The Electronic Frontier Foundation has released its fifth annual report, which showcases the results of its thorough study of the mainstream Internet companies' privacy and security practices. For four years now the EFF has been keeping tabs on the major Internet companies and service providers, evaluating their publicly available privacy policies, which is something users do quite rarely. Nevertheless, we all want to know whether the mainstream companies whose services we use daily in our highly digital lives really watch our backs against snooping governments.
The EFF admits that since it started reviewing these policies on an annual basis, privacy and security practices across the Internet have undergone a major transformation. In most cases, the EFF admits, the tech giants have started publishing their own annual reports about government data requests. In many cases, the companies publicly state that they notify users when government agencies seek access to their data.
The EFF bases its evaluation on five main criteria and evaluates whether the companies meet them based on publicly available documents and reports published by these companies. Over the course of four years, the EFF has changed these criteria because the challenges the Internet poses in 2015 have changed significantly from those present in 2011.
“We think it’s time to expect more from Silicon Valley,” says the report.
It goes without saying that the reports published by this highly acknowledged organization do their share of not only shaping public opinion about the tech giants, but also forcing the mainstream Internet companies and service providers to change their practices. And so, let’s take a look at the “Who Has Your Back” report results.
The Evaluation Criteria
- Industry accepted best practices criterion measures whether the company requires the government agency to obtain a warrant before handing over user content, whether the company publishes a regular transparency report outlining how many times governments sought access to user data, and whether the company publishes law enforcement guides explaining how it responds to government data demands;
- Tell users about government data requests criterion, which sees whether the Internet companies warn their users when the government seeks their data, unless that is prohibited by law, which covers a very narrow window of situations. This is a fair practice that lets users defend themselves against unfair governmental snooping, and according to the EFF the best practice is to give users prior notice, that is, before the company has handed the data to the government;
- Publicly disclose the company’s data retention policies criterion sees whether the companies disclose how long they keep user data that isn’t accessible to the user himself. This includes user IP addresses and deleted content accessible to surveillance agencies. The company should explicitly disclose its retention terms;
- Disclose the number of times government seeks the removal of user content or accounts, and how often the company complies criterion sees whether the companies disclose how often governments want to remove or explicitly censor user content, or suspend specific user accounts;
- Pro-user public policies: opposing backdoors criterion probably speaks for itself. Governments demand that Internet companies and service providers intentionally leave vulnerabilities, that is backdoors, in their software so the government can exploit them to snoop on large numbers of users. Given the reignited debate over encryption and mass surveillance, the EFF is asking the Internet companies to make a public statement about their position for or against the deliberate inclusion of backdoors in their software in response to government requests.
And the winner is…
The results are somewhat predictable, yet a bit contradictory, especially if we take into account the two years of revelations based on the documents obtained by Edward Snowden.
A total of nine companies got five stars: Adobe, Apple, Credo, Dropbox, Sonic, Wickr, Wikimedia, WordPress.com and Yahoo.
A little distraction from the report: according to Edward Snowden, Yahoo, Dropbox (with Condoleezza Rice on its board) and Apple are active participants in the transnational surveillance ring, even though they publicly state that they oppose government-mandated backdoors.
WhatsApp, AT&T and Verizon Are the Worst
AT&T, Verizon and WhatsApp have been ranked the worst at protecting user privacy and data.
Verizon and AT&T received particularly poor results, in line with the trend of large telecom companies failing to protect user privacy. WhatsApp, despite the fact that its parent company Facebook has been ranked pretty well, lags behind, having failed to adopt the practices used as criteria in this report.
WhatsApp had an entire year to prepare to be included in the report. The company does not publicly require a warrant before handing over user content, nor does it publish a transparency report, inform users of government requests or disclose its data retention policies. The only thing the EFF gives WhatsApp credit for is Facebook's public opposition to backdoors. So, the next time you open your WhatsApp, think twice about what kind of information you disclose using it. Even though the company states that it doesn’t have the user content and that it stays on the user device, there is a ton of private information accessible to the app installed on your handheld device – see those app permissions.
The EFF analyzed a total of 24 companies, and it’s noteworthy that WhatsApp and AT&T met only one criterion of five, with Verizon meeting two criteria.
What About the Tech Giants?
Interestingly, Microsoft and Google got three stars each, which falls short of the high-standards mark. All the while, the two companies have been trying to make the public believe they’re the leaders in protecting their users, especially when they claim they deserve users' respect and trust.
Wickr Did Pretty Good
In contrast to WhatsApp, Wickr has earned the four-star rating, and this is the second time the app has been evaluated by the EFF. The EFF admits Wickr has adopted a strong stance regarding transparency, privacy and user rights by requiring a warrant before handing over user content to law enforcement, by publishing a transparency report, and by promising to give advance notice to users about government data requests. Wickr also publishes its data retention policies, including IP and deleted content:
“Undelivered messages are deleted after seven days, and we retain non-message data, for example types of messages, for as long as you use the Wickr services and for an indefinite time thereafter… All messages are stored in encrypted form on end-user’s device. Users choose how long the message is viewable before it is deleted. Deleted messages cannot be recovered.”
Among the newcomers in the report was not only WhatsApp, but also Slack and reddit. The latter two did pretty well, even though they did not meet all the criteria on the list. Once again, WhatsApp earned that star only thanks to its parent company Facebook's public position on opposing backdoors, and Mark is certainly good at talking.
A Little Less Conversation, A Little More Action, Babe
The EFF underlines that service providers, Internet companies, webmail providers, cloud storage companies and social networks must reject government-mandated backdoors not only in their public stance, but in practice.
If you care to read the entire report, head over to the EFF website.
If you would like to find out more about Wickr, we included it in our List of Encrypted Chat Apps last year.