When it comes to online privacy, many consumers assume that their service provider, or the websites they are browsing, have the users’ best interest in mind and that these companies won’t simply hand over your information to authorities. These people are mistaken, as are those who believe that no online companies make user privacy a priority. The truth, as usual, is a bit from column A and a bit from column B.
The privacy-loving folks at the Electronic Frontier Foundation recently released their third annual Who’s Got Your Back? report covering online service providers’ transparency and privacy practices regarding government access to data.
As you can see from the image above, each of the companies was rated on the following six categories:
1. Require a warrant for content of communications
A star is awarded in this category for companies with policies that specifically state that authorities must provide a warrant in order to look at the content of a user’s communications. The EFF lauds Facebook’s policy in particular for not just requiring a warrant but also saying that the warrant is needed for things that some might consider to be semi-public, like Wall posts and location data.
Just because a company does not receive a star in this category doesn’t mean that it will necessarily hand over user content without a warrant; it just means that an un-starred company does not have a policy explicitly stating it requires a warrant.
Some companies maintain that a 2010 U.S. Circuit Court of Appeals ruling in U.S. v Warshak sets the precedent that government authorities must have a warrant to obtain access to user e-mails. However, as the EFF points out — and as we mentioned in this story about the IRS’s policy on reading consumers’ e-mails — this is not a Supreme Court precedent, and is really only binding in the region covered by the Sixth Circuit.
2. Tell users about government data requests
Even when a warrant is obtained for users’ information, the company may not have a policy of actually telling the user about it. The seven companies receiving a star from the EFF in this category each have a public policy to tell users when the government seeks their data, except in cases where that disclosure is prohibited by law.
“Promising to give notice should be an easy commitment to make,” writes the EFF, “the company doesn’t have to take a side, it merely has to pass on important information to the user.”
The EFF took away a previously earned half-star for Google because its language on this topic now only states [italics for emphasis] “We notify users about legal demands when appropriate.”
Meanwhile, LinkedIn is commended for its policy, which is clear for the user and also contains the following information for law enforcement:
Law enforcement officials who believe that notification would jeopardize an investigation should obtain an appropriate court order or other process that specifically precludes member notification, such as an order issued pursuant to 18 U.S.C. §2705(b).
3. Publish transparency reports
This is the category in which the fewest stars were given by the EFF, with only 6 of the 18 companies publishing reports on how frequently they provide user data to government authorities. On the upside, this is up from only 4 companies the previous year, so here’s hoping the trend continues.
Microsoft, one of the two companies to get its first star in this category, published its first transparency report in March, detailing not just the number of requests it received from authorities around the world, but how many were honored.
4. Publish law enforcement guidelines
To earn this star, a company must have a public statement on how it responds to data demands from the government.
The EFF believes that a proper set of law enforcement guidelines would include details on the following:
• Whether a company requires a warrant for content
• What types of data a company retains, and what kind of legal process the company requires for law enforcement to obtain various kinds of information
• How long data is generally held by the company, and how long it will be held in response to a retention request
• Whether the company has an exception for emergency or other kinds of disclosures
• Whether the company asks for reimbursement for the costs incurred in complying with a request for data
5. Fight for users’ privacy rights in courts
This one is a little trickier, as not all companies on the list have been compelled to fight for their users’ privacy rights in courts.
“The lack of a star in this category should not be interpreted as a statement that the company failed to stand up for users when it had the chance,” writes the EFF. “Instead, this category serves as special recognition for companies that were faced with a decision to defend user privacy in court, took action to defend that privacy, and could publicly disclose their efforts.”
Oddly enough, this is the only one of the six categories in which Yahoo earned a star — for successfully getting the Justice Dept. to back down on a request to view a user’s e-mail without probable cause.
It will be interesting to see if Yahoo’s purchase of Tumblr, which has stars in 3 categories this year, will result in that company’s policies being weakened or the bolstering of both businesses’ guidelines.
6. Fight for users’ privacy in Congress
Given that many privacy laws predate the creation of the wheel, most companies in the EFF survey have advocated — either directly to lawmakers or by joining the Digital Due Process Coalition — for the modernization of these laws.
Only Yahoo, Comcast, Verizon (and MySpace, but honestly… it’s not 2005 anymore so no one really cares) failed to earn stars in this category.
You can read the entire EFF report here.