An Electronic Frontier Foundation survey published last week gave AT&T, Verizon and WhatsApp the thumbs down when it comes to protecting user privacy. Google and Twitter also got a black eye.
The five were among 24 companies the EFF evaluated on criteria worked out over the past four years.
WhatsApp, now owned by Facebook, also took criticism in the EFF’s fifth annual report, Who Has Your Back?
On the plus side, nine companies — Adobe, Apple, Credo, Dropbox, Sonic, Wickr, Wikimedia, WordPress.com and Yahoo — received the top rating, five stars, in each category.
“While we’re happy that the tech industry has made great strides over the last few years, there’s still much to be done,” said EFF staff attorney Nate Cardozo.
The EFF’s Criteria
The EFF used five criteria to assess the practices and policies of the 24 participating companies:
- whether the company implements industry-accepted best practices, such as whether the company requires demands for customer data to be accompanied by a signed court warrant before handing over information, whether the company publishes a transparency report, and whether it publishes guides explaining how it responds to such demands;
- whether the company tells users about government requests for their data unless prohibited by law, or only in very narrow and defined emergency situations, or unless doing so would be futile or ineffective;
- whether the company publicly discloses its data retention policies;
- whether the company discloses how many times government bodies ask it to remove user content or accounts and how often it complies; and
- whether the company opposes backdoors.
Twenty-one of the 24 companies evaluated publicly opposed backdoors.
The Telco Walk of Shame
Verizon Wireless and AT&T scored especially poorly, continuing a years-long trend of telcos lagging behind the rest of the tech sector, the EFF noted.
“It’s great that AT&T and Verizon are releasing transparency reports in the wake of Snowden,” said EFF’s Cardozo, referring to NSA whistle-blower Edward Snowden’s massive leaks.
Still, “there’s absolutely no excuse for their silence on the issue of encryption and government-mandated backdoors,” he told the E-Commerce Times.
The companies’ behavior reflects a long-established pattern. Back in 2012, Verizon was blasted for bragging it was monitoring subscribers’ app usage and browsing habits.
In 2014, there was an uproar when news surfaced that Verizon Wireless and AT&T were using supercookies. Public outrage led both carriers to stop.
Further, AT&T readily handed over user data to the Bush administration on request.
“Both companies operate in heavily regulated areas and recognize that the government has unusual power over them,” explained Rob Enderle, principal at the Enderle Group.
“They are therefore used to complying with requests like this in order to avoid escalations that could massively damage their business models,” he told the E-Commerce Times.
The criticism of WhatsApp’s privacy practices also might have been expected.
The United States Federal Trade Commission last year warned Facebook and WhatsApp about their obligation to protect consumers’ privacy in advance of Facebook’s buying the smaller firm.
Facebook in 2011 settled FTC charges that it deceived consumers by not keeping its privacy promises.
Naked Security in January reported that WhatsApp’s then-new service, WhatsApp Web, had privacy holes that could expose photos sent from a user’s mobile device and then deleted.
The firm in February revealed that a WhatsApp feature let people track users’ status and any changes they made to their content and settings, even if they changed their privacy settings.
Reports in March indicated that WhatsApp’s 800 million users’ phones could be hijacked through the application.
Facebook should take the heat, Enderle said, because it’s the parent company, but “nothing should stop WhatsApp from taking action on its own.”