See earlier Who Has Your Back? reports: 2011, 2012, 2013, 2014, 2015, 2016.

Contents

Download Report

Download the complete Who Has Your Back? 2017: Protecting Your Data From Government Requests report as a PDF.

Executive Summary

In this era of unprecedented digital surveillance and widespread political upheaval, the data stored on our cell phones, laptops, and especially our online services are a magnet for government actors seeking to track citizens, journalists, and activists.

In 2016, the United States government sent at least 49,868 requests to Facebook for user data. In the same time period, it sent 27,850 requests to Google and 9,076 to Apple. These companies are not alone: where users see new ways to communicate and store data, law enforcement agents see new avenues for surveillance.

There are three safeguards to ensure that data we send to tech companies don’t end up in a government database: technology, law, and corporate policies. Technology—including the many ways data is deleted, obscured, or encrypted to render it unavailable to the government—is beyond the scope of this report. Instead, we’ll focus on law and corporate policies. We’ll turn a spotlight on how the policies of technology companies either advance or hinder the privacy rights of users when the U.S. government comes knocking, and we’ll highlight those companies advocating to shore up legal protections for user privacy.

Since the Electronic Frontier Foundation started publishing Who Has Your Back seven years ago, we’ve seen major technology companies bring more transparency to how and when they divulge our data to the government. This shift has been fueled in large part by public attention. The Snowden revelations of 2013 and the resulting public conversation about digital privacy served as a major catalyst for widespread changes among the privacy policies of big companies. While only two companies earned credit in all of our criteria in 2013 (at a time when the criteria were somewhat less stringent than today ), in our 2014 report, there were nine companies earning credit in every category.

Today, technology users expect tech companies to have transparency around government access to user data, and to stand up for user privacy when appropriate. And companies are increasingly meeting those expectations.

But there are still many companies that lag behind, fail to enact best practices around transparency, or don’t prioritize standing up for user privacy.

The role of Who Has Your Back is to provide objective measurements for analyzing the policies and advocacy positions of major technology companies when it comes to handing data to the government. We focus on a handful of specific, measurable criteria that can act as a vital stopgap against unfettered government access to user data. Through this report, we hope to galvanize widespread changes in the policies of technology companies to ensure our digital lives are not subject to invasive and undemocratic government searches.

Major Findings and Trends

Our major findings include:

Every company we evaluate has adopted baseline industry best practices, such as publishing a transparency report and requiring a warrant before releasing user content to the government.

Nine companies are receiving credit in all five categories: Adobe, Credo, Dropbox, Lyft, Pinterest, Sonic, Uber, Wickr, and Wordpress.

The four lowest performing companies are all telecoms: AT&T, Comcast, T-Mobile, and Verizon.

Amazon and WhatsApp’s policies fall short of other similar technology companies.

We are pleased to announce that nine companies earned stars in every category we evaluated in this year’s report: Adobe, Credo, Dropbox, Lyft, Pinterest, Sonic, Uber, Wickr and Wordpress. Not only that, but each of these companies has a track record of defending user privacy. Lyft and Uber both earned credit in each of our categories for both years they have been in our report. Credo and Sonic have earned credit for standing up for transparency and user privacy in every category we evaluate for as long as they have been included in our report. The other all-star companies—Adobe, Dropbox, Pinterest, Wickr, and Wordpress—have improved their policies over the years, and are recognized repeatedly in this annual report for adopting the best practices around privacy and transparency.

Earning credit in every category year after year is no small feat. EFF has made important adjustments to our criteria each year to ensure that our criteria are strong yet practical, and to work to eliminate loopholes and uncertainty in language. For example, a company that received credit for providing users notice of government requests in 2011 needed simply to state that the company had a policy of providing users with notice. Over the years, this category has become increasingly more stringent, so that today this category requires that users be notified before data is handed to the government except in limited and defined circumstances (see Overview of Criteria). The company must also promise to provide notice to the user after an emergency has been resolved or a gag order lifted. As a result, some companies that received credit in this category in the past find their policies do not meet the heightened standard.

Unfortunately, even as the industry as a whole has shifted toward transparency and privacy, there are many companies that are falling short. In particular, telecommunications companies like AT&T, Comcast, T-Mobile, and Verizon are failing to live up to larger tech industry practices. When it comes to adopting policies that prioritize user privacy over facilitating government data demands, the telecom industry for the most part has erred on the side of prioritizing government requests.

But telecommunications companies can do better. For example, Credo Mobile has repeatedly proven that telecom companies can adopt policies that earn credit in every category year after year. Similarly, Sonic, an ISP competitor to AT&T, Comcast, T-Mobile, and Verizon, has now earned credit in every category of EFF’s annual report for five years.

We were disappointed that two technology companies fell short of other online services: Amazon and WhatsApp. While both companies have adopted industry-accepted best practices of requiring a warrant for content, publishing law enforcement guidelines, and publishing a transparency report, and while we applaud both companies for advocating for reforms to overbroad NSA surveillance, these two companies are not acting as leaders in other criteria that we examine. They don’t have the strong public policies related to notifying users of government data requests that we have come to expect from tech companies, they don’t publicly promise to request judicial review of NSLs, and they aren’t meeting our criterion about not selling out users. We urge both Amazon and WhatsApp to improve their policies in the coming year so they match the standards of other major online services.

We are also concerned that too few companies are taking advantage of the powerful legal protections available to companies to protect user privacy. Congress created a new process in 2015 ensuring that technology companies have a right to request judicial review of the gag orders accompanying all National Security Letters (NSLs) that they receive. NSLs are akin to subpoenas requiring service providers—including technology companies, phone companies, and ISPs—to hand over data to the FBI about users’ private communications and Internet activity. These orders are almost always accompanied by gag orders preventing the recipients from ever revealing the letter’s existence and which have contributed to widespread abuse of this investigatory tool. Many companies are not yet taking full advantage of the newly enacted authority to request judicial review of the gag orders accompanying NSLs. Technology companies that had previously led the way on user transparency and privacy by earning credit in every one of EFF’s categories – including Facebook, Google, and Twitter – have not yet publicly committed to requesting judicial review of all NSLs. In fact, fewer than half of the companies we evaluated have made this commitment: Adobe, Airbnb, Apple, Credo, Dropbox, Lyft, Pinterest, Slack, Sonic, Uber, Wickr, and Wordpress. We applaud these companies that have taken a public stand to ensure judicial oversight of gag orders and urge others within the technology space to do the same.

It’s also clear that the technology industry is working to overhaul some of the fundamentally flawed laws in the United States around government access to user data. Twenty-one of the companies we evaluated have publicly called for significant reforms to Section 702, as enacted by the FISA Amendments Act of 2008. This is the law underpinning much of the NSA’s mass surveillance of the Internet. In an ever-changing landscape of technology policy, it is not enough to sit on the sidelines; technology companies can and should join their users in advocating for technology user rights in the halls of Congress.

Overview of Criteria

Only publicly available positions can qualify for credit in this report. Positions, practices, or policies that are conveyed privately or internal corporate standards, regardless of how laudable, are not factored into our decisions to award companies credit in any category.

Requiring public documentation serves several purposes. First, it ensures that companies cannot quietly change an internal practice in the future in response to government pressure, but must also change their publicly posted policies—which can be noted and documented. Second, by asking companies to put their positions in writing, we can examine each policy closely and prompt a larger public conversation about what standards tech companies should strive for. Third, it helps companies review one another’s policies around law enforcement access, which can serve as a guide for startups and others looking for examples of companies standing up for user privacy.

In this report, we strive to offer ambitious but practical standards. To that end, we only include criteria that at least one technology company has already adopted. This ensures that we are highlighting existing and achievable best practices, rather than theoretical policies.

Each year, we review the criteria we used in prior years and make any adjustments that may be necessary to ensure the report is keeping pace with modern technology policy trends. A full explanation of the criteria from prior years is available in the full reports for each year.

We analyzed five criteria for this report.

Follows Industry-Wide Best Practices. This is a combined category that measures companies on three criteria (which were each listed separately in some earlier reports):

The company must have a public, published policy requiring the government to obtain a warrant from a judge before the company discloses the content of user communications.

The company must have published a transparency report since April 1, 2016, and the report should include useful data about how many times governments sought user data and how often the company provided user data to governments.

The company must have public, published law enforcement guides explaining how it responds to data demands from the government.

Companies must fulfill all three criteria in order to receive credit.

Tells Users About Government Data Requests. To earn a star in this category, technology companies must promise to tell users when the U.S. government seeks their data in advance of turning over any data unless prohibited by law, in very narrow and defined emergency situations, or unless doing so would be futile or ineffective. Notice gives users a chance to defend themselves against overreaching government demands for their data, and thus we do not credit companies that delay notice to a user based on any other justification from an agency—for instance, where the agency claims notice might jeopardize an investigation, delay a trial, or otherwise deserves confidentiality. We recognize that in emergency situations involving danger of death or serious physical injury to any person, prior notice may not be possible. However, companies must have public-facing policies in place to give the user notice when the gag expires or the emergency is over.

