Oh I guess then it's safe to put my data on the American cloud again.
Just kidding, wouldn't do it. And neither should you.
It's sad, but as a foreigner I don't see that, regarding government policies, anything at all has changed since Snowden went public. I have nothing against the USA taking various leadership roles. Biggest democracy, newest technology etc, but since early 2000s it seems they are doing a bad job in many areas.
What would make you think that foreign governments would be any better? Supposedly privacy friendly European governments engage in plenty of wiretapping[1][2][3]. What I find different about what happens in the US is that these events are highly publicized, scrutinized, and court battles over wiretapping are extremely expensive for the US government, compared to other countries. I don't see that happening elsewhere.
My understanding is that, as a non US-citizen, I'd be generally considered 'fair game' for a lot of blanket surveillance that would not be applied to Americans. Maybe this is what scrrr is referring to? [Edit: I see this is what harkyns_castle alludes to as well.]
Because there's a significant difference in influence I can assert to MY governmnet and a FOREIGN (which includes US) government.
Consider just a lot of US surveillance laws: we non-US citizens might as well be animals for the rights we have. Significantly different than what our own local/EU privacy laws award us.
Also it is significantly easier to take legal action againsy my own government agencies than US ones.
Oops. CA not CN, CA is the postcode for California and the TLD for Canada. Good to see some pressure applied to the NZ gov but I think Dotcom muddles things.
May be that foreign governments aren't any better (but I bet that no EU government spend as much money as the USA in wiretapping), but if you're not an US citizen (and so no warranties are valid for you) I think it's better to have your data in a jurisdiction where you can defend yourself in court, if the need arises.
The difference between "other countries" and the US is that the US puts up a show of "human rights", "scrutiny", and "court battles" in order to show that they "care", whereas the other ones just do not bother.
Where are the results? Better yet, public scrutiny? Everything's a fucking national secret.
Foreign governments are certainly no better. However the government in the USA is certainly more capable and perhaps more motivated than most to act on the information it receives.
There is also familiarity with the government carrying out the surveillance to be taken into account. For most European countries, particularly the one that have been members of the EU for some time there is quite good rule of law and so the consequences of being monitored are potentially less severe. Looking at governments with lots of resources to spare or ones without a good rule of law then surveillance is likely to make people more nervous - which is exactly the intent.
You can't proselytize a rational worldview to irrational people.
The likely reality is that the U.S. has a lesser desire than most other governments to suppress liberty, privacy, and free expression, but their capability is so much greater in magnitude than the others that they end up being the worst offender in the world anyway.
So you can't just say that "every government is bad." Some have worse motives than others, and some are more competent than others. As a result, citizens of governments who are only in it for the bribes and mistresses and are otherwise somewhat bumbling incompetents (and I'm not naming names here), are likely safer than citizens of governments who believe they have a mission from God to be the sword and shield of the righteous, and hire thousands of the smartest people in the world to carry that mission out.
The point being that yes, all governments are a nonzero threat to all people, but severity equals risk multiplied by impact. You really have to address the shit that the U.S., Russia, and China are doing to the global network first.
> bumbling incompetents (and I'm not naming names here), are likely safer than citizens of governments who believe they have a mission from God to be the sword and shield of the righteous, and hire thousands of the smartest people in the world to carry that mission out
Yes bumbling Europeans are less dangerous but only because they have outsourced their intelligence to the US. China and Russia are more dangerous but only to their own population.
If a national spy agency had a rule against spying on non-citizens, it would not be much of a spying agency, would it? Additionally, outside of specific treaties, why should one country have certain obligations to other countries' citizens?
Of course no country has such an obligation per se. But if your government constantly attacks my infrastructure, why oh why should I even consider paying a penny for your service? Given that many American companies still market to users outside the US, this nevertheless seems to be the overall expectation.
