Hacker News
Who Has Your Back? Government Data Requests 2015 (eff.org)
153 points by FredericJ on June 17, 2015 | 46 comments



I'd like to point out something related to what others have already said. First, they've pointed out the seemingly illogical picking of companies. Snapchat but not Instagram (maybe part of facebook?) and AT&T but not T-Mobile? etc.

Another issue here is that by looking at the past reports you see how quickly one company is the favorite and soon becomes the ugly step child. The columns with stars are also changing to what sound like very vague and lax requirements compared to the year before.

I didn't see any explanation there why. For instance they took out the "requires warrant" column. I wonder if companies are contributing to the EFF and so the EFF feels the pressure to make these companies look good in the face of this new Snowden era. For instance, isn't it great that Apple now has 5 stars as it's starting its big "we're private" push while Google is now very low compared to previous years? And how about Twitter? They used to be a poster child for good behavior as far as companies go.


You can read the description below the chart, they rolled the requires warrant column into another column. A company must do both things to get a star.


The only ones that actually have your back are those that use encryption to make data collecting impossible.


This is about requests for stored data and then the encryption is moot, that mostly affects data in-flight or seized computers if the data is stored. In the latter case you will probably be forced to cough up the decryption keys.


Hence cperciva's "Playing chicken with cat.jpg": http://www.daemonology.net/blog/2012-01-19-playing-chicken-w...

When we're talking about protection against government data requests, only companies that make sure they have access to the absolute minimum client information they possibly can do truly have our backs. Everyone else just has good intentions.


Colin has it right. If you don't want to ever compromise your clients' data make sure you can't read any of it. It's that simple. Anything else simply won't do.

That's why I keep recommending tarsnap to customers.


Or you could.. you know... recommend an appropriate client-side encryption tool so they can then store the archive/backup data on the storage provider of their choice...


The advantage of having client-side encryption built into tarsnap is that it encrypts only after data deduplication and compression.

Obviously there could be a tarsnap option to stream the data to be uploaded through an encryption program of your choice, but doing it just as you suggest would nerf a few of tarsnap's prime advantages.


I think you've misunderstood me.

Tarsnap is a combination client-side application and remote service.

I am suggesting instead to use/recommend one of the existing client-side tools that work similarly to how the tarsnap client does, but don't lock the user into a single service provider.

By using a client-side tool that just generates archives (and isn't tied to a single storage service provider), you can store them anywhere - AWS, iCloud, Google Drive, Rsync.net, a rented VPS, a friend's computer, an external hard drive, all of the above. You name it.


I understood what you said, I just didn't know that there were tools in existence that are as good as or better than tarsnap at the archiving part which allow you to specify the storage location.

Edit: I used 'specify the storage location' very loosely. I.e., I realise it could mean simply piping the archive data to yet another program in the shell.


Mostly these tools would expect a local storage location and you'd schedule scp/rsync/whatever to copy to the destination of your choice.


Cool, could you please give me a few examples?


I've never used it, but I've seen people on HN recommend Attic. It dedups and encrypts. https://attic-backup.org

Personally, I use git-annex, which isn't exactly a backup tool but a general distributed file manager which can, among other things, automatically make encrypted copies of the files to various places (SSH servers, S3, Google Drive, etc).


As mentioned, there is Attic [1] and Obnam [2].

Both do dedup and encryption, Attic can also store the data remotely via SSH (either with or without installation on the remote end) and Obnam can handle remote storage to an SFTP server.

[1] https://attic-backup.org [2] http://obnam.org


I use EncFS with Dropbox.

It's an almost completely transparent user-space filesystem. Basically you store your files in a given folder, and it automatically stores a parallel encrypted copy in a different folder.

http://www.howtogeek.com/121737/how-to-encrypt-cloud-storage...


Does it do data deduplication? Doesn't sound like it to me from skimming that article.

Edit: sounds like EncFS has some significant security issues: http://sourceforge.net/p/encfs/mailman/message/31849549/. No recent information in that discussion, so I don't know whether it's all been resolved. Here's an HN discussion of the audit: https://news.ycombinator.com/item?id=7384730


To my siblings, thanks for the examples. It's good that there is a more UNIXy alternative approach.

However, until I have reason to dislike tarsnap's archiving or encryption or AWS, it's simply easier to use a single tool.


>In the latter case you will probably be forced to cough up the decryption keys.

Not if you make the user's password the key.


I've always wondered, what do you do in the case that a user forgets their password and has to reset it? Reset it and lose all their data?

Seems like the only way.


If a group planned ahead they could give out some secondary kind of key. Gmail gives out these really long codes I can use to login should I not have the authenticator app.


Sorry, I might be missing something here, but would there be any tangible differences between the service provider having access to a secondary key vs them having access to the primary key if both can be used to access your data?

I'm honestly interested because I'm building a distributed system where only the user has the decryption key, and I've always just assumed that password recovery is a lost cause in such systems.


I would assume the recovery key is not stored in plain-text - it's likely hashed, similar to a password. If you need to use it, you enter the (hopefully safely stored) recovery key you have, they re-hash it and compare to the hashed one they keep.


OS X's whole-disk encryption (FileVault 2) similarly creates a recovery key at encrypt-time.


I believe it is the only way if you truly want a single user to have complete control of decryption. There are other solutions if you don't. I heard of one the other day (from MaidSafe maybe?) where you have a shared secret amongst your "friends" and if a quorum of them agree, it can reset your password. I assume this means your data is duplicated and encrypted via that shared secret as well which could be coerced I suppose.
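
The recovery-key question in this sub-thread comes down to who can derive the key that unlocks the data. As an added example (not code from any commenter or from the services named here): a random data key is wrapped once under the password and once under a recovery code shown only to the user, so the provider stores nothing it can unwrap. The PBKDF2 pad plus HMAC is a standard-library stand-in for an AEAD key wrap, and all names and the iteration count are assumptions.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this sketch

def _derive(secret: str, salt: bytes) -> tuple[bytes, bytes]:
    """Derive a single-use 32-byte pad and a 32-byte MAC key from a user-held secret."""
    okm = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS, dklen=64)
    return okm[:32], okm[32:]

def wrap(dek: bytes, secret: str) -> dict:
    """Wrap the data key under a secret; a fresh salt per wrap keeps the pad one-time."""
    if len(dek) != 32:
        raise ValueError("data key must be 32 bytes")
    salt = secrets.token_bytes(16)
    pad, mac_key = _derive(secret, salt)
    ct = bytes(a ^ b for a, b in zip(dek, pad))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return {"salt": salt, "ct": ct, "tag": tag}

def unwrap(blob: dict, secret: str) -> bytes:
    """Recover the data key, or fail if the secret is wrong or the record was altered."""
    pad, mac_key = _derive(secret, blob["salt"])
    expect = hmac.new(mac_key, blob["salt"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, blob["tag"]):
        raise ValueError("wrong secret or tampered record")
    return bytes(a ^ b for a, b in zip(blob["ct"], pad))

def enroll(password: str) -> tuple[dict, str, bytes]:
    """Client side: returns (record the provider stores, recovery code, data key)."""
    dek = secrets.token_bytes(32)          # encrypts the user's data, never uploaded
    recovery_code = secrets.token_hex(16)  # shown to the user once, never uploaded
    record = {"by_password": wrap(dek, password),
              "by_recovery": wrap(dek, recovery_code)}
    return record, recovery_code, dek

def reset_password(record: dict, recovery_code: str, new_password: str) -> dict:
    """Client side: unwrap with the recovery code and re-wrap; stored data is untouched."""
    dek = unwrap(record["by_recovery"], recovery_code)
    return {"by_password": wrap(dek, new_password),
            "by_recovery": record["by_recovery"]}
```

If both the password and the recovery code are lost, the data key cannot be recovered from the stored record, which is the trade-off the thread describes.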



I'm interested in why the EFF chose these companies to rate. For example, rating AT&T and Verizon but not Sprint and T-Mobile seems odd to me. Rating Snapchat but not Instagram almost makes sense because they're rating Facebook, but then they've rated WhatsApp separately.


The ATT/VZW/Sprint/TM differentiation is weird, but Instagram versus Whatsapp doesn't seem strange... Instagram doesn't honestly seem like a hugely valuable target. That's not to say I'm comfortable with them giving up info freely, but I'd be much more concerned about my WhatsApp data being turned over than my Instagram data.

I'd rather lists like these not be polluted by things like that.


Usually the EFF does a good job with these reports but you got to wonder with a company like Dropbox.

- Condi Rice is on the Board of directors - an avowed supporter of NSA warrantless wiretaps

- Users cannot control their keys such that it becomes impossible for them to hand over data to the Govt. even if they complied with the NSL or whatever other BS demand

And they get 5 stars for "Having our Backs" (!)


They also scan user files for copyright protection and a few years ago had some clear breaches of trust between users and the company.


The point of this effort is to elicit change from these organizations. If having breaches "a few years ago" means never getting a star, why would a company care?


Why does Google have only 3 stars?


https://www.eff.org/who-has-your-back-government-data-reques...

Edit: (less cheekily)

Inform users about government data demands: "...Google does not commit to providing notice after an emergency has ended or a gag has been lifted"

Disclose data retention policies: "Google publishes some information about log data and deleted data, but it is not complete and representative of all its services and thus does not qualify for a star."


Particularly since I recall that Google had six stars last year.

Has Google gotten so much worse in the last year? Or has it perhaps stopped funding the EFF?

Edited to add citation: http://www.theregister.co.uk/2014/10/14/assange_bollocks_goo...


This is covered quite well (multiple times) by the article. The categories are not the same as last year.


I agree that the changes are covered, but I disagree that they are covered well.

The following companies have gone from at least one star below Google to at least one star above Google, on a 4-6 star rating system, in the last year: Adobe, LinkedIn, Wickr, Wikimedia, Wordpress.

despite no company materially changing their terms in that time.

How is this a robust or meaningful measure, in that case? The exceptionally large variation is not addressed.

Why has this happened? In my opinion, it's because the 2014 report is bogus (two of the categories are "published a report"), and most probably it was just permitted to be bogus because Google were heavily funding the EFF in 2014.


Three of the stars last year -- "requires a warrant", "publishes transparency reports", and "publishes law enforcement guidelines" -- were merged into a single star "follows industry best practices". According to the report, a company has to do all three of those things to qualify.

It's perfectly reasonable for the EFF to evolve how they're rating companies as the years go on. After all, the privacy landscape changes and they're trying to push companies to making some changes. That explains the drop in stars. According to the EFF, Google is doing things that are now considered standard, and they're no longer on the forefront of defending privacy.

Your accusations of bias because Google isn't funding the EFF are, frankly, ridiculous.


>Three of the stars last year were merged

If that were the only major difference, Google would still have 4 stars with the 5th undecided. Google now have 3 stars.

>Your accusations of bias because Google isn't funding the EFF are, frankly, ridiculous.

To be clear, I am not accusing EFF of bias against Google.

Other privacy organisations have literally accused the EFF of lobbying for Google. From Wikipedia:

"In 2011, the EFF received $1 million from Google as part of a settlement of a class action related to privacy issues involving Google Buzz. EPIC and seven other privacy-focused nonprofits protested that the plaintiffs' lawyers and Google had, in effect, arranged to give the majority of those funds "to organizations that are currently paid by Google to lobby for or to consult for the company.""

Since then, the EFF spoke up loudly against the right to be forgotten (Google Spain v AEPD and Mario Costeja González), even though this is considered a privacy basic by EU data protection principles.


> despite no company materially changing their terms in that time

Yes, because, again, the test criteria themselves changed.

I'd suggest your focus on a two-data-point trend and Google (at the exclusion of every other company on this list) may just be revealing your own bias rather than the EFF's.

> it's because the 2014 report is bogus (two of the categories are "published a report")

Again, I'd suggest actually reading the report. Several of the categories this year also only require a single line in a privacy policy. That's all this report has ever been -- some disclosures, but in many cases, just flat out statements that something will be done with no actual verification that it will be (since in many cases that's not conclusively possible).


[flagged]


Personal attacks are not allowed on Hacker News. Please don't do this again.


I will be more civil in future.

However, I was responding to the parent's original accusation of personal bias - a clear personal attack.

The parent comment further breaks the Hacker News guidelines:

"Please don't insinuate that someone hasn't read an article."

Can you clarify why my comment was rebuked, but the parent was not, please?


Thanks in advance for being more civil in the future. It's important, and we appreciate it.

> Can you clarify why my comment was rebuked, but the parent was not, please?

I simply didn't see that bit. You're right that it broke the guidelines as well. Had I seen it I would have said so.

Still, accusing a fellow user of shilling is worse than accusing one of not having read an article. The shilling thing is its own circle of forum hell. I've written about it, if anyone wants to understand why we single this out: https://hn.algolia.com/?sort=byDate&prefix=true&page=0&dateR....


Wow.


Look at pages like DataSaver.

https://support.google.com/chrome/answer/2392284?p=mobile_ba...

There's nothing there about privacy considerations. It'd be great if Google started letting users know if there are (or aren't) privacy implications.


Curious if there's any project that aggregates all the transparency data into a nice CSV, could be useful to chart and track trends.


The stars should link to sources of each of these categories, that'd be cool.


Microsoft opposes backdoors but not some process that is very similar that allows "legitimate legal requests" to be fulfilled ...



