Which companies can you trust with your data?

On July 10th, the Electronic Frontier Foundation (EFF) released a report called “Who has your back?”, which contains a detailed analysis of the privacy practices of major tech companies.

You can find the press release here: https://www.eff.org/press/releases/att-verizon-other-telco-providers-lag-behind-tech-industry-protecting-users

Each company has been evaluated on the basis of 5 criteria (described below) and has been assigned a star if it meets the respective criterion. This implies that a company that earns 5 stars is doing an outstanding job in taking care of the privacy of its customers.

Here, we present a summary of the results of the analysis.

According to the report, nine companies received a full score (5 stars): Adobe, Credo, Dropbox, Lyft, Pinterest, Sonic, Uber, Wickr, and WordPress. These companies have shown improvements over the years, standing up for transparency and user privacy protection.

In contrast, at the bottom of the list we find the big telecommunications companies: AT&T, Comcast, T-Mobile, and Verizon. All these companies seem to meet the minimum standard in privacy protection and transparency, as they all earned just one star in the basic category “follows industry-wide practices”.

As users become more aware of privacy concerns and require a certain level of transparency and accountability, these companies may need to step up their game in privacy protection or risk losing precious customers to younger companies, such as Sonic, that are prioritizing users’ privacy and transparent practices.

What are the criteria?

These are the 5 criteria:

1. Follows industry-wide practices: Over the years, the technology industry has developed practices that are now commonly adopted by the companies that operate in it. The EFF metric is based on three of the main practices:
  • The company must have a public, published policy requiring the government to obtain a warrant from a judge before the company discloses the content of user communications.
  • The company must have published a transparency report since April 1, 2016, and the report should include useful data about how many times governments sought user data and how often the company provided user data to governments.
  • The company must have public, published law enforcement guides explaining how it responds to data demands from the government.

While every company earned its star in this category, some companies put additional effort into making their practices transparent and accessible to users.

For example, Twitter allows users to download a CSV of data and provides a map that showcases global trends in government data requests at a glance.

We explored Twitter’s transparency report and can confirm that the information is readily accessible. Here are some interesting trends that we could find.

The most recent available trends (for the period July to December 2016) show that Twitter received 2,304 account information requests in the United States, followed by Japan with about 977 and the United Kingdom with 681. When it comes to requests to remove content from the platform, for the same period (July to December 2016), Turkey leads with 2,232 removal requests from government agencies, police and others. France follows with 1,334 and then Russia with 519.

2. Tells users about government data requests: Companies need to have a policy regarding customer notification of law enforcement requests.

3. Promises not to sell out users: Companies have adopted a policy to protect their users by not designing, and by prohibiting, tools that could be used by third parties to enable voluntary surveillance of their users.

4. Stands up to NSL gag orders: Companies should have a public policy of always requesting judicial review of National Security Letter (NSL) gag orders.

5. Pro-user public policy: EFF awarded credit to those companies that are taking a stand in the debate around NSA surveillance and the reduction of online data collection. Specifically, credit was awarded to companies that supported reforms to limit data collection under Section 702, as well as to companies that supported letting the law expire entirely.