
Who Has Your Back 2014: Protecting Your Data From Government Requests - weeha
https://www.eff.org/who-has-your-back-government-data-requests-2014
======
scrrr
(with a little bit of sarcasm:)

Oh I guess then it's safe to put my data on the American cloud again.

Just kidding, wouldn't do it. And neither should you.

It's sad, but as a foreigner I don't see that, regarding government policies,
anything at all has changed since Snowden went public. I have nothing against
the USA taking various leadership roles. Biggest democracy, newest technology
etc, but since early 2000s it seems they are doing a bad job in many areas.

No thanks.

~~~
lgbr
What would make you think that foreign governments would be any better?
Supposedly privacy friendly European governments engage in plenty of
wiretapping[1][2][3]. What I find different about what happens in the US is
that these events are highly publicized, scrutinized, and court battles over
wiretapping are extremely expensive for the US government, compared to other
countries. I don't see that happening elsewhere.

1: [http://ccc.de/en/updates/2011/analysiert-aktueller-staatstrojaner](http://ccc.de/en/updates/2011/analysiert-aktueller-staatstrojaner)

2: [http://falkvinge.net/2012/04/02/sweden-paradise-lost-part-1-general-wiretapping/](http://falkvinge.net/2012/04/02/sweden-paradise-lost-part-1-general-wiretapping/)

3: [http://www.wsws.org/en/articles/2011/09/fran-s09.html](http://www.wsws.org/en/articles/2011/09/fran-s09.html)

~~~
izacus
Because there's a significant difference in influence I can assert to MY
government and a FOREIGN (which includes US) government.

Consider just a lot of US surveillance laws: we non-US citizens might as well
be animals for the rights we have. Significantly different than what our own
local/EU privacy laws award us.

Also it is significantly easier to take legal action against my own government
agencies than US ones.

~~~
happyscrappy
Except people in CN, NZ and AU pretend they are not part of the 5 eyes and
don't appeal their own govs, just complain about US. Brilliant.

~~~
nisse72
Not sure about the others, but the Kiwis certainly have been appealing the
government to stop spying, and questioning New Zealand's role in 5 eyes:

[http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=10904220](http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=10904220)

CN? When did China join 5 eyes?

~~~
happyscrappy
Oops. CA not CN, CA is the postcode for California and the TLD for Canada.
Good to see some pressure applied to the NZ gov but I think Dotcom muddles
things.

------
ronaldx
The EFF apparently cares a great deal about government surveillance but does
not comment on corporate surveillance.

Is it a coincidence that some of the 6 star corporations who supposedly "have
our back" are funding the EFF? Sigh.

A lot of the EFF's work seems to go into defending Google's rights rather than
defending individuals' rights. This is bizarre behaviour for a privacy
advocacy group. See also:
[https://twitter.com/EFF/status/466727797713825793](https://twitter.com/EFF/status/466727797713825793)

I find that I can no longer support the EFF's work.

~~~
emiliobumachar
Focusing on governments seems like a good focus. They are much more powerful,
have a much darker history of abusing that power, and opting out of giving
info to businesses is much more realistic, while still hard.

~~~
forgottenpass
There are a handful of private services for which the market is both cornered
by a handful of participants and a necessity to modern life. Opting out of
those is about as easy as opting out of laws, both of which require a form of
essentially going off grid or on the lam.

Also, it is important to realize that the consolidation of data by businesses
is exactly what makes it so easy for government to show up and say "I'll have
some of what he's having."

Businesses leverage their power over people to get at data they otherwise
wouldn't like to share.

Governments leverage their power over businesses to get at data they otherwise
wouldn't like to share.

You can argue that the power in question is different, and that's an important
piece of the conversation to have. But overstating that facet becomes a
smokescreen for an "it's OK for me to do, but don't do it to me" argument.

------
x1798DE
> Tell users about government data requests. To earn a star in this category,
> Internet companies must promise to tell users when the government seeks their
> data _unless prohibited by law_, in very narrow and defined emergency
> situations,[2] or unless doing so would be futile or ineffective.[3]

Those caveats make this a meaningless category, particularly the first one.
Nearly all the data requests that people are concerned about have been coming
with gag orders attached. Not to mention, how can the EFF even verify this?
One assumes the criteria are assessed by the companies' policies, not by their
actions, and that's clearly meaningless if the government is essentially
compelling them to lie, keep silent or "massage the truth".

