, Google and Twitter. All three have so far failed to publicly commit to requesting judicial review of all NSLs. Fewer than half of the reviewed companies have actually made that commitment: Adobe, Airbnb, Apple, Credo, Dropbox, Lyft, Pinterest, Slack, Sonic, Uber, Wickr, and WordPress. 

"We applaud these companies that have taken a public stand to ensure judicial oversight of gag orders and urge others within the technology space to do the same," says EFF.

Failure to be awarded all five stars should not in itself suggest a complete failure in user privacy concern -- only that the company could do even better. For example, of Google, EFF says, "This is Google's sixth year in Who Has Your Back, and it has adopted a number of industry best practices, including publishing a transparency report, requiring a warrant for content, and publishing its guidelines for law enforcement requests. Google promises to inform users before disclosing their data to the government and supports substantive reforms to rein in NSA surveillance. Google prohibits third parties from allowing Google user data to be used for surveillance purposes."

Its failure to win five stars this year is solely down to the lack of a public policy of demanding judicial review of NSLs. "We urge Google to create a public policy of requesting judicial review of all National Security Letters," says EFF. On its own, this does not mean that Google has no such policy (it may or it may not); it simply has not publicly avowed one.

Apple is another tech giant that just falls short of five stars. Unlike Google, it does have a publicly stated policy of demanding judicial review of all NSLs. Apple's published policy states, "If Apple receives a National Security Letter (NSL) from the U.S. government that contains an indefinite gag order, Apple will notify the government that it would like the court to review the nondisclosure provision of the NSL pursuant to USA FREEDOM."

Apple is not, however, specifically campaigning for the reform of Section 702. 

Two companies criticized by EFF are Amazon and WhatsApp, both receiving just 2 stars. While EFF praises WhatsApp's move to adopt end-to-end encryption by default for its billion users, its policies still lag behind. Amazon has been rated number one in customer service, yet it hasn't made the public commitments to stand behind its users' digital privacy that the rest of the industry has.

"The tech industry as a whole has moved toward providing its users with more transparency," comments EFF senior staff attorney Nate Cardozo, "but telecommunications companies -- which serve as the pipeline for communications and Internet service for millions of Americans -- are failing to publicly push back against government overreach. Both legacy telcos and the giants of Silicon Valley can and must do better. We expect companies to protect, not exploit, the data we have entrusted them with."

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.