It is not about spying or not spying, it is about spying on legitimate targets. All countries (should) have obligations to basic human rights. If I were a head of state, I would expect the U.S. to attempt to spy on me (and I would expect my country to stop them). As an private individual, I very much have the same rights under the U.S. constitution as do U.S. citizens. It is not OK to violate my right to to be free from unreasonable search and seizure. They should have to get a warrant to spy on me, just as they (should) have to do for an American.
Quite right, it'd be a terrible spy agency with those restrictions. I have no issue with warranted investigations, or prosecuting people doing bad things.
I'm arguing that broad, warrantless surveillance is a horrible, chilling thing to be doing. The fact that everyone is doing it doesn't make me feel better.
I've been constantly surprised about how little scrutiny that kind of statement has received in the media - American or otherwise. I thought it would've publicly raised more hackles here in New Zealand (but I guess we all ultimately just feel powerless in the face of such determined surveillance might).
Same thing in Australia, its surprised me also it's not picked up on more. But after the likes of George Brandis' comments (essentially that Snowden was a crook yada yada), I'm starting to not be surprised. The other thing which I find depressing are comments along the lines of "Oh, everyone is doing it, its fine". I don't see that, I think its a damn scummy thing to be doing.
>In particular I find the constant harking back to "Well, we don't spy on US citizens, only everyone else." particularly annoying.
It is annoying, but there is a reason why it is being said. Laws (are supposed to) prohibit (more or less) the US spying on its own citizens without cause. It is written into the constitution (more or less). Foreigners don't have that protection under law. Whether that should be changed or not is a different question than are these programs legal under current laws.
Sorry to nitpick and slightly OT, but more people voted in the elections in India these past weeks than the US has citizens. A staggering half billion plus.
You mean "cloud" all by itself. Don't let the current focus on the NSA fool you into believing that other countries aren't taking low hanging fruit like "your data on a remote server" for their intelligence.
I'd like to hope there are some governments out there without that kind of mentality. Even if not, most countries wouldn't or couldn't be pumping in this kind of cash [1] to broad-spectrum warrantless hoovering. I imagine it'd be a lot more than the below figures too if you take into account contractors and creative accounting.
To say its all about 'terrorism' is laughable, and I wonder just how many trade deals etc have fallen foul of this, or how many people manipulated into doing what the likes of George Bush wanted. How could you trust doing business with someone in the US after these revelations? Just blatant lies all over the place, from the top echelons down. They've made it to the point where if you wanted to develop something you don't want them to grab, it means an air-gapped workstation. That probably doesn't have much mileage either.
It wouldn't matter if there were governments that wouldn't spy on you. That you don't put your data on a server in the US isn't going to stop the NSA, that you didn't put it in the UK isn't going to stop GCHQ, and so on.
This idea that you just put your data in Europe and it's safer is just laughable. The treat is pervasive, it is intelligence agencies working together all around the world. It doesn't stop at any national border.
> top echelons down
I can't tell if you're being humourous or not, but the Snowden releases weren't really new information, they were proof of what information that had leaked out over the past decades.
Everyone does it. The US gov treats it own stuff the same way, air gapping sensitive information and operating a national scale private internet.
The issue in my mind is that we are literally at war with individuals, and we focus on the symptoms instead of root causes. We have been assassinating, subverting, bribing and observing individual enemies of the state for over a decade.
Has doing this done anything to make us safer, as in how we felt in the 80s before international terrorism?
That is my problem with the debate. While some people DO get up in arms about the U.S. government's activities, it is always phrased in such a way as, "You can't do this to American citizens!" What about non-citizens? What happened to "All [people] are created equal?"
> While some people DO get up in arms about the U.S. government's activities, it is always phrased in such a way as, "You can't do this to American citizens!" What about non-citizens?
Non-citizens, presumably, can set up their own governments to secure the blessings of liberty for themselves and their posterity -- but they aren't the people for whom the people of the United States ordained and established the Constitution of the United States to secure the blessings of liberty.
> What happened to "All [people] are created equal?"
