See you at RightsCon!

This week, the Ranking Digital Rights team is in Brussels for RightsCon, an annual conference on digital rights organized by Access Now. We are organizing and participating in several sessions and look forward to discussions with human rights and technology experts and advocates from all over the world.

On Wednesday March 29 at 2:30pm, we will host the European launch of the newly-released 2017 Ranking Digital Rights Corporate Accountability Index, which found that 22 of the world’s leading internet, mobile, and telecommunications companies are leaving users in the dark on their policies affecting free expression and privacy rights. Project director Rebecca MacKinnon will give a brief presentation highlighting the report’s key findings and recommendations, followed by a discussion with panelists and audience members. We hope the session will provide a jumping off point for further conversation throughout RightsCon with people interested in collaborating on research and advocacy. The launch event will be held in “Creativity & Exploration, 1st Floor.”

On Friday March 31 at 12pm, join us for “How to Talk So Companies Will Listen, and Listen So Companies Will Talk: Doing company advocacy and research.” In this roundtable discussion, seasoned researchers and advocates will share how they work to understand company policies and practices, and share insights on the most effective ways to engage with companies for change. Participants will discuss challenges they’ve encountered in their research and advocacy efforts as well as tips and best practices for overcoming them. This session will be held in “Evasion, 1st Floor.”

Rebecca MacKinnon is also speaking in the session, “Everything We Know About Internet Shutdowns,” on Wednesday March 29 at 12pm, in “Palace Ballroom I, Ground Floor.”

The full conference program is available here. Our team will be at RightsCon for the entire conference, so feel free to get in touch if you’d like to connect: info@rankingdigitalrights.org.

The Ranking Digital Rights 2017 Corporate Accountability Index is now online!

The 2017 Ranking Digital Rights Corporate Accountability Index finds the world’s most powerful internet, mobile and telecommunications companies leave users in the dark, failing to disclose key information about policies affecting users’ rights.

Tune in here at 9:30am ET (13:30 GMT) to watch the 2017 Index launch event at New America in Washington, DC. You can also join the conversation on Twitter by following @rankingrights and by using the hashtag #rankingrights.

According to the 2017 Corporate Accountability Index, top companies fail to disclose key corporate policies and practices affecting freedom of expression and privacy. While some companies have improved since they were first evaluated in 2015, most of the world’s internet users do not receive adequate information about how companies’ policies affect what users can or cannot say online or who is tracking them. Ranking Digital Rights analyzed a representative group of 22 companies whose products and services collectively are used by over half of the world’s 3.7 billion internet users. It builds on the 2015 Corporate Accountability Index, which found widespread failure by companies evaluated to disclose key information about their policies and practices affecting freedom of expression and privacy.

Companies were assessed on 35 indicators in three categories: Governance, Freedom of Expression, and Privacy. This methodology was revised since the 2015 Index, following an extensive review and consultation process. It also includes new indicators, focusing on company disclosures related to issues such as network shutdowns and  data breaches.

Selected findings include:

Top scores: Overall, Google ranked highest among 12 internet and mobile companies, followed closely by Microsoft. They were the only two companies to score over 60 percent.

The U.K.-based Vodafone and U.S.-based AT&T tied for first place among 10 telecommunications companies, despite significant gaps resulting in scores of less than 50 percent.

Mobile ecosystems: Six new companies were added to the 2017 Index, including Apple and Samsung, which control the world’s largest mobile ecosystems.

Apple ranked seventh among the 12 internet and mobile companies evaluated, with an overall score of only 35 percent, despite the company’s strong public stand for users’ privacy rights in the face of recent U.S. government demands. A major reason for Apple’s relatively low score was lack of disclosure about commitments and policies affecting freedom of expression. Also, next to its U.S. peers, Apple disclosed little about how or whether it has institutionalized commitments to protect users’ rights. Samsung ranked ninth out of 12 companies in the same category, scoring only 26 percent.

Given that most of the world’s new internet users are coming online through smartphones it is especially troubling that companies controlling the world’s mobile ecosystems do not clearly disclose policies affecting users’ freedom of expression and privacy. We hope the Index will lead to greater corporate transparency across the industry, thereby empowering users to make more informed decisions about how they use technology.

