A Race to the Bottom - Privacy Ranking of Internet Service Companies

Privacy-friendly and privacy enhancing

Generally privacy-aware but in need of improvement

Generally aware of privacy rights, but demonstrate some notable lapses

Serious lapses in privacy practices

Substantial and comprehensive privacy threats

Comprehensive consumer surveillance & entrenched hostility to privacy



09/06/2007

A Race to the Bottom:
Privacy Ranking of Internet Service Companies

A Consultation report

This report has been prepared by Privacy International following a six-month investigation into the privacy practices of key Internet-based companies. The ranking lists the best and the worst performers both in Web 1.0 and Web 2.0 across the full spectrum of search, email, e-commerce and social networking sites.

The analysis employs a methodology comprising around twenty core parameters. We rank the major Internet players but we also discuss examples of best and worst privacy practice among smaller companies.

The report was compiled using data derived from public sources (newspaper articles, blog entries, submissions to government inquiries, privacy policies etc), information provided by present and former company staff, technical analysis and interviews with company representatives.

Because the 2007 rankings are a precedent, Privacy International will regard the current report as a consultation report and will establish a broad outreach for two months to ensure that any new and relevant information is taken into account before publishing a full report in September.

Interim results are available here in PDF format: Interim Rankings

About Privacy International

Privacy International (PI) was established in 1990 as a human rights research and campaign organization. It was the first privacy NGO to operate in the global environment and since then has been instrumental in the evolution of the modern international privacy movement. Its key functions are to provide technology assessment, develop reviews of public policy and to act as a watchdog on surveillance by governments and corporations. PI is based in London, and has an office in Washington, D.C. Together with members in 40 countries, PI has conducted campaigns throughout the world on issues ranging from wiretapping and national security activities, to ID cards, video surveillance, data matching, police information systems and medical privacy, and works with a wide range of NGOs, academic institutions and inter-governmental organizations. PI's primary source of funding comes from philanthropic and charitable organizations.

We have previously led campaigns and taken action against the practices of a number of companies including:

  • Campaigning against corporate privacy practices, e.g. Amazon
  • Identifying the problems in technology design, e.g. problems with advertising in Gmail
  • Monitoring and campaigning against the disclosure of data from companies to governments, e.g. EU-US PNR, SWIFT, Telecommunications companies
  • Founding and running the Big Brother Awards, now held annually in over 15 countries, that identify 'worst corporate invaders'
  • Campaigning against bad practice in account management, for instance preventing users from deleting accounts, e.g. against Amazon and eBay
  • Ranking countries for their privacy protection and surveillance levels

Building particularly from our work on companies' practices on customer account management and our expertise developed in the country rankings we are now positioned to develop rankings for companies.

Why have we undertaken this study?

For many years, consumers and companies have approached Privacy International asking for our suggestions of good company practice in privacy protection. In the past this has been difficult for us to achieve for a number of reasons, including:

  • Privacy International does not endorse specific companies.
  • We know the dynamics of this field well enough to understand that even if a company exhibits good privacy practice today, it can quickly change those practices for the worse by tomorrow.
  • It is very difficult and time consuming to accurately discover the privacy practices of a given company and it is often the case that these companies are not fully aware of their own information handling procedures.

We are increasingly concerned about the recent dynamics in the marketplace. While a number of companies have demonstrated integrity in handling personal information (and we have been surprised by the number of 'social networking' sites which are taking some of these issues quite seriously), we are witnessing an increased 'race to the bottom' in corporate surveillance of customers. Some companies are leading the charge through abusive and invasive profiling of their customers' data. This trend is seen by even the most privacy-friendly companies as creating competitive disadvantage to those who do not follow that trend, and in some cases to find new and more innovative ways to become even more surveillance-intensive.

We felt that consumers want to know about these surveillance practices so that they can make a better-informed decision about how, whether and with whom they should share their personal information. We also believe that companies need to be more open about how they process information and why it is processed.

Most importantly, we wanted to indicate to the marketplace that their surveillance and tracking activities are being scrutinised.

Background

PI has tracked the development of the Internet since the creation of the World Wide Web in the early 1990s. We have continually voiced our concern that this medium provides the potential for a haemorrhage of personal privacy, and we have argued for some years that Internet companies should embrace a wider range of privacy protections for users.

