Ranking Internet companies' data-handling: a test they all fail

Rebecca MacKinnon, the journalist/activist who wrote the seminal Consent of the Networked, has launched a new project called Ranking Digital Rights, part of the New America Foundation's Open Tech Institute. RDR issues report-cards that evaluate how Internet giants and other companies handle your data: what do they promise, do they encrypt, and who do they share it with? Virtually every company gets a failing grade in virtually every category.

The problem of a report card that issues nothing but failing grades is an urgent and thorny one. Take cars: virtually every car on the road today is designed to invoke the protection of the DMCA against security researchers who want to make sure that its firmware isn't deadly to the driver, either due to programmer error or fraud. Without independent verification of firmware, no car should be trusted with your life. If you were issuing a report card on the information security of contemporary automobiles, your only honest recommendation would have to be: DON'T DRIVE.

This is a recipe for security nihilism. If you must drive, but all the cars are potential death-traps, you are apt to just stop paying attention to consumer advice and ranking.

But there's precedent. Before asbestos's deadly nature was understood, most insulation contained asbestos. Before the campaigns for seat-belts, almost no cars had seat-belts. In other words, there was a time when consumer advocacy groups' recommendation for which vital, non-optional product you should buy was DON'T. Somehow, they made a difference. They didn't counsel buying "low asbestos" insulation or cars that were "seatbelt ready." They scared the shit out of manufacturers (in part by putting ideas into class-action lawyers' heads), and the result was a total overhaul of industry after industry.

That's what we have to do with Internet companies. Because when you look at RDR's report-cards, it's clear that the net is unsafe at any speed. The difficulty this time is going to be that governments, far from protecting the public's privacy through regulation or liability, would prefer that Internet companies collect everything and store it forever, so that the state can snaffle it up without having to incur the expense themselves.

The project, produced in concert with research firm Sustainalytics after detailed study of many, many data handling standards from United Nations reports to Wharton's Zicklin Accountability Index, defines the borders of public corporate contracts on the internet. What happens legally when you pass information through Facebook? Or Gmail? Or Twitter? Or Tumblr? Governments across the globe are creating secret pipelines through which those companies may share your information with them – the US's Cybersecurity Information Sharing Act (Cisa) is only the most recent – and they share data with each other and with advertisers, as well. MacKinnon wants to know how much you're being told about your data's disposition, and by whom.

On a hot day in September in a little Washington DC office, she was listening to a conversation about which technology company had performed best on her group's index of fundamental rights – a series of privacy, human rights and free speech indicators. Google had scored highest, but Twitter seemed to have greater corporate commitment while disdaining the details.

Finally, MacKinnon cut in: "If this was a test, nearly everyone failed."

'If this was a test, nearly everyone failed': how tech giants deny your digital rights
[Sam Thielman/The Guardian]