Promises Not to Sell Out Users. To earn credit, a technology company must have a public policy that ensures data is not flowing to the government outside of its law enforcement guidelines—for example, through voluntary contracts or via a third party vendor who sells data to the government. We look for two things: first, some indication that the law enforcement guidelines fully describe data disclosures to the government; and second, that third parties (such as vendors and contractors) must adhere to the disclosure standards set forth by the company policies. Statements that indicate a company does not disclose user data to third parties will also suffice for the second part of our standard. We review corporate policies to ensure that there are no unusual exceptions for certain types of vendors, contractors, or other third parties who would then not be bound by the corporate policies. We allow exceptions for companies and third parties that, to the extent allowed by law, voluntarily share data with law enforcement or intelligence agencies directly for emergency access, to report crimes where the company or its customers are themselves victims, or to share computer security threat indicators.

Stands Up to NSL Gag Orders. Secret government requests for user data are a significant problem made all the worse by the indefinite gag orders that accompany them. Since the passage of the USA FREEDOM Act in mid-2015, companies have a new way to push back against one type of indefinite gag order: those accompanying National Security Letters (NSLs). To earn a star in this category, companies must publicly commit to invoking the available statutory procedures to have a judge review every indefinite NSL gag order the company receives.

Pro-User Public Policy: Reform 702. This year, Congress will be reviewing the surveillance powers of the National Security Agency, specifically considering whether to reauthorize Section 702, as enacted under the FISA Amendments Act of 2008. This provision of law is the legal lynchpin for the NSA’s mass Internet surveillance that impacts the communications of countless Americans. We are awarding credit to companies that support reforming Section 702 in order to reduce the collection of information on innocent people. Public positions in support of allowing this provision of law to expire completely will also receive credit, as this would also have the effect of reducing the surveillance of innocent people. Commitments must be formal, in the company’s own name, and either in writing or part of Congressional testimony. Only statements after June 2, 2015 will qualify. Note that this category does not award credit for supporting reforms that do not reduce the collection of data on people (for example, reforms that increase transparency around surveillance practices), though we acknowledge that oversight and other reforms also serve an important role.

We expect this category to continue to evolve in the coming years, so that we can track industry players across a range of important privacy issues.

Deep Dive and Analysis of Select Corporate Policies

Follows Industry-Wide Best Practices

Over the last seven years, certain transparency practices that once seemed unusual have become the default. This year, all twenty-six of the companies we evaluated received credit for adopting industry-accepted best practices of publishing law enforcement guides, requiring a warrant before disclosing user content to the government, and publishing a transparency report.

However, there are some companies striving to make this information more useful and accessible. We are especially impressed by the transparency report from Twitter, which allows users to download a CSV of data, displays a month-by-month trend graph for government data requests on a per-country basis, and provides a map that showcases global trends in government data requests at a glance. It also provides a narrative analysis of interesting changes and trends in the data.

We also appreciate that many companies require a warrant not only for stored content such as videos and messages, but also for location data. Facebook’s warrant requirement is a strong example of this:

A search warrant issued under the procedures described in the Federal Rules of Criminal Procedure or equivalent state warrant procedures upon a showing of probable cause is required to compel the disclosure of the stored contents of any account, which may include messages, photos, videos, timeline posts, and location information.

The warrant for content standard was inspired by the 2010 decision in United States v. Warshak, a case in which the Sixth Circuit Court of Appeals held that the Fourth Amendment protects email stored with email service providers, and the government must have a search warrant before it can seize those messages. This decision was critical for Internet privacy, but is only the opinion of one appeals court—and so is not binding throughout the entire country. When we first introduced the warrant for content standard to our Who Has Your Back report in 2013, many companies did not receive credit. We are glad to see that every company in our report now meets this standard.

Every company in our report also publishes law enforcement guidelines. These documents help provide a glimpse into the process and standard companies use for analyzing government requests for user data. It may, for example, indicate whether companies charge the government for providing user data. We encourage companies to charge money for fulfilling government requests for user data as this will serve as a small but measurable financial disincentive from submitting overly broad requests for user information.

Tells Users About Government Data Requests

Of the twenty-six companies we evaluated, sixteen promised to tell impacted users before surrendering data to the government. While companies could delay notification for a limited set of emergencies, a gag order, or when providing notice would be futile, companies had to commit to providing notice after the emergency was over or the gag had expired.

A particularly strong example of this type of notification policy is Pinterest’s policy, which has clear, strong language indicating that notice will be provided after a court or emergency situation has expired:

Yes, our policy is to notify users of Law Enforcement Requests by providing them with a complete copy of the request before producing their information to law enforcement. We may make exceptions to this policy where: we are legally prohibited from providing notice (e.g. by an order under 18 U.S.C. § 2705(b));

an emergency situation exists involving a danger of death or serious physical injury to a person;

we have reason to believe notice wouldn't go to the actual account holder (e.g. an account has been hijacked) In cases where notice isn't provided because of a court order or emergency situation, our policy is to provide notice to the user once the court order or emergency situation has expired.

Wordpress has a similarly strong, clear policy, stating that it will give users a copy of the legal process and will provide a user with 7 days or more to legally challenge the order, and even provides additional delay if the user indicates she will be challenging the request:

It is our policy to notify users and provide them with a copy of any civil or government legal process regarding their account or site (including formal requests for private information), unless we are prohibited by law or court order from doing so. In those cases, we will notify users and provide them with a copy of the legal process when the prohibition expires. If a request for information is valid, we will preserve the necessary information before informing the user. In most cases, upon notification to the user, that user will be provided with either 7 days or the amount of time before the information is due, whichever is later, during which time the user may attempt to quash or legally challenge the request. If, prior to the deadline, we receive notice from user that he or she intends to challenge a request, no information will be delivered until that process concludes. We also review the information requests received and may lodge our own challenge to the scope or validity of legal process received, on behalf of a user, whether or not the user pursues his/her own legal challenge.

Promises Not to Sell Out Users

This is the first year that we’ve included this criterion in our Who Has Your Back report, and we found a wide range of policies among technology companies.

This category was inspired by a policy promoted by Twitter late last year in the wake of a contentious U.S. presidential election that resulted in widespread political upheaval. Twitter’s policy is designed to prevent its API developers from creating tools that could be utilized by the government for surveillance. This policy, promoted in 2016 but apparently extant prior to that, is in place even though Twitter accounts are public by default and commonly used for public discourse. Twitter’s policy states:

To be clear: We prohibit developers using the Public APIs and Gnip data products from allowing law enforcement — or any other entity — to use Twitter data for surveillance purposes. Period. The fact that our Public APIs and Gnip data products provide information that people choose to share publicly does not change our policies in this area. And if developers violate our policies, we will take appropriate action, which can include suspension and termination of access to Twitter’s Public APIs and data products.

Other technology companies have followed Twitter’s example. Microsoft offers especially strong language on this topic:

Q: Do you enable third parties to assist governments in conducting voluntary surveillance of your customers? A: We are aware of reports that some providers have developed tools that third parties use to voluntarily assist governments in conducting surveillance of that provider’s users. We do not design tools to enable voluntary surveillance of our users. If we ever provide third parties with access to data about our customers, we expect those third parties to handle that data appropriately, meaning that they should not assist governments in voluntary, widespread surveillance of users. Instead, these third parties should ensure that they only disclose personal data about users in compliance with applicable law or in response to valid legal orders.

Stands Up to NSL Gag Orders

EFF has challenged both NSLs and the gag orders that accompany them in court. In 2013 we won a landmark decision in the Northern District of California in which a federal judge declared one of the statutes underlying NSLs unconstitutional.

EFF has championed legislative reform in Congress to rein in NSLs. In 2015, substantive reforms to NSLs were included in a package of surveillance reforms known as the USA FREEDOM Act. Providers who receive NSLs are now allowed to request that the FBI initiate judicial review of NSL gag orders, which places a prior restraint on the company without judicial involvement. However, this check on overbroad NSL gag orders is only useful to the extent that companies choose to invoke it.

Tech companies should not be gagged from discussing government surveillance requests without a judge ever getting involved. Although the NSL statute remains unconstitutional in this regard, it still grants NSL recipients the right to request judicial review of every NSL gag order (a process known as “reciprocal notice”). Within the existing law, this is the right standard for technology companies.

This is the first year our Who Has Your Back report has encouraged companies to adopt a public policy of always requesting judicial review of NSL gag orders. Of the companies we examined, only twelve companies out of twenty-six met our standard.

Wordpress offered especially strong language, which includes a promise to publish a redacted version of the NSLs it receives:

It is our policy to invoke the “reciprocal notice” procedure in 18 U.S.C. § 3511 for any national security letters (NSLs) served on Automattic. This process ensures that a court will review all non-disclosure orders issued with NSLs we may receive. If and when a non disclosure order is lifted, our policy is to share the contents of the NSL with any affected users (where possible), as well as to publish a redacted version of the NSL.

Apple also has a strong policy related to reciprocal notice:

In addition, if Apple receives a National Security Letter (NSL) from the U.S. government that contains an indefinite gag order, Apple will notify the government that it would like the court to review the nondisclosure provision of the NSL pursuant to USA FREEDOM. The government then has 30 days to let the court know why the nondisclosure should remain in effect or can let Apple know that the nondisclosure no longer applies. If Apple receives notice that the nondisclosure no longer applies, it will notify the affected customer(s) pursuant to Apple’s customer notice policies.