The privacy threat on the Internet arises from a number of factors. Increasing disclosure by consumers of personal information allows companies to capture and process data to a significant extent. New technologies permit the capture of increasingly detailed levels of information. Meanwhile, new Internet products often involve a requirement for user registration, enabling of identifying techniques and agreement to terms and conditions that are frequently hostile to privacy.

However the emergence over the past three years of an aggressive move by major Internet companies into "ad space" has created the most recent and possibly most dangerous threat to privacy. With the creation of a greater range of products and services, increased disclosure of personal information and the evolution of a huge user population came the opportunity to establish new forms of user targeting and profiling to generate greater advertising revenue.

Privacy International has been concerned that this development may result in a "lowest common denominator" for privacy. In contrast to the 1990's vision of the Internet, in which strong privacy could become a market differentiator, the reality in 2007 is that all major Internet players may move to establish a level of user surveillance that results in little or no choice for Internet users and relatively few meaningful privacy mechanisms. Market domination by a handful of key players will ensure that without care, a race to the bottom will evolve during the immediate future.

Our decision to undertake the privacy ranking study is a first attempt at understanding the full spectrum of the privacy threat and to discover where each key player stands with regard to privacy protection. The long term goal of this report is not necessarily to "name and shame" but to highlight crucial trends and imperatives that will shape the future of privacy on the Internet.

A consultation report

This is a consultation report for the following reasons:

  • While the data used for this analysis provides a very strong indication of privacy practices, we wish to reach out for more data on how companies process information. Too many companies presume that statements framed in legal language within their privacy policies actually describe their true information collection and processing practices. When our legal experts reviewed a spectrum of privacy policies we became alarmed at how much we still do not know. We felt that additional time should be allocated in the hope that companies will come forward with more data. The fact that we, as specialists in this field, cannot fully understand the full range of surveillance practices of some companies leaves us greatly concerned about the ability of consumers to make informed decisions in the marketplace.
  • We are soliciting comments on the findings of this report from companies, consumer organisations, industry associations and other experts on practices and additional elements. We have been in touch with a number of the companies involved in this study and we hope to receive further relevant information. If useful information is not offered we will wherever possible use legal mechanisms to obtain it.
  • We are seeking the assistance of regulators who might help illuminate some of the more arcane collection and processing practices. Privacy commissioners from around the world and even the U.S. Federal Trade Commission can, we hope, help us uncover some of the legal challenges arising from the data processing practices of these companies.

A more detailed report will be available in September.

Which companies?

Ideally we would like to be able to look at all companies in all sectors, but for now we have limited ourselves to online service companies. We created a list of consumer-facing companies based on a number of 'top 50', 'top 100', and 'top 500' resources using criteria including:

  • market share
  • services offered
  • number of users
  • site traffic

We have solicited comments from experts around the world about companies that we may have unintentionally omitted. For the time being we have excluded coverage of companies operating under mandatory data collection regimes such as those in the financial sector (e.g. online banking and payment schemes) and the travel industry (e.g. airlines and travel agencies).

Categorising companies has become increasingly difficult. The amount of mergers and acquisitions sometimes makes it quite difficult to differentiate stand-alone companies from conglomerates. We had to judge when it was appropriate to differentiate between companies and services. For instance, Windows Live Space is part of Microsoft, but because it offers services that are quite specific and because of the size of the user base, we took the decision to treat it as a distinct organisation. Meanwhile, Google is a company comprising many services, but its practices and ethics are very much part of its brand and image as a whole, and so we treated it as one single entity. We ranked Orkut as a separate entity even though it is owned by Google.

We are open to recommendations for other companies that we should include in future ranking reports. Ideally we should be able to segment the report findings into various sectors. For instance, we could identify the best and worst practices within social networking sites, search engines and location-based services. We are looking into expanding our company list in the future, but we must also conduct research and consult widely on how looking at specific service dynamics will affect the methodology. It should also be noted that due to resource constraints many of the companies on our current list operate predominately in the English language. We hope to broaden the language base in future rankings. Due to these constraints we have currently omitted some of the largest companies on the Internet.