All may be created equal, but the United States government wasn't created to serve all.
That's not to say there aren't limitations on the powers that the US government should apply against non-citizens, but from the very beginning citizens and non-citizens have been by design situated differently with respect to the US government.
The EFF apparently cares a great deal about government surveillance but does not comment on corporate surveillance.
Is it a coincidence that some of the 6 star corporations who supposedly "have our back" are funding the EFF? Sigh.
A lot of the EFF's work seems to go into defending Google's rights rather than defending individuals' rights. This is bizarre behaviour for a privacy advocacy group. See also: https://twitter.com/EFF/status/466727797713825793
I find that I can no longer support the EFF's work.
No, they spend an enormous time commenting on actions by private companies, including corporate surveillance. Maybe you've just paid attention for the last few days?
Meanwhile reliable critics of Google like Cory Doctorow have also been criticizing the ruling by the European Court of Justice, and if you read the link in that tweet
you'll see that the implications of that ruling actually are troubling. I think on the contrary, implying that being troubled by the ruling is equivalent to "defending Google's rights rather than defending individuals' rights" is disingenuous and intellectually lazy.
You can disagree with them, but it shouldn't be hard to empathize here: imagine someone who strongly believes in an American-style right to free speech; surely it's not beyond the realm of possibility that that person can't be both a vociferous defender of individual's rights while also worried about how this ruling will itself erode those rights?
If you believe that an (American style) right to free speech overrides the right to individiual privacy, you are not a privacy campaigner.
If you believe that Google and Facebook deserve full marks on any measure of privacy, and that deserves to be one of your key press releases, you are not a privacy campaigner.
I empathise with these attitudes amongst proponents of free speech, yes, even though I don't agree. If Cory Doctorow supports this, I disagree with him but I am not outraged. However, I don't empathise here: not at all. Here, I am outraged. EFF put 'privacy' as one of their key areas of work and they are amongst the best known privacy campaign groups.
When the European principles of Data Protection are upheld correctly (which rarely happens), the EFF creates a campaign which is against that ruling and in favour of Google's right to ignore the principles. They are speaking out against a fundamental of privacy: a basic principle regarding processing personal data. IMHO that is extremely anti-privacy.
Both of these points significantly harm real privacy campaigning, from a group which places itself as one of the defenders of privacy.
Focusing on governments seems like a good focus. They are much more powerful, have a much darker history of abusing that power, and opting out of giving info to businesses is much more realistic, while still hard.
There are a handful of private services for which the market is both cornered by a handful of participants and a necessity to modern life. Opting out of those is about as easy as opting out of laws, both of which require a form of essentially going off grid or on the lam.
Also, it is important to realize that the consolidation of data by businesses is exactly what makes it so easy for government to show up and say "I'll have some of what he's having."
Businesses leverage their power over people to get at data they otherwise wouldn't like to share.
Governments leverage their power over businesses to get at data they otherwise wouldn't like to share.
You can argue that the power in question is different, and that's an important piece of the conversation to have. But overstating that facet becomes a smokescreen for an "it's OK for me to do, but don't do it to me" argument.
They aren't really focusing on governments plural, just government singular: the US government. To comply with US law these American companies must provide information about non-US users to the US government, without any warrants. The 'warrant for content' star is meaningless to non-US citizens.
>opting out of giving info to businesses is much more realistic
This EFF report is only talking about government surveillance through corporations. If you opt out of using Google (note: this isn't possible if you use the web) then it doesn't matter if governments are requesting your data from Google because Google has nothing to tell them.
Solving corporate surveillance would solve all of the of government surveillance that this EFF report is concerned with.
The text on the page is pretty misleading as well. It starts off ok:
>We entrust our most sensitive, private, and important information to technology companies like Google, Facebook, and Verizon. Collectively, these companies are privy to the conversations, photos, social connections, and location data of almost everyone online.
