Phase 1 Draft Criteria

UPDATE August 12, 2013: We now have two versions of the Phase 1 Draft Research Criteria:

• July 11 version used in case studies focused on Internet companies.

• August 12 version used in case studies focused on telecommunications companies.

(Note: In both documents, all changes made since the original document was first published on July 1 are visible as tracked changes.)

Overview:

In 2013 the Ranking Digital Rights project is developing a methodology to rank the world’s major information and communications technology (ICT) companies on policies and practices related to free expression and privacy. Due to the complexity of the ICT sector, we are taking a two-phase approach:

Phase 1 (2013-2014) covers Internet and telecommunications companies. Research and stakeholder consultation required to develop the methodology is being conducted in 2013. A draft of the methodology will be published for public consultation in early 2014. Once finalized, the methodology will be applied to a data collection and analysis process in the first half of 2014. The project’s first rankings report, in which companies will be scored, will be published in late 2014.

Phase 2 (2014-2015) adds software, networking equipment, and devices. Methodology development takes place in 2014, with the project’s second rankings report covering all categories of ICT sector companies to be published in late 2015.

This document contains the Phase 1 Criteria Research Draft for measuring Internet and telecommunications companies’ policies and practices. This draft of the criteria will be applied by researchers in case studies to selected Internet and telecommunications companies in a range of different jurisdictions and contexts. That research in turn will contribute to the drafting of a full methodology by the end of 2013. This draft is based on:

• Feedback on two earlier drafts from academics, technologists, advocates, investors, experts on business and human rights, and specialists on corporate accountability and rankings (click here for summaries of workshops and consultations);

• Review of other corporate rankings and indexes, most focusing on other issues related to business and human rights and/or sustainability (see our resource page);

• Review of other relevant research, publications, and corporate accountability projects (see our resource page);

• Identification of specific human rights risk scenarios for users of Internet and telecommunications platforms and services worldwide;

• Extensive and long-running engagement with the Global Network Initiative (GNI), the UN Working Group on Business and Human Rights[1], and the European Commission’s ICT Sector Guide on Implementing the UN Guiding Principles for Business and Human Rights[2].

Broader objectives:

Our purpose in ranking companies according to a version of the criteria below is to:

1)    Educate a broader audience of Internet users, advocacy groups, consumers, investors, policymakers, and companies themselves on baseline standards of corporate policy and practice that we believe should be achievable in the medium-term by existing companies.

2)    Identify: a) which companies can be considered industry leaders on free expression and privacy in what specific ways, and b) which companies could be doing much more to respect customers’ and users’ digital rights.

3)    Point the way for all companies to improve their policies and practices through concrete, measurable steps.

Building on emerging global standards

In 2008 the Global Network Initiative (GNI)[3], a multi-stakeholder initiative of companies, NGO’s, socially responsible investors, and academics, launched a set of principles for the ICT sector on free expression and privacy based on international human rights law enshrined in the UN Declaration of Human Rights and the two UN human rights covenants. Alongside those principles, the GNI published a set of Implementation Guidelines for how companies can act on their commitments through establishing company-wide policies and procedures, conducting human rights impact assessments, and maximizing transparency with users and customers about how the company responds to government demands.

Companies that join the GNI commit not only to the Principles and Implementation Guidelines. They also agree to undergo an independent assessment by certified independent assessors who verify whether member companies have put in place adequate policies and practices to implement the principles. Assessors further verify whether those policies and practices are being carried out by the company in a manner that results in greater respect for user and customers’ rights to free expression and privacy in the face of government demands that sometimes contradict human rights law. Without such an assessment, there is no way that the public can be certain that company actions actually match their claims about and public commitments.

In 2011 the UN Guiding Principles on Business and Human Rights (“the GP’s”) [4] affirmed that while governments have the primary responsibility to protect human rights, companies also have a responsibility to respect human rights, including:

a)    Determining specifically how their products, services, or business processes affect human rights both positively and negatively (in other words, to conduct what is called a “human rights impact assessment”);

b)    Implementing  policies and practices designed to mitigate human rights risks and avoid complicity in human rights abuses to the fullest extent possible;

c)    Engaging with organizations and individuals who are at greatest human rights risk in relation to the company’s product or service in order to address their concerns, understand their risks, and construct the best possible policies and practices for respecting their rights;

d)    Providing remedy to aggrieved parties.

Explanation of draft criteria elements:

This draft criteria identifies three key issue areas: The first is based on general responsibilities of business in the context of long-established international human rights standards. The second two issue areas address businesses’ specific responsibilities towards two specific rights: freedom of expression and privacy. Each is coded with a different letter:

G – General human rights responsibilities – As outlined in the “International Bill of Human Rights” comprising the Universal Declaration of Human Rights (UDHR), the International Covenant on Civil and Political Rights (ICCPR) and the International Covenant on Economic and Social Rights.[5] The UN Guiding Principles on Business and Human Rights provide a framework for how businesses should uphold their responsibility to protect human rights, while the European Commission (EC)’s ICT Sector Guide on Implementing the UN Guiding Principles for Business and Human Rights provides specific guidance to the ICT sector in meeting all human rights obligations.