Other highlights of the 2017 Index:

  • Freedom of expression is getting short-changed. How do the company’s actions affect our ability to publish, transmit, or access content? With a couple of notable exceptions, most companies disclosed the least amount of information about policies that affect users’ freedom of expression.
  • Handling of user information is opaque. How and for what purpose is our information collected, shared, retained, and used?  If somebody were to build a profile on us using this information what would it look like? Companies don’t disclose enough for us to understand our risks and make informed choices.
  • Security commitments lack sufficient evidence. Is a company making maximum efforts to keep our information secure? While we don’t expect companies to reveal security information that will help attackers, they need to provide clearer evidence that their security policies and practices are robust enough for us to trust them with sensitive information.

The Index also includes practical recommendations for steps that internet and telecommunications companies–as well as other companies throughout the sector–can take to improve. These include:

  • Provide concrete evidence that the company has institutionalized its commitments. While it is important for company leaders to demonstrate strong personal commitments to users’ rights, it is even more important that such commitments be clearly institutionalized. Otherwise, how do users know whether policies and practices will change or stay the same after key individuals leave the company?
  • Explain to users why speech, access to information, or access to service may be blocked or constrained. Who has the ability to ask the company to remove or block content or otherwise restrict speech? How does the company handle these requests? Are there effective grievance and remedy mechanisms? Companies must be transparent and accountable about the circumstances under which access to a service may be denied, or content is restricted or blocked.
  • Demonstrate a credible commitment to security. Companies should maintain industry standards of encryption and security, conduct security audits, monitor employee access to information, and educate users about threats. These policies and practices should be disclosed to users.

To view and download the complete reportincluding in-depth analysis and “report cards” for each company—as well as raw data files and other materials, visit rankingdigitalrights.org/index2017.

The 2017 Index website and data visualization were developed in partnership with the SHARE Foundation, a digital rights NGO.

New, global accountability mechanisms needed for a free and open internet

As governments around the world adopt internet regulations that clash with international human rights norms, new and more innovative mechanisms are needed to hold tech companies accountable to these standards, according to a new paper by Ranking Digital Rights (RDR) team members published by the Centre for International Governance Innovation (CIGI).

In the paper, “Corporate Accountability for a Free and Open Internet,” authors Rebecca MacKinnon, Nathalie Marechal, and Priya Kumar make the case for how global human rights benchmarking and evaluation projects like RDR’s Corporate Accountability Index help fill “governance gaps” caused by the failure of traditional governance institutions to hold governments and companies accountable for protecting and respecting the rights of internet users around the world.     

“Private Internet intermediaries increasingly find themselves at odds with governments, with serious implications for human rights,” according to the authors. “Even where law does not compel companies to violate users’ rights, companies generally lack sufficient market and regulatory incentives to protect the human rights of all of their users.”

The authors therefore call for new cross-border accountability initiatives outside existing governance institutions that will strengthen and enforce corporate accountability in upholding international freedom of expression and privacy standards: “If international legal and treaty frameworks cannot adequately protect human rights, then other types of governance and accountability mechanisms are urgently needed to provide incentives to owners and operators of Internet platforms and services to respect human rights,” according to the authors.  

Ranking Digital Rights is one of several efforts that might serve as building blocks for such mechanisms and institutions, according to the authors. The inaugural Index, published in November 2015, ranked Internet and telecommunications companies on 31 indicators evaluating disclosed commitments, policies and practices affecting Internet users’ freedom of expression and right to privacy. These types of rankings, when combined with transparency and disclosure frameworks, can help foster greater accountability as well as respect for international human rights standards.

Why companies fail on privacy policies

Why are privacy policies so difficult to understand? Because they are vague and unclear–which prevents users from understanding what companies do with their information, according to new research by former Ranking Digital Rights (RDR) research analyst Priya Kumar.

In November 2016, Kumar presented a paper using data from RDR’s 2015 Corporate Accountability Index, in which she analyzed the privacy policies of 16 of the world’s largest tech companies evaluated in that year’s Index. Her research shows that these companies typically fail to convey to users what happens to their information–from the point it is collected to when it is (possibly) deleted. Kumar finds that along with vague or unclear language, the lack of uniform definitions for what companies consider “personal information” make it difficult for users to get a complete and accurate picture of how companies handle their information.

