It’s an internet truism that most people don’t read the terms of service for the apps and websites they use. Typically, this is viewed as a lamentable state of affairs, but—as we have said before—not everyone needs to read them. If a few people read companies’ digital policies, that’s enough to alert the public about really dangerous changes in what tech companies disclose.
There is good news and bad news on this point. The good news is that there is an organization, Ranking Digital Rights, that reads these policies systematically and reports on what they see. It released its 2017 report on 22 of the world’s largest technology companies today. It assessed their transparency and privacy policies, as well as their disclosures about security breaches and government censorship requests.
Here’s the bad news: “Company disclosure was inadequate across the board,” the report says. So even with people looking at these documents, we can’t assess what they don’t tell us.
The report assesses companies like Facebook, Mail.ru, Twitter, Vodafone, AT&T and Tencent. To get a sense for what the report covers here’s some of the key takeaways from its assessment of Apple and Google.
The last accountability report came out in 2015, but this is the first time the organization assessed Cupertino.
Generally speaking, Apple is thought of as one of the best companies for protecting consumer privacy. The logic goes like this: Apple wants to profit from customers buying its products. This helps explain why Apples products tend to cost more: consumer prices aren’t subsidized by income from marketers that buy data about the products’ users. In fact, Chris Soghoian, a security researcher, has argued that the higher price of an iPhone amounts to a pay-for-privacy scheme.
But Ranking Digital Rights finds their specific commitments to protecting users lacking.
“Apple placed seventh out of the 12 internet and mobile companies and ninth in the overall Index, scoring lower than any other U.S.-based company evaluated,” the report states.
The report assesses companies on governance (how it ensures its commitments), freedom of expression (the degree to which users can say what they want, know the limits and understand how governments might curtail that freedom) and privacy (how much information is collected about users, how it’s used and whether it gets shared).
Under governance, the report stated that it “offered little evidence of a substantive grievance and remedy mechanism enabling users to issue complaints against the company for infringement of their freedom of expression or privacy.” This is no surprise to anyone that’s tried to cover Apple. It is an opaque company.
App stores have become an easy way for repressive governments to undermine freedom of expression, as The New York Times reported in January. We know that Apple has caved to pressure to kill an app. “Apple should disclose its processes for responding to requests it receives from governments to restrict apps in its app store,” the report states, “as well as the volume and nature of these requests, as these requests are becoming an increasingly prominent threat to freedom of expression around the world.”
The report faults Apple for failing to do a good job describing what it collects about user behavior, but it notes approvingly that Apple defaults to encrypting users data. “Apple’s disclosure regarding its encryption policies was notably better than most other companies evaluated, disclosing that it encrypts users’ communications by default,” it writes.
The general consensus about Apple is that it provides the hardware and the service and just generally doesn’t watch users. In fact, it encrypts their data in such a way that it couldn’t if it wanted to, but that’s just a guess. We just don’t know, and clearer statements from Apple on these points would be good.
Google’s whole business model relies on profiting off of gathering information of people who use its services, but Ranking Digital Rights gave the company the highest score of any company assessed. It may be a for-profit NSA, but at least it admits to a lot of its spying.
That said, the report found its governance language wanting. “While Google articulated a clear commitment to upholding users’ freedom of expression and privacy rights, it did not disclose evidence of board-level or even executive-level oversight over these issues within the company,” it writes. “This marked a decline in clarity of disclosure about governance and accountability mechanisms across Google’s global operations since the company’s corporate restructuring under Alphabet.”
One of the smartest PR moves Google ever made won high praise in the report. “Google disclosed more than any other company in the Index about how it handles government and private requests to restrict content and accounts,” it wrote. Google’s transparency reports set the standard for how other companies write similar disclosures. These reports detail requests made by governments about its users.
The report also wrote that “Google performed poorly on a number of indicators related to disclosure of how it handles user information.” That’s saying the least about the most. It’s surprising the report didn’t take some points away because the company quietly ended its commitment to divorce personally identifiable information from tracking data, as Propublic reported last year.
Both Google and Apple received mixed reviews under security. Both are known for having good security teams, but they don’t have commitments about notifying users impacted by breaches. Google has a bug bounty program; Apple doesn’t. Both of them have fairly clear statements about how they use encryption.
Overall, Apple scored 35 percent, with its highest marks in privacy (48 percent). Google led the list with a score of 65 percent, with its highest marks in governance (71 percent).
Ranking Digital Rights is a project of the New America Foundation, and it is one of the organizations collaborating with Consumer Reports on a new privacy standard for digital products, as we previously reported.
“We believe that public commitment and disclosure of basic policies is an essential baseline,” the report contends, “from which to evaluate companies’ respect for human rights.”