~~~
lukesandberg
> Nearly all the data requests that people are concerned about have been
> coming with gag orders attached.

citation? most data requests are run of the mill subpoenas (in non-criminal
cases), gag orders only apply to a fairly small subset of user data requests.

~~~
x1798DE
I'm talking about the requests people are concerned about, not nearly all the
data requests that are made. I may be way off-base here, but I think that most
people are not particularly uncomfortable with the idea that law enforcement
could get a warrant to seize their data from a judge based on probable cause
and would do so without putting the company under a gag order - that's what we
expect from the constitution. I think people are much less comfortable with
being caught in a suspicionless surveillance net based on a warrant issued by
a FISA "court" with no transparency and no adversarial hearing process, and
those are generally issued with national security gag letters.

------
etiam
The PRISM companies have been _saying_ they 'have our backs' since that story
broke, and it's more clear than ever that they were lying in those statements.
(notably, see the material in Glenn Greenwald's recent book _No Place to Hide_
about direct surveillance agency access to servers, in spite of coordinated
statements from the companies denying precisely that. Not that most people
found them credible back then.)

What I'd like to know is who is _acting_ to protect their users, and for a lot
of the entries on this list I have negligible levels of trust that
words and actions tell the same story.

Still, all the star categories here are at least somewhat verifiable, and
giving bad actors credit for improving is a good thing. I think this has
limited value as a guide to what companies can be trusted, but great value as
a survey about the response of U.S. society to the Snowden releases, and these
trends look somewhat encouraging. Thanks EFF, for pointing the spotlight.

------
Cieplak
It's funny that no one talks about credit card companies actually selling
personal data to the highest bidder:
[http://www.businessinsider.com/credit-cards-sell-purchase-data-to-advertisers-2013-4](http://www.businessinsider.com/credit-cards-sell-purchase-data-to-advertisers-2013-4)

Not very hard to deanonymize a person's every card purchase.

~~~
maxerickson
It would be awesome if you deanonymized yourself and wrote it up.

Edit: (I mean from publicly available data, didn't realize how ambiguous that
was until I reread it)

~~~
ctb_mg
Pretty intrigued by this! However, if the data is sold by CC companies, is it
truly "public"? Regardless, would you even be able to target an individual
without spending lots of money to buy a large batch of "anonymized" spending
data?

~~~
maxerickson
I guess it would have been better to say "generally available" data.

So anything you could buy would be fine, but no stealing or fraud.

------
sspiff
They are basing this largely on statements by the companies in question, not
on their actions or any proof that these companies actually abide by their
promises. Seems a bit hollow to me.

~~~
rurounijones
Criteria like "Tell users about government data requests. To earn a star in
this category, Internet companies must promise to tell users when the
government seeks their data _unless prohibited by law_" doesn't inspire
confidence either.

~~~
lukesandberg
what would a reasonable criteria be? Should the EFF create criteria that could
only be met by criminals?

The main issue with the gag orders that people are concerned about is not that
they are fundamentally wrong, but that they are ripe for abuse. Many of these
companies are publishing some data about these kinds of orders, so within the
limits of the law they are doing everything possible.

------
salar
If people are interested in a more in-depth view about this, check out
[https://transparency-reports.silk.co/](https://transparency-reports.silk.co/).
It covers other countries too and has more raw data on both
companies and governments.

The EFF collaborated with us [1] on this and we're very excited about being
able to provide the data in an accessible and easily comparable way on the
web.

[1] [https://www.eff.org/press/releases/which-tech-companies-help-protect-you-government-data-demands](https://www.eff.org/press/releases/which-tech-companies-help-protect-you-government-data-demands)

------
junto
It is indeed a sad state of affairs when you have to read the title
"Protecting Your Data From Government...".

It highlights the fact that government no longer works for us; that the
majority of people either do not care about the issue, or they do care and
democracy is a farce.

Of those options, I firmly believe that democracy is a farce.

My 90 year old Gran's father was one of the founders of the British Labour
Party. She says that if someone starts a revolution she will join in. She
thinks she is too old to start it, and to be fair she is blind and deaf so
she's doing pretty well. We need more people like her.

~~~
junto
Purely out of interest, why the downvotes?

I'm curious as to whether my pessimism about government, or my disillusionment
with democracy or my 90 year old Gran's revolutionary tendencies caused
offence?

