Internet companies are making it a standard practice to publish transparency reports and advocate for users’ privacy concerns with law enforcement and legislators. And while some do it well, there’s plenty of room for improvement among ISPs such as AT&T and Verizon, and large companies such as Apple, Amazon and Yahoo, according to an Electronic Frontier Foundation report published yesterday.
The EFF’s third annual “Who Has Your Back?” report evaluates service providers’ transparency and privacy with regard to government requests for access to user data. This year, 18 companies were evaluated in six categories, and only Twitter and Sonic.net met all six criteria sufficiently to merit recognition.
Others such as Dropbox, Google, and LinkedIn also rated highly. Google, which in the past has been a forerunner in openness about government requests for data, took a couple of steps backward, in particular in the area of informing users of law enforcement demands. The EFF notes a change in Google’s policy that introduced a level of ambiguity not present before. The policy change reads: “We notify users about legal demands when appropriate, unless prohibited by law or court order.”
“The nebulous language of ‘when appropriate’ is not the firm commitment that should be the gold standard for transparency around handing data to the government,” the EFF report said. “While we’re disappointed by Google’s decision to make its policy language so open-ended, we hope the strong commitments made by other major Internet companies will inspire Google to adopt a clearer public stance in the years to come.”
Twitter and LinkedIn, for example, state in their policies they notify users of requests unless prohibited by law enforcement or a court order.
Google, on the other hand, got high marks for its stance on providing data around National Security Letters. In early March, Google revealed that it received fewer than 1,000 requests from federal authorities for financial communications data on 2,000 people. National Security Letters, also sometimes called warrantless requests, circumvent judges or grand juries, citing possible national security threats. They’re also accompanied by gag orders. Google’s revelation was a first for a major Internet company.
“Google deserves special recognition this year for challenging a National Security Letter,” the EFF report said. “Not every company has had the opportunity to defend user privacy in the courts, and sometimes companies will fight for users in court but be prevented from publicly disclosing this fact. However, we award a star in this category when a company goes above and beyond for its users, as Google did this year.”
The EFF evaluated the 18 companies in six categories: require a warrant for content of communications; tell users about government data requests; publish transparency reports; publish law enforcement guidelines; fight for users’ privacy rights in court; and fight for users’ privacy rights in Congress. The EFF said its evaluation was conducted by looking over each company’s terms of service, privacy policies, transparency reports and guidelines for law enforcement requests. It also took into consideration the companies’ public record in court and whether they are members of the Digital Due Process coalition, which lobbies Congress on the need to improve communications law.
Since the EFF’s first report in 2011, it has noted a few trends, including the fact that more companies are giving users notice of law enforcement requests and that transparency reports are becoming standard practice; Microsoft and Twitter published their first reports this year. Seven of the 18 also published law enforcement guidelines that explain how they respond to demands for data.
This is also the first report where companies were evaluated as to whether they require a warrant supported by probable cause for content. Facebook is singled out as a leader in this category, which the EFF said was inspired by the 2010 U.S. v. Warshak decision, which held that the Fourth Amendment protects email stored with email service providers and that a warrant is required before seizure of any messages. The EFF said 11 of the 18 companies follow the Warshak rule: Dropbox, Facebook, Foursquare, Google, LinkedIn, Microsoft, Sonic.net, SpiderOak, Tumblr, Twitter and WordPress.
While there are a number of privacy success stories, the EFF expressed concern over the poor showing by large ISPs, namely Verizon and AT&T. Verizon did not merit a rating in any of the six evaluation criteria, while AT&T was recognized for fighting for its users in Congress. Others with similar showings included Yahoo, Apple and Amazon.
“While there remains room for improvement in areas such as the policies of location service providers and cellphone providers like AT&T and Verizon,” the report says, “certain practices — like publishing law enforcement guidelines and regular transparency reports — are becoming standard industry practice for Internet companies.”