F – Free Expression – As articulated in Article 19 of the UDHR and Article 19 of the ICCPR.[6]  These criteria relate to company responses to government censorship and service shut-down demands as well as to company enforcement of their own terms of service. The GNI Principles and Implementation Guidelines address companies’ responsibility to uphold freedom of expression in the context of government demands, while the EC Guidance addresses free expression issues more broadly alongside all other human rights concerns.

P – Privacy – Article 12 of the UDHR and Article 17 of the ICCPR.[7] These criteria relate to all practices involving collection and sharing of information about users and customers that could have negative affects on the civil and political lives[8] of technology users. These practices include company responses to government surveillance demands, data collection and third-party sharing practices, as well as companies’ own rules governing user or customer identity. The GNI Principles and Implementation Guidelines address companies’ responsibility to uphold privacy rights in the context of government demands, while the EC Guidance addresses privacy issues more broadly alongside all other human rights concerns.

Within the three issue areas, three indicator categories are:

1. Commitment – This indicator measures whether and to what extent the company has made public commitments to uphold rights covered by each of the three issue areas. It also measures whether and to what extent it takes concrete steps to understand the real-world impacts of its products, services, and/or operations on human rights generally, and free expression and privacy specifically.

2. Practice – This indicator measures the existence of specific policies, practices and mechanisms carried out by the company.

3. Transparency – This indicator measures the extent to which a company communicates clearly with its users or customers, as well as the broader public, about how and to what extent it responds to government demands, how it formulates and enforces its own Terms of service or use, etc.

Each category contains a list of questions and sub-questions. Each question is coded with a letter for the issue category plus a number for the indicator. Questions answerable through desk research (review of publicly available material) are not highlighted. Questions requiring a company interview or survey are highlighted in blue.  Questions likely requiring a combination of desk research followed up by interview are in green.

NOTE: companies will not be scored according to this Research Draft, which is for preliminary case study research and analysis purposes only. After the criteria below have been tested and analyzed by case study researchers, they will be revised and incorporated into a full methodology which includes a company selection process and weighting of the criteria. After the methodology is finalized and applied in 2014, each company will receive a score for each of the three issue areas (General, Free Expression, Privacy). That score will in turn be divided into three parts (Commitment, Practice, Transparency).

Starting with what we know we can measure now.

Many experts and stakeholders have emphasized that it is important to measure not only what companies say but what they do. This concern must be balanced by practical considerations of what questions about company practices we would actually be able to answer, in a consistent manner, across what dozens of companies headquartered in a range of countries.

There is also the question of manageable scope. A list of every possible measure that many advocates and technologists believe companies should take in order to maximize freedom of expression and privacy for the world’s Internet users would produce a ranking – and require a data collection and analysis process – of excessive complexity that would overwhelm this project’s scope and capacity.

Finally, it is important to recognize that the criteria we have included in this draft already represent a major challenge to most companies. We have learned a great deal from observing the GNI founding companies’ experience in making commitments, putting policies and practices in place, and undergoing independent assessment. Compared to the GNI Principles and Implementation Guidelines, these criteria are more prescriptive and represent a higher but not unattainable standard of commitment, practice, and transparency. It is therefore our view that if companies come anywhere close to meeting the standards laid out in these criteria, substantial, genuinely meaningful improvements in those companies’ human rights impact will necessarily result – even if those improvements remain incomplete and imperfect.

Note on Terminology:

A few terms used in the criteria merit further explanation:

Multi-Stakeholder Organization – An organization that includes and is governed by members from at least three other groups besides industry: civil society, academics, at-large user or customer representatives, investors, and/or government.

Due Diligence and Human Rights Impact Assessments – In order to uphold their human rights responsibilities companies need to engage in a continuous internal process of identifying and assessing the negative impacts on human rights with which they may be involved in any way. These “impacts” include actual impacts (past or current) as well as potential impacts (those possible in the future). A detailed overview of best practices in human rights due diligence and impact assessments in the ICT sector context can be found in the ICT Sector Guide on Implementing the UN Guiding Principles on Business and Human Rights published by the European Commission and written by the Institute for Human Rights and Business and Shift.[9]

Independent Third-Party Assessment – A number of questions in the criteria ask whether the existence or quality of a particular policy or process has been verified by an independent assessor. These questions are based on the practical reality that if the claims made by a company cannot be independently verified, those claims have limited value. Only when a company’s claims about its human rights policies and practices are verified by a credible independent third party assessment process, whose conclusions are made public, can that company be considered to have met basic standards of public accountability. While this idea may seem new to many executives in the ICT sector, it is a core principle on which a growing number of corporate accountability systems focused on other sectors and other human rights issues are now being built.

In 2013 the GNI is the only organization in the world offering an independent third-party assessment process for ICT companies on free expression and privacy criteria, whose conclusions are publicly reported. However, it is important to note that having undergone GNI assessment may or may not earn the company a full score on that particular criteria item; it depends on whether GNI publishes sufficient detail about the results of its assessments so that an external researcher (who is not a GNI board member or participant) can satisfactorily determine the answers to specific criteria questions regarding assessment.