The companies we included in this consultation study are:

  • Amazon
  • AOL
  • Apple
  • BBC
  • Bebo
  • eBay
  • Facebook
  • Friendster
  • Google
  • Hi5
  • Last.fm
  • LinkedIn
  • LiveJournal
  • Microsoft
  • Myspace
  • Orkut
  • Reunion.com
  • Skype
  • Wikipedia
  • Windows Live Space
  • Xanga
  • Yahoo!
  • YouTube

We also reviewed the practices of other companies that are not necessarily market leaders. Through investigation and research, sometimes spurred by communications we receive from concerned members of the public, we identified a number of smaller companies who sometimes exercise a complete disregard for the sensitivity of their customers' personal information.

We are also searching for companies that exhibit positive privacy practices. We have been able to identify a number of these companies and hope to report on them more fully in our September report.

Methodology

In wide consultation with experts from around the world we were able to identify the following ranking categories for analysis:

Corporate administrative details

Does the company actually have a department or individual responsible for privacy compliance? The policy will have limited effect if users cannot question the processing of personal information. Some companies have designated privacy officials or embed privacy protection within the legal branch of the firm, while others do not even publish contact information.

Corporate leadership

Assesses whether a company plays a strong public role in protecting and promoting privacy in the marketplace (this must be matched with authority and action, not just mere words), or whether the firm is a leader in the trend toward profiling, sharing and disclosure of customer data. We also looked into whether the company is using industry-recognised self-regulatory mechanisms (e.g. Trust-e) and whether the company has signed up for the Safe Harbor agreement between the EU and the U.S.

Data collection and processing

What type of information does the site collect, with and without consent? On some sites the personal information submitted by customers is necessary (e.g. billing addresses) but there are many sites that collect information that may be unnecessary (age, marital status, home address, preferences, medical information, extraneous financial information) from customers without adequate information about why this information is needed and how it is used. Some companies may collect and mine other information, such as viewing habits and preferences (e.g. musical genre, lifestyle choices etc.)

Here, it is also important to note the status of 'Internet Protocol Addresses' (IP addresses). Many companies state that they see this data as non-personal - even anonymous - information, permitting them to collect and track users' movements around the site to determine what a specific user reads. This approach permits profiling of a user's habits and interests.

Data retention

Some companies delete the information they collect once it is no longer needed. Other companies are not quite so clear, and a few sites are quite open that they do not intend to delete personal information at all (or at least not until they are ready to do so). With increased consumer concern about information breaches from stolen and lost computing resources, or through malicious hackers gaining access to resources, companies need to be aware that the risk to their market position and customer base may be proportionate to the amount of personal data they store.

Openness and Transparency

It is fair to say that most organisations have now created privacy policies. These privacy policies often say much but disclose relatively little about a company's true practices. Some companies also cover up or refuse to engage publicly about privacy concerns. Here we rate these companies on how open they are to the public about their actual practices. We look at their privacy policies to assess whether they are merely a collection of disarming words (that usually starts with 'At [company X] we take your privacy seriously') with little detail, or which even highlight contradictory practices.

Disappointingly, many of the privacy policies seem to have been written with the same goal: to say very little but in as complex a way as possible. Yet there are also some policies that are exemplary in their eloquence and detail, describing every element of information and how it is processed by the company.

Responsiveness

Disarming statements about privacy do little to compensate for the lack of responsiveness to consumers who have privacy concerns. We are in a continuing process of contacting companies to see how they respond to privacy queries and concerns and whether those concerns are dismissed (as we have seen in some remarkable situations where in one case a company told us 'Life is too short (to worry about privacy)') or obfuscated (where companies respond with platitudes but disclose very little).

We look back over the history of the company to see how they responded to privacy problems and when those were brought to their attention, to measure the sincerity of these companies in protecting their customers' information. We also assess whether a company allows users to access and correct their personal information through 'subject access requests' or similar mechanisms.

Ethical compass

Have these companies encountered ethical challenges and how have they dealt with them? Have they co-operated with problematic warrants and access contentious requests from law enforcement agencies and foreign governments? How have they responded to customers' concerns? These actions go some way to explaining how seriously a company treats their customers' personal information.

Customer and User control

In our earlier research and campaigns we identified a number of companies that were unwilling to let customers delete their accounts. This widespread practice is not only problematic for privacy (in that your data can never be deleted) but also calls into question whether companies are properly marketing themselves as 'x million customers' when in fact there are only 'x thousand' active customers.

User control in the age of advanced customer activity (such as in social networking sites) should also allow customers the ability to control who has access to personal information, whether this access can be limited and even, when possible, when it should be anonymized. There has been a remarkable level of activity in this area since the security concerns over social networking emerged and we are optimistic that new protections will emerge.

