EFF's new "Who Has Your Back?" report examines the policies of major Internet companies — including ISPs, email providers, cloud storage providers, location-based services, blogging platforms, and social networking sites — to assess whether they publicly commit to standing with users when the government seeks access to user data.
When you use the Internet, you entrust your conversations, thoughts, experiences, locations, photos, and more to companies like Google, AT&T and Facebook. But what do these companies do when the government demands your private information? Do they stand with you? Do they let you know what’s going on?
In this annual report, the Electronic Frontier Foundation examined the policies of major Internet companies — including ISPs, email providers, cloud storage providers, location-based services, blogging platforms, and social networking sites — to assess whether they publicly commit to standing with users when the government seeks access to user data. The purpose of this report is to incentivize companies to be transparent about how data flows to the government and encourage them to take a stand for user privacy whenever it is possible to do so.
We compiled the information in this report by examining each company’s published terms of service, privacy policy, transparency report, and guidelines for law enforcement requests, if any. We also considered the company’s public record of fighting for user privacy in the courts and whether it is a member of the Digital Due Process coalition, which encourages Congress to improve outdated communications law. Finally, we contacted each company to explain our findings and gave them an opportunity to provide evidence of improved policies and practices. These categories are not the only ways that a company can stand up for users, of course, but they are important and publicly verifiable. In addition, not every company has faced a decision about whether to stand up for users in the courts, but we wanted to particularly commend those companies that have done so when given the opportunity.
Evaluation Criteria
This year, we evaluated companies on six criteria. This is a departure from previous years in which we evaluated four criteria but awarded half-stars in two of them.
This year, we divided the “Transparency” category from previous reports into two separate categories. In the past, we’ve given companies a half-star for publishing a transparency report on how often user data is given to the government and a half-star for publishing law enforcement guidelines on sharing data with the government. This year, we awarded a full star to recognize each of these two best practices.
In addition, we added a new category: requiring a warrant before disclosing contents of user communications to law enforcement. In 2010, the Sixth Circuit Court of Appeals held in United States v. Warshak that the Fourth Amendment to the U.S. Constitution protects user communications stored with an Internet provider, and law enforcement generally must get a warrant to access the content of those communications. While we believe this is a critically important decision and correctly recognizes constitutional protection for electronic communications stored with third parties, it isn’t Supreme Court precedent and therefore doesn’t officially apply to all jurisdictions. This year, we’re awarding stars to companies that publicly commit to requiring a warrant when the government seeks user content.
For the 2013 report, we used the following six criteria to assess company practices and policies:
– Require a warrant for content of communications. In this new category, companies earn recognition if they require the government to obtain a warrant supported by probable cause before they will hand over the content of user communications. This policy ensures that private messages stored by online services like Facebook, Google, and Twitter are treated consistently with the protections of the Fourth Amendment.
– Tell users about government data requests. To earn a star in this category, Internet companies must promise to tell users when the government seeks their data unless prohibited by law. This gives users a chance to defend themselves against overreaching government demands for their data.
– Publish transparency reports. We award companies a star in this category if they publish statistics on how often they provide user data to the government.
– Publish law enforcement guidelines. Companies get a star in this category if they make public the policies or guidelines that explain how they respond to data demands from the government, such as guides for law enforcement.
– Fight for users’ privacy rights in courts. To earn recognition in this category, companies must have a public record of resisting overbroad government demands for access to user content in court.
– Fight for users’ privacy in Congress. Internet companies earn a star in this category if they support efforts to modernize electronic privacy laws to defend users in the digital age by joining the Digital Due Process Coalition.
Results Summary: New Industry Trends
We first published this report in 2011 to recognize exemplary corporate practices. We selected practices that at least one service provider was engaging in for each category we measured. Two years later, we’re pleased to see that some of the best practices we’ve been highlighting in this campaign are becoming industry standards.
In particular, we see that more and more Internet companies are formally promising to give users notice of law enforcement requests for their information unless prohibited from doing so by law or court order. This year, the companies earning a star in this category include Dropbox, Foursquare, LinkedIn, Sonic.net, SpiderOak, Twitter, and WordPress. We were disappointed to see Google backslide in this category, introducing ambiguity into its policy and in the process losing the half-star it had earned in previous years.
Annual transparency reports are also becoming a standard practice for major Internet companies. We’re thrilled to see a growing number of companies publishing transparency reports, and we especially commend Microsoft and Twitter for publishing their first transparency reports this year. We are also seeing a shift that we hope will be adopted across Internet companies more broadly: two Internet companies — Google and Microsoft — have published figures regarding National Security Letters, secretive government demands for user information that are typically accompanied by gag orders.
We also saw a dramatic increase in the number of companies publishing law enforcement guidelines. Seven companies — Comcast, Foursquare, Google, Microsoft, SpiderOak, Tumblr, and WordPress — earned stars in this category for the first time this year.
In the category of protecting user privacy in the courts, Google deserves special recognition this year for challenging a National Security Letter. Not every company has had the opportunity to defend user privacy in the courts, and sometimes companies will fight for users in court but be prevented from publicly disclosing this fact. However, we award a star in this category when a company goes above and beyond for its users, as Google did this year.
More companies are also fighting for user privacy on Capitol Hill as part of the Digital Due Process Coalition. Foursquare, Tumblr, and WordPress earned stars in this category for the first time in 2013.
We’re happy to report that several of the companies included in last year’s report have significantly improved their practices and policies concerning government access to user data. Comcast, Google, SpiderOak, and Twitter earned two new stars this year while Microsoft earned three new stars. Foursquare went from zero stars in 2012 to four in 2013.
Blogging platforms Tumblr and WordPress are new to the report this year, but are already making a strong showing. Tumblr earned recognition in three categories: publishing details about how it responds to law enforcement demands, requiring a warrant for content, and standing up for user privacy in Congress. We awarded WordPress stars in each of these categories, too, as well as a fourth star for promising to inform users about government access requests.
This year two companies received all six possible stars: Sonic.net and Twitter. We are extremely pleased to recognize the outstanding commitment each of these companies has made to public transparency around government access to user data.
While we are pleased by the strides these companies have made over the past couple years, there’s plenty of room for improvement. Amazon holds huge quantities of information as part of its cloud computing services and retail operations, yet does not promise to inform users when their data is sought by the government, produce annual transparency reports, or publish a law enforcement guide. Facebook has yet to publish a transparency report. Yahoo! has a public record of standing up for user privacy in courts, but it hasn’t earned recognition in any of our other categories. Apple and AT&T are members of the Digital Due Process coalition, but don’t observe any of the other best practices we’re measuring. And this year — as in past years — MySpace and Verizon earned no stars in our report. We remain disappointed by the overall poor showing of ISPs like AT&T and Verizon in our best practice categories.