Skip to comments.Who Has Your Back - Protecting Your Data from Government Requests
Posted on 06/18/2015 11:26:30 AM PDT by Swordmaker
We live digital livesfrom the videos shared on social networks, to location-aware apps on mobile phones, to log-in data for connecting to our email, to our stored documents, to our search history. The personal, the profound, and even the absurd are all transcribed into data packets, whizzing through the fiber-optic arteries of the network.
While our daily lives have upgraded to the 21st century, the law hasnt kept pace. To date, the U.S. Congress hasnt managed to update the 1986 Electronic Communications Privacy Act to acknowledge that email stored more than 6 months deserves identical protections to email stored less than 6 months. Congress also dragged its feet on halting the NSAs indiscriminate surveillance of online communications and has yet to enact the strong reforms we deserve. Congress is even on the precipice of making things far worse, considering proposals that would mandate government backdoors into the technology we rely on to digitally communicate.
In this climate, we increasingly look to technology companies themselves to have the strongest possible policies when it comes to protecting user rights. Which companies will stand by users, insisting on transparency and strong legal standards around government access to user data? And which companies make those policies public, letting the worldand their own usersjudge their stances on standing up for privacy rights?
(Excerpt) Read more at eff.org ...
Apple earns five stars in this years Who Has Your Back report. This is Apples fifth year in the report, and it has adopted every best practice weve identified as part of this report. We commend Apple for its strong stance regarding user rights, transparency, and privacy.
Industry-Accepted Best Practices. Apple requires a warrant before giving content to law enforcement, stating in its law enforcement guidelines:
Law enforcement is required to obtain a search warrant that is issued upon a probable cause showing for search warrants requesting user content.
In addition to a law enforcement guide, Apple publishes a transparency report.
Inform users about government data demands. Apple promises to provide advance notice to users about government data demands and will delay notice only in limited circumstances:
Apple will notify its customers when their personal information is being sought in response to legal process except where providing notice is prohibited by the legal process itself, by a court order Apple receives (e.g., an order under 18 U.S.C. §2705(b)), or by applicable law or where Apple, in its sole discretion, believes that providing notice could create a risk of injury or death to an identifiable individual or group of individuals, in situations where the case relates to child endangerment, or where notice is not applicable to the underlying facts of the case.
Disclose data retention policies. Apple publishes information about its data retention policies, including retention of IP addresses and deleted content. It includes a range of details in its legal process guidelines, for example:
Connection logs are retained up to 30 days.
See Apples legal process guidelines for more detailed information.
Disclose content removal requests. Apple discloses the number of times governments seek the removal of user content or accounts and how often the company complies, including formal legal process as well as informal government requests.
Pro-user public policy: oppose backdoors. In a public, official written format, Apple opposes the compelled inclusion of deliberate security weaknesses. In its statement on government information requests, Apple states:
In addition, Apple has never worked with any government agency from any country to create a back door in any of our products or services. We have also never allowed any government access to our servers. And we never will.
If you want on or off the Mac Ping List, Freepmail me.
Microsoft earns three stars in this years Who Has Your Back report. This is Microsofts fifth year in the report, and it has adopted several of the best practices we are highlighting. We appreciate what Microsoft has done to stand up for user transparency and privacy, but it still has more work to do. In particular, Microsoft should make clear its data retention policies and disclose what government content removal requests it receives.
Industry-Accepted Best Practices. Microsoft requires a warrant before giving content to law enforcement, stating in its law enforcement guidelines:
Microsoft requires an official, signed document, issued pursuant to local law and rules. Specifically, we require a subpoena or equivalent before disclosing non-content, and only disclose content in response to a warrant or court order. Microsoft's compliance team reviews government demands for user data to ensure the requests are valid, rejects those that are not valid, and only provides the data specified in the legal order.
In addition to a law enforcement guide, Microsoft publishes a transparency report.
Inform users about government data demands. Microsoft promises to provide advance notice to users about government data demands and will delay notice only in limited circumstances:
Microsoft will give prior notice to users whose data is sought by a law enforcement agency or other governmental entity, except where prohibited by law. We may also withhold notice in exceptional circumstances, such as emergencies, where notice could result in danger (e.g., child exploitation investigations), or where notice would be counterproductive (e.g., where the users account has been hacked). Microsoft will also provide delayed notice to users upon expiration of a valid and applicable nondisclosure order unless Microsoft, in its sole discretion, believes that providing notice could result in danger to identifiable individuals or groups or be counterproductive.
Disclose data retention policies. Microsoft does not publish information about its data retention policies that includes information about retention of IP addresses and deleted content.
Disclose content removal requests. Microsoft does not disclose the number of times governments seek the removal of user content or accounts. Microsoft informs us that they will be publishing this in September.
