Apart from being tech companies, what do Adobe, Dropbox, Lyft, Pinterest, Sonic, Uber, Wickr and WordPress have in common?
The answer is that privacy group the Electronic Frontier Foundation (EFF) this week awarded all of them a maximum five-star rating for disclosing, documenting and, in some cases, resisting government access to the growing volumes of data they hold on their hundreds of millions of users.
Companies awarded only four stars across the five criteria measured include Google, Apple, Facebook, LinkedIn, Microsoft and Yahoo. Below this we enter a netherworld of companies (discussed below) given lower ratings where users should, presumably, start asking questions.
Anyone wanting more detail on the criteria can study the EFF’s explanation but the exercise can be best be summed up in the report’s title “Who has your back?” To be clear, these are all measures of publicly stated policy and practice, not technology: this isn’t about how good a company’s encryption gubbins is.
The most interesting category (a new addition) is whether companies “promise not to sell out users”: in other words, not give up user data to intelligence agencies or third parties using some kind of quiet back channel.
This brings us to the meat of the report – which companies have been doing a bit of “selling out”, probably without anyone other than the EFF noticing it.
The obvious bad guys are telecoms companies – Verizon, Comcast, T-Mobile and AT&T – awarded a derisory one star each. This is because:
When it comes to adopting policies that prioritize user privacy over facilitating government data demands, the telecom industry for the most part has erred on the side of prioritizing government requests.
This matters because every user needs a telecoms provider to connect to the internet. The fact they are accommodating to official surveillance (whether legally mandated or optional) is a far bigger deal than the fact that companies like Adobe and Dropbox aren’t.
More surprising is the under-performance (two stars) of WhatsApp, which has been at the centre of making hard-to-surveil encryption mainstream, much to the chagrin of governments across the world. No matter – it is lumped a “sell-out” offender just like the telcos, largely because its data-sharing policies are vague – interestingly, more more so than those of its parent company Facebook.
And how on earth did the ride-sharing Uber earn five stars? Most likely because the report measures behaviour in the last year, a period which (despite numerous controversies) Uber actually tightened its privacy settings and policies.
An apparent weakness of the the EFF’s report is its bias towards the US. In the past, this might have been seen as presenting an optimistic picture of privacy because it was assumed the US had better protections in place and a government interested in privacy.
No longer, indeed it is striking that the two countries that light up the global heat map of information requests are the US and the UK, both of which have turned against the presumption of privacy in the last five years.
Arguments rage about whether such intrusion is justified by threats such as terrorism, or even sustainable. Democratic governments depend on consent and public opinion can change rapidly. Perhaps what matters most is simply that what is going on is noticed and documented by someone.