Pro-User Public Policy: Reform 702

Every year, we dedicate one category to a public policy position of a company. In prior years, we have acknowledged positions such as working to update and reform the Electronic Communications Privacy Act, opposing government backdoors in cryptography, and opposing mass surveillance.

As Congress considers this year whether to reauthorize Section 702, we are rating technology companies on whether they stand against Internet surveillance that impacts millions of innocent Internet users, both in the United States and abroad.

For the better part of a decade, EFF has been fighting unconstitutional Internet surveillance by the NSA in the courts. We encourage Congress to let this overbroad and much-criticized surveillance authority expire entirely at the end of this year. We also recognize that many believe that the reauthorization process is a key legislative moment to enact larger reforms against NSA surveillance. As our legislators examine these authorities, it is important that they remember that these programs are fundamentally flawed because they collect data on hundreds of millions of law-abiding technology users. It is impossible to bring these surveillance programs in alignment with the constitution without addressing this overbroad data collection.

We are thus awarding credit to those companies who are helping shape the public debate around NSA surveillance by urging Congress to reduce the collection of data on innocent people. We offered credit for companies that supported reforms to limit data collection under 702 as well as for companies who supported letting the law expire entirely.

The technology community was largely united in its call to Congress. Twenty-one of the twenty-six companies we evaluated received credit in this category. Most of these companies signed a letter to the Judiciary Committee Chairman that supported a range of substantive reforms to Section 702, including reforms to rein in data collection as well as additional oversight and transparency.

It should come as no surprise that technology companies want to see real limitations on NSA data collection. Their users can hardly be expected to continue to entrust their most sensitive information to the tech industry when they fear wholesale copies of that information could end up in NSA databases. NSA surveillance programs have also endangered tech efforts to expand into overseas markets, with European regulators questioning U.S. surveillance policies and hesitating over American companies entering European markets with U.S. privacy policies.

Raising the Floor

As we look back on seven years of reporting on the privacy policies and law enforcement guidelines of major technology companies, Who Has Your Back offers users a lot of hope. Public scrutiny has helped raise the floor on technology companies, so that every company we evaluated in 2017 has adopted at least some of the practices that were considered envelope-pushing in 2011. Innovation is not just for technology products, but also for the privacy and transparency practices of Silicon Valley.

There’s still significant work to be done to defend user privacy and shed light on government attempts to surveil our digital lives. We offer this report as a tool for helping us get there.

Company Reports

Adobe

Adobe earns five stars in this year’s report. This is Adobe’s third year in Who Has Your Back, and it has adopted all of the industry best practices we recognize in this report, including publishing a transparency report, requiring a warrant for content, and publishing its guidelines for law enforcement requests. Adobe promises to inform users before disclosing their data to the government, has a published policy of requesting judicial review of all National Security Letters, and supports substantive reforms to rein in NSA surveillance. Adobe also forbids third parties from allowing Adobe user data to be used for surveillance purposes. We applaud Adobe’s policies related to transparency and user privacy.

Follows industry-wide best practices. Adobe publishes a transparency report and law enforcement guidelines. It requires a warrant before giving user content to law enforcement, stating in its transparency report:

No Customer Content Disclosed Without A Search Warrant: Adobe does not disclose customer content stored in our cloud services (such as photos, videos or documents) unless we receive a search warrant issued upon a showing of probable cause under relevant state or federal law. We received search warrants in all 29 matters where we disclosed customer content.

And in its law enforcement guidelines:

[W]e require a search warrant issued upon a showing of probable cause under relevant state or federal law before we will turn over user content stored on our servers, such as photos, videos, documents, form responses, or email messages.

Tells users about government data requests. Adobe promises to provide advance notice to users about government data demands, including delayed notice after a gag order expires, stating in its law enforcement guidelines:

It is Adobe policy to give notice to our customers whenever someone seeks access to their information unless we are legally prohibited from doing so. For example, if we receive a Delayed Notice Order (DNO) under 18 USC Section 2705(b), we will delay notice for the time period specified in the order and then notify the customer once the order expires. Please make sure any DNO you serve on Adobe is time-limited and expires on a specific date or after a specific period (such as 90 or 180 days).

And in its transparency report:

No Delaying Customer Notice Unless We Are Legally Obligated To Do So: As we did last year, this year we rejected a number of requests from governments to delay notice to our users because the requests were made informally. We only delay notice to our customers where we are legally obligated to do so -- for example, when we receive a delayed notice order (DNO) issued by a court. We then notify our customer of the government request for their data after the DNO expires.

Promises not to sell out users. Adobe prohibits third parties from allowing Adobe user data to be used for surveillance purposes. From its law enforcement guidelines:

Valid legal process is required before disclosure.

Adobe’s privacy policy states:

Adobe works with companies that help us run our business. These companies provide services such as delivering customer support, processing credit card payments, and sending emails on our behalf. In some cases, these companies have access to some of your personal information in order to provide services to you on our behalf. They are not permitted to use your information for their own purposes.

Adobe’s requirement for legal process before disclosing user data plus its prohibition against third parties using information for their own purposes is the basis for our reading that Adobe’s public-facing policies would prohibit it from sharing data to be used for surveillance.

Stands up to NSL gag orders. When receiving a National Security Letter with an indefinite gag order, Adobe requests review by a judge. From its law enforcement guidelines:

Indefinite DNOs are not constitutionally valid and we challenge them in court.

Pro-user public policy: Reform 702. Adobe has publicly called for reforms to Section 702 to curtail the surveillance of innocent people. Adobe was a signatory on a joint letter sent to the House Judiciary Committee Chairman and published on the Computer & Communications Industry Association website, which stated:

As you consider reforms to Section 702, we recommend that you adopt the following changes. First, reauthorization legislation should codify recent changes made to “about” collection pursuant to NSA’s Upstream program. This reform would merely codify changes already embraced by the U.S. government with the imprimatur of the Foreign Intelligence Surveillance Court (FISC) to correct deficiencies that implicate the constitutional rights of U.S. citizens…

Airbnb

Airbnb earns three stars in this year’s report. This is Airbnb’s second year in Who Has Your Back, and it has adopted a number of industry best practices, including publishing a transparency report, requiring a warrant for content, and publishing its guidelines for law enforcement requests. Airbnb has a published policy of requesting judicial review of all National Security Letters, and supports substantive reforms to rein in NSA surveillance. However, there is room for improvement. We urge Airbnb to commit to providing prior notice to users about government data requests, and only delaying notice for limited reasons. We also urge Airbnb continue to clarify its policies related to third-party access of their user data, either by making explicit that there is no third-party access or by stating explicitly that third parties are forbidden from allowing Airbnb user data to be used for surveillance purposes.

Follows industry-wide best practices. Airbnb publishes a transparency report and law enforcement guidelines. It requires a warrant before giving user content to law enforcement, stating in its law enforcement guidelines:

1. For content of communications, a search warrant issued under the procedures described in the US Federal Rules of Criminal Procedure (or equivalent state warrant procedures) is required.

Tells users about government data requests. Airbnb promises to provide advance notice to users about government data demands, but does not make clear whether it will inform users of government requests after a gag has been lifted or an emergency resolved. In addition, its exceptions for delaying notification are broader than physical bodily harm. It states in its law enforcement guidelines:

Please note that Airbnb, Inc. has a policy of using commercially reasonable efforts to notify users in the United States when we receive legal process from a third party requesting user data. Generally, except where a court order (and not just the request for information itself) requires delayed notification or no notification, or except where notification is otherwise prohibited by law or where we, in our sole discretion, believe that providing notice would be futile, ineffective or would create a risk of injury or bodily harm to an individual or group, or to our property, we will endeavor to provide reasonable prior notice to the relevant user of the request for user data in the event the user wishes to seek appropriate protective relief.

Promises not to sell out users. Airbnb does not explicitly state that it prohibits third-party access to its user data, nor does it say that third parties are prohibited from allowing Airbnb user data to be used for surveillance purposes. As a result, our reading of Airbnb’s public-facing policies would not prohibit it from sharing data to be used for surveillance.

Stands up to NSL gag orders. When receiving a National Security Letter with an indefinite gag order, Airbnb requests review by a judge. From its law enforcement guidelines:

Consistent with its policy of providing users notice of government-issued legal process for user data, Airbnb will request that the government initiate judicial review of any non-disclosure order issued in connection with a national security letter and has done so for any such letter it has received (if any).

Pro-user public policy: Reform 702. Airbnb has publicly called for reforms to Section 702 to curtail the surveillance of innocent people. Aibnb was a signatory on a joint letter sent to the House Judiciary Committee Chairman and published on the Computer & Communications Industry Association website, which stated:

As you consider reforms to Section 702, we recommend that you adopt the following changes. First, reauthorization legislation should codify recent changes made to “about” collection pursuant to NSA’s Upstream program. This reform would merely codify changes already embraced by the U.S. government with the imprimatur of the Foreign Intelligence Surveillance Court (FISC) to correct deficiencies that implicate the constitutional rights of U.S. citizens…

Amazon

Amazon earns two stars in this year’s report. This is Amazon’s sixth year in Who Has Your Back, and it has adopted a number of industry best practices, including publishing a transparency report, requiring a warrant for content, and publishing its guidelines for law enforcement requests. Amazon also supports substantive reforms to rein in NSA surveillance. However, there is room for improvement. We urge Amazon to promise to inform users before disclosing their data to the government and to create a public policy for requesting judicial review of all National Security Letters. We urge Amazon to continue to clarify its policies related to third-party access of its user data, either by making explicit that there is no third-party access or by stating explicitly that third parties are forbidden from allowing Amazon user data to be used for surveillance purposes.

