Earlier this year someone stole my personal information -- including my social security number -- and used it to file a false tax return in my name.

That theft resulted in me not being able to file my tax return electronically. Instead I had to send the Internal Revenue Service a hard copy along with an affidavit proving that I'm me. Resolving the situation could take as long as six months and until then my refund sits in limbo.

As far as identity theft goes, those consequences are not too bad -- really more of an inconvenience than a major problem. But having personal data stolen can lead to much bigger problems. Someone using your name illegally can ruin your credit. In some cases, proving that you did not take out a loan, get a credit card, or do whatever else can be a major challenge.

Some identity theft happens despite the extreme security measures taken by some companies to protect personal info and keep it out of anyone's hands -- including the government. Not all companies are as diligent, however. You may be surprised by which ones score the lowest ratings on the Electronic Frontier Foundation's annual Who Has Your Back report on data collection practices, which examines how tech companies protect your data from government requests.

Of course, Congress, the Federal Communications Commission, or any other government agency are not likely to steal your identity, but the more your data is shared, the better chance there is of it getting out. Companies that are diligent in protecting your info from the government are probably also the ones most likely to keep it safe in general.  

What does EFF look at?
The report ranks companies in five categories. 

  1. Does the company follow industry best practices?
  2. Does it tell users about government requests for data before handing that data over?
  3. Does it disclose its policy on data retention?
  4. Does it disclose government content removal requests?
  5. Does it have a pro-user public policy opposing government back doors? 

Now in its fifth year, EFF's report has tracked some pretty remarkable changes in how data is protected. In its first report in 2011, the majority of companies rated received at most one star out of four. That has vastly improved, with all the tracked brands -- except the two that scored worst -- earning at least two stars, and most receiving more.

For this year's report, EFF upped the standard it was looking for and it was impressed with the results.

"We think it's time to expect more from Silicon Valley. We designed this report to take the basic principles of Who Has Your Back up a notch and see which companies were still leading the pack," according to the report. "Already, our newest report has had a similar effect on the industry as a whole, encouraging companies large and small to strive for more when it comes to standing by their users."

It's not all good news
While the majority of the companies tracked improved their ratings and nine received perfect scores, EFF found that AT&T (T -1.21%), Verizon (VZ -4.67%), and Facebook's (META 0.14%) WhatsApp "lag behind [the] industry in standing by users." Both AT&T and WhatsApp only scored one star while Verizon managed two.

EFF noted that AT&T would have received a perfect score based on the prior year's standard, but it failed to meet most of the strengthened criteria. Verizon scored two stars and the company "has adopted some of the best practices we've identified as part of this report, according to EFF, but it's still lacking in a number of areas.

"There is room for improvement," EFF wrote. "Verizon should have a stronger policy of informing users of government requests, disclose its data retention policies, and take a public position opposing back doors." 

In general, EFF was fairly kind to AT&T and Verizon, noting that both companies had made attempts to comply. It did not offer similar kudos to WhatsApp.

WhatsApp earns one star in this year's Who Has Your Back report. This is WhatsApp's first year in the report, and although EFF gave the company a full year to prepare for its inclusion in the report, it has adopted none of the best practices we've identified as part of this report....WhatsApp should publicly require a warrant before turning over user content, publish a law enforcement guide and transparency report, have a stronger policy of informing users of government requests, and disclose its data retention policies. 

Facebook scored a solid four-star rating (five stars is the maximum) making WhatsApp's failure even more peculiar.

What does this mean to you?
If a company does not have a pro-consumer policy to keep your data safe, then you should consider not giving any personal information to that business. EFF has put pressure on companies to improve and evolve their security and that must be a constant process. In some ways, it has filled a void left by Congress, which has not been at the forefront making laws requiring data to be protected.

A commitment to maintaining data security is critical to operating any business that stores information online. Companies that are shoddy or willing to cut corners can ultimately cost you time and money.

This is a clear case where consumers should vote with their wallets. Keeping personal information private has only become more important now that so many digital doors can be opened with that info.