Electronic Frontier Foundation calls on major Internet companies to protect user privacy
Three supporters of WikiLeaks have been locked in a months-long court battle with the U.S. government following demands for data associated with their Twitter accounts, and the case has given rise to a campaign calling for improved transparency and user privacy protection across the board, spearheaded by the Electronic Frontier Foundation (EFF).
Last December, the U.S. Department of Justice ordered Twitter to turn over data linked to the accounts of Birgitta Jonsdottir, Rop Gonggrijp, and Jacob Appelbaum as part of a federal investigation of WikiLeaks. Jonsdottir is a member of the Icelandic Parliament; Gonggrijp is an Icelandic businessperson; and Appelbaum is a Seattle-based Web programmer. All three were WikiLeaks affiliates and part of the team that prepared a video aired by the organization in 2010 featuring classified military footage documenting civilian deaths at the hands of U.S. troops.
EFF and the American Civil Liberties Union (ACLU) came to the defense of the targeted Twitter users, challenging the constitutionality of the government's demand and characterizing it as "an improper and overbroad fishing expedition." The case is ongoing.
Meanwhile, EFF has formulated a new online campaign hinging on one critical aspect of this unfolding saga: what Twitter did when the DOJ came looking for user data. "Twitter took one look at this and said this is a terrible thing," said EFF activist Rainey Reitman.
The federal demand was initially accompanied by a gag order prohibiting Twitter from notifying its users that an investigation was underway. But Twitter balked and within days, the judge partially unsealed the documents, allowing the tech company to legally notify its users. Twitter then notified the WikiLeaks supporters via e-mail that it would respond to the request in 10 days unless a legal process was initiated. If it hadn't done so, there wouldn't be a case — and the three users would have remained in the dark. For this, EFF recognized Twitter as part of its new campaign targeting 12 of the largest tech companies. The "Who has your back?" campaign calls on social-media sites, e-mail hosting services, and Internet service providers to adhere to four transparency and privacy guidelines.
EFF is asking companies to strengthen the language in their privacy policies by committing to never share information with the government unless it's legally necessary and to notify users whenever possible. They're asked to be transparent about how often they share data with the government, documenting it regularly. Companies should publish their law-enforcement guidelines, according to EFF, and join with the Digital Due Process Coalition, which is working to upgrade the 1986 Electronic Communications Privacy Act to modernize surveillance laws for the Internet age.
Companies' progress in satisfying EFF's demands is charted on a website displaying gold stars for sufficient transparency and privacy policies. By press time, Twitter was in second place, with Google in the lead. They were the only two companies that won recognition in the categories "tell users about data demands" and "be transparent about government requests." Each company also had earned credit for defending user privacy in court.
Apple, Comcast, MySpace, Skype, and Verizon were all tied for last place, with no evidence of following EFF-recommended practices. Amazon and Yahoo each won recognition for defending user privacy in court, yet fell short when it came to policies on government data requests. (According to news reports from 2005, a Chinese journalist was imprisoned for e-mailing comments to a democracy group in New York after Yahoo turned over his user data to the Chinese government.) Microsoft, Facebook, and AT&T earned only a single star each for joining the Digital Due Process Coalition.
"I think it's pretty safe to assume that all of these companies are receiving requests from the government for information," Reitman said, noting that not a single one had responded to say it simply hadn't received any requests. "We chose those companies which we felt had the greatest quantity of data about consumers."
An amicus brief filed by online privacy researchers on behalf of the WikiLeaks supporters suggests that consumers are often in the dark about privacy policies. A 2007 study at UC Berkeley found that only 1.4 percent of participants reported reading user license agreements often and thoroughly, while 66.2 percent admitted to rarely reading them.
The Guardian contacted all 12 companies for comment, but only received responses from Facebook and Microsoft.
"Like all service providers, we must respond to lawful requests to provide information," a Microsoft spokesperson wrote via e-mail. "We take our responsibility to protect our customers' privacy very seriously, and we have specific processes in place when responding to such requests. Additionally, we participate in the Global Network Initiative through which we have agreed to certain principles in responding to government demands." The Global Network Initiative was recently slammed by a Forbes columnist for having "only barely functioned" since its creation in 2008.
Facebook's Simon Axten responded via e-mail: "We scrutinize every request for legal sufficiency before responding and employ a dedicated team of [certified information privacy professionals] to manage these requests. We never disclose user content in response to U.S. legal process unless that process is a search warrant that has been reviewed and signed by a judge."
Axten noted that Facebook had fought for user privacy against civil litigants and resisted all requests from private parties. Most government user data requests directed at Facebook aren't related to freedom of speech, but to crimes such as child kidnapping.
"I've heard that argument from them before," Reitman noted when asked to respond. "It would be easier to understand if ... they were transparent about publishing their law enforcement guidelines and producing regular reports."