Follows industry-wide best practices. Amazon publishes a transparency report and law enforcement guidelines. It requires a warrant before giving user content to law enforcement, stating in its law enforcement guidelines:

Amazon will not release customer information without a valid and binding legal demand properly served on us. Amazon objects to overbroad or otherwise inappropriate demands as a matter of course. Amazon distinguishes between content and non-content information. We produce noncontent information only in response to valid and binding subpoenas. We do not produce content information in response to subpoenas. We may produce non-content and content information in response to valid and binding search warrants.

Tells users about government data requests. Amazon promises to provide advance notice to users about government data demands, but does not make clear that it will provide notice after a gag order expires or an emergency is over, stating in its law enforcement guidelines:

Unless it is prohibited from doing so or has clear indication of illegal conduct in connection with the use of Amazon products or services, Amazon notifies customers before disclosing content information.

Promises not to sell out users. Amazon does not explicitly state that it prohibits third-party access to its user data, nor does it say that third parties are prohibited from allowing Amazon user data to be used for surveillance purposes. Its privacy notice states:

Protection of Amazon.com and Others: We release account and other personal information when we believe release is appropriate to comply with the law; enforce or apply our Conditions of Use and other agreements; or protect the rights, property, or safety of Amazon.com, our users, or others. This includes exchanging information with other companies and organizations for fraud protection and credit risk reduction. Obviously, however, this does not include selling, renting, sharing, or otherwise disclosing personally identifiable information from customers for commercial purposes in violation of the commitments set forth in this Privacy Notice.

As a result, our reading of Amazon’s public-facing policies would not prohibit it from sharing data to be used for surveillance.

Stands up to NSL gag orders. Amazon does not have a public policy of requesting judicial review of all National Security Letters it receives. From its transparency report:

National security requests include National Security Letters (“NSLs”) and court orders issued under the Foreign Intelligence Surveillance Act (“FISA”). Our responses to these requests depend on the nature of the request. Amazon objects to overbroad or otherwise inappropriate national security requests as a matter of course.

Pro-user public policy: Reform 702. Amazon has publicly called for reforms to Section 702 to curtail the surveillance of innocent people. Amazon was a signatory on a joint letter sent to the House Judiciary Committee Chairman and published on the Computer & Communications Industry Association website, which stated:

As you consider reforms to Section 702, we recommend that you adopt the following changes. First, reauthorization legislation should codify recent changes made to “about” collection pursuant to NSA’s Upstream program. This reform would merely codify changes already embraced by the U.S. government with the imprimatur of the Foreign Intelligence Surveillance Court (FISC) to correct deficiencies that implicate the constitutional rights of U.S. citizens…

Apple

Apple earns four stars in this year’s report. This is Apple’s sixth year in Who Has Your Back, and it has adopted a number of industry best practices, including publishing a transparency report, requiring a warrant for content, and publishing its guidelines for law enforcement requests. Apple promises to inform users before disclosing their data to the government, has a published policy of requesting judicial review of all National Security Letters, and explicitly states that third parties are forbidden from allowing Apple user data to be used for surveillance purposes. We urge Apple to support substantive reforms to rein in NSA surveillance.

Follows industry-wide best practices. Apple publishes a transparency report and law enforcement guidelines. It requires a warrant before giving user content to law enforcement, stating on its government information requests page:

We apply the highest U.S. legal standard, and we require a search warrant for all U.S. requests for content.

From its law enforcement guidelines:

For all requests from government and law enforcement agencies within the United States for content, with the exception of emergency circumstances (defined in the Electronic Communications Privacy Act 1986, as amended), Apple will only provide content in response to a search warrant issued upon a showing of probable cause.

From its most recent transparency report:

Any government agency seeking customer content from Apple must obtain a search warrant issued upon a showing of probable cause.

Tells users about government data requests. Apple promises to provide advance notice to users about government data demands, including delayed notice after a gag order expires, stating in its law enforcement guidelines:

Q: Do you notify users of legal process? A: Yes, Apple’s notice policy applies to account requests from law enforcement, government and private parties. Apple will notify customers and account holders unless there is a non-disclosure order or applicable law prohibiting notice, or where Apple, in its sole discretion, reasonably believes that such notice may pose immediate risk of serious injury or death to a member of the public, the case relates to a child endangerment matter, or where notice is not applicable to the underlying facts of the case.

It also states in its law enforcement guidelines:

Apple will notify customers/users when their Apple account information is being sought in response to legal process from government, law enforcement, or third parties, except where providing notice is explicitly prohibited by the legal process itself, by a court order Apple receives (e.g., an order under 18 U.S.C. §2705(b)), by applicable law or where Apple, in its sole discretion, believes that providing notice creates a risk of injury or death to an identifiable individual, in situations where the case relates to child endangerment, or where notice is not applicable to the underlying facts of the case. After 90 days Apple will provide delayed notice for emergency disclosure requests except where notice is prohibited by court order or applicable law or where Apple, in its sole discretion, believes that providing notice could create a risk of injury or death to an identifiable individual or group of individuals or in situations where the case relates to child endangerment. Apple will provide delayed notice for requests after expiration of the non-disclosure period specified in a court order unless Apple, in its sole discretion, reasonably believes that providing notice could create a risk of injury or death to an identifiable individual or group of individuals, in situations where the case relates to child endangerment, or where notice is not applicable to the underlying facts of the case.

Promises not to sell out users. Apple prohibits third parties from allowing Apple user data to be used for surveillance purposes. In its government information requests page, Apple states:

We contractually require our service providers to follow the same standard we apply to government information requests for Apple data.

In its law enforcement guidelines, Apple states:

Apple is committed to maintaining the privacy of the users of Apple products and services (“Apple users”). Accordingly, information about Apple users will not be released without valid legal process.

Notably, Apple has language in its privacy policy that is not as strong:

It may be necessary − by law, legal process, litigation, and/or requests from public and governmental authorities within or outside your country of residence − for Apple to disclose your personal information. We may also disclose information about you if we determine that for purposes of national security, law enforcement, or other issues of public importance, disclosure is necessary or appropriate.

Nonetheless, based on the clear and prominent placement of the legal process requirement in the law enforcement guidelines, and the clear and prominent commitment to ensure Apple service providers adhere to Apple’s government information requests policy when providing data to the government, our reading of Apple’s public-facing policies would prohibit it from sharing data to be used for surveillance.

Stands up to NSL gag orders. When receiving a National Security Letter with an indefinite gag order, Apples requests review by a judge. From its government information requests page:

In addition, if Apple receives a National Security Letter (NSL) from the U.S. government that contains an indefinite gag order, Apple will notify the government that it would like the court to review the nondisclosure provision of the NSL pursuant to USA FREEDOM. The government then has 30 days to let the court know why the nondisclosure should remain in effect or can let Apple know that the nondisclosure no longer applies. If Apple receives notice that the nondisclosure no longer applies, it will notify the affected customer(s) pursuant to Apple’s customer notice policies.

Pro-user public policy: Reform 702. Apple has not publicly called for reforms to Section 702 to curtail the surveillance of innocent people.

AT&T

AT&T earns one star in this year’s report. This is AT&T’s sixth year in Who Has Your Back, and it has adopted a number of industry best practices, including publishing a transparency report, requiring a warrant for content, and publishing its guidelines for law enforcement requests. However, there is room for improvement. We urge AT&T to promise to inform users before disclosing their data to the government, create a public policy of requesting judicial review of all National Security Letters, and support substantive reforms to rein in NSA surveillance. We urge AT&T to clarify its policies related to third-party access of its user data, either by making explicit that there is no third-party access or by stating explicitly that third parties are forbidden from allowing AT&T user data to be used for surveillance purposes.

Follows industry-wide best practices. AT&T publishes a transparency report and law enforcement guidelines. It requires a warrant before giving user content to law enforcement, stating in its most recent transparency report:

Except in emergency circumstances, a search warrant or probable cause court order is required for all real-time precise location information (like GPS) and realtime content (such as content obtained through wiretaps). Stored content (like stored text and voice messages) generally also requires a warrant.

Tells users about government data requests. AT&T does not promise to provide advance notice to users about government data demands.

Promises not to sell out users. AT&T does not explicitly prohibit third-party access to its user data, nor does it say that third parties are prohibited from allowing AT&T user data to be used for surveillance purposes.