~~~
XorNot
Because the world doesn't want for examples of what civil wars look like, yet
still you advocate for them.

~~~
jnbiche
Revolutions are not necessarily violent, nor necessarily lead to civil war:

[http://en.wikipedia.org/wiki/Velvet_Revolution](http://en.wikipedia.org/wiki/Velvet_Revolution)

[http://en.wikipedia.org/wiki/Orange_Revolution](http://en.wikipedia.org/wiki/Orange_Revolution)

[http://en.wikipedia.org/wiki/Overthrow_of_Slobodan_Milo%C5%A1evi%C4%87](http://en.wikipedia.org/wiki/Overthrow_of_Slobodan_Milo%C5%A1evi%C4%87)

~~~
XorNot
If you're not willing to participate in, and accept the conclusions of, your
democracy in the first place, what makes it likely you'd be willing to do so
in any other system?

Those revolutions were about asserting an effective democracy, not a
particular policy platform. The governments they removed were actively rigging
elections, not just successfully attracting the majority of the vote and
implementing policies you didn't like.

~~~
junto
Just to play devil's advocate here, what if there were only two parties you
could effectively vote for, because the system was rigged in such a way that
regardless of which party you voted for, the actual underlying system still
penalised the majority whilst benefitting the corporation.

To be fair, my use of the word 'revolution' was misleading. I meant
fundamental change, and not a violent overthrow of government. I did not
realise and was naive to the fact that many people only see revolution as a
word that is both negative and violent.

~~~
XorNot
It's too broad of a problem to describe. Different places have different
problems. But you're also phrasing the issue in terms of non-participation. Is
it impossible to join the political parties and work for change from within
them?

So long as the vote itself is not rigged (something which gets _questionable_
in the US I'd say) then in many cases it's very much a matter of playing well
with others, and actually having the support of the populace on your side.

There's also more layers of government that are important than just the
federal. Local councils have a fair amount of power to influence policy
implementation in their areas, states more so and representatives of both have
louder voices for broadcasting dissent.

You seem to be using revolution to describe "getting enough supporters to vote
for you". And if you can do that, then you can get yourself elected into
office at some level of government (or someone you feel does represent you)
and start effecting change.

------
Zirro
I am happy to see the significant increase in stars, but I do wonder if the
same rules apply to both US and non-US users. The report is vague regarding
this.

~~~
rmc
Probably not. The US legal requirement for a warrant doesn't apply to
non-USAians.

~~~
logfromblammo
It applies equally to non-U.S. nationals. The U.S. just ignores the
requirement because those people don't have standing to sue in U.S. courts,
and the U.S. has the de facto ability to ignore rulings by other courts.

The Constitution tends not to refer to "nationals" or "citizens" but to
"people", as the general intent was to limit the things the government was
allowed to do, not to whom they could do those things. The likely argument
then, as it would be now, is that if the U.S. can blanket-surveil a foreigner,
they could easily convert those same capabilities to a U.S. national.

------
skrebbel
Significantly more stars than in 2013! [1]

This is a very good development, and it also suggests that these kinds of
publications may have some positive effect in encouraging more companies to,
well, "have your back".

[1] [https://www.eff.org/who-has-your-back-2013](https://www.eff.org/who-has-your-back-2013)

~~~
higherpurpose
I think they changed the categories, and now they are only about whether they
fight against the government or not, and even those aren't that great. Take
AT&T for example. Yes, they "publish transparency reports", but very
weak/misleading ones. They don't publish everything. AT&T gives NSA the whole
firehose to their cables, and they still get to get a star for "publishing
transparency reports" which don't even include that important tidbit of
information?

They have nothing to do with how invasive their privacy policies are against
their users, how much they track you, how good of an encryption they use or
anything like that. Maybe they should make a separate benchmark for all of
those, too, if they're not going to integrate them anymore. Because soon we'll
be seeing headlines like "Facebook has 5/5 stars on privacy!" - which is just
misleading to most people.

------
herrschindler
So the EFF is now becoming the lobby for the US surveillance companies?

Several of these companies built their business model on commercial
surveillance of their users with the purpose of monetizing their data directly
or indirectly.

And these are the companies that are supposed to "have my back"? Really?

