What: 

Who Has Your Back is an annual report released by the Electronic Frontier Foundation that evaluates a set of select companies’ policies with regard to how they treat user data when governments demand access. The report seeks to promote competition by creating a “race to the top” amongst companies who stand up for their users’ privacy in the legislature and in the courts whenever it is possible to do so.

Who: 

Electronic Frontier Foundation (EFF)

Where: 

United States

The Surveillance Practice: 

We entrust our most sensitive, private, and important information to technology companies like Google, Facebook, and Twitter. Collectively, these companies are privy to the conversations, photos, social connections, and location data of almost everyone online. The choices these companies make affect the privacy of every one of their users. So the question is: Which companies stand with their users, embracing transparency around government data requests? Which companies have resisted improper or overbroad government demands by fighting for user privacy in the courts and in the legislature? In short, which companies have your back?

These questions are even more important in the wake of the past year’s revelations about mass surveillance, which showcase how the United States government has taken advantage of the rich trove of data entrusted to technology companies to engage in surveillance of millions of innocent people in the United States and around the world. Internal NSA documents and public statements by government officials confirm that major telecommunications companies are an integral part of these programs. We are also faced with unanswered questions, conflicting statements, and troubling leaked documents which raise real questions about the government’s ability to access the information we entrust to social networking sites and web mail providers.

In the face of unbounded surveillance, users of technology need to know which companies are willing to take a stand for the privacy of their users.

In this program, the companies in the survey are all based in the United States, and subject to United States law on legal information requests (in some cases, other governments will seek information from these companies, often through mutual legal assistance treaties (MLATs) between the United States and another country).

In the United States, government requests occur in many different forms depending on the type of company and the services they offer. The types of requests directed at companies are extraordinarily varied, even within the United States. They range from warrants signed by a judge after a showing of probable cause (the highest standard in US law), to informal telephone calls in cases of emergency, to subpoenas signed only by a government lawyer, to top-secret orders of a classified intelligence court that a company may not even be able to keep a copy of. The report covers the companies policies for all of its users, regardless of where the user is located.

The Who Has Your Back report doesn’t encourage companies to resist appropriate requests. For example, if a child has been kidnapped, law enforcement could be within its rights to go to Facebook, give them the facts and circumstances that show the child has been kidnapped and is at risk of serious physical injury, and that addressing the emergency requires disclosure without delay. Facebook could then legally turn over information related to the emergency. On the other hand, if a young adult has been suspected of selling drugs on Facebook, law enforcement should go to Facebook with a warrant and ask for access to the teen’s data, which Facebook would then be required to turn over. EFF encourages companies to resist requests if and when, for example, law enforcement comes to Facebook asking for the content of a suspect’s communications in a non-emergency situation without a warrant. That’s the kind of situation where EFF expects the provider to push back.

The Campaign: 

In 2011, the Electronic Frontier Foundation released its’ first Who Has Your Back report that evaluated publicly-available policies of major Internet companies—including Internet service providers, email providers, mobile communications tools, telecommunications companies, cloud storage providers, location-based services, blogging platforms, and social networking sites—to assess whether they publicly commit to standing with users when the US government seeks access to user data. The report is now released annually, with the goal of allowing users to make informed decisions about the companies with whom they do business. It is also designed to incentivize companies to adopt best practices, be transparent about how data flows to the government, and to take a stand for their users’ privacy in the legislature and in the courts whenever possible. EFF doesn’t rate companies or give them a score or grade, they only give them positive reinforcement for positive practices and encourage those companies who already have good user data protection policies to be more public and transparent about their practices.

The Strategy: 

Each year in preparation for the release of the annual report, EFF establishes objective criteria on which they evaluate the companies. Then EFF reaches out to the selected companies, allocating ample time for EFF to learn where these companies are coming from on all of their practices and for the companies to establish an understanding of the Who Has Your Back criteria before the report is published.

Specifically for this year’s campaign, EFF's approach of being “all positive, all the time” has really worked. EFF acknowledges that sometimes you have to step on some toes to make a point, however EFF’s goal is to incentivize companies to improve their transparency practices and not shame them. For this particular campaign, EFF used only publicly-available statements to evaluate companies—the theory being that anyone can check their work.

Since Who Has Your Back’s inception, the strategy has evolved quite organically. It only took a few big-name companies like Google and Twitter to say that they publicly demand a warrant before turning over user content (in all but the most limited of emergency circumstances) for other companies to follow suit. A few major companies still don’t release transparency reports, but the vast majority of them do—and this is a direct result of Who Has Your Back. For example, Google, Yahoo, Facebook, Twitter, and Microsoft have started giving notice to their users for government requests when they didn’t before. The report has caught fire, especially in the past two years, (with the Snowden revelations to partially thank), and now we’re seeing companies like Apple—who never says anything about anything—starting to be more transparent.

Lessons Learned: 
  • Identify companies’ best practices in defending users' rights and promote competition amongst companies to promote good practices.
  • Give yourself ample time to interact and engage with companies.
  • Use positive reinforcement with companies as an effective strategy; it encourages better privacy practices.
  • Capitalize on the bandwagon effect.
  • Establish objective criteria early on if your campaign involves issuing a rating or grade so it’s clear to all parties involved.