Additionally, we assess whether customers can choose for themselves what types of information they disclose.

Fair gateways and authentication

Online services increasingly require individuals to create accounts in order to gain access to services, whether to look at itineraries, read articles or conduct searches. Sometimes these access controls are privacy enhancing, where they can aid individual consumers in preventing the trawling of their personal profiles by unwelcome visitors. However we are concerned at the increased profiling of customers' preferences based on the resources companies gain access to (e.g. profiling individuals based on the material they read). We have also taken into account scenarios where a decision to block any form of surveillance may interfere with the resulting level and quality of service.

Privacy enhancing innovations and Privacy invasive innovations

Some companies have implemented advanced techniques to protect privacy through advanced use of encryption (beyond simple SSL) and identity management technologies, amongst others. But 'innovation' need not only be technology-based, but could also reflect advanced and progressive attitudes toward information processing, such as promoting the use of pseudonymous accounts. We highlight these practices where such information is available.

Conversely, many companies are investing vast amounts of funds into privacy invasive practices, and most hope to be the first to market these innovations. We highlight when companies use blunt instruments to collect personal information without consent, and when they use pinpoint precision to delve deeper into personal profiles. While many companies use cookies (in a variety of ways) a number of companies go well beyond this practice into using 'web beacons' or 'pixel tags' to even identify whether users are reading their emails.

Analysis

Where possible we present data on specific privacy practices. It was not always possible to precisely assess a company's approach in each category. As a result, we erred on the side of caution and gave the company the benefit of the doubt and assessed it only for what we could actually identify.

We look forward to working with the relevant companies in the coming months to complete the study -- this will be expanded in the September report. We look forward to receiving compelling evidence that a given company respects the privacy of its users, and protects their personal information accordingly.

We will also be reaching out to even more experts from around the world who may recommend additional categories and even other companies to include in this study.

As a result, some findings of this report may change substantively.

Each category is currently assessed based on a color-band system:

Companies were given a rating for each category and the average results (in categories where there was data) resulted in the final assessment. So while many of the companies demonstrated both positive and detracting features, we calculated an average score.

This result was then double-tested by presenting experts with the qualitative findings without any category-level assessment and we asked for the experts' own assessments. The convergence of all our assessments is provided as 'initial findings'.

Results are available here in PDF format: Interim Rankings

Why Google?

We are aware that the decision to place Google at the bottom of the ranking is likely to be controversial, but throughout our research we have found numerous deficiencies and hostilities in Google's approach to privacy that go well beyond those of other organizations. While a number of companies share some of these negative elements, none comes close to achieving status as an endemic threat to privacy. This is in part due to the diversity and specificity of Google's product range and the ability of the company to share extracted data between these tools, and in part it is due to Google's market dominance and the sheer size of its user base. Google's status in the ranking is also due to its aggressive use of invasive or potentially invasive technologies and techniques.

The view that Google "opens up" information through a range of attractive and advanced tools does not exempt the company from demonstrating responsible leadership in privacy. Google's increasing ability to deep-drill into the minutiae of a user's life and lifestyle choices must in our view be coupled with well defined and mature user controls and an equally mature privacy outlook. Neither of these elements has been demonstrated. Rather, we have witnessed an attitude to privacy within Google that at its most blatant is hostile, and at its most benign is ambivalent. These dynamics do not pervade other major players such as Microsoft or eBay, both of which have made notable improvements to the corporate ethos on privacy issues.

In the closing days of our research we received a copy of supplemental material relating to a complaint to the Federal Trade Commission concerning the pending merger between Google and DoubleClick. This material, submitted by the Electronic Privacy Information Center (EPIC) and coupled with a submission to the FTC from the New York State Consumer Protection Board, provided additional weight for our assessment that Google has created the most onerous privacy environment on the Internet. The Board expressed concern that these profiles expose consumers to the risk of disclosure of their data to third-parties, as well as public disclosure as evidence in litigation or through data breaches. The EPIC submission set out a detailed analysis of Google's existing data practices, most of which fell well short of the standard that consumers might expect. During the course of our research the Article 29 Working Group of European privacy regulators also expressed concern at the scale of Google's activities, and requested detailed information from the company.

