P11(b). Data about private requests for user information

Please make sure you have read the note on transparency reporting indicators before using this indicator.

The company should regularly publish data about requests for user information that come through private processes.

Elements:

1. Does the company list the number of requests it receives for user information that come through private processes?
2. Does the company list the number of requests for user information that come through private processes with which it complied?
3. Does the company report this data at least once per year?
4. Can the data reported by the company be exported as a structured data file?

Private requests (for user information) — Requests made through a private process rather than a judicial or governmental process. Such requests are often informal and do not involve a formal legal process. According to the Wikimedia Foundation, which produces transparency reports that disclose data on the number of these types of requests it receives, private requests for user information includes cases in which another company sends them a letter or an email requesting “non-public information” about one of its users. This could include a user’s IP address and email.

Structured data — “Data that resides in fixed fields within a record or file. Relational databases and spreadsheets are examples of structured data. Although data in XML files are not fixed in location like traditional database records, they are nevertheless structured, because the data are tagged and can be accurately identified.” Conversely, unstructured data is data that “does not reside in fixed locations. The term generally refers to free-form text, which is ubiquitous. Examples are word processing documents, PDF files, e-mail messages, blogs, Web pages and social sites.” Sources: PC Mag Encyclopedia: “structured data” http://www.pcmag.com/encyclopedia/term/52162/structured-data

“unstructured data” http://www.pcmag.com/encyclopedia/term/53486/unstructured-data

User information — Any data that is connected to an identifiable person, or may be connected to such a person by combining datasets or utilizing data-mining techniques. User information may be either collected or inferred. As further explanation, user information is any data that documents a user’s characteristics and/or activities. This information may or may not be tied to a specific user account. This information includes, but is not limited to, personal correspondence, user-generated content, account preferences and settings, log and access data, data about a user’s activities or preferences collected from third parties either through behavioral tracking or purchasing of data, and all forms of metadata. User information is never considered anonymous except when included solely as a basis to generate global measures (e.g. number of active monthly users). For example, the statement, ‘Our service has 1 million monthly active users,’ contains anonymous data, since it does not give enough information to know who those 1 million users are.

Indicator guidance: Companies increasingly receive private requests to turn over user information. Such requests are often informal requests for user information from a non-governmental entity that do not involve or come through any formal legal process. According to the Wikimedia Foundation, which produces transparency reports that disclose data on the number of these types of requests it receives, private requests for user information includes cases in which another company sends them a letter or an email requesting “non-public information” about one of its users. This could include a user’s IP and email address.

Just as companies should publish data about the government demands they receive to hand over user information, companies should also publish data about requests for user information they receive (and comply with) that come through any private processes. We expect companies to regularly publish data about the number and type of such requests they receive, and the number of such requests with which they comply. Companies should also report this data once a year and ensure the data can be exported in a structured data file.

• Company transparency report
• Company sustainability report
• Corporate social responsibility report