Twitter Gets Best “Privacy Score” In Useful But Flawed EFF Analysis

Digital privacy is a complex issue, little understood by the public. The Electronic Frontier Foundation (EFF), as part of its ongoing mission to educate the public, has released its third annual “Who’s Got Your Back” privacy scorecard for Internet companies.

Below is the 2013 scorecard. Compared with the previous two years (below), results appear to be improving overall. Twitter and ISP Sonic.net are the big winners with perfect scores. Dropbox, Google and LinkedIn also do well, while Apple, Amazon, AT&T, Verizon, MySpace (does it still exist?) and Yahoo essentially get failing grades.

The report is a useful, though incomplete, analysis. While it does a good job of exposing which companies defend users against potentially improper government and law-enforcement requests for information, there is no discussion of other critical areas of consumer privacy. Indeed, a major “front” in the ongoing debate over consumer privacy is “data mining” for ad targeting and tracking purposes. The report is essentially silent in that area.

As a result, these privacy scores and the secondary popular-media coverage of them may actually mislead the public into thinking that there are greater privacy protections at some of these companies than truly exist. As one example, Google and European regulators are engaged in a fierce debate over Google’s consolidated privacy policy and consumer data retention practices.

A more holistic analysis of consumer privacy might ding or demote Google accordingly. Apple, which essentially fails the EFF analysis, has actually has been well ahead of the curve in the mobile privacy arena. But, the company doesn’t get credit here for those efforts.

To call this a “privacy scorecard” is thus inaccurate and somewhat misleading. It’s much more of a “4th Amendment scorecard.”

Having said that, the 2013 EFF report expands its evaluation criteria. It includes a few new companies and drops others (because of acquisitions). The following were the criteria used by the EFF in this year’s report:

1. Require a warrant for content of communications. In this new category, companies earn recognition if they require the government to obtain a warrant supported by probable cause before they will hand over the content of user communications. This policy ensures that private messages stored by online services like Facebook, Google, and Twitter are treated consistently with the protections of the Fourth Amendment.
2. Tell users about government data requests. To earn a star in this category, Internet companies must promise to tell users when the government seeks their data unless prohibited by law. This gives users a chance to defend themselves against overreaching government demands for their data.
3. Publish transparency reports. We award companies a star in this category if they publish statistics on how often they provide user data to the government.
4. Publish law enforcement guidelines. Companies get a star in this category if they make public policies or guidelines they have explaining how they respond to data demands from the government, such as guides for law enforcement.
5. Fight for users’ privacy rights in courts. To earn recognition in this category, companies must have a public record of resisting overbroad government demands for access to user content in court.1
6. Fight for users’ privacy in Congress. Internet companies earn a star in this category if they support efforts to modernize electronic privacy laws to defend users in the digital age by joining the Digital Due Process Coalition.

Below are the 2011 and 2012 scorecards.

Don’t mistake what I’m saying. This is very useful information for consumers and potentially as a public shaming tool to try and motivate the evaluated companies to do a better job of protecting consumers against unwarranted (literally and figuratively) government surveillance and intrusion.

But if the EFF really wants this to be a “privacy scorecard” it needs to expand the scope of the analysis to include other, equally important measures of consumer privacy (i.e., data mining, tracking and data retention). Otherwise it should more prominently identify what it does capture: companies that do a better or worse job of protecting consumer data from government access.