Thursday, 23 March 2017

Why Are So Many Tech & Telecom Companies Bad At Respecting Your Privacy?

The 21st century world is all about data: who has it, how they use it, when they share it, and how much they make from selling it. Despite the proliferation of terms of service and privacy policies, the companies responsible for handling our data are largely doing a poor job of telling us what they do with it.

That’s the key takeaway from the Ranking Digital Rights 2017 Corporate Accountability Index, which scores internet and telecommunications companies on a whole host of issues related to privacy, user control, and disclosure.

Tech is global — we use it everywhere, no matter where it’s based — so the report is, too, looking at 22 of the world’s largest telecommunications companies. The ones of particular interest to consumers in the U.S. include Apple, AT&T, Facebook, Google, Microsoft, Twitter, Samsung, and Yahoo.

The companies get rated on three main axes: governance, freedom of expression, and privacy. The overall score can run anywhere from 1-100, but the sad reality is that no company fared better than a total score of 65 (Google).

After Google, the top five is rounded out by Microsoft (62); Yahoo (58); Facebook (53); and Kaokao (50), a major internet social and communications company based out of South Korea.

Outside of those five companies, no other organization in the world managed even to crack a score of 50. What’s preventing these providers from scoring higher?

“In some cases, it’s because of government requirements to do certain things or prohibiting certain things,” Nathalie Maréchal, senior fellow with Ranking Digital Rights, tells Consumerist. “For example, the FBI issues National Security Letters to tech companies, which come with a gag order. These demands for user information prohibit the user, the telecommunications company, their attorneys, and anyone else from even mentioning the existence of the demand, which is not vetted by a judge or court of law.”

Beyond governmental restrictions, there’s also what Maréchal describes as the “inherent tension” between profits and consumer privacy for those companies with business models based on collecting and reselling user data — primarily for targeted advertising.

“One of our indicators asks whether companies commit to limiting the collection of user information to the information that is required to provide the service — but that limits how much user information companies can monetize,” explains Maréchal. “Consumer awareness and market pressure on companies to respect their privacy — including by being transparent about what they collect, how they collect it, for what purpose they collect it, who they share it with, and how long they will retain it — is key to getting companies to improve their behavior.”

Overall, the report finds, one of the biggest problems affecting everyone is disclosure: Companies simply aren’t telling consumers about their policies and practices. And as a result, the report authors conclude, “most of the world’s internet users lack the information they need to make informed choices.”

When Is Android Not Quite Android?

Most consumers refer to the two dominant mobile operating systems as Apple and Android, but while Apple iPhone users generally get the same software update at the same time, an Android device might not be updated until weeks after Google has released it.

The report notes that while Google pushes these updates out to its devices, like the Pixel phone, Samsung Android devices often lag behind.

“The delivery of software updates to Android devices that aren’t directly controlled by Google is a major issue,” explains Maréchal, “especially since low-income, minority and other marginalized users are most likely to use cheaper, older devices that no longer get security updates, or only do so with a significant delay.”

This disparity is often caused by tweaks — which may be unnoticeable to most consumers — that manufacturers (and sometimes wireless carriers) make to the underlying Android operating system. The Google update then needs to be modified to make sure it works with each different iteration of Android.

Beyond that, there is the concern about older phones that are no longer supported by their manufacturers. Of the three wireless manufacturers — Apple, Google, and Samsung — included in the RDR report, only Google provides a guaranteed timeline for how long its devices will receive software updates. In the case of Pixel and Nexus devices, users will continue receiving support for at least 3 years from when the device first became available, or at least 18 months from when the Google Store last sold the device, whichever is longer.

“It would be ideal if Google extended that time period further, but at least they clearly communicate this commitment to users,” says Maréchal. “We depend on our smartphones for so much — and low-income people without broadband or computers at home depend on them the most. Rich or poor, we all deserve to know how long they will be safe to use, and what companies are doing to keep us safe.”

A Look At The Numbers

The report goes in-depth on its methodology, findings, and recommendations before providing individual report cards for each company. In these, you can break down where each company performed well or fell down.

