Last week, for the fifth year in a row, the Electronic Frontier Foundation released one of the most important annual reports in tech policy – even if most people have never heard of it.
In its “Who Has Your Back?” report, the San Francisco-based EFF grades a selection of tech companies on how well they defend their customers’ rights against government snooping: The EFF awards a gold star, half a star, or nada in each category.
Why should you, as a law-abiding citizen, care about that? You shouldn’t – provided you never break the law, have never been suspected of breaking the law (and never will be), and have complete trust in government agencies at every level.
Otherwise, the EFF report should be required reading for anyone who lives at least part of their life online. And if you’ve never read it before, you might want to start by reading the one issued in 2011. That will tell you how far many of these companies have come – as well as how little, in this post-Snowden era, they have come to trust the government.
This year’s grades
Let’s start with the good news first. This year 8 companies got full gold stars in all five categories. According to the EFF, that means they follow industry best practices, tell their customers when the government demands their data, document their data retention policies, disclose when agencies request them to remove content, and actively oppose government-mandated “back doors” into their security.
This chart has been edited to reflect the 5-star winners (EFF).
They are: Adobe, Apple, the Sprint reseller Credo Mobile, Dropbox, the California Internet provider Sonic.net, Wikimedia, WordPress.com (disclosure: my blog’s host), and Yahoo (disclosure: Yahoo Tech’s parent firm).
Another firm, Wickr, got 4 gold stars and a non-applicable rating for disclosing content removal requests. That’s because this instant-messaging service destroys content shortly after it’s produced, so there’s nothing to disclose.
The other 16 tech firms, however, didn’t fare quite as well—including companies that won top marks in the EFF’s 2014 report.
That’s because the EFF decided to move the goal posts, based on news developments. For example, Facebook lost a star for not being transparent enough about how it handles government requests to take down things people have shared on the social network—in particular, demands that it close accounts run by prison inmates.
Google, in turn, got only three stars. The search giant lost points for not committing to tell users after the fact about government requests for data made on an emergency basis or subject to a temporary gag order—and for not fully disclosing how long it keeps your data around. (The longer a company retains your data, the more likely someone working for a three-letter agency will discover creative uses for it.)
Twitter also fell in the EFF’s estimation, losing a star for not pledging to disclose confidential government data requests after it’s handed over the goods.
On the other hand, two laggards in the EFF’s past surveys, Amazon and Comcast, now get something close to a passing grade. Both now publish “transparency reports” that tally up how many law-enforcement and national-security requests they field, a basic step we should expect from any company that holds data on millions of customers.
AT&T and WhatsApp only earned one star out of five possible, while Verizon got only two. For the most part, these companies fail to tell their customers when Uncle Sam comes knocking at their door.
Where we’ve come
What’s fascinating is how far some companies have come. In the 2011 Who Has Your Back? report, Yahoo ranked near the bottom, winning just a star for fighting for its users’ privacy in courts. It had no transparency report, the EFF judged it unwilling to defend user privacy in Congress, and it had not committed to tell its users about government requests for their data.
In the EFF’s 2011 transparency report, no company got high marks (EFF).
Then again, at that time most of the industry was doing no better or even worse. Apple, too, only earned one of four stars. Comcast, MySpace (remember them?), Skype and Verizon won none. Nobody got a full four-star rating.
And for the next two years, much of the industry didn’t feel compelled to do much better. We only learned in January of 2013 that Google had been demanding a warrant before disclosing stored e-mail—going beyond the letter of the incredibly weak Electronic Communications Privacy Act. Shortly after, Yahoo and Microsoft said they, too, had been holding law enforcement to that higher standard.
A couple of months later, after Microsoft followed Google and Twitter’s lead by posting its first transparency report, I asked Apple, Amazon, AT&T, Comcast, Facebook, Sprint, T-Mobile, Verizon Wireless, and Yahoo if they planned to post their own transparency reports. I received only noncommittal responses.
Now, all of those companies but T-Mobile have posted transparency reports. (Speaking as a T-Mobile subscriber: That’s being the wrong kind of #uncarrier.)
“When we started in 2011, only two companies on our list published transparency reports,” EFF deputy executive director and general counsel Kurt Opsahl e-mailed. “Now it is widely recognized as an industry standard.”
The EFF’s report is almost as notable for the companies that are missing from it. The current report doesn’t note T-Mobile’s lagging performance because it doesn’t profile that company at all. Sprint is absent too. And so is every large residential Internet provider after AT&T, Comcast, and Verizon—as in, the companies that most Americans can’t avoid doing business with, owing to the uncompetitive nature of broadband Internet.
“Generally, we look for companies with substantial numbers of customers who operate in the online space,” the EFF’s Opsahl wrote. “In some cases, we have rated smaller companies […] who show that profitable businesses can still take their users’ privacy seriously.”
But the EFF’s study also omits one basic step any Web company can do to stop anyone from eavesdropping on you, not just the government: encrypt your communications. WhatsApp, for example, may not post a transparency report or tell users when a government agency inquires about them—but it did enable encryption across its service in November.
(Yahoo switched on full-time encryption for its Webmail in 2013; privacy advocates were not amused by the delay relative to competitors.)
There is a separate EFF encryption report, but that one saw its last update in November 2014 and focuses on Web security. That report excludes companies that deploy e-mail encryption via “Transport Layer Security (TLS),” an important move that stops your messages from being read in transit without any effort on your part.
Not long ago these kinds of issues were things only policy wonks cared about, but they shouldn’t be anymore. As long as companies use data we provide to furnish intensely personalized services for free, we need to know what they do with that data.
We need to know that they have our backs and won’t sell us out when a law-enforcement or national-security official–one who can get us fined, jailed or worse–asks nicely. That has to be the new minimum.