From its privacy policy:

1. Do you share my Personal Information internally? Yes. Our products and services are developed, managed, marketed and sold by a variety of our affiliated companies. We may share Personal Information internally, including with affiliated companies that may have different privacy policies. When we do this we require the affiliated company or companies to protect the Personal Information in a way consistent with this Privacy Policy. We may also combine Personal Information with data derived from an application that has a different privacy policy. When we do that, this Privacy Policy applies to the combined data set…. Are there any other times when you might provide my Personal Information to other non-AT&T companies or entities? Yes. We share your Personal Information with other, non-AT&T companies that perform services for us, like processing your bill. Because we take our responsibility to safeguard your Personal Information seriously, we do not allow those companies to use it for any purpose other than to perform those services, and we require them to protect it in a way consistent with this Privacy Policy. Companies that perform these services may be located outside the United States or the jurisdiction where you reside. If your Personal Information is shared with these companies, it could be accessible to government authorities according to the laws that govern those jurisdictions. There are also occasions when we provide Personal Information to other non-AT&T companies or other entities, such as government agencies, credit bureaus and collection agencies, without your consent. Some examples include sharing to: Comply with court orders, subpoenas, lawful discovery requests and other legal or regulatory requirements, and to enforce our legal rights or defend against legal claims;

Obtain payment or make refunds for products and services that appear on your AT&T billing statements, including the transfer or sale of delinquent accounts or refund obligations to third parties for collection or payment.

Enforce our agreements and protect our rights or property;

Assist with identity verification and e-mail address validation;

Respond to lawful requests by public authorities, including to meet national security or law enforcement requirements;

Notify, respond or provide information (including location information) to a responsible governmental entity in emergency or exigent circumstances or in situations involving immediate danger of death or serious physical injury; and

Notify the National Center for Missing and Exploited Children of information concerning child pornography of which we become aware through the provision of our services.

AT&T makes a clear statement that third parties with whom it shares users’ personal information are required to adhere to the standards of AT&T’s privacy policy. AT&T also outlines in its policies how it responds to various types of government data demands, and makes clear it rejects other data requests from the government. However, AT&T includes a carve-out in its privacy policy to “assist with identity verification and e-mail address validation” as well as “respond to lawful requests by public authorities, including to meet national security or law enforcement requirements.” As a result, our reading of AT&T’s public-facing policies would not prohibit it from sharing data to be used for surveillance.

Stands up to NSL gag orders. AT&T does not have a public policy of requesting judicial review of all National Security Letters it receives.

Pro-user public policy: Reform 702. AT&T has not publicly called for reforms to Section 702 to curtail the surveillance of innocent people.

Comcast

Comcast earns one star in this year’s report. This is Comcast’s sixth year in Who Has Your Back, and it has adopted a number of industry best practices, including publishing a transparency report, requiring a warrant for content, and publishing its guidelines for law enforcement requests. However, there is room for improvement. We urge Comcast to promise to inform users before disclosing their data to the government, create a public policy of requesting judicial review of all National Security Letters, and support substantive reforms to rein in NSA surveillance. We urge Comcast to clarify its policies related to third-party access of its user data, either by making explicit that there is no third-party access or by stating explicitly that third parties are forbidden from allowing Comcast user data to be used for surveillance purposes.

Follows industry-wide best practices. Comcast publishes a transparency report and law enforcement guidelines. It requires a warrant before giving user content to law enforcement, stating in its law enforcement guidelines:

Comcast requires a warrant for the release of all content data regardless of the amount of time the content has been in electronic storage.

Tells users about government data requests. Comcast does not promise to provide advance notice to users about government data demands. Its published policy reads:

The contents of email communications in storage will only be produced in response to a state or federal warrant. In such situations where the communications have been in storage for 180 days or less, this may be done by without notice by law enforcement to the subscriber by law enforcement. For email communications in storage for over 180 days, notice to the subscriber by law enforcement is required.

Promises not to sell out users. Comcast does not explicitly prohibit third-party access to its user data, nor does it say that third parties are prohibited from allowing Comcast user data to be used for surveillance purposes. As a result, our reading of Comcast’s public-facing policies would not prohibit it from sharing data to be used for surveillance.

Stands up to NSL gag orders. Comcast does not have a public policy of requesting judicial review of all National Security Letters it receives.

Pro-user public policy: Reform 702. Comcast has not publicly called for reforms to Section 702 to curtail the surveillance of innocent people.

CREDO Mobile

CREDO earns five stars in this year’s report. This is CREDO’s third year in Who Has Your Back, and it has adopted all of the industry best practices we measure in this report, including publishing a transparency report, requiring a warrant for content, and publishing its guidelines for law enforcement requests. CREDO promises to inform users before disclosing their data to the government, has a published policy of requesting judicial review of all National Security Letters, and supports substantive reforms to rein in NSA surveillance. CREDO also explicitly forbids third parties from allowing CREDO user data to be used for surveillance purposes. We applaud CREDO’s policies related to transparency and user privacy.

Follows industry-wide best practices. CREDO publishes a transparency report and law enforcement guidelines. It requires a warrant before giving user content to law enforcement, stating in its law enforcement guidelines:

CREDO requires third parties to obtain a U.S. subpoena, court order, or warrant (for example, in the case of a request for content) in order to obtain CREDO customer information.

Tells users about government data requests. CREDO promises to provide advance notice to users about government data demands, including delayed notice after a gag order expires, stating in its law enforcement guidelines:

For criminal legal process: CREDO will notify customers upon receipt of criminal legal process seeking information about their accounts unless such notification is prohibited by law. There is a 21-day waiting period before disclosure of account information, unless CREDO is compelled by law to respond earlier. When CREDO is prohibited from notifying a customer before complying with criminal legal process, CREDO will provide notification once the legal prohibition expires. For Emergency Requests: CREDO will notify customers when information about their accounts has been provided in response to an emergency request.

It also clarifies in a footnote of its transparency report how it understands emergency requests:

CREDO evaluates emergency requests to ensure they satisfy the requirements of 18 USC § 2702(c)(4) and/or (b)(8).

Promises not to sell out users. CREDO explicitly prohibits third parties from allowing CREDO user data to be used for surveillance purposes. It states in its transparency report:

CREDO requires law enforcement entities to obtain a U.S. subpoena, court order, or warrant in order to obtain CREDO customer information and does not voluntarily provide third parties special access to user data for the purpose of surveillance.

Stands up to NSL gag orders. When receiving a National Security Letter with an indefinite gag order, CREDO requests review by a judge. From its transparency report:

In the case of NSLs, CREDO is committed to using all available statutory procedures to ensure that each request to CREDO accompanied by an indefinite gag is reviewed by a judge. CREDO has fought for the right to disclose each NSL it has received in the past and will continue to do so.

Pro-user public policy: Reform 702. CREDO has said it would not support reauthorizing Section 702 as it is currently written, stating in a recent transparency report:

We are working for full repeal of the USA PATRIOT Act and FISA Amendments Act.

And:



ICREDO opposed reauthorization of the PATRIOT Act's Section 215 before the USA Freedom Act was passed (a bill CREDO opposed) and opposes the reauthorization of FISA Section 702 as it is currently written.

Dropbox

Dropbox earns five stars in this year’s report. This is Dropbox’s sixth year in Who Has Your Back, and it has adopted all of industry best practices we measure in this report, including publishing a transparency report, requiring a warrant for content, and publishing its guidelines for law enforcement requests. Dropbox promises to inform users before disclosing their data to the government, has a published policy of requesting judicial review of all National Security Letters, and supports substantive reforms to rein in NSA surveillance. Dropbox also explicitly forbids third parties from allowing Dropbox user data to be used for surveillance purposes. We applaud Dropbox’s policies related to transparency and user privacy.

Follows industry-wide best practices. Dropbox publishes a transparency report and law enforcement guidelines. It requires a warrant before giving user content to law enforcement, stating in its law enforcement handbook:

Dropbox will only provide user content, whether in files or otherwise, in response to a search warrant.

Tells users about government data requests. Dropbox promises to provide advance notice to users about government data demands, including delayed notice after a gag order expires, stating in its law enforcement handbook:

Dropbox's policy is to provide notice to users about all law enforcement requests for their information prior to complying with the request, unless prohibited by law. We might delay notice in cases involving the threat of death or bodily injury, or the exploitation of children. If you have a legal basis to delay Dropbox from notifying the user in a particular case, please provide legal justification (such as a court order) when serving the subpoena or warrant. Once the basis for the non-disclosure has expired, we will give notice to the user.

Promises not to sell out users. Dropbox prohibits third parties from allowing Dropbox user data to be used for surveillance purposes. From its government data request principles:

We’ve seen reports that governments have been tapping into data center traffic of certain service providers. We’ve also seen reports that service providers have tools designed to give law enforcement access to user data directly or via third parties. Dropbox opposes these activities and would fight any attempt to require us to participate in them. Governments should always request user data by contacting online services directly and presenting legal process. This allows services like Dropbox to scrutinize the data requests and resist where appropriate.

As a result, our reading of Dropbox’s public-facing policies would prohibit it from sharing data to be used for surveillance.

Stands up to NSL gag orders. When receiving a National Security Letter with an indefinite gag order, Dropbox requests review by a judge. From its government data request principles:

We believe in providing notice to our users when a government requests their information and have fought in court to do so. However, government requests frequently include a court-granted non-disclosure order, which prohibits us from giving notice to the affected user. In cases where we receive a non-disclosure order, we notify the user when it has expired. Dropbox is also committed to following the USA FREEDOM Act. This ensures that courts have the opportunity to review non-disclosure obligations for any National Security Letters we may receive. We believe services like Dropbox should always be permitted to provide notice to affected users, and will continue advocating for this important goal.