~~~
rectangletangle
Companies never "have anyone's back." They exist to generate revenue; this
isn't intrinsically bad. However, this should preclude any form of blind
trust.

------
7schlaefer
I'm somewhat unsure about the significance of these stars, it seems too much
like a PR checklist.

~~~
Centigonal
I think that's what the EFF's going for.

------
Oras
Facebook is fighting for users' privacy? Is it the joke of the day?!

~~~
weland
It's fighting for users' privacy as in fighting for how much of that ton of
information they're gathering can be _withheld_. Otherwise, yeah, I know a few
really attractive ladies who are fucking for virginity.

~~~
x1798DE
It's not surprising that Google and Facebook would be huge advocates against
government and other use of their databases - I imagine the renewed fervor
about end-to-end encryption and the increased skepticism of cloud services is
really going to hurt their business model. A secret kept by two people is
almost as private as one kept by just one. (Not saying that they'll succeed or
even that they have an incentive to succeed 100% of the time, just that I
imagine the lack of trust now is going to start hurting soon, if it's not
already.)

------
ikawe
From the article:

> CREDO Mobile, a new addition to this year’s report, demonstrated through its
> exemplary policies that it is possible for a telecom to adopt best practices
> when it comes to transparency and resistance to government demands.

I'd never heard of Credo Mobile before.

Regardless of the intentions of Credo, since they appear to be leasing
Sprint's towers, doesn't that ultimately put Credo's customers at the whim of
Sprint in terms of who gets wiretapped / transparency reports / etc?

Or is it possible for a tenant on the infrastructure to be reasonably assured
that outsiders can't intrude into their communications.

I know very little about it, but what I've seen of cell network security
research, makes me assume that no such security exists for tenants leasing
towers.

------
TallGuyShort
The problem with this list is that I can't tell if the starred company ALWAYS
does the relevant action, or HAS done the relevant action at times. Does
Google always tell users about govt requests for data? Or does Google
sometimes tell users about govt requests for data? Because recent revelations
indicated the government could retrieve their data without Google even being
involved in each transaction, and they were legally barred from revealing
fine-grained details about requests. But they did publicly oppose that policy
after the fact and fought (or at least appeared to) the policy after it was
revealed. So they get a star in that category now?

It's a bit like charting a flip-flopping political candidate's stances on
issues. Does candidate X support issue Y? Yes! Does candidate X oppose issue
Y? ... yes!

------
butler14
microsoft really earnt their 5 stars, what with them working covertly with the
FBI to break SSL

~~~
obeleh
Got any link where I can read about msft doing that?

------
rtnl
Could anyone explain how that list was assembled?

Why aren't there any of the services that actually have our backs on this
list? Companies such as [https://MyKolab.com](https://MyKolab.com) clearly
seem to belong on that list.

------
mherdeg
I'm surprised that this EFF report doesn't include Reddit.

~~~
jedberg
reddit doesn't really have any of your personal data. They _may_ have an email
address, but that's about it. They may also have an IP address, but as long as
your ISP is good, even if law enforcement gets that it won't help much.

~~~
cbr
Reddit has PMs.

------
Zigurd
How many of these companies have made key exchange and Web of trust easy to
use and have put your data completely out of reach of snoops?

I know of one that makes the use of private keys and encrypted payload easy:
Carbonite. Anyone else? Anyone? Bueller?

------
akandiah
Six stars for Apple! It's the first time that it's received such an accolade
from the EFF.

------
freechoice22
Let's all just trust these corporations who went behind our backs since start
of the 90s.

EFF reports clearly show now that the major corporations which backstabbed us
are doing all they can now to serve our interests and not other agendas. Herd
the sheep, and sheep will not say a thing. Well done EFF, show me the way to
herd the sheep.

~~~
kaybe
While it might not be believable it could give the companies and the people
inside pushing for these things some positive reinforcement. It has to be very
clear what is not acceptable and what will create good and bad press. They
will most probably keep doing it in the dark, but at least everyone involved
knows it's wrong and could endanger their business. That's a first step.

------
kordless
Where's Rackspace, dammit?

------
hellbreakslose
Apple had 1 star last year. This year has 5/5

~~~
scrollaway
Yeah, bit of a silent hero; would not have expected that.

