Facebook continues to find itself in the spotlight. The American Civil Liberties Union (ACLU) and six other campaign groups have responded to the company’s privacy controversy by calling on tech companies to sign a “security pledge”. The pledge asks companies to make four promises to their customers and users. The promises are:
- Limit the amount of data they collect in the first place and give users control over how it is shared.
- Offer end-to-end encryption by default to ensure that users’ communications are protected from corporate and government surveillance.
- Provide users with full transparency about what data is collected, how it is used, and what measures are in place to prevent it from being abused.
- Support legislation and policy reforms that limit government access to user data except with a warrant and judicial oversight.
Is this enough though? In a time when someone like Tim Cook is calling for Facebook to be regulated, is this kind of promise or pledge enough to make significant changes? If we look at the promises one by one, they do make sense in terms of wanting to protect data. But should legislation also be developed that supports these promises? Further, should legislation be created for Facebook themselves? When I say that, I simply mean that Facebook is a whole “thing”. It’s not like anything else, so maybe there needs to be some kind of regulation around it so that it doesn’t get out of hand.
A website has been created for this campaign, and it’s called “Tech Companies Need to Change”. The website makes a good case for why this is an important issue:
“Every day we learn more about how our data is being harvested and used against us. A group of technologists and human rights experts have developed this Security Pledge, a set of principles that — if enough companies adopted them — would ensure the Internet is used to expand democracy, not undermine it.”
The website expands upon the four promises. Point two, which is not only timely but also extremely important, states:
“We use the Internet to communicate about nearly everything, from banking to politics. Commit to following best practices to secure this information, including offering end-to-end encryption by default. Permit public and independent auditing of systems. Prohibit the use of your products and services, including your APIs, to collect information about your customers and users for commercial tracking or governmental surveillance purposes. If you are the victim of a data breach or contract violation, notify your users promptly if their information has been compromised or shared without their consent. Commit to providing updates to your products when necessary, and notifying customers in the case of breach or identified vulnerabilities. When other companies you work with fail to keep products updated, proactively warn users and potential buyers about them.”
The ACLU has shared a list of the companies that it is targeting, and has also included a list of those that have yet to sign, which includes Apple. What’s interesting about this is that Apple has (arguably) the strictest standards for user data security, and it has gone on the record saying that it is unlikely to sign. Apple isn’t saying that it doesn’t agree with the pledge, but it points to its own commitments, rather than wanting to be seen as responding to ones created by someone else. Signing is also viewed as possibly endorsing the organizations behind the campaign itself. Regardless, this initiative means that the message is getting out there for everyone to make their own decisions.