But then they ignore what they just said and focus only on government data requests, instead of asking the most relevant question which is what do the companies do with that data that might impact users privacy. Is the company selling a profile about me to health insurers? This page won't tell me, yet the page is giving these companies an EFF badge of approval for 'privacy'.
Further on they say:
>In the face of unbounded surveillance, users of technology need to know which companies are willing to take a stand for the privacy of their users.
Again this is misleading. Standing up to government data requests is not the same as 'taking a stand for the privacy of their users', since the company may also be selling the information to anybody willing to pay for it. Standing up to one type of request (that has no economic benefit to the company) doesn't tell us how the companies act when it comes to protecting the data in other ways (where they have a direct economic incentive to mine the data and to sell the data). The text continues on in a similar way, constantly implying that government data requests are the only thing that could possibly violate privacy.
I can only agree with the other commentators that are calling this report a corporate propaganda exercise. Some people have implied that it's just because these companies are funders of the EFF. I'm not sure it's a simple as that. The EFF has always involved some people with pretty extreme political views that are very pro-corporate. The 'Freedom' in their name has always been as much about freedom for corporations as it was about freedom for individuals. That is probably why this page acts like corporate surveillance can't exist; by definition (according to their politics) only the government can spy on you. Everything else is just 'the market'. I doubt many people reading the page will be aware of the extreme political view behind the design of this report, which is of course the sign of well executed propaganda.
>Your Web searches about sensitive medical information might seem a secret between you and your search engine, but companies like Google are creating a treasure trove of personal information by logging your online activities, and making it potentially available to any party wielding enough cash or a subpoena.
This is exactly what I object to: they present themselves as privacy campaigners on their front pages, but when push comes to shove they roll in favour of Google and against the individual's right to privacy.
>Tell users about government data requests. To earn a star in this category, Internet companies must promise to tell users when the government seeks their data unless prohibited by law, in very narrow and defined emergency situations,[2] or unless doing so would be futile or ineffective.[3]
Those caveats make this a meaningless category, particularly the first one. Nearly all the data requests that people are concerned about have been coming with gag orders attached. Not to mention, how can the EFF even verify this? One assumes the criteria are assessed by the companies' policies, not by their actions, and that's clearly meaningless if the government is essentially compelling them to lie, keep silent or "massage the truth".
> Nearly all the data requests that people are concerned about have been coming with gag orders attached.
citation? most data requests are run of the mill subpoenas (in non-criminal cases), gag orders only apply to a fairly small subset of user data requests.
I'm talking about the requests people are concerned about, not nearly all the data requests that are made. I may be way off-base here, but I think that most people are not particularly uncomfortable with the idea that law enforcement could get a warrant to seize their data from a judge based on probable cause and would do so without putting the company under a gag order - that's what we expect from the constitution. I think people are much less comfortable with being caught in a suspicionless surveillance net based on a warrant issued by a FISA "court" with no transparency and no adversarial hearing process, and those are generally issued with national security gag letters.
The PRISM companies have been saying they 'have our backs' since that story broke, and it's more clear than ever that they were lying in those statements. (notably, see the material in Glenn Greenwald's recent book No Place to Hide about direct surveillance agency access to severs, in spite of coordinated statements from the companies denying precisely that. Not that most people found them credible back then.)
What I'd like to know is who is acting to protect their users, and for a lot of the of the entries on this list I have negligible levels of trust that words and actions tell the same story.
Still, all the star categories here are at least somewhat verifiable, and giving bad actors credit for improving is a good thing.
I think this has limited value as a guide to what companies can be trusted, but great value as a survey about the response of U.S. society to the Snowden releases, and these trends look somewhat encouraging.
Thanks EFF, for pointing the spotlight.
Pretty intrigued by this! However, if the data is sold by CC companies, is it truly "public"? Regardless, would you even be able to target an individual without spending lots of money to buy a large batch of "anonymized" spending data?
They are basing this largely on statements by the companies in question, not on their actions or any proof that these companies actually abide by their promises. Seems a bit hollow to me.
