Protect our Privacy and Security

Tell tech companies to sign the Security Pledge to protect our privacy and help build a surveillance-resistant web. [1]

Corporate and government attacks on human rights to privacy, security, and liberty are increasing across the globe, and technology plays a central role in extending their reach. Technology can empower and grant freedoms to us all, but now our online data is empowering data brokers, ISPs, surveillance companies, and runaway government agencies to discriminate, exploit, and limit our freedoms. If a company wanted to exploit, or an authoritarian government wanted to surveil, everyone affiliated with a certain racial, religious, or political group, they could do so with the information collected on innocent people by technology and social media companies. Companies and governments can exploit the massive troves of data companies have on people and weak links in Internet security. They can twist the Internet into something it was never meant to be: a weapon against the public.

Tech companies have also faced increased scrutiny from the public and policymakers over their inability to protect the privacy and security of their users. Facebook recently dealt with a security breach exposing 50 million accounts that eroded user trust, and its failure to disclose its data-sharing deals spurred calls for regulatory action across the whole industry. [2] [3]

Tech companies should take steps to protect users and earn back their trust. We ask tech companies to join companies like Adblock Plus and DuckDuckGo in signing the Security Pledge, committing to:

  1. Ensure Users Have Access to and Control Over Their Data. We need to know that we are in control of our personal information. Commit to meaningful transparency, including providing users full access to all data you have collected and a list of all parties given access to that data. In addition, provide users full control, which includes requiring explicit opt-in consent, over the retention, sharing, or use of their information, including all data sharing with third parties. Adopt auditing procedures to ensure that shared data is used consistently with the users’ preferences. Guarantee that users have an easy and free way to download all the data you have about them in a standardized, open, and usable format. Allow users to delete their entire account and permanently eliminate their data from your servers if they choose to, except when prohibited by law.
  2. Protect Our Data. We use the Internet to communicate about nearly everything, from banking to politics. Commit to following best practices to secure this information, including offering independently audited end-to-end encryption by default. Prohibit the use of your products and services, including your APIs, by developers to collect information about your customers and users without appropriate consent for third-party commercial tracking or governmental surveillance purposes. If you are the victim of a data breach or contract violation, notify your users promptly if their information has been compromised or shared without their consent. Commit to providing updates to your products when necessary and notify users with an end-of-life announcement when you no longer plan to provide services. Notify customers in the case of a breach or identified vulnerabilities related to user data being exposed. When other companies you work with fail to keep products updated, proactively warn users and potential buyers about them.
  3. Limit the Data You Collect. Data can last forever and harm people in unpredictable ways. The best way to guard against that harm is to not collect or store it. Review your data collection practices, and stop collecting and storing information that isn't necessary for your product or business.
  4. Ensure All Communities Receive Equal Protections. Algorithms are not neutral by default, and can easily reflect or exacerbate historical biases. Commit to policies that do not further or exploit discrimination and unequal treatment. From the development stage onward, evaluate the impact of products on various communities, including those that have been historically discriminated against, and test the impact of those products when possible or when concerns about such effects have been brought to your attention. Ensure that there are avenues for outside researchers to evaluate bias or discriminatory impact of your product. Do not collect information that is vulnerable to misuse, including information about your customers’ and employees’ immigration status, political views, national origin, nationality, or religion, unless required by law or strictly necessary for the service you provide.
  5. Resist Improper Government Access and Support Pro-Privacy Laws. Supporting strong legal privacy protections can both protect your users and earn their respect. Pledge to refuse voluntary requests for data in non-emergency situations, and fight overly broad, questionable, and illegal efforts to surveil your users, in the courts and in the public sphere. Contribute to the broader conversation about government access to private data by publishing transparency reports detailing requests from governments to the greatest extent allowed by law and by providing notice to individual customers or users whose records are sought or obtained by the government unless barred from doing so. If you engage in policy debates, support laws that enhance user privacy, including laws that require a warrant before the government can demand information about your users, and support reforms that curtail mass surveillance. If you engage in lobbying or public policy debates, then support immigration policies that ensure immigrants (including your own employees) are treated humanely, receive due process, and are not discriminated against.

[1] https://www.securitypledge.com

[2] https://www.bloomberg.com/news/articles/2018-09-29/facebook-s-worst-security-breach-hammers-user-trust-once-again

[3] https://www.nytimes.com/2018/12/19/technology/facebook-data-privacy-criticism.html