
Who Has Your Back? Government Data Requests 2015 - FredericJ
https://www.eff.org/who-has-your-back-government-data-requests-2015
======
0xCMP
I'd like to point out something related to what others have already said.
First, they've pointed out the seemingly illogical picking of companies.
Snapchat but not Instagram (maybe part of Facebook?) and AT&T but not
T-Mobile? etc.

Another issue here is that by looking at the past reports you see how quickly
one company is the favorite and soon becomes the ugly step child. The columns
with stars are also changing to what sound like very vague and lax
requirements compared to the year before.

I didn't see any explanation there why. For instance they took out the
"requires warrant" column. I wonder if companies are contributing to the EFF
and so the EFF feels the pressure to make these companies look good in the
face of this new Snowden era. For instance, isn't it great that Apple now has
5 stars as it's starting its big "we're private" push while Google is now
very low compared to previous years? And how about twitter? They used to be a
poster child for good behavior as far as companies go.

~~~
sqeaky
You can read the description below the chart, they rolled the requires warrant
column into another column. A company must do both things to get a star.

------
ywecur
The only ones that actually have your back are those that use encryption to
make data collecting impossible.

~~~
jacquesm
This is about requests for _stored_ data, and then the encryption is moot; that
mostly affects data in flight or seized computers if the data is stored. In
the latter case you will probably be forced to cough up the decryption keys.

~~~
icebraining
Hence cperciva's "Playing chicken with cat.jpg":
[http://www.daemonology.net/blog/2012-01-19-playing-chicken-with-cat-jpg.html](http://www.daemonology.net/blog/2012-01-19-playing-chicken-with-cat-jpg.html)

When we're talking about protection against government data requests, only
companies that make sure they have access to the absolute minimum client
information they possibly can truly have our backs. Everyone else just has
good intentions.

~~~
jacquesm
Colin has it right. If you don't want to _ever_ compromise your clients' data
make sure you can't read any of it. It's that simple. Anything else simply
won't do.

That's why I keep recommending tarsnap to customers.

~~~
stephenr
Or you could.. you know... recommend an appropriate client-side encryption
tool so they can then store the archive/backup data on the storage provider of
their choice...

~~~
frankzinger
The advantage of having client-side encryption built into tarsnap is that it
encrypts only after data deduplication and compression.

Obviously there could be a tarsnap option to stream the data to be uploaded
through an encryption program of your choice, but doing it just as you suggest
would nerf a few of tarsnap's prime advantages.
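
An added illustration of the ordering point above (example code, not tarsnap's own): two backup snapshots that differ in a single 4 KiB chunk are uploaded once with deduplicate-then-encrypt and once with encrypt-then-deduplicate. Fixed-size chunking and the HMAC-based keystream cipher are stand-ins for a real chunker and cipher, chosen only so the block runs with the standard library.

```python
"""Deduplicate-then-encrypt vs. encrypt-then-deduplicate (added example)."""
import hashlib, hmac, os, zlib

CHUNK = 4096  # fixed-size chunks; real tools use content-defined chunking

def chunks(data: bytes):
    return [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Illustrative keystream cipher: HMAC-SHA256 in counter mode under a fresh
    random nonce. Stands in for a real AEAD and is not for production use."""
    nonce = os.urandom(16)
    blocks = (len(plaintext) + 31) // 32
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(8, "big"),
                               hashlib.sha256).digest() for i in range(blocks))
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))

def upload_dedup_then_encrypt(key: bytes, store: set, archive: bytes) -> int:
    """tarsnap-style order: chunk -> keyed hash -> skip known -> compress -> encrypt.
    Returns the number of bytes that had to be sent to the storage provider."""
    sent = 0
    for c in chunks(archive):
        h = hmac.new(key, c, hashlib.sha256).digest()  # keyed: provider learns no hashes
        if h not in store:
            store.add(h)
            sent += len(encrypt(key, zlib.compress(c)))
    return sent

def upload_encrypt_then_dedup(key: bytes, store: set, archive: bytes) -> int:
    """Whole archive piped through an external encryptor first. Every run has a
    fresh nonce, so the storage side only ever sees new ciphertext chunks."""
    sent = 0
    for c in chunks(encrypt(key, zlib.compress(archive))):
        h = hashlib.sha256(c).digest()
        if h not in store:
            store.add(h)
            sent += len(c)
    return sent

def compare() -> dict:
    """Constructed data: a 256 KiB incompressible snapshot and a second snapshot
    with one chunk replaced. Returns {pipeline: (bytes sent 1st, bytes sent 2nd)}."""
    key = os.urandom(32)
    base = os.urandom(64 * CHUNK)
    changed = base[:CHUNK] + os.urandom(CHUNK) + base[2 * CHUNK:]
    result = {}
    for name, fn in (("dedup_then_encrypt", upload_dedup_then_encrypt),
                     ("encrypt_then_dedup", upload_encrypt_then_dedup)):
        store = set()
        result[name] = (fn(key, store, base), fn(key, store, changed))
    return result
```

The second upload in the dedup-then-encrypt pipeline costs roughly one chunk, while encrypt-then-dedup resends the whole archive, which is the advantage an external encryption step gives up.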

~~~
stephenr
I think you've misunderstood me.

Tarsnap is a combination client-side application and remote service.

I am suggesting instead to use/recommend one of the existing client-side tools
that work similar to the tarsnap client does, but don't lock the user into a
single service provider.

By using a client-side tool that just generates archives (and isn't tied to a
single storage service provider), you can store them _anywhere_ - AWS,
iCloud, Google Drive, Rsync.net, a rented VPS, a friend's computer, an external
hard drive, all of the above. You name it.

~~~
frankzinger
I understood what you said, I just didn't know that there were tools in
existence that are as good as or better than tarsnap at the archiving part
which allow you to specify the storage location.

Edit: I used 'specify the storage location' very loosely. I.e., I realise it
could mean simply piping the archive data to yet another program in the shell.

~~~
stephenr
Mostly these tools would expect a local storage location and you'd schedule
scp/rsync/whatever to copy to the destination of your choice.

~~~
frankzinger
Cool, could you please give me a few examples?

~~~
stephenbez
I use EncFS with Dropbox.

It's an almost completely transparent user-space filesystem. Basically you
store your files in a given folder, and it automatically stores a parallel
encrypted copy in a different folder.

[http://www.howtogeek.com/121737/how-to-encrypt-cloud-storage-on-linux-and-windows-with-encfs/](http://www.howtogeek.com/121737/how-to-encrypt-cloud-storage-on-linux-and-windows-with-encfs/)

~~~
frankzinger
Does it do data deduplication? Doesn't sound like it to me from skimming that
article.

Edit: sounds like EncFS has some significant security issues:
[http://sourceforge.net/p/encfs/mailman/message/31849549/](http://sourceforge.net/p/encfs/mailman/message/31849549/).
No recent information in that discussion, so I don't know whether it's all
been resolved. Here's an HN discussion of the audit:
[https://news.ycombinator.com/item?id=7384730](https://news.ycombinator.com/item?id=7384730)

------
Splendor
I'm interested in why the EFF chose these companies to rate. For example,
rating AT&T and Verizon but not Sprint and T-Mobile seems odd to me. Rating
Snapchat but not Instagram almost makes sense because they're rating Facebook,
but then they've rated WhatsApp separately.

~~~
ethanbond
The ATT/VZW/Sprint/TM differentiation is weird, but Instagram versus Whatsapp
doesn't seem strange... Instagram doesn't _honestly_ seem like a hugely
valuable target. That's not to say I'm comfortable with them giving up info
freely, but I'd be much more concerned about my WhatsApp data being turned
over than my Instagram data.

I'd rather lists like these not be polluted by things like that.

------
suprgeek
Usually the EFF does a good job with these reports but you got to wonder with
a company like Dropbox.

- Condi Rice is on the Board of Directors - an avowed supporter of NSA
warrantless wiretaps

- Users cannot control their keys such that it becomes impossible for them to
hand over data to the Govt. even if they complied with the NSL or whatever other
BS demand

And they get 5 stars for "Having our Backs" (!)

~~~
lighthazard
They also scan user files for copyright protection and a few years ago had
some clear breaches of trust between users and the company.

~~~
numbsafari
The point of this effort is to elicit change from these organizations. If
having breaches "a few years ago" means never getting a star, why would a
company care?

------
afsina
Why does Google have only 3 stars?

~~~
learnstats2
Particularly since I recall that Google had _six_ stars last year.

Has Google gotten so much worse in the last year? Or has it perhaps stopped
funding the EFF?

_Edited to add citation:_
[http://www.theregister.co.uk/2014/10/14/assange_bollocks_google_eff/](http://www.theregister.co.uk/2014/10/14/assange_bollocks_google_eff/)

~~~
magicalist
This is covered quite well (multiple times) by the article. The categories are
not the same as last year.

~~~
learnstats2
I agree that the changes are covered, but I disagree that they are covered
well.

The following companies have gone from at least one star below Google to at
least one star above Google, on a 4-6 star rating system, in the last year:
Adobe, LinkedIn, Wickr, Wikimedia, Wordpress.

despite no company materially changing their terms in that time.

How is this a robust or meaningful measure, in that case? The exceptionally
large variation is not addressed.

Why has this happened? In my opinion, it's because the 2014 report is bogus
(two of the categories are "published a report"), and most probably it was
just permitted to be bogus because Google were heavily funding the EFF in
2014.

~~~
npizzolato
Three of the stars last year -- "requires a warrant", "publishes transparency
reports", and "publishes law enforcement guidelines" -- were merged into a
single star "follows industry best practices". According to the report, a
company has to do all three of those things to qualify.

It's perfectly reasonable for the EFF to evolve how they're rating companies
as the years go on. After all, the privacy landscape changes and they're
trying to push companies to making some changes. That explains the drop in
stars. According to the EFF, Google is doing things that are now considered
standard, and they're no longer on the forefront of defending privacy.

Your accusations of bias because Google isn't funding the EFF are, frankly,
ridiculous.

~~~
learnstats2
> Three of the stars last year were merged

If that were the only major difference, Google would still have 4 stars with
the 5th undecided. Google now have 3 stars.

> Your accusations of bias because Google isn't funding the EFF are, frankly,
> ridiculous.

To be clear, I am not accusing EFF of bias _against_ Google.

Other privacy organisations have literally accused the EFF of lobbying for
Google. From Wikipedia:

"In 2011, the EFF received $1 million from Google as part of a settlement of a
class action related to privacy issues involving Google Buzz. EPIC and seven
other privacy-focused nonprofits protested that the plaintiffs' lawyers
and Google had, in effect, arranged to give the majority of those funds "to
organizations that are currently paid by Google to lobby for or to consult for
the company.""

Since then, the EFF spoke up loudly against the right to be forgotten (Google
Spain v AEPD and Mario Costeja González), even though this is considered a
privacy basic by EU data protection principles.

------
yuvadam
Curious if there's any project that aggregates all the transparency data
into a nice CSV; could be useful to chart and track trends.

------
dimino
The stars should link to sources of each of these categories, that'd be cool.

------
ytdht
Microsoft opposes backdoors but not some process that is very similar that
allows "legitimate legal requests" to be fulfilled ...

