AT&T, WhatsApp get low marks from EFF for data disclosure policies

The advocacy organization has overhauled its annual study of privacy practices to ask more of tech titans

A chart of the EFF's scores for its 2015 "Who Has Your Back" report

The Electronic Frontier Foundation released the latest version of its annual "Who Has Your Back" report on tech companies' data disclosure policies Wednesday afternoon, giving perfect five-star ratings to companies including Apple, Adobe, Dropbox and Yahoo.

This year's publication is the fifth edition of the EFF's reporting on tech companies' policies around disclosing information to governments in response to data requests, and it brings major changes to the organization's framework.

"The criteria we used to judge companies in 2011 were ambitious for the time, but they've been almost universally adopted in the years since then," the EFF said in its report.

Most of the criteria from the EFF's past reports have been rolled into a single framework for "Industry-accepted best practices," which have been adopted by all but one of the companies surveyed. The organization also judged companies on their willingness to inform users of government requests for their data, except when required by law or in emergency situations.

Under the new criteria, in order to earn a star for informing users about requests, a company now has to commit to telling affected users when a gag order about the request has been lifted or the emergency has passed.

In addition, each company is now judged on whether it discloses its policies for retaining data (such as what happens to a user's files after they are deleted), whether it discloses content removal requests, and whether it has advocated against putting backdoors into encryption.

WhatsApp and AT&T scored lowest of all the companies in the report, each receiving just one star. The Facebook-owned messaging app was given a year to prepare for its first inclusion in the report, but it was the only company on the list that hadn't adopted the EFF's list of best practices, such as publicly requiring a warrant and publishing a transparency report.

AT&T hasn't changed much since its appearance on last year's report: While the company now publicly requires a warrant before disclosing data, AT&T still does not promise to inform users of data requests.

Twitter and Google both scored lower this year than last, because while both companies pledge to tell users about requests for their data, neither guarantees that it will tell them about a request after a gag order lifts or after the emergency conditions that made disclosure untenable have passed. Twitter's policies say it may inform users after such a disclosure becomes possible, but the company won't guarantee that it will do so.

Microsoft missed two stars this year (compared to a perfect score last year) because it doesn't publicly disclose its policies on data retention and hasn't yet published a report on government content removal requests. The latter will be fixed later this year, though: the company told the EFF that it plans to disclose content removal requests by September. (It's not clear whether Microsoft plans to release a data retention policy.)

Interestingly, Tumblr's rating diverged from Yahoo's perfect score, because the social network doesn't follow its parent company's example of revealing its data retention policies and disclosing requests from governments to remove content. The company did not respond to an inquiry about whether it plans to change its policies.

Overall, the EFF said it was "pleased to see major tech companies competing on privacy and user rights." The advocacy group says it believes the adoption of policies it calls for in the scorecard is part of a broader shift by tech firms toward pushing back against government data requests.

Stories by Blair Hanley Frank