Criteria like "Tell users about government data requests. To earn a star in this category, Internet companies must promise to tell users when the government seeks their data unless prohibited by law" doesn't inspire confidence either.
what would a reasonable criteria be? Should the EFF create criteria that could only be met by criminals?
The main issue with the gag orders that people are concerned about is not that they are fundamentally wrong, but that they are ripe for abuse. Many of these companies are publishing some data about these kinds of orders, so within the limits of the law they are doing everything possible.
If people are interested in a more in-depth view about this, check out https://transparency-reports.silk.co/. It covers other countries too and has more raw data on both companies and governments.
The EFF collaborated with us [1] on this and we're very excited about being able to provide the data in an accessible and easily comparable way on the web.
It is indeed a sad state of affairs when you have to read the title "Protecting Your Data From Government...".
It highlights the fact that government no longer works for us; that that majority of people either do not care about the issue, or they do care and democracy is a farce.
Of those options, I firmly believe that democracy is a farce.
My 90 year old Gran's father was one of the founder's of the British Labour Party. She says that if someone starts a revolution she she join in. She thinks she is too old to start it, and to be fair she is blind and deaf so she's doing pretty well. We need more people like her.
I'm curious as to whether my pessimism about government, or my disillusionment with democracy or my 90 year old Gran's revolutionary tendencies caused offence?
If you're not willing to participate in, and accept the conclusions of, your democracy in the first place, what makes it likely you'd be willing to do so in any other system?
Those revolutions were about asserting an effective democracy, not a particular policy platform. The governments they removed were actively rigging elections, not just successfully attracting the majority of the vote and implementing polices you didn't like.
Just to play devil's advocate here, what if there were only two parties you could effectively vote for, because the system was rigged in such a way that regardless of which party you voted for, the actual underlying system still penalised the majority whilst benefitting the corporation.
To be fair, my use of the word 'revolution' was misleading. I meant fundamental change, and not a violent overthrow of government. I did not realise and was naieve to the fact that many people only see revolution as a word that is both negative and violent.
It's too broad of a problem to describe. Different places have different problems. But you're also phrasing the issue in terms of non-participation. Is it impossible to join the political parties and work for change from within them?
So long as the vote itself is not rigged (something which gets questionable in the US I'd say) then in many cases its very much a matter of playing well with others, and actually having the support of the populace on your side.
There's also more layers of government that are important then just the federal. Local councils have a fair amount of power to influence policy implementation in their areas, states more so and representatives of both have louder voices for broadcasting dissent.
You seem to be using revolution to describe "getting enough supporters to vote for you". And if you can do that, then you can get yourself elected into office at some level of government (or someone you feel does represent you) and start effecting change.
I am happy to see the significant increase in stars, but I do wonder if the same rules apply to both US and non-US users. The report is vague regarding this.
It applies equally to non-U.S. nationals. The U.S. just ignores the requirement because those people don't have standing to sue in U.S. courts, and the U.S. has the de facto ability to ignore rulings by other courts.
The Constitution tends not to refer to "nationals" or "citizens" but to "people", as the general intent was to limit the things the government was allowed to do, not to whom they could do those things. The likely argument then, as it would be now, is that if the U.S. can blanket-surveil a foreigner, they could easily convert those same capabilities to a U.S. national.
This is a very good development, and it also suggests that these kinds of publications may have some positive effect in encouraging more companies to, well, "have your back".
I think they changed the categories, and now they are only about whether they fight against the government or not, and even those aren't that great. Take AT&T for example. Yes, they "publish transparency reports", but very weak/misleading ones. They don't publish everything. AT&T gives NSA the whole firehose to their cables, and they still get to get a star for "publishing transparency reports" which don't even include that important tidbit of information?