Pro-user public policy: Reform 702. Dropbox has publicly called for reforms to Section 702 to curtail the surveillance of innocent people. Dropbox was a signatory on a joint letter sent to the House Judiciary Committee Chairman and published on the Computer & Communications Industry Association website, which stated:

As you consider reforms to Section 702, we recommend that you adopt the following changes. First, reauthorization legislation should codify recent changes made to “about” collection pursuant to NSA’s Upstream program. This reform would merely codify changes already embraced by the U.S. government with the imprimatur of the Foreign Intelligence Surveillance Court (FISC) to correct deficiencies that implicate the constitutional rights of U.S. citizens…

Facebook

Facebook earns four stars in this year’s report. This is Facebook’s sixth year in Who Has Your Back, and it has adopted a number of industry best practices, including publishing a transparency report, requiring a warrant for content, and publishing its guidelines for law enforcement requests. Facebook promises to inform users before disclosing their data to the government and supports substantive reforms to rein in NSA surveillance. Facebook also explicitly states that third parties are forbidden from allowing Facebook user data to be used for surveillance purposes. We urge Facebook to create a public policy of requesting judicial review of all National Security Letters.

Follows industry-wide best practices. Facebook publishes a transparency report and law enforcement guidelines. It requires a warrant before giving user content to law enforcement, stating in its law enforcement guidelines:

A search warrant issued under the procedures described in the Federal Rules of Criminal Procedure or equivalent state warrant procedures upon a showing of probable cause is required to compel the disclosure of the stored contents of any account, which may include messages, photos, videos, timeline posts, and location information.

Tells users about government data requests. Facebook promises to provide advance notice to users about government data demands, including delayed notice after a gag order expires, stating in its law enforcement guidelines:

Our policy is to notify people who use our service of requests for their information prior to disclosure unless we are prohibited by law from doing so or in exceptional circumstances, such as child exploitation cases, emergencies or when notice would be counterproductive. We will also provide delayed notice upon expiration of a specific non-disclosure period in a court order and where we have a good faith belief that exceptional circumstances no longer exist and we are not otherwise prohibited by law from doing so. Law enforcement officials who believe that notification would jeopardize an investigation should obtain an appropriate court order or other appropriate process establishing that notice is prohibited. If your data request draws attention to an ongoing violation of our terms of use, we will take action to prevent further abuse, including actions that may notify the user that we are aware of their misconduct.

Promises not to sell out users. Facebook prohibits third parties from allowing Facebook user data to be used for surveillance purposes. Its platform policy reads:

Protect the information you receive from us against unauthorized access, use, or disclosure. For example, don't use data obtained from us to provide tools that are used for surveillance.

And its privacy policy reads:

Vendors, service providers and other partners. We transfer information to vendors, service providers, and other partners who globally support our business, such as providing technical infrastructure services, analyzing how our Services are used, measuring the effectiveness of ads and services, providing customer service, facilitating payments, or conducting academic research and surveys. These partners must adhere to strict confidentiality obligations in a way that is consistent with this Data Policy and the agreements we enter into with them.

As a result, our reading of Facebook’s public-facing policies would prohibit it from sharing data to be used for surveillance.

Stands up to NSL gag orders. Facebook does not have a public policy of requesting judicial review of all National Security Letters it receives.

However, Facebook does read the NSL statute very narrowly, stating:

We interpret the national security letter provision as applied to Facebook to require the production of only 2 categories of information: name and length of service.

While Facebook does not qualify for a star in this section, we applaud its reading of the statute, especially the fact that it does not turn over IP address information in response to an NSL.

Pro-user public policy: Reform 702. Facebook has publicly called for reforms to Section 702 to curtail the surveillance of innocent people. Facebook was a signatory on a joint letter sent to the House Judiciary Committee Chairman and published on the Computer & Communications Industry Association website, which stated:

As you consider reforms to Section 702, we recommend that you adopt the following changes. First, reauthorization legislation should codify recent changes made to “about” collection pursuant to NSA’s Upstream program. This reform would merely codify changes already embraced by the U.S. government with the imprimatur of the Foreign Intelligence Surveillance Court (FISC) to correct deficiencies that implicate the constitutional rights of U.S. citizens…

Google

Google earns four stars in this year’s report. This is Google’s sixth year in Who Has Your Back, and it has adopted a number of industry best practices, including publishing a transparency report, requiring a warrant for content, and publishing its guidelines for law enforcement requests. Google promises to inform users before disclosing their data to the government and supports substantive reforms to rein in NSA surveillance. Google prohibits third parties from allowing Google user data to be used for surveillance purposes. We urge Google to create a public policy of requesting judicial review of all National Security Letters.

Follows industry-wide best practices. Google publishes a transparency report and law enforcement guidelines. It requires a warrant before giving user content to law enforcement, stating in its legal process page:

But Google requires an ECPA search warrant for contents of Gmail and other services based on the Fourth Amendment to the U.S. Constitution, which prohibits unreasonable search and seizure.

Tells users about government data requests. Google promises to provide advance notice to users about government data demands, including delayed notice after a gag order expires. The following language is not yet live on Google’s site as of the date of publication, but will be posted in July 2017 on its legal process page:

If you receive a legal request concerning my account, will you tell me about it? If Google receives ECPA legal process for a user's account, it's our policy to notify the user via email before any information is disclosed unless such notification is prohibited by law. We will provide delayed notice to users after a legal prohibition is lifted, such as when a statutory or court ordered gag period has expired. We might not give notice when, in our sole discretion, we believe that notice would be counterproductive or exceptional circumstances exist involving danger of death or serious physical injury to any person. In such cases, we will provide delayed notice if we later determine that those circumstances no longer exist. In cases where the account in question is an enterprise hosted account, notice may go to the domain administrator, or the end user, or both. We review each request we receive before responding to make sure it satisfies applicable legal requirements and Google's policies. In certain cases we'll push back regardless of whether the user decides to challenge it legally. If the request appears to be legally valid, we will endeavor to make a copy of the requested information before we notify the user.

Promises not to sell out users. Google prohibits third parties from allowing Google user data to be used for surveillance purposes.

From its FAQ on law enforcement access:

Does Google give governments direct access to user data? We require that requests for user data be sent to Google directly and not through any sort of "back door" direct access by the government. Our legal team reviews each and every request, and frequently pushes back when requests are overly broad or don’t follow the correct process. We have taken the lead in being as transparent as possible about government requests for user information.

From its developer agreement:

You are not permitted to access, aggregate, or analyze Google user data if the data will be displayed, sold, or otherwise distributed to a third party conducting surveillance.

As a result, our reading of Google ’s public-facing policies would prohibit it from sharing data to be used for surveillance.

Stands up to NSL gag orders. Google does not have a public policy of requesting judicial review of all National Security Letters it receives.

However, Google does read the NSL statute narrowly, stating:

Under the Electronic Communications Privacy Act (ECPA) 18 U.S.C. section 2709, the FBI can seek ‘the name, address, length of service, and local and long distance toll billing records’ of a subscriber to a wire or electronic communications service. The FBI can’t use NSLs to obtain anything else from Google, such as Gmail content, search queries, YouTube videos or user IP addresses.

While Google does not qualify for a star in this section, we applaud its reading of the statute, especially the fact that it does not turn over IP address information in response to an NSL.

Pro-user public policy: Reform 702. Google has publicly called for reforms to Section 702 to curtail the surveillance of innocent people. Google was a signatory on a joint letter sent to the House Judiciary Committee Chairman and published on the Computer & Communications Industry Association website, which stated:

As you consider reforms to Section 702, we recommend that you adopt the following changes. First, reauthorization legislation should codify recent changes made to “about” collection pursuant to NSA’s Upstream program. This reform would merely codify changes already embraced by the U.S. government with the imprimatur of the Foreign Intelligence Surveillance Court (FISC) to correct deficiencies that implicate the constitutional rights of U.S. citizens…

LinkedIn

LinkedIn earns four stars in this year’s report. This is LinkedIn’s fifth year in Who Has Your Back, and it has adopted a number of industry best practices, including publishing a transparency report, requiring a warrant for content, and publishing its guidelines for law enforcement requests. LinkedIn promises to inform users before disclosing their data to the government and supports substantive reforms to rein in NSA surveillance. LinkedIn also explicitly states that third parties are forbidden from allowing LinkedIn user data to be used for surveillance purposes. We urge LinkedIn to create a public policy of requesting judicial review of all National Security Letters.

Follows industry-wide best practices. LinkedIn publishes a transparency report and law enforcement guidelines. It requires a warrant before giving user content to law enforcement, stating in its law enforcement guidelines:

We require a search warrant to produce any Member Content responsive to law enforcement Data Requests.

Tells users about government data requests. LinkedIn promises to provide advance notice to users about government data demands, including delayed notice after a gag order expires, stating in its law enforcement guidelines:

7. Will LinkedIn notify Members of Requests for account data? Yes. LinkedIn’s policy is to notify Members of Requests for their data unless we are prohibited from doing so by statute or court order. Law enforcement officials who believe that notification would jeopardize an investigation should obtain an appropriate court order or other valid legal process that specifically precludes Member notification, such as an order issued pursuant to 18 U.S.C. §2705(b). When a Request is accompanied by a nondisclosure order, LinkedIn will notify the affected Member(s) as soon as the order is overturned or expires on its own terms. Please note that nondisclosure orders should be as narrow in scope and duration as circumstances permit, and that LinkedIn does not provide advance notice to the Requesting party that a nondisclosure order is expiring; it is up to the Requesting party to calendar the nondisclosure period and to keep LinkedIn apprised of any modifications or extensions.

