The Electronic Frontier Foundation released the latest version of its annual "Who Has Your Back" report on tech companies' data disclosure policies Wednesday afternoon, giving perfect five-star ratings to companies including Apple, Adobe, Dropbox and Yahoo.
This year's publication is the fifth edition of the EFF's reporting on tech companies' policies around disclosing information to governments in response to data requests, and it brings major changes to the organization's framework.
"The criteria we used to judge companies in 2011 were ambitious for the time, but theyve been almost universally adopted in the years since then," the EFF said in its report.
Most of the criteria from the EFF's past reports have been rolled into a single framework for "Industry-accepted best practices," which have been adopted by all but one of the companies surveyed. The organization also judged companies on their willingness to inform users of government requests for their data, except when required by law or in emergency situations.
Under the new criteria, in order to earn a star for informing users about requests, a company now has to commit to telling affected users when a gag order about the request has been lifted or the emergency has passed.
In addition, each company now is judged on whether it discloses its policies for retaining data (such as what happens to a user's files after they are deleted), whether it discloses content removal requests, and whether the companies have advocated against the putting backdoors into encryption.
WhatsApp and AT&T scored lowest of all the companies in the report, each receiving just one star. The Facebook-owned messaging app was given a year to prepare for its first inclusion in the report, but it was the only company on the list that hadn't adopted the EFF's list of best practices, such as publicly requiring a warrant and publishing a transparency report.
AT&T hasn't changed much since its appearance on last year's report: While the company now publicly requires a warrant before disclosing data, AT&T still does not promise to inform users of data requests.
Twitter and Google both scored lower this year than last, because while both companies pledge to tell users about requests for their data, neither guarantees that it will tell them about a request after a gag order lifts or emergency conditions make it untenable to disclose anything. Twitter's policies say it may inform users after such a disclosure becomes possible, but the company won't guarantee that it will do so.
Microsoft missed two stars this year (compared to a perfect score last year) because it doesn't publicly disclose its policies on data retention and hasn't yet published a report on government content removal requests. The latter will be fixed later this year, though: the company told the EFF that it plans to disclose content removal requests by September. (It's not clear whether Microsoft plans to release a data retention policy.)
Interestingly, Tumblr's rating diverged from Yahoo's perfect score, because the social network doesn't follow its parent company's example of revealing its data retention policies and disclosing requests from governments to remove content. The company did not respond to an inquiry about whether it plans to change its policies.
Overall, the EFF said it was "pleased to see major tech companies competing on privacy and user rights." The advocacy group says it believes the adoption of policies it calls for in the scorecard is part of a broader shift by tech firms toward pushing back against government data requests.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.