Executive Summary
We entrust our most sensitive, private, and important information to technology companies like Google, Facebook, and Verizon. Collectively, these companies are privy to the conversations, photos, social connections, and location data of almost everyone online. The choices these companies make affect the privacy of every one of their users. So which companies stand with their users, embracing transparency around government data requests? Which companies have resisted improper government demands by fighting for user privacy in the courts and on Capitol Hill? In short, which companies have your back?
These questions are even more important in the wake of the past year's revelations about mass surveillance, which showcase how the United States government has been taking advantage of the rich trove of data we entrust to technology companies to engage in surveillance of millions of innocent people in the US and around the world. Internal NSA documents and public statements by government officials confirm that major telecommunications companies are an integral part of these programs. We are also faced with unanswered questions, conflicting statements, and troubling leaked documents which raise real questions about the government's ability to access to the information we entrust to social networking sites and webmail providers.
The legal landscape is unsettled. The Electronic Frontier Foundation and other organizations have filed constitutional challenges to mass surveillance programs. Both Congress and President Obama are negotiating legislative reform that could curtail or even end bulk surveillance programs, while other Congressional proposals would instead enshrine them into law. In multiple recent public opinion polls, the American people attest that they believe government surveillance has gone too far.
In this fourth-annual report, EFF examines the publicly-available policies of major Internet companiesincluding Internet service providers, email providers, mobile communications tools, telecommunications companies, cloud storage providers, location-based services, blogging platforms, and social networking sitesto assess whether they publicly commit to standing with users when the government seeks access to user data. The purpose of this report is to allow users to make informed decisions about the companies with whom they do business. It is also designed to incentivize companies to adopt best practices, be transparent about how data flows to the government, and to take a stand for their users' privacy in Congress and in the courts whenever it is possible to do so.
The categories we evaluate in this report represent objectively verifiable, public criteria and so cannot and do not evaluate secret surveillance. We compiled the information in this report by examining each company's published terms of service, privacy policy, transparency report, and guidelines for law enforcement requests, if any. As part of our evaluation, we contacted each company to explain our findings and to give them an opportunity to provide evidence of improving policies and practices.
Evaluation Criteria
We used the following six criteria to assess company practices and policies:
1.
Require a warrant for content of communications. In this category, companies earn recognition if they require the government to obtain a warrant from a neutral magistrate and supported by probable cause before they will hand over the content of user communications to the government. This policy ensures that private messages stored by online services like Facebook, Google, and Twitter are treated consistently with the protections of the Fourth Amendment.
2.
Tell users about government data requests. To earn a star in this category, Internet companies must promise to tell users when the government seeks their data unless prohibited by law, in very narrow and defined emergency situations, or unless doing so would be futile or ineffective. Notice gives users a chance to defend themselves against overreaching government demands for their data. The best practice is to give users prior notice of such demands, so that they have an opportunity to challenge them in court, but we also recognize that prior notice is not always possible, for instance in emergency situations.
3.
Publish transparency reports. We award companies a star in this category if they publish useful data about how many times government sought user data and how often they provide user data to the government. Until recently, companies were not allowed to include national security requests in transparency reports, and such reporting is still strictly limited by the government, but the government has recently allowed the companies to provide some transparency about those requests.
4.
Publish law enforcement guidelines. Companies get a star in this category if they make public their policies or guidelines explaining how they respond to data demands from the government, such as guides for law enforcement.
5.
Fight for users' privacy rights in courts. This star recognizes companies who have publicly confirmed that they have resisted overbroad government demands for access to user content in court.
6.
Publicly oppose mass surveillance. Tech companies earn credit in this category by taking a public policy position opposing mass surveillance.
Results Summary: Transparency Reports, Notice to Users and Opposition to Mass Surveillance Become Industry Trends
Transparency Reports, Notice to Users and Opposition to Mass Surveillance Become Industry Trends
Major Findings in 2014:
-Apple, CREDO Mobile, Dropbox, Facebook, Google, Microsoft, Sonic, Twitter, and Yahoo Top Chart, Receive 6 Stars Each
-Apple, Adobe, Internet Archive, Credo, Dropbox Facebook, Foursquare, Google, LinkedIn, Lookout, Microsoft, Pinterest, Sonic, SpiderOak, Tumblr, Twitter, Wikimedia, Wickr, WordPress, and Yahoo Promise to Give Notice to Users
-Apple, Yahoo Show Enormous Improvements in Government Access Policies
-Overwhelming Number of the Companies We Reviewed, even Major ISPs like AT&T, Verizon and Comcast Are Now Issuing Transparency Reports
-Majority of Tech Companies (but only one Telecom) Publicly Oppose Mass Surveillance
-CREDO Mobile Demonstrates That Telecom Companies Can Champion Transparency, Resistance to Government Access Requests
-Snapchat, AT&T, and Comcast Lag Behind Others in Industry
In Wake of Snowden Disclosures, More Companies Revised Policies About Government Access to User Data
This year, we saw major improvements in industry standards for informing users about government data requests, publishing transparency reports, and fighting for the user in Congress. For the first time in our four years of Who Has Your Back reports, every company we reviewed earned credit in at least one category.