Promises not to sell out users. LinkedIn explicitly prohibits third parties from allowing LinkedIn user data to be used for surveillance purposes. From its transparency report:

We know that our members' concerns over surveillance extend to the private sector as well. When it comes to data about LinkedIn members, we set limits on data use to ensure that our customers and participants in our API programs share our goals and put our members first. Such limits prohibit using or sharing LinkedIn information for surveillance purposes.

As a result, our reading of LinkedIn’s public-facing policies would prohibit it from sharing data to be used for surveillance.

Stands up to NSL gag orders. LinkedIn does not have a public policy of requesting judicial review of all National Security Letters it receives.

Pro-user public policy: Reform 702. LinkedIn has publicly called for reforms to Section 702 to curtail the surveillance of innocent people. LinkedIn was a signatory on a joint letter sent to the House Judiciary Committee Chairman and published on the Computer & Communications Industry Association website, which stated:

A s you consider reforms to Section 702, we recommend that you adopt the following changes. First, reauthorization legislation should codify recent changes made to “about” collection pursuant to NSA’s Upstream program. This reform would merely codify changes already embraced by the U.S. government with the imprimatur of the Foreign Intelligence Surveillance Court (FISC) to correct deficiencies that implicate the constitutional rights of U.S. citizens…

Lyft

Lyft earns five stars in this year’s report. This is Lyft’s second year in Who Has Your Back, and it has adopted all of the industry best practices we measure in this report, including publishing a transparency report, requiring a warrant for content, and publishing its guidelines for law enforcement requests. Lyft promises to inform users before disclosing their data to the government, has a published policy of requesting judicial review of all National Security Letters, and supports substantive reforms to rein in NSA surveillance. Lyft also explicitly forbids third parties from allowing Lyft user data to be used for surveillance purposes. We applaud Lyft’s policies related to transparency and user privacy.

Follows industry-wide best practices. Lyft publishes a transparency report and law enforcement guidelines. It requires a warrant before giving user content to law enforcement, stating in its law enforcement guidelines:

We will require a warrant for requests for content of communications between Users or for prospective location data.

Tells users about government data requests. Lyft promises to provide advance notice to users about government data demands, including delayed notice after a gag order expires, stating in its law enforcement guidelines:

It is our policy to provide notice to Users before producing their information in response to a criminal investigation by law enforcement unless (i) we are prohibited by law from doing so, (ii) we have reason to believe the subject’s Lyft account has been compromised such that the notice would go to the wrong person, or notice would otherwise be counterproductive or would create a risk to safety, or (iii) it is an emergency request and prior notice would be impractical (in which case we may provide notice after the fact). Law enforcement officials who do not want their request disclosed should provide an appropriate court order or process establishing that notice is prohibited, or provide sufficient detail for Lyft to determine whether a request falls into one of the exceptions above. Regulatory or other non-criminal requests for information are not within the scope of this policy. In the event that information is provided subject to a gag order or disclosed pursuant to an emergency request, Lyft will provide notice to its users of these government demands if Lyft is thereafter notified that the gag order or the emergency has expired.

And it also states in its law enforcement guidelines:

We have a process for evaluating requests on an emergency basis where an emergency situation exists involving an immediate threat of death or serious bodily harm to a person. Requestors must email LER@lyft.com with the subject line 'Emergency Disclosure Request' and describe in detail the nature of the emergency. We review these requests on a case-by-case basis. Please note that we will only review and respond to emergency requests from law enforcement, and will not respond to emergency requests sent to this address by non-law enforcement officials. Non-law enforcement officials aware of an emergency situation should immediately and directly contact local law enforcement officials.

Promises not to sell out users. Lyft prohibits third parties from allowing Lyft user data to be used for surveillance purposes. In its developer agreement, it states:

You will not… use the Platform or Service to investigate, track or surveil Lyft Users, or to obtain information on Lyft Users, information on Lyft Users, in a manner that would require valid legal process.

As a result, our reading of Lyft’s public-facing policies would prohibit it from sharing data to be used for surveillance.

Stands up to NSL gag orders. When receiving a National Security Letter with an indefinite gag order, Lyft requests review by a judge. From its law enforcement guidelines:

Lyft will challenge any National Security Letter it receives, and will require the government to obtain an order from a court requiring its compliance.

Pro-user public policy: Reform 702. Lyft has publicly called for reforms to Section 702 to curtail the surveillance of innocent people. Lyft was a signatory on a joint letter sent to the House Judiciary Committee Chairman and published on the Computer & Communications Industry Association website, which stated:

As you consider reforms to Section 702, we recommend that you adopt the following changes. First, reauthorization legislation should codify recent changes made to “about” collection pursuant to NSA’s Upstream program. This reform would merely codify changes already embraced by the U.S. government with the imprimatur of the Foreign Intelligence Surveillance Court (FISC) to correct deficiencies that implicate the constitutional rights of U.S. citizens…

Microsoft

Microsoft earns four stars in this year’s report. This is Microsoft’s sixth year in Who Has Your Back, and it has adopted a number of industry best practices, including publishing a transparency report, requiring a warrant for content, and publishing its guidelines for law enforcement requests. Microsoft promises to inform users before disclosing their data to the government and supports substantive reforms to rein in NSA surveillance. Microsoft also explicitly states that third parties are forbidden from allowing Microsoft user data to be used for surveillance purposes. We urge Microsoft to create a public policy of requesting judicial review of all National Security letters.

Follows industry-wide best practices. Microsoft publishes a transparency report and law enforcement guidelines. It requires a warrant before giving user content to law enforcement, stating in its law enforcement requests report:

Microsoft requires an official, signed document issued pursuant to local law and rules. Specifically, we require a subpoena or equivalent before disclosing non-content, and only disclose content in response to a warrant or court order. Microsoft's compliance team reviews government demands for user data to ensure the requests are valid, rejects those that are not valid, and only provides the data specified in the legal order.

Tells users about government data requests. Microsoft promises to provide advance notice to users about government data demands, including delayed notice after a gag order expires. The following language is not yet live on Microsoft's site as of the date of publication, but will be posted in July 2017 on its legal process page:

Q: Does Microsoft notify users of its consumer services, such as Outlook.com, when law enforcement or another governmental entity in the U.S. requests their data? A: Yes. Microsoft will give prior notice to users whose data is sought by a law enforcement agency or other governmental entity, except where prohibited by law. We may also withhold notice in exceptional circumstances, such as emergencies, where notice could result in danger (e.g., child exploitation investigations), or where notice would be counterproductive (e.g., where the user’s account has been hacked). Microsoft will also provide delayed notice to users when we determine that the circumstances that caused us to withhold notice at the time the request was made have expired (e.g., a valid court order prohibiting customer notification expires).

Promises not to sell out users. Microsoft prohibits third parties from allowing Microsoft user data to be used for surveillance purposes. Its law enforcement requests report states:

Q: Do you enable third parties to assist governments in conducting voluntary surveillance of your customers? A: We are aware of reports that some providers have develop tools that third parties use to voluntarily assist governments in conducting surveillance of that provider’s users. We do not design tools to enable voluntary surveillance of our users. If we ever provide third parties with access to data about our customers, we expect those third parties to handle that data appropriately, meaning that they should not assist governments in voluntary, widespread surveillance of users. Instead, these third parties should ensure that they only disclose personal data about users in compliance with applicable law or in response to valid legal orders.

As a result, our reading of Microsoft’s public-facing policies would prohibit it from sharing data to be used for surveillance.

Stands up to NSL gag orders. Microsoft does not have a public policy of requesting judicial review of all National Security Letters it receives.

Pro-user public policy: Reform 702. Microsoft has publicly called for reforms to Section 702 to curtail the surveillance of innocent people. Microsoft was a signatory on a joint letter sent to the House Judiciary Committee Chairman and published on the Computer & Communications Industry Association website, which stated:

As you consider reforms to Section 702, we recommend that you adopt the following changes. First, reauthorization legislation should codify recent changes made to “about” collection pursuant to NSA’s Upstream program. This reform would merely codify changes already embraced by the U.S. government with the imprimatur of the Foreign Intelligence Surveillance Court (FISC) to correct deficiencies that implicate the constitutional rights of U.S. citizens…

Pinterest

Pinterest earns five stars in this year’s report. This is Pinterest’s third year in Who Has Your Back, and it has adopted a number of industry best practices, including publishing a transparency report, requiring a warrant for content, and publishing its guidelines for law enforcement requests. Pinterest promises to inform users before disclosing their data to the government and supports substantive reforms to rein in NSA surveillance. Pinterest also prohibits third parties from allowing Pinterest user data to be used for surveillance purposes and has instituted a public policy of requesting judicial review of all National Security Letters it receives. We applaud Pinterest’s policies related to transparency and user privacy.