Pro-user public policy: oppose backdoors. In a public, official written format, Microsoft opposes the compelled inclusion of deliberate security weaknesses. John Frank, Microsofts Deputy General Counsel and Vice President of Legal and Corporate Affairs, stated:
Were also seeing officials around the world try to limit security measures such as encryption without making progress on the stronger legal protections that people deserve. The bottom line is that while governments only request data on a very small fraction of our customers, governments are seeking to alter the balance between privacy and public safety in a way that impacts everyone.
As we have said before, there are times when law enforcement authorities need to access data to protect the public. However, that access should be governed by the rule of law, and not by mandating backdoors or weakening the security of our products and services used by millions of law-abiding customers. This should concern all of us.
Google earns three stars in this years Who Has Your Back report. This is Googles fifth year in the report, and it has adopted some of the policies we are highlighting, including the best practices from prior reports. Nonetheless, there is room for improvement. Google should take a stronger position in providing notice to users about government data requests after an emergency has ended or a gag has been lifted. Furthermore, Google should provide transparency into its data retention policies.
Industry-Accepted Best Practices. Google requires a warrant before giving content to law enforcement, stating in its law enforcement guidelines:
But Google requires an ECPA search warrant for contents of Gmail and other services based on the Fourth Amendment to the U.S. Constitution, which prohibits unreasonable search and seizure.
In addition to a law enforcement guide, Google publishes a transparency report.
Inform users about government data demands. Google promises to provide notice to users about government data requests and, in most cases, promises to make sure the notification happens before the data is turned over. However, Google does not commit to providing notice after an emergency has ended or a gag has been lifted:
If Google receives ECPA legal process for a user's account, it's our policy to notify the user via email before any information is disclosed. (If the account is an Enterprise Apps hosted end user account, notice may go to the domain administrator, or the end user, or both.) This gives the user an opportunity to file an objection with a court or the requesting party. If the request appears to be legally valid, we will endeavor to make a copy of the requested information before we notify the user.
There are a few exceptions to this policy:
A statute, court order or other legal limitation may prohibit Google from telling the user about the request;
We might not give notice in exceptional circumstances involving danger of death or serious physical injury to any person;
We might not give notice when we have reason to believe that the notice wouldnt go to the actual account holder, for instance, if an account has been hijacked.
We review each request we receive before responding to make sure it satisfies applicable legal requirements and Google's policies. In certain cases we'll push back regardless of whether the user decides to challenge it legally.
Disclose data retention policies. Google publishes some information about log data and deleted data, but it is not complete and representative of all its services and thus does not qualify for a star.
Disclose content removal requests. Google does an exemplary job disclosing the number of times governments seek the removal of user content or accounts and how often the company complies, including formal legal process as well as informal government requests.
Pro-user public policy: oppose backdoors. In a public, official written format, Google opposes the compelled inclusion of deliberate security weaknesses. Google signed a coalition letter organized by the Open Technology Institute, which stated:
We urge you to reject any proposal that U.S. companies deliberately weaken the security of our products Whether you call them front doors or back doors, introducing intentional vulnerabilities into secure products for the governments use will make those products less secure against other attackers. Every computer security expert that has spoken publicly on this issue agrees on this point, including the governments own experts.
Their platforms are walled gardens, negating the alleged positive qualities.
A lack of a star in columns 2 and 4 are, to me, the most disturbing.
I could not discern the titles on the columns of the charts, for they were both fuzzy and of colors hard to read.
What government requests? The Communist Chinese, through the inactions of the U.S. government, have every bit of information about me, as the hack that was recorded, extends back to 1985.
Really? You really do not know what you are talking about. Apple has a lot of open source software. . . and contributes a lot of their software to the Open Source products, the latest is HealthKit. Some of the others are WebKit, which drives many of the browsers you probably use: CUPS, the printer driver used by UNIX, Linux, and many other open source printing systems. and even Apple's own underlying operating system is UNIX, the ultimate open source software. Even Safari, Apple's browser's code is available for users to see. What you cannot do in iOS is freely load crap un-curated software that will compromise the security of the ecosystem. For that reason Android has 97% of the malware in the Mobile market and iOS has less than 1% and that is on the jailbroken iOS devices.
Yes, there are always "vulnerabilities" but exploiting those vulnerabilities is far harder with a walled garden approach. Allowing anything in, willy-nilly, and the platforms would not be secure or safe.
Thank you for the clarification on the chart.
Tip o' the ol' beaverskin cap to Swordmaker for the ping!!
Microsoft’s data retention policies are not public but are available upon request to EA and Premier customers. I can tell you, without breaching NDA, that they’re much better than Google.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.