The Red Wire: Who’s In Your Corner On Privacy?

There’s always been a small but sizable core of people concerned about protecting their privacy as much as possible, even in today’s connected age, but the post-Edward Snowden era has seen a major uptick in interest when it comes to keeping your life to yourself. Unfortunately what most people have found is that the corporate landscape in telecommunications is split in its dedication to protecting customer privacy.

This is partly because of the legal environment. Forget the NSA’s ability to tap the Internet backbone at will. Every single communication you engage in through a service you don’t operate yourself is considered fair game for the government thanks to the Third Party Doctrine, under which Americans’ Fourth Amendment protections against unreasonable search and seizure are surrendered the moment they hand any information over to a third party. As Julian Sanchez wrote in a piece published by Bloomberg this summer, “Simply by using modern technology, Americans have — for the most part unwittingly — abandoned the Fourth Amendment’s protection for a vast and growing portion of their intimate activities.”

There are a few ways to deal with protecting your privacy in such an environment. The first is to stop dealing with third parties entirely, but unless you’re prepared to go off the grid that’s not realistic for most people. Then there’s just giving up on the idea of privacy in today’s world, but if you’re looking into the options that isn’t likely to appeal to you. The final, feasible option is to try to deal as much as possible with companies that are dedicated to putting up roadblocks to overzealous investigation by the government.

This turns out to be a more difficult thing than one might expect simply because every company deals with government requests for customer data in different ways. The Electronic Frontier Foundation publishes a report every year called Who Has Your Back? It profiles how vigilant different internet corporations are with the data you provide to them through a number of criteria, ranging from whether the company requires a warrant for user data, tells users about government data requests, or publishes transparency reports, to whether it publishes law enforcement guidelines and fights for users’ privacy rights in court or in Congress. The results show no real standard for how companies deal with government requests for user data.

The worst offenders are easy to spot on EFF’s chart. Verizon – the same company that has been handing over metadata to the NSA for years under an order from the FISA Court – has no record of standing up for customers in any of the categories measured in the EFF report. The NSA’s PRISM partners at Apple and AT&T are nearly identical to Verizon with the exception of their membership in the Digital Due Process coalition, which lobbies Congress to create due process standards for communications data on par with the protections we enjoy in the physical world – but almost every company in the report is also a member of the group.

The best companies are also easy to spot. Twitter and internet service provider Sonic.net were the only two companies to receive commendation in every category, including going to court to challenge government requests for their users’ data. Online backup service SpiderOak, cloud storage provider Dropbox, and social network LinkedIn got stars in every category except going to court for their users because they’ve not yet had any cases in which to do so. WordPress doesn’t publish a transparency report and has never fought a court case for its users, but otherwise it hits every checkbox.

The rest of the companies are a grab-bag. Amazon lobbies Congress for due process protections online and has gone to court to protect the privacy of its customers’ book purchases, but it publishes no transparency reports or guidelines for law enforcement requests. Comcast publishes guidelines and challenged an IRS subpoena on behalf of its users a decade ago, but it requires no warrant to access its users’ data. Google gets stars in every category except one of the most crucial: notifying its users when the government requests their data. (The company says it does so “when appropriate,” but doesn’t mention how it determines the appropriate action to take.) Google’s sometime-competitor and fellow NSA PRISM partner Microsoft gets stars in most categories, but it’s never gone to court for its users and won’t commit to informing users when the government requests their data. Facebook does require a warrant for content but won’t tell its users about government requests for their data. And only about half the companies publish transparency reports detailing just how often the government asks for their users’ data.

The biggest problem is that the third-party privacy landscape is in constant flux, as a glance back at the last few years of the Who Has Your Back? report shows. Just as the government’s privacy protections are mostly a matter of policy these days instead of law, most companies’ dedication to user privacy is likewise a matter of policy and therefore subject to change at any moment. Twitter in particular is going to be a test case in this regard since its reputation for hardline privacy protection was built long before it went public this month. Nobody knows if a public company riding the wave of one of the biggest IPOs in history can maintain such a staunch alignment with its users. The record of other social networking companies like Myspace, Facebook, and Google suggests it probably can’t – but none of them had an overwhelmingly positive reputation to lose, either.