Follows industry-wide best practices. Pinterest publishes a transparency report and law enforcement guidelines. It requires a warrant before giving user content to law enforcement, stating in its law enforcement guidelines:

To compel Pinterest to provide any user's content, you must obtain a valid search warrant.

Tells users about government data demands. Pinterest promises to provide advance notice to users about government data demands, including delayed notice after a gag order expires, stating in its law enforcement guidelines:

Yes, our policy is to notify users of Law Enforcement Requests by providing them with a complete copy of the request before producing their information to law enforcement. We may make exceptions to this policy where: we are legally prohibited from providing notice (e.g. by an order under 18 U.S.C. § 2705(b));

an emergency situation exists involving a danger of death or serious physical injury to a person;

we have reason to believe notice wouldn't go to the actual account holder (e.g. an account has been hijacked) In cases where notice isn't provided because of a court order or emergency situation, our policy is to provide notice to the user once the court order or emergency situation has expired.

Promises not to sell out users. Pinterest prohibits third parties from allowing Pinterest user data to be used for surveillance purposes.

From its developer guidelines:

You’re responsible for following all laws, regulations and industry codes, as well as our terms and policies, including our community guidelines and privacy policy.

And:

Our developer API should only be used for direct-to-consumer integrations that help people discover and do what they love.

From its law enforcement guides:

What does Pinterest require to produce user information? For U.S. Law Enforcement You must obtain a valid subpoena, court order or search warrant ("Law Enforcement Request") to compel Pinterest to provide any user's information. To compel Pinterest to provide any user's content, you must obtain a valid search warrant.

As a result, our reading of Pinterest’s public-facing policies would prohibit it from sharing data to be used for surveillance.

Stands up to NSL gag orders. When receiving a National Security Letter with an indefinite gag order, Pinterest requests review by a judge. From its law enforcement guidelines:

If we receive a National Security Letter (NSL) from the U.S. government that includes an indefinite non-disclosure order, our policy is to ask the government to seek judicial review of the order pursuant to the USA FREEDOM Act.

Pro-user public policy: Reform 702. Pinterest has publicly called for reforms to Section 702 to curtail the surveillance of innocent people. Pinterest was a signatory on a joint letter sent to the House Judiciary Committee Chairman and published on the Computer & Communications Industry Association website, which stated:

As you consider reforms to Section 702, we recommend that you adopt the following changes. First, reauthorization legislation should codify recent changes made to “about” collection pursuant to NSA’s Upstream program. This reform would merely codify changes already embraced by the U.S. government with the imprimatur of the Foreign Intelligence Surveillance Court (FISC) to correct deficiencies that implicate the constitutional rights of U.S. citizens…

Slack

Slack earns four stars in this year’s report. This is Slack’s second year in Who Has Your Back, and it has adopted a number of industry best practices, including publishing a transparency report, requiring a warrant for content, and publishing its guidelines for law enforcement requests. Slack has a published policy of requesting judicial review of all National Security Letters and supports substantive reforms to rein in NSA surveillance. Slack also prohibits third parties from allowing Slack user data to be used for surveillance purposes. We call on Slack to inform users before disclosing their data to the government.

Follows industry-wide best practices. Slack publishes a transparency report and law enforcement guidelines. It requires a warrant before giving user content to law enforcement, stating in its law enforcement guidelines:

Slack requires a search warrant issued by a court of competent jurisdiction (a federal court or a court of general criminal jurisdiction of a State authorized by the law of that State to issue search warrants) to disclose Customer Data.

Tells users about government data demands. Slack promises to provide advance notice to users about government data demands, including delayed notice after a gag order expires, but it allows for a broad set of exceptions to this policy, stating in its law enforcement guidelines:

Slack will notify Customer before disclosing any of Customer’s Customer Data so that the Customer may seek protection from such disclosure, unless Slack is prohibited from doing so or there is a clear indication of illegal conduct or risk of harm to people or property associated with the use of such Customer Data. If Slack is legally prohibited from notifying Customer prior to disclosure, Slack will take reasonable steps to notify Customer of the demand after the nondisclosure requirement expires.

Hence, Slack does not earn credit in this category.

Promises not to sell out users. Slack prohibits third parties from allowing Slack user data to be used for surveillance purposes. From its law enforcement guidelines.

Slack is committed to the importance of trust and transparency for the benefit of our Customers and does not voluntarily provide governments with access to any data about users for surveillance purposes.

In addition, its data request policy states:

Requests for Customer Data by Individuals Third parties seeking access to Customer Data should contact the Customer regarding such requests. The Customer controls the Customer Data and generally gets to decide what to do with all Customer Data.

Its terms of service state:

Compelled Access or Disclosure The Receiving Party may access or disclose Confidential Information of the Disclosing Party if it is required by law; provided, however, that the Receiving Party gives the Disclosing Party prior notice of the compelled access or disclosure (to the extent legally permitted) and reasonable assistance, at the Disclosing Party's cost, if the Disclosing Party wishes to contest the access or disclosure.

As a result, our reading of Slack’s public-facing policies would prohibit it from sharing data to be used for surveillance.

Stands up to NSL gag orders. When receiving a National Security Letter with an indefinite gag order, Slack requests review by a judge. From its law enforcement guidelines:

In addition, if Slack receives a National Security Letter with an indefinite non-disclosure requirement, Slack will initiate procedures for judicial review pursuant to 18 U.S.C. § 3511.

Pro-user public policy: Reform 702. Slack has publicly called for reforms to Section 702 to curtail the surveillance of innocent people, stating in its transparency report:

We support codifying reforms to Section 702 of the Foreign Intelligence Surveillance Act expiring this year in order to reduce the overly broad collection of information.

Snap Inc.

Snap Inc. (previously known as Snapchat) earns three stars in this year’s report. This is Snap’s third year in Who Has Your Back, and it has adopted a number of industry best practices, including publishing a transparency report, requiring a warrant for content, and publishing its guidelines for law enforcement requests. Snap also supports substantive reforms to rein in NSA surveillance and has a public policy forbidding third parties from allowing Snap user data to be used for surveillance purposes. However, there is room for improvement. While Snap promises to inform users before disclosing their data to the government, it does not publicly promise to provide delayed notice when prior notice was impossible due to emergency or a gag order. Snap also does not have a published policy of requesting judicial review of all National Security Letters.

Follows industry-wide best practices. Snap publishes a transparency report and law enforcement guidelines. It requires a warrant before giving user content to law enforcement, stating in its law enforcement guidelines:

Process required for message content: A federal or state search warrant is required for requests that include message content.

Tells users about government data demands. Snap promises to provide advance notice to users about government data demands, but does not commit to providing delayed notice after a gag order expires, stating in its law enforcement guidelines:

It is our policy to notify Snapchat users when we receive legal process seeking their records, information, or content. We recognize two exceptions to this policy. First, we will not notify users of legal process where providing notice is prohibited by a court order issued under 18 U.S.C. § 2705(b) or by other legal authority. Second, where we, in our sole discretion, believe an exceptional circumstance exists, such as cases involving child exploitation or the threat of imminent death or bodily injury, we reserve the right to forgo user notice.

Promises not to sell out users. Snap prohibits third parties from allowing Snap user data to be used for surveillance purposes. From its transparency report:

And to be perfectly clear: We do not voluntarily provide any government with access to user data for surveillance purposes, whether directly or through third parties.

As a result, our reading of Snap’s public-facing policies would prohibit it from sharing data to be used for surveillance.

Stands up to NSL gag orders. Snap does not have a public policy of requesting judicial review of all National Security Letters it receives.

Pro-user public policy: Reform 702. Snap has publicly called for reforms to Section 702 to curtail the surveillance of innocent people. Snap was a signatory on a joint letter sent to the House Judiciary Committee Chairman and published on the Computer & Communications Industry Association website, which stated:

As you consider reforms to Section 702, we recommend that you adopt the following changes. First, reauthorization legislation should codify recent changes made to “about” collection pursuant to NSA’s Upstream program. This reform would merely codify changes already embraced by the U.S. government with the imprimatur of the Foreign Intelligence Surveillance Court (FISC) to correct deficiencies that implicate the constitutional rights of U.S. citizens…

Sonic

Sonic earns five stars in this year’s report. This is Sonic’s fifth year in Who Has Your Back, and it has adopted all of the industry best practices we measure in this report, including publishing a transparency report, requiring a warrant for content, and publishing its guidelines for law enforcement requests. Sonic promises to inform users before disclosing their data to the government, has a published policy of requesting judicial review of all National Security Letters, and supports substantive reforms to rein in NSA surveillance. Sonic also explicitly forbids third parties from allowing Sonic user data to be used for surveillance purposes. We applaud Sonic’s policies related to transparency and user privacy.

Follows industry-wide best practices. Sonic publishes a transparency report and law enforcement guidelines. It requires a warrant before giving user content to law enforcement, stating in its law enforcement guidelines:

Sonic will not provide user content without a U.S. search warrant.

Tells users about government data demands. Sonic promises to provide advance notice to users about government data demands, including delayed notice after a gag order expires, stating in its law enforcement guidelines:

Sonic will notify customers upon receipt of criminal legal process seeking information about their accounts unless prohibited by law… Please note: If due to emergency threat to life, or legal process prohibits notification, Sonic will notify customer after