Illustration by Alexander Ho for TIME

Google, Yahoo and Microsoft long ago agreed to a code of conduct for operating in repressive countries after suffering intense criticism for helping China’s censors and police. Instead of blindly cooperating with authorities, the companies pledged to push back as much as possible to protect user privacy and freedom of expression.

On Wednesday, the three technology giants received a report card showing whether they lived up to their promises. In fact, in their first full test, they all received passing grades, according to Global Network Initiative, the non-profit group that created the code of conduct.

“It’s a big deal that they passed muster given the sensitivity of the issue,” said Bennett Freeman, a G.N.I. board member and vice president at Calvert Investments, a socially conscious mutual fund company. “These companies have learned—often the hard way—that they have to respect privacy and freedom of expression.”

But the evaluations are limited in scope. Independent assessors only looked at how the companies handled a fraction of the government demands they received. Furthermore, the assessors had no way to dig into issues exposed by Edward Snowden, the former National Security Agency contractor who disclosed documents appearing to show widespread spying. Participating companies couldn’t discuss secret demands for user information by federal authorities investigating national security cases nor could they address the revelations about clandestine spying by U.S. or foreign intelligence services.

“It’s commendable that these companies are really taking steps to create a paper trail and require some kind of process and follow the rule of law,” said Danny O’Brien, international director for the Electronic Frontier Foundation, a digital rights group. “But the question you end up asking is ‘What’s happening outside the rule of law?’”

Initially, the E.F.F. was a member of the Global Network Initiative. But in October, it pulled out because it had lost confidence that corporate members could speak freely about their internal privacy and security because of secrecy laws and government pressure. Snowden’s documents showed that spy agencies have broad access to personal information online. Whether the agencies have direct access from the big tech companies, as some of the documents suggest, or indirectly by taping undersea cables is unclear.

“If a government can’t get what it wants from Microsoft, Google and Yahoo, it might just go down a level and go to the telecom companies,” O’Brien said. “This report doesn’t give the companies a clean bill of health,” he continued, “but it shows they’re at least thinking about privacy.”

G.N.I. was founded in 2008 following a series of unflattering revelations about the Internet industry’s human rights record. To gain a foothold in China, Google had created a censored version of its search engine. Meanwhile, Yahoo had turned over information to the Chinese authorities that led to the arrest and imprisonment of several dissidents.

In joining G.N.I., companies hoped to polish their tarnished reputations and avoid repeating some of their past mistakes. They agreed to a code of conduct that required them to narrowly interpret any legal demands for user information and to make sure legal procedures are followed. Members of the group, which included academics, socially conscious investors and human rights advocates, hoped that the code of conduct would become standard in the technology industry much like similar efforts by the garment and energy and mining industries. In fact, the group has failed to attract major tech companies beyond the three initial members, Google, Yahoo and Microsoft.

The only big company to join later, Facebook, did so last year. No major hardware and telecom companies are members.

Independent assessors evaluate participating companies as to whether they comply with G.N.I.’s code of conduct. They make sure that proper procedures are in place and review how companies handled government demands for user information and removing online content. With the three companies, the assessors looked at 59 cases from July 2011 to June 2013. They represent just a small portion of the thousands of government requests received by the companies over that period.

The report gave some examples of cases the assessors reviewed, all of which appeared to be handled favorably by the companies. But it left out some of the specifics like company names and the governments that contacted them.

One company turned down a request by a judge in Latin America to remove content posted online that was critical of his rulings. Instead, the company demanded that the judge provide a court order, which he did not do. In another case, a U.S. state law enforcement official issued a subpoena for the contents of a user’s email account. The company rejected the order and responded that it required a search warrant instead for such information.

Google declined to comment on the report while Yahoo did not reply to a request to discuss the matter.

Although all three companies passed the test, they assessors found room for improvement. In particular, they complained that some companies withheld documents by citing attorney-client privilege. It also discussed the challenges companies face with acquisitions in determining human rights risks and recommended they conduct more due diligence.

The report also laid out the inability to get details about any national security letters that the companies received. The opacity reinforced the consensus that government reform is needed so that companies can be more transparent about how they respond, the report said. Google, Yahoo and Microsoft have all filed suit to share the number of national security letters they receive with the public. Those suits are still pending.

Deirdre Mulligan, a law professor at University of California at Berkeley who focuses on technology and who is a G.N.I. member, said that she hoped more companies would eventually join the program beyond the three that took part in the assessment. Facebook did not do so this time because it is a newcomer

“You have to start somewhere,” she said. “While it’s only three companies, they have an inordinate reach across the globe.”