AT&T, Verizon, WhatsApp not protecting user privacy, says EFF report

In the Electronic Frontier Foundation's most recent "Who's Got Your Back?" annual report, nine companies earned full five-star ratings. But the EFF is concerned that some companies haven't prioritized their users' data.

The Electronic Frontier Foundation's 2015 "Who Has Your Back" annual report on government data requests and transparency was released on Wednesday.

Electronic Frontier Foundation

June 19, 2015

American telecommunications companies AT&T and Verizon have been given poor ratings in this year’s “Who Has Your Back?” report, published by the Electronic Frontier Foundation. The EFF, a digital rights and Internet civil liberties group, has released this report annually for the past five years to highlight consumer privacy standards and alleged civil liberty breaches among the industry’s leading companies.

The report surveyed 24 leading tech companies, and found nine to be compliant with all standards criteria, earning five stars. Two companies — AT&T and Facebook's WhatsApp — earned only one star in the report. The rating system is used by the nonprofit digital watchdog to assess whether technology companies are abusing their users, or if they’re allowing their users to be abused by government or legal powers.

The EFF outlines that previous reports had pushed companies to adopt new standards of practice. “We’re proud of the role our annual report played in pushing companies to institute these changes,” the report says. “But times have changed, and now users expect more.”

NSA revelations: A timeline of what's come out since Snowden leaks began

Several new categories were added to this year’s study, highlighting company transparency, privacy, and encryption standards. Specifically, this report assesses five criteria. A company must: communicate to users about government data requests, publicly disclose company data retention policies, publicly disclose frequency of government requests for content removal and company compliance, and oppose “backdoor” policies to encryption standards. A fifth, “best practices” criteria takes the place of all past report criteria, and focuses on companies that adopt industry standards for user privacy.

For a company to be compliant with the EFF’s “best practices”, it must require a warrant before handing over user content, publish regular transparency reports, and publish law enforcement guides. The EFF communicates with each company surveyed in order to encourage standards of practice, and notes that companies have improved in following these practices over the past four years. Only one company surveyed – WhatsApp – did not meet standards for “best practice.”

Of the 24 surveyed, Adobe, Apple, Credo, Dropbox, Sonic.net, Wikimedia, Wordpress, and Yahoo received a perfect five-star rating. Many tech giants, such as Facebook, Google, and Microsoft, fell directly in the middle with three stars. Most commonly, companies were not transparent about government data requests.

At the bottom of the list falls wireless network carriers AT&T and Verizon, which, one TechCrunch writer notes, follows a trend of telecom companies falling behind the rest of the tech sector. According to the report, WhatsApp, the messaging start-up recently acquired by Facebook, has not disclosed any information about its data practices or encryption standards, despite being given “a full year to prepare for its inclusion.” The only star earned by the company was through a policy of its parent company, Facebook.

These annual reports have focused mostly on transparency of company-to-user interactions regarding possible abuses of data. The focus on consumer privacy has only increased since Edward Snowden leaked National Security Agency documents detailing government-sponsored data collection programs. For the EFF, this rating system is a way to show which products users can “trust” with their information in an age of heightened privacy restrictions.

NSA revelations: A timeline of what's come out since Snowden leaks began

The EFF also understands that companies can have poor internal practices that could harm user data. Part of their evaluation centered on whether or not a company had integrity when following through with public statements. Though Facebook discloses some information about government data requests, the company fails to publicly provide information on when it closes or blocks accounts based on government requests.

The report details that an overwhelming majority of companies that oppose “backdoor” regulations for encryption standards. The proposal by law enforcement, which 21 of those surveyed opposed, would eschew product encryption standards to allow government officials a “backdoor” into user data. The only three companies to not publicly oppose these regulations are AT&T, Verizon, and Reddit.

The EFF says it hopes that this report pressures the industry to wholly adopt better consumer privacy standards.