Apple, AT&T, and Verizon fall short in protecting your data

EFF releases its annual report on whether companies are fighting to keep customers' personal data from the government

Every year the Electronic Frontier Foundation releases a report that looks at major Internet-related companies -- Internet service providers, companies with services in the cloud, and the like -- and asks a probing question: What does the company do to keep customers' personal information out of the government's hands? The 2013 EFF report just hit, and it contains a few surprises. But be careful what you read into the report until you understand the methodology behind it.

The examined companies could receive a gold star in each of six categories:

  • If the company requires a warrant before releasing information to the government.
  • If the company notifies customers when their information has been requested (except when prohibited by law).
  • If the company publishes a report about how many government requests it has fulfilled.
  • If the company has published formal guidelines on how it responds to information requests from governmental bodies.
  • If the company has ever fought a request for information in the courts. "[N]ot all companies will be put in the position of having to defend their users before a judge, but those who do deserve special recognition."
  • If the company belongs to the Digital Due Process Coalition, a group that is pushing the U.S. Congress to rewrite the (largely outmoded) Electronic Communications Privacy Act of 1986.

Of the companies surveyed, only Twitter and Sonic.net lit up the boards with six stars, and Dropbox, LinkedIn, and SpiderOak fell short only in the "fought a request" category -- quite possibly through no fault of their own.

Google also drew five stars, with a zero for its customer notification policy. If you read the whole report, you'll see that Google has recently waffled in its notification policy, claiming, "We notify users about legal demands when appropriate, unless prohibited by law or court order." The weasely "when appropriate" cost the Googlies a star.

At the same time, Google drew a great deal of praise for challenging a request for search logs, a specific request for information about the subject of a WikiLeaks investigation, and for standing up to a National Security Letter -- a request for information, alleging a national security interest, that doesn't require a warrant. "Because of the government's demands for secrecy, service providers are simply the only ones who can stand up and push back, and we hope Google's example will inspire others," the EFF said.

Microsoft failed both in the notification arena and in its "fought a request" stance. Microsoft's statement on "Sharing of Your Personal Information" contains no mention of notification to users. The lack of a "fought a request" star speaks volumes, particularly because Microsoft readily admits it complies with National Security Letters.

Near the bottom of the list? Apple. The only star Apple scored was for joining the Digital Due Process coalition -- basically, the company signed a check. As the EFF says, "Apple and AT&T are members of the Digital Due Process coalition, but don't observe any of the other best practices we're measuring. And this year -- as in past years -- MySpace and Verizon earned no stars in our report. We remain disappointed by the overall poor showing of ISPs like AT&T and Verizon in our best practice categories."

This story, "Apple, AT&T, and Verizon fall short in protecting your data," was originally published at InfoWorld.com.