Leading tech companies get failing grade for their privacy policies

Among the report’s findings:

  • Only six companies scored at least 50 percent of the total possible points
  • The overall highest score was only 65 percent
  • Seven companies — nearly half of the companies surveyed — scored less than 22 percent, demonstrating “a serious deficit of respect for users’ freedom of expression and privacy,” the report found
  • Tech firms universally failed to disclose internal censorship. If Google decides to edit or remove someone’s content, the report found, it does not feel the need to publicly disclose either that it has done so or why.
  • When it came to whether Web-based companies allowed encryption of private content and control access, the average score across all eight was 6 percent
  • Transparency varies greatly within a single company: Facebook owns WhatsApp and Instagram, but disclosures at its flagship product and Instagram were far better than those at WhatsApp, which sometimes did not even publish privacy agreements in the correct language.
  • While local laws block companies from disclosing national security-related government requests in some countries, in every case the survey identified ways that the companies could improve their standing even without changes to extant laws.
  • Despite the revelations about their cooperation with the National Security Agency (NSA), U.S. companies were far from the worst offenders. European companies, notably Orange, had serious cooperation issues as well.

The fact that the highest aggregate score on privacy, freedom of expression, and companies’ commitment to those values as evidenced by the companies’ practices and user agreements was only 65 percent out of 100 percent, can be read in two ways. “On the one hand, it’s not like nobody’s trying at all, but the best-scoring company got a D,” Rebecca MacKinnon, who runs the ranking project, told the Gurdian.

Overall, Google ranked highest among Internet companies, while the U.K.-based Vodafone ranked highest among telecommunications companies, despite significant deficiencies.

The lowest was Mail.ru, the Russian email service often used to create spam accounts, which had a score of 13 percent.

“The picture is quite remedial,” said MacKinnon. “Part of the problem is that this is a new world with the internet, and we are so dependent on these companies that we really need them to get it right. And they have a lot of work to do.”

MacKinnon said clarity for users was vital and a lack of it could have serious consequences.

“About a year and a half ago, Syrian opposition groups started getting locked out of Facebook and having photos taken down because they were ‘against terms of service’,” she told the Guardian. “There was no clarity about why or how those terms of service are being enforced. And a lot of activists that depend on Facebook feel like the opacity, given how dependent people are on the platform, is not socially responsible.”

MacKinnon said the indicators would need to improve if the companies were going to succeed in multiple regions.

“If they don’t earn the trust of the user, it’s going to be much harder to succeed as a multinational company and earn the trust of users across borders,” she said. “A French user might trust the French government, but they don’t trust the NSA. These companies have to prove that they’re doing everything they can in this imperfect world where you have governments everywhere that at least someone thinks is infringing on their rights.”

MacKinnon noted that she remained optimistic that over time, the industry would improve its privacy efforts. “This is the test you take at the beginning of the class where everybody fails, and then you get to work, and then everybody’s going to improve,” she said.