EFF Reviews Privacy Practices of Online Service Providers

During 2016, the US government made 49,868 requests to Facebook for user data; 27,850 requests to Google; and 9,076 requests to Apple. Governments will not stop making these requests, since the internet has become a major avenue for mass surveillance. The real issue is to what extent internet companies will seek to protect their users’ data from unwarranted government intrusions.

Each year, the Electronic Frontier Foundation (EFF) publishes its ‘Who Has Your Back’ analysis of the basic privacy policies of major online service providers. It looks at five primary characteristics:

• Best privacy practices (including a satisfactory public, published policy and a published transparency report)

• Informs users about government data requests (in advance of actually handing over any data)

• Refusal to hand over data without legal requirement (including by leakage or sale to third parties)

• Stands up to National Security Letter (NSL) gag orders (with a public pledge to invoke the right to seek judicial review of all indefinite gag orders)

• Has a pro-user public policy (including support for reform of Section 702 of the FISA Amendments Act that will reduce the collection of information on innocent people).

A star is awarded for each category satisfied by the provider. This year (PDF), nine out of 26 evaluated companies have been awarded five stars: Adobe, Credo, Dropbox, Lyft, Pinterest, Sonic, Uber, Wickr, and WordPress. 

Telecoms companies generally perform poorly. “When it comes to adopting policies that prioritize user privacy over facilitating government data demands,” notes the report, “the telecom industry for the most part has erred on the side of prioritizing government requests.” Particularly at fault here are AT&T, Comcast, T-Mobile, and Verizon — all with a single star in the ‘best practices’ category.

This is not, however, universal in telecoms. “Credo Mobile [5 stars] has repeatedly proven that telecom companies can adopt policies that earn credit in every category year after year. Similarly, Sonic [5 stars], an ISP competitor to AT&T, Comcast, T-Mobile, and Verizon, has now earned credit in every category of EFF’s annual report for five years.”

Some technology companies that have been high performers in previous years have dropped from that position this year — for example, Facebook, Google and Twitter. All three have so far failed to publicly commit to requesting judicial review of all NSLs. Fewer than half of the reviewed companies have actually made that commitment: Adobe, Airbnb, Apple, Credo, Dropbox, Lyft, Pinterest, Slack, Sonic, Uber, Wickr, and WordPress. 

“We applaud these companies that have taken a public stand to ensure judicial oversight of gag orders and urge others within the technology space to do the same,” says EFF.

Failure to be awarded all five stars should not in itself suggest a complete failure in user privacy concern — only that the company could do even better. For example, of Google, EFF says, “This is Google’s sixth year in Who Has Your Back, and it has adopted a number of industry best practices, including publishing a transparency report, requiring a warrant for content, and publishing its guidelines for law enforcement requests. Google promises to inform users before disclosing their data to the government and supports substantive reforms to rein in NSA surveillance. Google prohibits third parties from allowing Google user data to be used for surveillance purposes.”

Its failure to win five stars this year is solely down to the lack of a public policy to demand judicial review of NSLs. “We urge Google to create a public policy of requesting judicial review of all National Security Letters,” says EFF. On its own, this doesn’t mean that Google does not have such a policy (it may or it may not); it simply has not publicly avowed the policy.

Apple is another tech giant that just falls short of five stars. Unlike Google, it does have a publicly stated policy of demanding a judicial review on all NSLs. Apple’s published policy states, “If Apple receives a National Security Letter (NSL) from the U.S. government that contains an indefinite gag order, Apple will notify the government that it would like the court to review the nondisclosure provision of the NSL pursuant to USA FREEDOM.”

Apple is not, however, specifically campaigning for the reform of Section 702. 

Two companies criticized by EFF are Amazon and WhatsApp, both receiving just 2 stars. While EFF praises WhatsApp’s move to adopt end-to-end encryption by default for its billion users, its policies still lag behind. Amazon has been rated number one in customer service, yet it hasn’t made the public commitments to stand behind its users’ digital privacy that the rest of the industry has.

“The tech industry as a whole has moved toward providing its users with more transparency,” comments EFF senior staff attorney Nate Cardozo; “but telecommunications companies — which serve as the pipeline for communications and Internet service for millions of Americans — are failing to publicly push back against government overreach. Both legacy telcos and the giants of Silicon Valley can and must do better. We expect companies to protect, not exploit, the data we have entrusted them with.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