These changes in policy were likely a reaction to the releases of the last year, which repeatedly pointed to a close relationship between tech companies and the National Security Agency. Tech companies have had to work to regain the trust of users concerned that the US government was accessing data they stored in the cloud. This seems to be one of the legacies of the Snowden disclosures: the new transparency around mass surveillance has prompted significant policy reforms by major tech companies.
We are pleased to announce that nine companies earned stars in every category: Apple, CREDO Mobile, Dropbox, Facebook, Google, Microsoft, Sonic, Twitter, and Yahoo. In addition, six companies earned stars in all categories except a court battle: LinkedIn, Pinterest, SpiderOak, Tumblr, Wickr, and WordPress. We are extremely pleased to recognize the outstanding commitment each of these companies has made to their users. CREDO Mobile, a new addition to this year's report, demonstrated through its exemplary policies that it is possible for a telecom to adopt best practices when it comes to transparency and resistance to government demands.
We added several other new companies to our report this year, including the Adobe, Internet Archive, Lookout, Pinterest, Snapchat, Wickr, and Wikimedia. Each of these companies has a significant user base and some hold huge amounts of sensitive user data that could be the target of invasive government investigations. Most of them scored quite well.
However, Snapchat stands out in this report: added for the first time this year, it earns recognition in only one category, publishing law enforcement guidelines. This is particularly troubling because Snapchat collects extremely sensitive user data, including potentially compromising photographs of users. Given the large number of users and nonusers whose photos end up on Snapchat, Snapchat should publicly commit to requiring a warrant before turning over the content of its users' communications to law enforcement. We urge them to change course.
Improvements Since 2013
We saw two companies make enormous improvements in the last year: Apple and Yahoo.
In 2013, Apple earned only one star in our Who Has Your Back report. This year, Apple earns 6 out of 6 stars, making remarkable progress in every category.
Similarly, Yahoo jumped to earning credit in all 6 categories this year. Yahoo deserves special recognition because it fought a many-year battle with the Foreign Intelligence Surveillance Court, defending user privacy in a secret court battle that it was forbidden from discussing publicly until July of 2013, but it also made great strides in other areas.
Microsoft also jumped to 6 stars, promising to give notice and in protecting a user in the courts.
Facebook has also made notable improvements over the years, moving from one star in 2011, to 1.5 stars in 2012, to 3 stars in 2013, and finally to 6 stars in this year's report.
Warrant for Content
We are pleased to note that more companies are publicly committed to requiring warrants from law enforcement before handing over user data, including for the first time Amazon, Apple, Verizon, and Yahoo. We were particularly impressed by the strong language in Tumblr's policies when it comes to warrants:
A search warrant issued under the procedures described in the Federal Rules of Criminal Procedure or equivalent state warrant procedures, based on a showing of probable cause, is required to compel disclosure of the stored contents of any account, such as blog posts or messages
. Requests must come from appropriate government or law enforcement officials; Tumblr will not respond to requests from other sources.
User Notification
The Who Has Your Back report was partially inspired by Twitter's fight to tell users that their data was being sought as part of the WikiLeaks investigation in 2010. Since then, we have rated companies on whether they promise to tell users about government demands for their data. More companies are promising to inform users about government data requests, including for the first time Facebook, Microsoft, Apple, Tumblr and Yahoo. And we're pleased that Google has revised its user notification policy to remove some vague language it had added last year. As a result, we reinstated Google's star in the notice category.
LinkedIn has particularly clear language describing its commitment to notify users of government data demands, and pointing out to law enforcement the proper legal mechanism to use when an investigation might require delayed notice:
When our Members trust LinkedIn with information about their professional lives, they expect to have control over their data. Thus, LinkedIn's policy is to notify Members of requests for their data unless it is prohibited from doing so by statute or court order. Law enforcement officials who believe that notification would jeopardize an investigation should obtain an appropriate court order or other process that specifically precludes Member notification, such as an order issued pursuant to 18 U.S.C. §2705(b).
Transparency Reports & Law Enforcement Guides
Annual transparency reports are also becoming a standard practice for major communications companies. In fact, almost all of the companies we examined have now published transparency reports. For the first time, we are seeing major telecom companies publishing transparency reports, including AT&T, Comcast, CREDO Mobile, and Verizon. We are particularly glad to see Facebook's recent transparency report, which we have anticipated for many years.
