I think the article and the report fail to mention what other organizations and companies are able to access your data. Several of these companies are known for using your data as a direct source of income and selling ads or using your likeness for financial gain. Companies like Dropbox, Wikimedia, and Adobe don't use your personal data directly for financial gain. Companies like Google, Facebook, and LinkedIn use the data you provide them for direct financial gain. Sure, you know this going in, but they are still selling information about you to other parties.
To this effect, yes, it is nice to know what they are reporting to governments, but it'd also be nice to know what they are reporting to NGOs as well.
I think we need to draw a distinction between selling data about individuals to third parties and showing ads based on understanding of a user's interests. People may disagree with both but lumping the two together just confuses the debate.
OK, I might be a bit biased because I work for one of the companies involved, but the scoring system seems kind of silly to me. Companies get one star for fulfilling each of the six criteria but they don't seem equally important to me:
1. requiring a warrant for data
2. telling users about government data requests
3. publishing transparency reports
4. publishing law enforcement guidelines
5. fighting for users' privacy in courts
6. and publicly opposing mass surveillance
(1) seems like the most important to me, followed by (2) and (5).
It seems silly that companies could get three "stars" in this analysis but not even require a warrant for data.
I'm surprised that not requiring a warrant for content is a thing. My understanding was that warrants being required for content was statutory.
I took a look at Snapchat's law enforcement guide[0], and it does say that they will turn over everything they have with only a subpoena. However, the records they say they will provide all look like metadata, not content. The guide mentions "Log of the last 200 snaps sent and received (similar to phone record)", but I believe they are talking about metadata associated with the snaps, not the pictures themselves. "Phone records", in this context, refers to phone metadata (logs containing numbers called, etc.). This TechCrunch post[1] also says that Snapchat deletes photos from its servers as soon as they are delivered.
If the reason that Snapchat doesn't require warrants is that they keep fewer records than other providers, and don't have the type of records for which a warrant is required, that should not be considered a privacy negative for them.
The EFF's report also claims that AT&T and Comcast don't require a warrant for content. However, that isn't because either company has been implicated in actually handing over content without a warrant; it's just because they don't explicitly mention requiring a warrant. But, again, as far as I understand, requiring a warrant for content is in the statutes.[2]
Surprised to see Amazon here. Mmm. You know if I shop for stuff all of a sudden everyone seems to know. Every website will show me related ads. Now that I think of it...
Also all browsing, including your cart, is served over HTTP until you go to the checkout page. You can't browse over HTTPS even if you explicitly ask for it. They don't need to ask Amazon for data if they have a router between you and them.
One of the reasons why I believe GOOG moved toward defaulting to HTTPS is not for your security, but to ensure that only they have a copy of your browsing history, research interests, etc.
Once someone in the middle has a copy, the value of their trove of data falls precipitously.
I'm surprised as well that Amazon doesn't use HTTPS; they have a lot to gain by being the only one that knows you're interested in a particular book and not anyone else. It could help them get the sale instead of competitors relentlessly targeting ads against you as soon as you express an interest to their site.
Look at the address bar in your browser while on the site. No padlock icon. If you switch the URL to https://, you're redirected back to http://. You don't need any special tools.
I know the article was about technology companies, but I find it interesting that there wasn't a single reference or comparison to the trustworthiness of government with data. It would seem that with all the recent leaks/news/reports, that this would at least have been brought up.
In other news, Amazon is a surprise. Then again, it is a surprise (head scratcher) that they still do not use HTTPS everywhere. Snapchat on the other hand is... Snapchat. Nothing is gone forever in this day and age.
I feel like this totally picks on Snapchat. So they run an ephemeral data service, but probably don't profit so much like Google or Facebook to do anything in court.
If a company doesn't have any data to hand over, that should give a few points, not just ignore it.