The analysis also shows that companies are more transparent about the information they collect compared to what information they share, and that companies are least transparent about what user information they retain–even after a user deletes their account or service. “People would expect a company to keep information they actively submit to the service (e.g., posts, messages, photos, videos, etc.), until they delete it themselves,” according to Kumar. “But companies collect several other types of user information, and they typically fail to disclose how long they retain those types of information.”

The paper was presented as part of the Privacy and Language Technologies track of the Association for the Advancement of Artificial Intelligence’s (AAAI) Fall Symposium Series held in Virginia. Click the link for a PDF of the paper: Privacy Policies and Their Lack of Clear Disclosure Regarding the Life Cycle of User Information

RDR @ the 2016 IGF

Last week, Ranking Digital Rights traveled to Guadalajara, Mexico for the the 11th Internet Governance Forum. The theme this year was “Enabling Inclusive and Sustainable Growth.” In all of the workshops and panels we participated in, our message focused on a central concern: as the next billion people get connected to the internet, their human rights need to be protected and respected by governments and companies. We believe that our Corporate Accountability Index produces data and analysis that can help governments, businesses, and civil society work together to address the concrete challenges in protecting, respecting, and defending human rights in the digital age.

Many of the official IGF sessions and side meetings provoked thoughtful discussion and provided us with ample opportunity to share insights from our work researching and analyzing Internet and telecommunications companies’ human rights-related public disclosures.

Some of the issues we highlighted included:

It is crucial that people have control over how their identities are presented online, as Rebecca MacKinnon noted in the session Human Rights: Broadening the Conversation. Real identity policies are pernicious, particularly for gender minorities and members of marginalized groups, and companies should bear this in mind when determining the choices they provide users.

We stressed the importance of companies disclosing information relating to government requests for user data – both in terms of their processes for responding to these requests, including indicating that they push back against inappropriate or overly broad requests, as well as data about the number of government requests received and with which they complied. This issue was also highlighted by civil society activists from Mexico, who noted that Mexican authorities often obtain user information without oversight or judicial warrants.

We also pointed out that governments have an important role to play to ensure companies adequately respect human rights. In some instances, regulatory ambiguity can leave companies unsure if the law prohibits disclosure on certain issues, and therefore they withhold publishing information on their policies or practices. We’ve also seen in our research that in countries that haven’t passed data protection laws, companies tend to not adhere to best practices for collection of user information.

Combatting online violent extremism was a recurring topic of discussion, particularly in light of the recent announcement that Google, Facebook, Microsoft, and Twitter planned to create “a shared industry database of ‘hashes’ — unique digital ‘fingerprints’ — for violent terrorist imagery or terrorist recruitment videos or images that [they] have removed from [their] services.” We again stressed the need for transparency and accountability for such a system, and for independent review for how images are included in it, as we’ve found that companies’ disclosure around their Terms of Service enforcement is often lacking. Companies have been under enormous pressure from governments to do something about this issue. At the same time, any new measures taken to facilitate the removal of content need to be carried out in a manner that is responsible, accountable, and respects users’ rights. It is vital that companies work closely with civil society to make sure that implementation of the new database system does not inflict new “collateral damage” on freedom of expression.  

Although much of the human rights trends highlighted by civil society at the conference were negative, as censorship and surveillance are on the rise around the world, there is also some cause for optimism. Many ICT companies, particularly those that are members of the Global Network Initiative, are making commitments to respect human rights throughout their operations and carrying out due diligence to ensure these commitments are upheld. This may include instituting board-level oversight on privacy and free expression matters, creating mechanisms for grievance and remedy, and conducting human rights impact assessments. These practices, among others, are evaluated in the “Governance” section of our 2017 methodology (previously referred to as “Commitment” in the 2015 Index). As MacKinnon concluded in the session Implementing Human Rights Standards to the ICT Sector, “Despite all of our complaints, which are many and justified, I think things would be a lot worse if we hadn’t had this system where companies are being held accountable to whether or not they are implementing their [human rights] commitments and whether or not they have a system in place.”

In addition to the official IGF sessions, we met with representatives from civil society, governments, the private sector, academia, and others to discuss a wide range of issues. Several of RDR’s research partners also attended the IGF, and we had a productive meeting with them to share and receive feedback on our ongoing research process and also begin brainstorming plans around the 2017 Index launch this March.

We’re looking forward to continuing many of these conversations in the new year, and in the lead-up to the launch of our 2017 Corporate Accountability Index, which will be launched in advance of RightsCon in late March. Stay tuned!