Electronic Frontier Foundation+Discloses policies on data retention

Discloses policies on data retention

Does the company disclose policies on data retention?

Metric value
Companies Values
2015 = Yes /Yes,No,steps in the right direction
2015 = Yes /Yes,No,steps in the right direction
2015 = Yes /Yes,No,steps in the right direction
2015 = Yes /Yes,No,steps in the right direction
2015 = Yes /Yes,No,steps in the right direction
2015 = Yes /Yes,No,steps in the right direction
2015 = Yes /Yes,No,steps in the right direction
2015 = Yes /Yes,No,steps in the right direction
2015 = Yes /Yes,No,steps in the right direction
Apple Inc.
2015 = Yes /Yes,No,steps in the right direction
2015 = Yes /Yes,No,steps in the right direction
Adobe Systems
2015 = Yes /Yes,No,steps in the right direction
2015 = Yes /Yes,No,steps in the right direction
2015 = Yes /Yes,No,steps in the right direction
2015 = Yes /Yes,No,steps in the right direction
Facebook Inc.
2015 = Yes /Yes,No,steps in the right direction
Microsoft Corporation
2015 = No /Yes,No,steps in the right direction
2015 = No /Yes,No,steps in the right direction
2015 = No /Yes,No,steps in the right direction
Amazon.com, Inc.
2015 = No /Yes,No,steps in the right direction

Export: csv / json

Designed By
Metric Type
Research Policy
Community Assessed
Report Type
Value Type

Yes , No and steps in the right direction


In 2015, Electronic Frontier Foundation evaluated companies on whether they were transparent about what deleted data they stored. Often, users may not realize that data they delete from an email service provider or off a social network is still stored and available to law enforcement agencies upon request. Transparency is the first step to educating users about what happens to their deleted data, so we are evaluating companies on their transparency practices in this category. Note that EFF aren’t making specific requirements about a company deleting data after a certain time. Indeed, some companies publicly state that they maintain deleted data and server logs indefinitely—a practice we think is terrible for users. However, for this report, they’re just asking companies to be clear about retention periods for data collected that may not be easily viewable to the user (including IP addresses and DHCP data) as well as content that users deleted.


We live digital lives—from the videos shared on social networks, to location-aware apps on mobile phones, to log-in data for connecting to our email, to our stored documents, to our search history. The personal, the profound, and even the absurd are all transcribed into data packets, whizzing through the fiber-optic arteries of the network.

While our daily lives have upgraded to the 21st century, the law hasn’t kept pace. To date, the U.S. Congress hasn’t managed to update the 1986 Electronic Communications Privacy Act to acknowledge that email stored more than 6 months deserves identical protections to email stored less than 6 months. Congress also dragged its feet on halting the NSA’s indiscriminate surveillance of online communications and has yet to enact the strong reforms we deserve. Congress is even on the precipice of making things far worse, considering proposals that would mandate government backdoors into the technology we rely on to digitally communicate.

In this climate, we increasingly look to technology companies themselves to have the strongest possible policies when it comes to protecting user rights. Which companies will stand by users, insisting on transparency and strong legal standards around government access to user data? And which companies make those policies public, letting the world—and their own users—judge their stances on standing up for privacy rights?

For four years, the Electronic Frontier Foundation documented the practices of major Internet companies and service providers, judging their publicly available policies, and highlighting best practices. Over the course of those first four reports, we watched a transformation take place among the practices of major technology companies. Overwhelmingly, tech giants began publishing annual reports about government data requests, promising to provide users notice when the government sought access to their data, and requiring a search warrant before handing over user content. Those best practices we identified in early reports became industry standards in a few short years, and we’re proud of the role our annual report played in pushing companies to institute these changes.

But times have changed, and now users expect more.

The criteria we used to judge companies in 2011 were ambitious for the time, but they’ve been almost universally adopted in the years since then. Now, users should expect companies to far exceed the standards articulated in the original Who Has Your Back report. Users should look to companies like Google, Apple, Facebook, and Amazon to be transparent about the types of content that is blocked or censored in response to government requests, as well as what deleted data is kept around in case government agents seek it in the future. We also look to these companies to take a principled stance against government-mandated backdoors.

In this, our fifth annual Who Has Your Back report, we took the main principles of the prior reports and rolled them into a single category: Industry-Accepted Best Practices. We’ve also refined our expectations around providing users notice and added new categories to highlight other important transparency and user rights issues.

We think it’s time to expect more from Silicon Valley. We designed this report to take the basic principles of Who Has Your Back up a notch and see which companies were still leading the pack. Already, our newest report has had a similar effect on the industry as a whole, encouraging companies large and small to strive for more when it comes to standing by their users. In the months since we first told the companies what this year’s criteria would be, we’ve seen significant improvement in company practices. And we hope—and expect—that over the next year, we’ll see even more.

Download the complete Who Has Your Back? 2015: Protecting Your Data From Government Requests report as a PDF.

Bulk Import