EFF believes that National Security Letters (NSLs)secretive FBI orders for user data accompanied by a gag provisionare a violation of the Constitution. We are currently litigating a challenge to the NSL statute, and a federal district court recently held that NSL gags are unconstitutional but stayed the order while the government appeals. We think it is vital that companies are as forthcoming as legally allowable about these national security requests to help shed light on government abuses of contested surveillance powers.
Several companies, including Apple, AT&T, Comcast, Credo, Dropbox, Facebook, Google, Internet Archive, LinkedIn, Lookout, Microsoft, Pinterest, Tumblr, Verizon, Wickr, WordPress, and Yahoo deserve particular recognition for including information about national security requests, such as National Security Letters they have received (if any). While companies are gagged from discussing specifics about National Security Letters that they receive, they are now permitted to publish general information about how many NSLs were received in a year and how many accounts were affected. Several companies stated that they fought government demands brought under national security laws even while being gagged, fights that are particularly important since the secrecy means that users cannot stand up for themselves.
As with transparency reports, the overwhelmingly number of companies we examined have published their law enforcement guidelines, some directly and some, like Facebook and Microsoft, with a user-friendly interactive guide.
Fighting for Users in the Courts
One category we're tracking deserves special discussion: standing up for users in court. It is important to note that not every company has been presented with an opportunity to go to court to challenge the government over user privacy and that sometimes companies are gagged when they do. Some companies have never received an overbroad subpoena, others may have convinced the FBI to withdraw one, and still others may be subject to a gagyet none of those circumstances would merit a star.
Thus, just because a particular company doesn't have a star in the fifth column, it doesn't necessarily mean that it doesn't have your backit just means that we cannot verify that it has been put into a situation where it has needed to defend user privacy in court. At the same time, standing up for users in court is a vital check on overbroad government data demands. We want to recognize those companies that have fought for their users in court so they can receive credit and so their stories can inspire others.
In particular, this past year we finally learned that Yahoo had engaged in a multi-year battle in the secret FISA Court, though it did not receive a star for several years in our report because it was prevented for publicizing this fact. We also learned that Microsoft had resisted a request for user data stored in Ireland. We commend Yahoo, Microsoft, and other companies that have fought for user privacy in courts.
Fighting for Users in Congress
In years past, we have given credit for standing up in Congress to companies that participated in the Digital Due Process coalition, which encourages Congress to improve the outdated Electronic Communications Privacy Act. While this remains an important goal, in the wake of the Snowden revelations, this year focuses on the fight in Congress over mass surveillance. As a result, this year we are rating companies on whether they have taken a public policy position opposing mass warrantless surveillance.
This is because such positions are an important demonstration to users and because company participation, especially public participation, is so important for the Congressional debate given the key role that companies play in the government's surveillance strategy (both wittingly and unwittingly). It's also within reach for every company we track.
Mass surveillance of law-abiding users infringes on fundamental individual rights of free expression and privacy, and the specter of mass data collection threatens user trust all around the world. Every technology company should stand by its users and urge Congress to end warrantless mass surveillance programs once and for all. While this report only tracks response to US government demands, taking a stand against US government activity can also help companies stand strong against requests from foreign governments.
We are pleased to note that many of the major Internet companies and even some telecommunication companies have taken a public stand, many through the Reform Government Surveillance coalition but also through the StopWatchingUs coalition. WordPress (and its parent company Automattic), demonstrated leadership in demanding an end to mass spying by creating a WordPress plug-in that allowed users to oppose mass spying on their own WordPress blogs, in addition to issuing a public statement opposing warrantless surveillance.
Conclusions
This has been a watershed year for companies taking a stand for user privacy, with more companies than ever publishing transparency reports and law enforcement guides, and publicly opposing mass surveillance. But there is still room for growth.
Transparency reports have become the industry standard for major tech companies, but Adobe, Amazon, Foursquare, Myspace, Wikimedia and Snapchat have yet to publish a report.
Additionally, Comcast has grown into a leading ISP and is seeking to grow significantly with its purchase of Time Warner Cable. It should step up to be a leader in protecting its growing number of customers. AT&T and Verizon issued transparency reports, but remain near the bottom of the pack despite their key role in the communications infrastructure. Amazon has a tremendous amount of user data, both from its direct retail businesses and from its hosting services through Amazon Web Services, but it fails to let users, and potential users, evaluate their policies and understand how law enforcement seeks to gain access to data stored with them.
This report is encouraging, with many companies heading in the right direction, especially based on where we started in 2011. Yet the report also makes clear that the law has fallen woefully behind in protecting users as users increasingly rely on changing technologies. This past year confirmed that the government has been relying on legal uncertainties and technological innovations to push for as much access as possible to user information, stretching policy, statutory interpretation, and constitutional law past the breaking point.
Too often, technology companies are the weak link, providing the government with a honeypot of rich data. We must strengthen their ability to resist overbroad data demands and bring light to the flow of data from corporate servers to the government.
t:
