The analysis employs a methodology comprising around twenty core parameters. We rank the major Internet players but we also discuss examples of best and worst privacy practice among smaller companies.
The report was compiled using data derived from public sources (newspaper articles, blog entries, submissions to government inquiries, privacy policies etc), information provided by present and former company staff, technical analysis and interviews with company representatives.
Because the 2007 rankings are a precedent, Privacy International will regard the current report as a consultation report and will establish a broad outreach for two months to ensure that any new and relevant information is taken into account before publishing a full report in September.
About Privacy International
Privacy International (PI) was established in 1990 as a human rights research and campaign organization. It was the first privacy NGO to operate in the global environment and since then has been instrumental in the evolution of the modern international privacy movement. Its key functions are to provide technology assessment, develop reviews of public policy and to act as a watchdog on surveillance by governments and corporations. PI is based in London, and has an office in Washington, D.C. Together with members in 40 countries, PI has conducted campaigns throughout the world on issues ranging from wiretapping and national security activities, to ID cards, video surveillance, data matching, police information systems and medical privacy, and works with a wide range of NGO's, academic institutions and inter-governmental organizations. PI's primary source of funding comes from philanthropic and charitable organizations.
We have previously led campaigns and taken action against the practices of a number of companies including:
- Campaigning against corporate privacy practices, e.g. Amazon
- Identifying the problems in technology design, e.g.problems with advertising in Gmail
- Monitoring and campaigning against the disclosure of data from companies to governments, e.g. EU-US PNR, SWIFT, Telecommunications companies
- Founding and running the Big Brother Awards, now held annually in over 15 countries, that identify 'worst corporate invaders',
- Campaigning against bad practice in account management, for instance preventing users from deleting accounts, e.g. against Amazon and eBay
- Ranking countries for their privacy protection and surveillance levels,
- Building particularly from our work on companies' practices on customer account management and our expertise developed in the country rankings we are now positioned to develop rankings for companies.
Why have we undertaken this study?
For many years, consumers and companies have approached Privacy International asking for our suggestions of good company practice in privacy protection. In the past this has been difficult for us to achieve for a number of reasons, including:
Privacy International does not endorse specific companies. We know the dynamics of this field well enough to understand that even if a company exhibits good privacy practice today, it can quickly change those practices for the worse by tomorrow. It is very difficult and time consuming to accurately discover the privacy practices of a given company and it is often the case that these companies are not fully aware of their own information handling procedures.
We are increasingly concerned about the recent dynamics in the marketplace. While a number of companies have demonstrated integrity in handling personal information (and we have been surprised by the number of 'social networking' sites which are taking some of these issues quite seriously), we are witnessing an increased 'race to the bottom' in corporate surveillance of customers. Some companies are leading the charge through abusive and invasive profiling of their customers' data. This trend is seen by even the most privacy friendly companies as creating competitive disadvantage to those who do not follow that trend, and in some cases to find new and more innovative ways to become even more surveillance-intensive.
We felt that consumers want to know about these surveillance practices so that they can make a better-informed decision about how, whether and with whom they should share their personal information. We also believe that companies need to be more open about how they process information and why it is processed.
Most importantly, we wanted to indicate to the marketplace that their surveillance and tracking activities are being scrutinised
PI has tracked the development of the Internet since the creation of the World Wide Web in the early 1990s. We have continually voiced our concern that this medium provides the potential for a haemorrhage of personal privacy, and we have argued for some years that Internet companies should embrace a wider range of privacy protections for users.
The privacy threat on the Internet arises from a number of factors. Increasing disclosure by consumers of personal information allows companies to capture and process data to a significant extent. New technologies permit the capture of increasingly detailed levels of information. Meanwhile, new Internet products often involve a requirement for user registration, enabling of identifying techniques and agreement to terms and conditions that are frequently hostile to privacy.
However the emergence over the past three years of an aggressive move by major Internet companies into "ad space" has created the most recent and possibly most dangerous threat to privacy. With the creation of a greater range of products and services, increased disclosure of personal information and the evolution of a huge user population came the opportunity to establish new forms of user targeting and profiling to generate greater advertising revenue.
Privacy International has been concerned that this development may result in a "lowest common denominator" for privacy. In contrast to the 1990's vision of the Internet, in which strong privacy could become a market differentiator, the reality in 2007 is that all major Internet players may move to establish a level of user surveillance that results in little or no choice for Internet users and relatively few meaningful privacy mechanisms. Market domination by a handful of key players will ensure that without care, a race to the bottom will evolve during the immediate future.
Our decision to undertake the privacy ranking study is a first attempt at understanding the full spectrum of the privacy threat and to discover where each key player stands with regard to privacy protection. The long term goal of this report is not necessarily to "name and shame" but to highlight crucial trends and imperatives that will shape the future of privacy on the Internet.
This is a consultation report for the following reasons:
- While the data used for this analysis provides a very strong indication of privacy practices, we wish to reach out for more data on how companies' process information. Too many companies presume that statements framed in legal language within their privacy policies actually describe their true information collection and processing practices. When our legal experts reviewed a spectrum of privacy policies we became alarmed at how much we still do not know. We felt that additional time should be allocated in the hope that companies will come forward with more data. The fact that we, as specialists in this field, cannot fully understand the full range of surveillance practices of some companies leaves us greatly concerned about the ability of consumers to make informed decisions in the marketplace.
- We are soliciting comments on the findings of this report from companies, consumer organisations, industry associations and other experts on practices and additional elements. We have been in touch with a number of the companies involved in this study and we hope to receive further relevant information. If useful information is not offered we will wherever possible use legal mechanisms to obtain it.
- We are seeking the assistance of regulators who might help illuminate some of the more arcane collection and processing practices. Privacy commissioners from around the world and even the U.S. Federal Trade Commission can, we hope, help us uncover some of legal challenges arising from the data processing practices of these companies.
A more detailed report will be available in September.