In summary, Google's specific privacy failures include, but are by no means limited to:

  • Google account holders that regularly use even a few of Google's services must accept that the company retains a large quantity of information about that user, often for an unstated or indefinite length of time, without clear limitation on subsequent use or disclosure, and without an opportunity to delete or withdraw personal data even if the user wishes to terminate the service.
  • Google maintains records of all search strings and the associated IP-addresses and time stamps for at least 18 to 24 months and does not provide users with an expungement option. While it is true that many US based companies have not yet established a time frame for retention, there is a prevailing view amongst privacy experts that 18 to 24 months is unacceptable, and possibly unlawful in many parts of the world.
  • Google has access to additional personal information, including hobbies, employment, address, and phone number, contained within user profiles in Orkut. Google often maintains these records even after a user has deleted his profile or removed information from Orkut.
  • Google collects all search results entered through Google Toolbar and identifies all Google Toolbar users with a unique cookie that allows Google to track the user's web movement. Google does not indicate how long the information collected through Google Toolbar is retained, nor does it offer users a data expungement option in connection with the service.
  • Google fails to follow generally accepted privacy practices such as the OECD Privacy Guidelines and elements of EU data protection law. As detailed in the EPIC complaint, Google also fails to adopt additional privacy provisions with respect to specific Google services.
  • Google logs search queries in a manner that makes them personally identifiable but fails to provide users with the ability to edit or otherwise expunge records of their previous searches.
  • Google fails to give users access to log information generated through their interaction with Google Maps, Google Video, Google Talk, Google Reader, Blogger and other services.

Why not Microsoft?

The finding that Microsoft is a better privacy performer than Google is also likely to be contentious. Microsoft was awarded "orange" status, two bands better than Google's position. However it is important, for the sake of clarity, to note that Windows Live Space received the more negative "red" rating, while Google's Orkut avoided a black rating and was awarded red status.

The true difference between Google Inc and Microsoft Corp can be defined not so much by the data practices and privacy policies that exist between the two organizations, but by the corporate ethos and leadership exhibited by each. Five years ago Microsoft could reasonably be described as a fundamental danger to privacy. In more recent times the organization appears to have adopted a less antagonistic attitude to privacy, and has at least structurally adjusted to the challenge of creating a privacy-friendly environment.

It is true that even during this more recent period there have been notable privacy disasters, particularly with WGA. It is equally true that Microsoft has failed to achieve the level of transparency that it proclaims to embrace (for example in withholding the length of time that data is retained). These instances have been compounded by a failure of oversight and management. However Microsoft has at least put in place the beginnings of a framework for responsible privacy practice and has created a corporate vision, cloudy though it may be. The organization appears now to be particularly sensitive in the most part to privacy issues and some parts of Microsoft have even pursued the concept of privacy as a market differentiator. We have no evidence that Google has achieved this level of awareness or development.

However we are aware that – in the words of the executives – "ad space is now the only game in town," and with Microsoft needing to play catch-up with Google there is a real threat that the organization could abandon privacy reforms in favor of ad revenue - or at least divert funds away from real protection and toward PR. The 2008 rankings will identify whether this fear will be realized.

Key findings

While there may be a temptation to focus criticism on = Google's=20 privacy performance, it is important to note that not one of = the=20 ranked organizations achieved a "green" status. Overall, the = privacy=20 standard of the key Internet players is appalling, with some = companies demonstrating either wilful or a mindless = disregard for=20 the privacy rights of their customers. Even the better = performing=20 companies create lapses of privacy that are avoidable. With = minimal=20 effort most organizations can improve their privacy = performance by=20 at least one grade.=20

The current frenzy to "capture" ad space revenue through the exploitation of new technologies and tools will result in one of the greatest privacy challenges in recent decades. The Internet appears to be shifting as a whole toward this aim, and the opportunity to create market differentiators based on responsible privacy may diminish unless those avenues are explored immediately. We have been impressed by the good work being achieved by some sites, but consumers are right to feel aggrieved when companies fail to adopt the best privacy tools that are available.

On the basis of the evidence we have seen from this study, there is no excuse for any organization to ignore the opportunity to create strong privacy protections. The technologies are available, the expertise is abundant, and the market appears willing to favour sites that treat their customers with respect. We hope that the 2008 rankings will reflect this potential.



Privacy International, 6-8 Amwell Street, Clerkenwell, London EC1R 1UQ UK. Email us at privacyint@privacy.org.
Call on +44 (0)208.123.7933 or +1.202.470.0099.