They have nothing to do with how invasive their privacy policies are against their users, how much they track you, how good of an encryption they use or anything like that. Maybe they should make a separate benchmark for all of those, too, if they're not going to integrate them anymore. Because soon we'll be seeing headlines like "Facebook has 5/5 stars on privacy!" - which is just misleading to most people.
It's a good development but to say that these companies "have our back" is an overkill. Most of them don't really care, I probably would just count on twitter from that list, and I'm not so sure anymore since this happened: http://allthingsd.com/20130830/twitter-general-counsel-alexa... interestingly this was right before the IPO.
So the EFF is now becoming the lobby for the US surveillance companies?
Several of these companies built their business model on commercial surveillance of their users with the purpose of monetizing their data directly or indirectly.
And these are the companies that are supposed to "have my back"? Really?
Companies never "have anyone's back." They exist to generate revenue; this isn't intrinsically bad. However, this should preclude any form of blind trust.
Their whole business model fundamentally depends on extracting as much personal data as possible from their users. Though there is some solace in the fact that their motive is at least known.
It's fighting for users' privacy as in fighting for how much of that ton of information they're gathering can be withheld. Otherwise, yeah, I know a few really attractive ladies who are fucking for virginity.
It's not surprising that Google and Facebook would be huge advocates against government and other use of their databases - I imagine the renewed fervor about end-to-end encryption and the increased skepticism of cloud services is really going to hurt their business model. A secret kept by two people is almost as private as one kept by just one. (Not saying that they'll succeed or even that they have an incentive to succeed 100% of the time, just that I imagine the lack of trust now is going to start hurting soon, if it's not already.)
> CREDO Mobile, a new addition to this year’s report, demonstrated through its exemplary policies that it is possible for a telecom to adopt best practices when it comes to transparency and resistance to government demands.
I'd never heard of Credo Mobile before.
Regardless of the intentions of Credo, since they appear to be leasing Sprint's towers, doesn't that ultimately put Credo's customers at the whim of Sprint in terms of who gets wiretapped / transparency reports / etc?
Or is it possible for a tenant on the infrastructure to be reasonably assured that outsiders can't intrude into their communications.
I know very little about it, but what I've seen of cell network security research, makes me assume that no such security exists for tenants leasing towers.
The problem with this list is that I can't tell if the starred company ALWAYS does the relevant action, or HAS done the relevant action at times. Does Google always tell users about govt requests for data? Or does Google sometimes tell users about govt requests for data? Because recent revelations indicated the government could retrieve their data without Google even being involved in each transaction, and they were legally barred from revealing fine-grained details about requests. But they did publicly oppose that policy after the fact and fought (or at least appeared to) the policy after it was revealed. So they get a star in that category now?
It's a bit like charting a flip-flopping political candidate's stances on issues. Does candidate X support issue Y? Yes! Does candidate X oppose issue Y? ... yes!
Why aren't there any of the services that actually have our backs on this list? Companies such as https://MyKolab.com clearly seem to belong on that list.
reddit doesn't really have any of your personal data. They may have an email address, but that's about it. They may also have an IP address, but as long as your ISP is good, even if law enforcement gets that it won't help much.
Lets all just trust these corporations who went behind our backs since start of the 90s.
EFF reports clearly shows now that the major corporations which backstabbed us are doing all they can now to serve our interests and not other agendas. Herd the sheep, and sheep will not say a thing. Well done EFF, show me the way to herd the sheep.
While it might not be believable it could give the companies and the people inside pushing for these things some positive reinforcement. It has to be very clear what is not acceptable and what will create good and bad press. They will most probably keep doing it in the dark, but at least everyone involved knows it's wrong and could endanger their business. That's a first step.
Oh I guess then it's safe to put my data on the American cloud again.
Just kidding, wouldn't do it. And neither should you.
It's sad, but as a foreigner I don't see that, regarding government policies, anything at all has changed since Snowden went public. I have nothing against the USA taking various leadership roles. Biggest democracy, newest technology etc, but since early 2000s it seems they are doing a bad job in many areas.
No thanks.