The Electronic Frontier Foundation (EFF) recently released its fifth annual report evaluating the practices of several online service providers with regard to government access to user data. The report rates the major online providers on a five-star scale measuring their efforts to promote transparency and protect user privacy in the face of government data requests. While the media has largely focused on the identities of the highest and lowest scorers, it is useful to take a step back and review the five questions that form the basis of these ratings:

  1. Does the company meet industry-accepted best practices, including requiring the government to obtain a warrant before the company discloses user data, publishing regular reports on government requests and enacting company guidelines for responding to government data requests?
  2. Does the company give users prior notice of government data requests so that users have an opportunity to challenge the request by appropriate legal means?
  3. Does the company publicly disclose its data retention policies for IP address logs, deleted content, and similar types of inaccessible data?
  4. Does the company publish regular transparency reports detailing requests the company has received from the government to hand over user data, remove user content or suspend user accounts and how the company has responded to such requests?
  5. Has the company taken a pro-user stand on a privacy issue, namely government-mandated back doors, in some public forum such as a blog post, coalition letter or other public written format?

While these questions are oriented towards the privacy challenges faced by large online service providers maintaining troves of user information, they provide insight into the evolving privacy expectations of internet users. Any business that has an online presence and either actively or passively collects user data would be well served to test its own privacy practices against these standards. As businesses try to position themselves for growth, they must be prepared to meet the privacy challenges inherent in the accumulation of user data.