I don't think this "benchmark" is that relevant anymore. It feels way too simplistic post-Snowden revelations.
I think we need a more comprehensive benchmark, that also includes the type of security they use (perfect forward secrecy, 128+ bits of security), as well as stuff like not tracking your private conversations, and so on.
While many of the companies there fail even at this benchmark, it makes it sound like a few of them that have 4+ stars are very "privacy-focused", and that you should feel very "safe" with them, and again, post-Snowden revelations, I don't think that's so true anymore.
In a new benchmark, companies like Google and Linkedin would probably get 2/5 stars, or 3/5 at most. Maybe make it out of 10, so you can still include other companies that may have privacy level at 1/10, or 3/10, which is harder to show in this 5/5 type of rating.
If a company that tracks everything receives a "top privacy rating", I don't think the benchmark used is very useful.
"I don't think this "benchmark" is that relevant anymore...If a company that tracks everything receives a "top privacy rating", I don't think the benchmark used is very useful."
I think it is a useful comparison, but only part of the picture as you say. For example, Google gets high marks in this EFF survey but, as you rightly point out, you also have to balance that against the amount and type of data that Google (and other companies) collect about users.
I don't doubt that Google has a strong committment to security. But security and privacy, although closley related, are not the same thing. Even if Google stops the NSA snooping on their data, that doesn't stop Google from continuing to collect as much data about you as they possibly can. Google's comments relating to the NSA revelations have all been couched in terms of security (but not a word about privacy or the volume of data they collect). So yes, better security will protect your data from government eyes, but it won't necessarily stop companies collecting as much data as they can about you.
Just to be clear, there's no comparison between Google collecting user data and a secretive Goverment agency with questionable motives and intentions collecting data - one is obviously an order of magnitude worse. But that doesn't mean it's fine for companies to track users unhindered just because they're not the NSA. And Google arguably tracks more than anyone else. Isn't it time we also had transparency reports from these companies about the data they collect?
It should be noted that this is related to protect your privacy from government attempts to to access such data.
Given LinkedIn's MD5 password leak, the LinkedIn Intro "MITM", and the fact that LinkedIn asks users for their e-mail and e-mail password, when I read the title I assumed it would be related to security issues and not legal issues.
This report was published in early 2013, and it appears the only update since the beginning of May was for MySpace[0]. The report doesn't take into account any of the new information we acquired in 2013 or the "transparency reports" some of these companies have added. As others have pointed out, considering what we know now, the approach (or at least the categories) probably isn't particularly relevant anymore--we need to take much more into consideration. I'm looking forward to what the EFF comes up with for this year.
Turns out this is a policy assessment of those companies and whether they publicly stand on the side of users when the government attempts to seek access to private data.
This a 6 point assessment:
1. Require a warrant for content of communications.
2. Tell users about government data requests.
3. Publish transparency reports.
4. Publish law enforcement guidelines.
5. Fight for users’ privacy rights in courts.
6. Fight for users’ privacy in Congress.
Anyone knows how relevant this is for non-US citizens? If FBI wants my gmail, will Google still require a court order? What court would be the relevant one?
Given the NYPD's jurisdiction one would think they wouldn't be sending agents out for 'anti-terror' work in foreign nations or writing missives on the Nairobi mall attack.
I guess this chart only applies to American values of "you", "your data" and "government".
And the stars in the column "Fights for users’ privacy rights" seems like a sick joke, given the massive international anti-privacy lobbying of some of those companies.
A report like this could become another track from which privacy respecting companies (against the Govt.) can differentiate them selves from others.
If sonic.net (to pick one from random)consistently keeps touting "Five stars from the EFF for protecting your privacy" then runs ads where they show how poorly their competition are doing, this might sway customers.
Unfortunately this report needs an addendum -
Companies that made the ultimate sacrifice (Shut Down) rather than cooperate with Big Brother - LavaBit, SilentCircle et al.
Apple has a good revenue stream without collecting private data and exploiting that and if they both respected private data and stood up to the government then they could be a viable safe haven. I think that Apple is missing an opportunity.
That's cool so many of these companies are fighting for users' privacy rights in Congress. I was surprised to see Comcast alongside Google in fighting for privacy rights in courts as well.
#1 problem with this is that it is based on policy language, not actual measured behavior. Behavior is hard to measure, but especially in this area, where lying is both common and sometimes required by law, policy wording isn't so meaningful.
For example, it doesn't include a measure of security against government hackers, or internal "hackers" doing govt bidding.
How much did LinkedIn donate to EFF? They talk about transparency, yet I can't find their donors list? Or any info whatsoever how they are funded... Strange
I think we need a more comprehensive benchmark, that also includes the type of security they use (perfect forward secrecy, 128+ bits of security), as well as stuff like not tracking your private conversations, and so on.
While many of the companies there fail even at this benchmark, it makes it sound like a few of them that have 4+ stars are very "privacy-focused", and that you should feel very "safe" with them, and again, post-Snowden revelations, I don't think that's so true anymore.
In a new benchmark, companies like Google and Linkedin would probably get 2/5 stars, or 3/5 at most. Maybe make it out of 10, so you can still include other companies that may have privacy level at 1/10, or 3/10, which is harder to show in this 5/5 type of rating.
If a company that tracks everything receives a "top privacy rating", I don't think the benchmark used is very useful.