With companies, particularly in the tech space, collecting more and more user data, there has been ongoing tension around government requests for information about individuals and a company’s aim to protect the privacy of users. But since whistleblower Edward Snowden’s National Security Agency revelations in 2013, the conversations on digital privacy have intensified, resulting in stronger privacy policies at some companies.
A report released Monday from the Electronic Frontier Foundation identifies the companies that are most protective of user data when it comes to government requests. For legal departments, there are plenty of considerations in creating and implementing the policies that protect users, according to the general counsel at Automattic, parent company of WordPress, which was one of this year’s top-rated companies.
The EFF’s seventh annual “Who Has Your Back?” report measures companies based on five criteria: adherence to industry-wide best practices; informing users about government data requests; commitment to not sell users out; push back when possible against national security letters (NSLs), which typically require companies to hand over data without revealing they’ve done so; and a pro-user public policy.
Nine companies received the highest rating of five stars, one of which was WordPress, which was highlighted by the EFF for its policies related to transparency and user privacy. This marks WordPress’s second time with a perfect score in this report, the first was in 2015. Paul Sieminski, Automattic’s GC, said that the Snowden leaks significantly changed the data privacy and government requests landscape.
“I think it just really made internet users much more aware of No. 1, the volume of information that was out there that the government could potentially get their hands on and two, the methods that could be used,” Sieminski said. “That just caused us and a lot of other companies to really look at these issues in a new light … and I think that just raised the stakes for all companies.”
Another issue that’s altered this space is the aggressiveness with which certain regions and countries around the world are investigating online terrorist activity, Sieminski said. “There’s a lot of political pressure and a lot of legitimate security fears about those types of activities happening online, and so I think you’ve seen a lot more activity from governments trying to get that information from those companies that have it,” he said, pointing to the European Union as an example. “We take it very seriously. But at the same time, we have strong principles on user protection and transparency that we want to protect.”
You have to approach this “very carefully” to strike the right balance, Sieminski said.
When Sieminski joined Automattic in 2012, he said the “instinct was already there” in the company to be user protective and transparent about law enforcement dealings. But as the company’s first general counsel, Sieminski said that he was able to “add some legal expertise” and to “refine some of our policies.” These policies, which are made available to the public, outline the steps followed in response to government requests, he said, which include requiring a warrant, except in the case of an emergency, before disclosing information, notifying users of a request for information when possible and requesting judicial review of gag orders that accompany NSLs.
In May of this year, Automattic also joined a number of leading internet companies in signing a letter to the U.S. House Judiciary Committee Chairman, asking for reforms to Section 702 of the FISA Amendments Act of 2008, a law used to carry out surveillance of non-U.S. persons. This particular area of the law “just permits the government to gather a lot of information and to do it in a way that is not very transparent,” Sieminski explained. “If there are areas of the law we think are not in line with our principles, we can try to change them.”
“Overall, I’m encouraged by the progress of the whole industry towards being more transparent and user protective,” Sieminski said. “And I think the report is a really good resource to see what the practices are and I always use it as a way to improve, if we can.”