http://www.theguardian.com/technology/2015/nov/03/data-protection-failure-google-facebook-ranking-digital-rights

World's biggest tech companies get failing grade on data-privacy rights

Firms such as Google and Facebook didn't offer users basic disclosures about privacy and censorship. 'The best-scoring company got a D,' says thinktank

Sam Thielman

3 November 2015

The world's top tech companies are failing when it comes to privacy and freedom of expression, according to the most comprehensive assessment to date of their user agreement policies.

Tech firms including US giants Facebook, Google and Microsoft, Europe's top mobile companies Vodafone and Orange, China's Tencent, and South Korea's Daum Kakao (which makes the 140 million-user-strong KakaoTalk) were among the public companies surveyed in an ongoing project called Ranking Digital Rights.

All of the firms failed to offer their users basic disclosures about privacy and censorship, according to the survey, which was conducted by the New America Foundation thinktank. One didn't even provide user agreements in the proper language.

"There are no 'winners'," said the group in its executive summary. "Even companies in the lead are falling short."

Given a percentage grade on privacy, freedom of expression and their commitment to those values based on an exhaustive analysis of their user agreements, no single company scored an aggregate grade above 65%. "On the one hand, it's not like nobody's trying at all, but the best-scoring company got a D," said Rebecca MacKinnon, who runs the ranking project.

The low scores, each out of a possible 100%, highlight serious deficits at a time when data breaches frequently attributed to carelessness affect entities from married dating site Ashley Madison [1] to CIA director John Brennan. [2] They also illustrate how little control users have over the posts and videos they create on tech companies' platforms.

Google was the highest scorer on the index of 16 publicly traded companies -- eight web-based firms and eight telecoms -- with 65%. The lowest was Mail.ru, the Russian email service often used [3] to create spam accounts, which had a score of 13%.

While users need tech companies, said MacKinnon, tech companies need users as well. She hopes the database will offer people across the globe a new ability to make informed choices about exactly how their data is being used. And the companies will be pressed to do more, if the findings are any indication:

* Only six companies of the 16 surveyed scored at least 50% in the poll.

* Seven companies -- nearly half -- scored less than 22%, demonstrating "a serious deficit of respect for users' freedom of expression and privacy", the report found.

* Tech firms universally failed to disclose internal censorship. If Google decides to edit or remove someone's content, the report found, it does not feel the need to publicly disclose either that it has done so or why.

* When it came to whether web-based companies allowed users to encrypt private content and control access to it, the average score across all eight was 6%.

* Transparency varies wildly within a single company: Facebook owns WhatsApp and Instagram, but disclosures at its flagship product and Instagram were far better than those at WhatsApp, which sometimes did not even publish privacy agreements in the correct language.

* While local laws block companies from disclosing national security-related government requests in some countries, in every case the survey identified ways that the companies could improve their standing even without changes to extant laws.

* Despite the revelations about their cooperation with the National Security Agency (NSA), US companies were far from the worst offenders. European companies, notably Orange, had serious cooperation issues as well.

"The picture is quite remedial," said MacKinnon. "Part of the problem is that this is a new world with the internet, and we are so dependent on these companies that we really need them to get it right. And they have a lot of work to do."

MacKinnon said clarity for users was vital and a lack of it could have serious consequences.

"About a year and a half ago, Syrian opposition groups started getting locked out of Facebook and having photos taken down because they were 'against terms of service'," she said. "There was no clarity about why or how those terms of service are being enforced. And a lot of activists that depend on Facebook feel like the opacity, given how dependent people are on the platform, is not socially responsible."

"Users are left in the dark about many company practices affecting freedom of expression and privacy," wrote the researchers. "Disclosure about collection, use, sharing and retention of user information is poor."

Staff attorney Nate Cardozo of the Electronic Frontier Foundation said that despite the trend toward better privacy standards in the wake of revelations about domestic spying, tech companies liked to keep things unclear, even at companies that pride themselves on free speech and privacy. "It would be very difficult for the policy people and the lawyers within Twitter to make a business case for handicapping itself in the terms of service," Cardozo said. "The business people say 'Hey, this is great, we can make the choice on a case-by-case basis.'"

Overall, the group determined that while disclosures were becoming more common -- including deep reports on government requests for data [4] -- they were often couched in terms that only regulators could understand. Rarely did users have any recourse when their data was censored or disclosed without their consent, the group said.

MacKinnon said the indicators would need to improve if the companies were going to succeed in multiple regions.

"If they don't earn the trust of the user, it's going to be much harder to succeed as a multinational company and earn the trust of users across borders," she said. "A French user might trust the French government, but they don't trust the NSA. These companies have to prove that they're doing everything they can in this imperfect world where you have governments everywhere that at least someone thinks is infringing on their rights."

The index, created in conjunction with data analysis firm Sustainalytics, took more than two years [5] to compile and parsed user agreements, privacy policies, terms of service and corporate reports for statements relating to user rights, then used them to answer 31 multi-part questions, returning to each company for right of reply and changing the indicators if policies were updated or altered. The questions were derived from standards [6] for privacy and free expression across multiple public and private groups, including the United Nations.

MacKinnon said she remained optimistic the industry would improve its privacy efforts over time. "This is the test you take at the beginning of the class where everybody fails, and then you get to work, and then everybody's going to improve," she said.

[1] http://www.theguardian.com/business/2015/oct/01/experian-hack-t-mobile-credit-checks-personal-information

[2] http://www.theguardian.com/technology/2015/oct/19/cia-director-john-brennan-email-hack-high-school-students

[3] http://krebsonsecurity.com/tag/mail-ru/

[4] http://www.theguardian.com/world/2014/feb/03/microsoft-facebook-google-yahoo-fisa-surveillance-requests

[5] https://rankingdigitalrights.org/project-documents/work-plan/

[6] https://rankingdigitalrights.org/project-documents/elements/