Snapchat snapped up the worst rating – one measly star – out of all the companies ranked by the Electronic Frontier Foundation (EFF) in its fourth annual Who Has Your Back report – a rating of who does what when the US government goes after user data.
The one thing Snapchat does right, data rights-wise, is to publish law enforcement guidelines, the EFF found when rating 26 major internet companies.
Those companies included internet service providers, email providers, mobile communications tools, telecommunications companies, cloud storage providers, location-based services, blogging platforms, and social networking sites.
Mind you, Snapchat wasn’t the only company that fell short in user data protection criteria, including its failure to publish transparency reports.
Companies were assessed based on a total of six criteria: requiring a warrant for data, telling users about government data requests, publishing transparency reports, publishing law enforcement guidelines, fighting for users’ privacy in courts; and fighting for users’ privacy rights in the US Congress.
The ratings aren’t exhaustive, given that the EFF can only evaluate objectively verifiable, public criteria for its reports, and thus cannot and does not evaluate secret surveillance.
Snapchat and other low-ranking companies aside (Amazon and AT&T both rated only two stars) the news isn’t all glum. It’s actually looking pretty good, at the industry level.
In the past year, Edward Snowden’s whistle-blowing has resulted in consumers growing increasingly vigilant; more aware of government, corporate and data brokers’ manhandling of our data; and far more critical of companies that play fast and loose with it.
As the EFF notes, the near-constant headlines about surveillance and the activities of intelligence agencies such as the US National Security Agency (NSA) have given rise to an unsettled legal landscape:
The Electronic Frontier Foundation and other organizations have filed constitutional challenges to mass surveillance programs. Both Congress and President Obama are negotiating legislative reform [Editor's note: links added] that could curtail or even end bulk surveillance programs, while other Congressional proposals would instead enshrine them into law. In multiple recent public opinion polls, the American people attest that they believe government surveillance has gone too far.
This has all contributed to what the EFF says are major improvements in industry standards for informing users about government data requests, publishing transparency reports, and fighting for users in Congress.
In fact, for the first time in four years of the “Who Has Your Back” reports, every company the EFF reviewed earned credit in at least one category.
That’s a big improvement over the EFF’s original report in 2011, when neither Comcast, Myspace, Skype, nor Verizon received any stars at all.
In contrast, nine companies earned straight As, achieving a star in every criteria: Apple, CREDO Mobile, Dropbox, Facebook, Google, Microsoft, Sonic, Twitter, and Yahoo.
The EFF sees the improving landscape as likely being a legacy of the Snowden disclosures, as the public’s distrust of tech companies has lit a fire under those companies’ efforts to protect our data:
These changes in policy were likely a reaction to the releases of the last year, which repeatedly pointed to a close relationship between tech companies and the National Security Agency. Tech companies have had to work to regain the trust of users concerned that the US government was accessing data they stored in the cloud. This seems to be one of the legacies of the Snowden disclosures: the new transparency around mass surveillance has prompted significant policy reforms by major tech companies.
Apple in particular is this year’s poster child when it comes to protecting our privacy. The EFF notes that the company only earned one star for the past three years, but after making “remarkable progress” in every category, now it’s rated at six stars.
One thing in particular that Apple and other companies are doing that merits a pat on the back is sharing information about national security requests – in particular, national security letters (NSLs), which are subpoenas that come with gag orders.
In spite of the gag orders, which prevent companies from divulging specifics about the NSLs, some companies are publishing general information about how many they received in a year and how many user accounts were affected.
Besides Apple, the list includes AT&T, Comcast, Credo, Dropbox, Facebook, Google, Internet Archive, LinkedIn, Lookout, Microsoft, Pinterest, Tumblr, Verizon, Wickr, WordPress, and Yahoo.
Several of the companies have stated that they fought the government over demands brought under national security laws even while they were gagged by NSLs.
That’s good, and important, work.
Those are fights on behalf of users, who, given the strictures of secrecy, are in the dark about investigations and can’t fight for themselves.
Other companies that the EFF singled out for praise:
- Yahoo jumped to earning credit in all 6 categories this year. The EFF gave it special recognition after fighting a many-year battle with the Foreign Intelligence Surveillance Court (also known as FISA), defending user privacy in a secret court battle that it was forbidden from discussing publicly until July 2013, as well as making great strides in other areas.
- Microsoft also jumped to 6 stars, after promising to tell users about any government requests, and for protecting a user in the courts.
- Facebook has also made notable improvements over the years, moving from one star in 2011, to 1.5 stars in 2012, to 3 stars in 2013, and finally to 6 stars in this year’s report.
In spite of the good news, there’s still plenty of room for improvement, though, the EFF says.
We’re still not getting transparency reports from Adobe, Amazon, Foursquare, Myspace, Wikimedia or Snapchat.
Amazon controls an enormous amount of user data from its direct retail businesses and from its hosting services through Amazon Web Services, but the company doesn’t let users or potential users evaluate its policies to understand how law enforcement tries to get at that data.
For its part, Snapchat made its debut on the list this year.
It’s far from surprising that the mobile message service company still has a long, long way to go when it comes to protecting user privacy.
The upshot: Snapchat’s required to be monitored by a privacy auditor for the next 20 years.
Snapchat wrote on its blog that it made “mistakes” in the early days of the company, but that is has “fixed” the problems that have plagued the company in recent months.
As the EFF report finds, it’s still got some fixing to do.
Its tech company brethren have made tremendous strides in the past year. Companies like Twitter have for years been setting a wonderful example of how to fight for users – in fact, Twitter inspired the EFF to run the report, it notes.
Here’s hoping that Snapchat, and other low-scoring companies, this year decide to model their transparency and user data protection policies after companies such as Twitter or the many companies that have managed to zoom from a feeble rating to a stellar one.Follow @NakedSecurity