In the wake of disclosures made by U.S. National Security Agency (NSA) whistleblower Edward Snowden about government surveillance, many Americans have become more aware of privacy risks. In response, many U.S. companies have taken privacy increasingly seriously, according to a new report on government data requests from the Electronic Frontier Foundation (EFF).
The EFF report has six categories under which it ranks vendors: requiring a warrant for content of communications; telling users about government data requests; publishing transparency reports; publishing law-enforcement guidelines, fighting for users’ privacy rights in courts and publicly opposing mass surveillance.
The EFF gave a full six-star rating to Apple, CREDO Mobile, Dropbox, Facebook, Google, Microsoft, Sonic, Twitter and Yahoo.
“This year, we saw major improvements in industry standards for informing users about government data requests, publishing transparency reports, and fighting for the user in Congress,” the EFF reports states. “These changes in policy were likely a reaction to the releases of the last year, which repeatedly pointed to a close relationship between tech companies and the National Security Agency.”
The overall tone and trends shown in the EFF’s report are positive, showing clearly that most technology vendors are taking solid steps to protect users’ privacy. It’s unfortunate that it took a major event like the Snowden disclosures to make privacy such a priority.
The improved privacy and transparency can be seen as a silver lining of the whole Snowden affair. If he hadn’t leaked information, it’s not likely that the EFF report would have been as favorable.
Privacy and transparency are, however, only part of the full equation for user security.
Whether it’s a rogue nation-state or the NSA, there are other risks to user privacy that might not be disclosed in transparency reports of the type the EFF tracks. Secure Sockets Layer (SSL) technology, for example, is critical to ensuring the security of data in motion across the Internet.
The vast majority of SSL sites today do not use a technique known as “forward secrecy.” In a non-forward secrecy SSL deployment, there is a single server key that is used to encrypt all SSL sessions. The risk is that if that key is stolen or lost, all SSL data content could be decrypted. With forward secrecy, each SSL session gets its own unique server key, minimizing the risk.
In November 2013, Twitter announced that it is using forward secrecy. It would be great to have full transparency from other vendors in a report that shows all the other vendors that now support forward secrecy, as well.
Users are also at risk from data breaches that could put their information at risk. The speed with which different organizations respond and report data breaches affects privacy, as well.
Passwords are also a risk to privacy and sites/services that do not provide users with two-factor authentication are not doing their users any favors. Two-factor authentication requires users to have a second password (or factor) in order to log into a site or service.
The EFF report is focused on transparency in the face of government requests, and it’s great to see so much improvement in that area. It’s still important to remember that transparency is only part of the solution, and organizations should be using SSL forward secrecy and two-factor authentication to further protect user information and privacy.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.