• Apple, for example, earned a 35. The report evaluated the iOS ecosystem, along with iMessage and iCloud, and found that although Apple has a “strong public defense of users’ privacy,” the company did not actually make clear disclosures about “commitments or policies demonstrating respect for users’ freedom of expression.”

For privacy, the report gives Apple a 48, finding that it doesn’t clearly articulate what kinds of personal information it collects or shares, nor to what end or for how long. The company also “lagged behind most of its peers in disclosure of government and private requests for user information,” posting a policy for data-sharing with government requests but without a similar policy for how it handles requests from private entities.

Things go downhill from there for Apple, which then scored a 22 on Freedom of Expression and a 17 on Governance, showing no “substantive grievance and remedy mechanism” consumers can use to issue complaints if their privacy is infringed.

• Facebook — including Instagram, Messenger, and WhatsApp — did a bit better, clocking in at a 53, and registering “notable improvement” since the 2015 report.

Facebook scored best in Governance, hitting 81%, a number that is actually decent on its own and not just in comparison to a very poor pack. Facebook has, “provided evidence that the company’s senior leadership exercises oversight of issues related to freedom of expression,” privacy, and human rights impacts.

Things are a little less rosy on the Privacy side of things, though, where Facebook eked out a 49, and on Freedom of Expression, where it sits at 41. In general, the report finds, Facebook doesn’t do a good job describing either what kinds of content and activities are and aren’t allowed on its service, nor does it particularly reveal much about what it shares with whom, when, how, or why.

Top performer Google, meanwhile, sees overall 65% score come from a pretty even breakdown across the board in all three areas. The internet giant scored a 60 for Freedom of Expression, a 65 for Privacy, and a 71 in Governance.

Of Google, the report says that the company does poorly when it comes to explaining how it handles user information, disclosing less than other businesses about how it handles both government and private entities’ requests for user information. Google does, however, get good marks for “a clear commitment to complying with … requests for user information only when prescribed by law, as well as to challenging overbroad requests.”

When it comes to content and account restrictions, Google’s about in the middle of the pack, the report finds. It does provided detailed info about what types of content and activities are prohibited, but of all its services only YouTube disclosed how much content (92 million videos in 2015) was removed for terms of service violations.

Can’t You Just Not Use These Companies?

Reports like this one often result in rejoinders like “This is why I don’t use X” or “Just don’t use X and you won’t have this problem,” but RDR’s Maréchal says it’s rarely that simple.

“It’s not like you can choose between a dozen different platforms that all do similar things” to Facebook, Google, or the others. She points out that there are real restrictions — like having few choices for broadband service — and cultural pressures that can compel consumers to reluctantly become part of an online ecosystem.

“If all your friends and family are on one social network, you can’t just move to a different platform and still connect with the same people,” Maréchal points out, adding that consumers often aren’t fully informed about these issues. “So the average person doesn’t necessarily know what to look for or what questions to ask to know what’s best for them or what their options are.”

Getting Better

When a 65% is a high score, that is indeed a sad state of affairs. So the report includes a whole lot of recommendations for companies outlining what they can do to improve their woeful marks before the next report, presumably in 2019.

  • Communicate more and better. Companies, the report suggests, should “disclose and explain” how they comply with laws, and what that compliance means for consumers. What data is going to whom? Where? When? Why? How? What can you do about it? Just outlining the basics in a place where consumers can read it would go a long way.
  • Self-assess more. It’s the old saw about being unable to identify or fix what you can’t measure. A company that wants to know where it’s succeeding — and falling down — should conduct assessments on the impacts of its own services and behaviors regularly.
  • Be transparent. In basically all things, the report suggests, companies need to increase transparency and disclosure. Publish more policies. Outline more cases. Paint a more comprehensive picture, and do it often. Get in the details. In short, give consumers all the information they could want to know if they’re going to feel safe sharing their data with your business.

by Chris Morran via Consumerist

No comments:

Post a Comment