Two years since Edward Snowden became a household name, technology companies are competing like never before for privacy bragging rights. In that race, Google may have just dropped out of the lead group. And WhatsApp faceplanted at the starting line.
In the Electronic Frontier Foundation's annual "Who's Got Your Back" privacy scorecard that rates companies' protection of their users' data from government surveillance and censorship, Google slipped for the first time, receiving only three stars out of five in the civil liberties group's ratings. Google had a perfect score in 2014, and some of the best scores in the tech industry for the three earlier years in which the EFF issued its report.
Google's rating still vastly outperforms the lowest performers in the study---WhatsApp, AT&T and Verizon. But given Google's past leadership in fighting government data requests and the enormous cache of information the company collects on its users, the company's behavior is "disappointing," says EFF staff attorney Nate Cardozo, who worked on the study. "We feel confident that companies can always be doing more, and we like to reward companies for leading the pack," says Cardozo. In at least two categories of privacy protection, "Google’s no longer there."
The EFF faulted Google on a pair of major points: The web giant no longer tells users the full extent of its data retention, a lack of transparency that the EFF says has grown as Google has launched more products and services. And the company hasn't committed to telling the subjects of law enforcement data requests that the government took their information after any gag order on that surveillance has expired---a policy that could keep some surveilled users in the dark about their privacy's violation long after it's legally necessary to do so.
The EFF’s Cardozo points to situations where law enforcement might secretly demand a user’s data, and then soon find that the request was mistaken, or that the user wasn’t actually involved in a crime. Even then, Google wouldn’t be obliged by its policies to tell the user that his or her data had been handed over to the feds. “In that case, you still deserve to know that the government was investigating you and swept up your data,” says Cardozo. “Without the promise to give notice after a gag order expires, you never would know. And that’s not ok.”
The EFF says it asked Google in March to commit to revealing data requests for which the gag order had expired. Cardozo says he was surprised that by June Google still didn't change its policy, despite its history of being ahead of other tech companies in transparency around legal surveillance.
Twitter, which also has had perfect scores in some previous EFF ratings, lost a star in the latest report for the same expired gag order issue. But Apple and Dropbox both met the EFF’s standards and earned perfect scores. Neither Google nor Twitter responded to WIRED's request for comment.
Still, the EFF's knocks on Google and Twitter don't compare to its far more severe criticisms of WhatsApp. The report calls out the messaging company for not publishing any information on how often it hands user data over to the government, not promising to alert users about those disclosures, and not even committing to require a warrant from law enforcement before coughing up its users' private data.
Cardozo says that the EFF warned WhatsApp a year ago that it would be included in the report, and yet it barely budged on its privacy practices. "We were very optimistic they’d get policies and procedures in place after the Facebook acquisition," Cardozo says. "Facebook is lawyered up and they know how to create these policies. WhatsApp didn’t, and that’s disappointing."
The Facebook-owned startup has hinted that it's trying to win over users' trust on privacy from government surveillance; Its cofounder Jan Koum has talked publicly about the lessons of his childhood in surveillance-ridden KGB-era Soviet Ukraine and claimed that Whatsapp is designed to foil eavesdropping. The company has also adopted the end-to-end encrypted messaging system Textsecure for its Android messages.
But it hasn't backed those privacy stances up with strong policies against government surveillance, and even its encrypted messaging system hasn't been extended to iOS, applied to group messaging instead of one-to-one messages, or submitted to open source scrutiny of its protections. "Whatsapp is competing in a market where other companies see privacy and civil liberties as a way to differentiate themselves," says Chris Soghoian, the lead technologist at the American Civil Liberties Union. "They need to get with the program."
AT&T and Verizon scored equally badly in the EFF's ratings, with only one and two stars out of five, respectively. They failed, according to the EFF, to fight against surveillance backdoors in their products, they don't reveal their data retention policies, and they don't try to notify users when they become the target of government eavesdropping. All of that continues a long tradition of the telecom companies not matching their tech peers' commitment to privacy. Neither Verizon nor AT&T nor Whatsapp responded to WIRED's request for comment. "The report indicates a generational shift; The tech companies are doing better than the old-school carriers," says Cardozo. "AT&T and Verizon need to do better in terms of protecting users’ data."
Given those carriers' abysmal privacy performance, it may seem unfair to pick on Google for its more marginal slippage in its protection of users' sensitive data. But Cardozo argues that the world's biggest data collecting company deserves to be held to a higher standard. "They hold absolutely vast amounts of user data," he says. "[Google] has data on all of us. And because of that they really need to try harder to meet the best practices that other companies in the field have met."
