RightsCon 2016: Corporate Accountability Enters the Mainstream

Issues of transparency, encryption, and corporate accountability played a central role at last week’s RightsCon conference in San Francisco, and RDR’s Index and data helped inform many discussions at the annual technology and human rights conference. Participants in various panels and workshops highlighted the value of RDR’s Index. Three public sessions organized by RDR, including a standing room-only session focused on terms of service enforcement, demonstrated how research-based advocacy can push companies to better respect users’ rights and help to inform policy solutions.

In a panel about data breaches, security expert Bruce Schneier called RDR’s Index “very valuable,” since the prospect of performing poorly on a public ranking can make companies think twice about the cost of collecting too much user information. In a session on institutionalizing human rights commitments at companies, Nicole Karlebach and Katie Shay from Yahoo’s Business and Human Rights Program described how engaging with civil society and research organizations, including RDR, gives them useful perspectives to share with other staff at Yahoo. At a session on remedy, Yves Nissim from the French telecom Orange said the company is using the RDR Index and methodology as a guide in its efforts to disclose more information about its practices. In addition, representatives from companies not included in the Index said they used RDR’s methodology to evaluate their own policies.

Many discussions at RightsCon highlighted the need for more transparency about company practices that relate to freedom of expression and privacy. For example, while some companies publish rules or community standards that explain what content is and is not permitted on their service, users are left in the dark about how companies enforce those rules.

Panelists discuss terms of service enforcement at a public session organized by RDR.

Panelists at RDR’s session on terms of service enforcement explained that this lack of clarity means that users can be locked out of their accounts for reasons they don’t understand. Such uncertainty can erode user trust in companies, they added. A few company representatives at the session shared the difficulties they face in reporting such information, which include providing enough context so the public understands what the data means. This mix of participants provided meaningful dialogue on a concern where disclosure is sorely lacking.

Several projects in addition to RDR’s Index are pushing for greater respect for users’ rights. At RightsCon, researchers from the Center for Technology and Society at FGV-Rio de Janeiro discussed their draft findings on how the terms of service of 50 online platforms comply with the human rights of freedom of expression, privacy, and due process. In addition, OnlineCensorship.org released its first report, which found that users whose content is removed may not understand why and that users are either unaware of or unsatisfied with appeal mechanisms.

While corporate transparency regarding terms of service enforcement is nearly non-existent, reporting on government requests for user information has emerged as a standard practice. The Transparency Reporting Toolkit, a project by the Open Technology Institute and Berkman Center, also launched at RightsCon. It identified best practices and aims to develop a platform that companies can use to standardize their reports, enabling greater comparison and more in-depth analysis of the reports.

Throughout the conference, RDR connected with members of these projects as well as others from civil society, academia, companies, and the investor community. We organized a private session to discuss possible revisions to the Index methodology. Participants described how the Index has informed their work and provided feedback about how the indicators relate to the human rights concerns that users face when using such products and services. This feedback helps ensure that RDR’s Index remains a relevant measure to push for greater respect for users’ rights.

At a session on incorporating software and device companies in the Index, technologists and other experts brainstormed how to frame indicators on such topics as encryption and the privacy practices of apps in app stores. The conversation helped highlight the types of public disclosure RDR can evaluate for software and device companies.

While RDR plans to expand the types of companies its Index covers, one project alone can’t cover the full global universe of companies in this sector. RDR has encouraged other civil society and research organizations to use the methodology to conduct national or regional versions of the Index. To promote such projects, we teamed up with EFF on a session to share lessons learned about ranking companies in different parts of the world.

Participants discussed the importance of considering local culture when conducting such research efforts. For example, in regions where companies are not used to engaging with civil society or academic researchers about digital rights issues, researchers can provide examples of other companies in other countries and regions that have changed in response to public pressure. This can underscore the positive intentions of such research.

The RDR team at RightsCon

RDR team members also participated in several other panels and workshops at the event. Rebecca MacKinnon spoke at sessions about cybersecurity and human rights and multi-stakeholder processes. Allon Bar spoke about global perspectives on privacy as well as universal principles for the internet. Priya Kumar discussed data breaches, terms of service and human rights, and freedom of assembly online. Ciprian Iancu presented on digital literacy and digital security training.

Priya’s comments on data breaches and privacy were quoted in a Consumer Reports blog post. Allon’s comments on internet openness were included in a UNESCO article. The Committee to Protect Journalists also highlighted RDR’s involvement with RightsCon in a blog post.

Overall, RightsCon was an exciting opportunity to connect with stakeholders, share our insights, and learn from others. We look forward to reconvening at RightsCon 2017 in Brussels!

RDR @ RightsCon 2016

Next week, the Ranking Digital Rights team heads to San Francisco for the fifth RightsCon conference. Our team is planning and participating in several sessions, and we look forward to many dynamic, informative conversations with experts and advocates from around the world.

Eager to provide feedback on RDR’s potential expansion to include software, device, and networking equipment companies? Then our Day 1 session on Ranking Tech Companies Part 2: Software, Devices and Networking Equipment is the one for you. On Wednesday, March 30 from 4:00-5:00 pm, we’ll converse with privacy and freedom of expression experts, technical specialists, and other participants about how best to incorporate companies that make and sell software, devices, and networking equipment into the already existing RDR methodology.

Interested in corporate transparency? RDR has organized a Day 2 session in partnership with Article 19 focused on Opening the Black Box: Understanding How Companies Enforce Their Rules. Join us on Thursday, March 31 from 12:00-1:15 pm to discuss how companies can be more transparent about their enforcement practices and why governments should be transparent about extra-legal requests they make to companies to restrict content. Our research for the Corporate Accountability Index found that as of November 2015 none of the 16 companies we evaluated reported any data on content they restrict when enforcing terms of service.

Doing company-focused research of your own? Then come to our Day 3 session, “Ranking ICT Companies on Digital Rights: A ‘How To’ Guide” on Friday, April 1 from 9:00-10:15 am. Co-hosted by RDR and EFF, this session is designed for civil society groups who are at various stages of research projects that focus on ICT companies and digital rights. We will learn from each other’s experiences in carrying out company rankings and other company-focused research.

Our team is also participating in additional sessions at RightsCon — come check them out!

The full conference program is available here. Our team will be at RightsCon for the entire conference, so feel free to get in touch if you’d like to connect: info@rankingdigitalrights.org.

RDR in the Public Eye

As issues of encryption, security, and online content restriction dominate the headlines, the RDR team continues to speak and write publicly about why it’s important for companies in the ICT sector to respect users’ freedom of expression and privacy.

Screenshot of the Ford Foundation's Q & A with Rebecca MacKinnon

The Ford Foundation, which supports RDR’s work, featured a Q-and-A with Rebecca MacKinnon focused on the question, “Are tech companies doing enough to protect consumer rights and privacy?”

The team has been active in broader policy discussions about digital rights. MacKinnon participated in a panel on “How to Fight ISIS Without Breaking the Internet” at the South by Southwest Interactive Festival. She spoke about RDR and the state of global Internet freedom at a congressional briefing on “Internet Freedom in the Age of Dictators and Terrorists” organized by the Commission on Security and Cooperation in Europe, also known as the Helsinki Commission. She also joined a panel on “Digital Globalization: The New Era of Global Flows and What it Means for the United States” hosted by New America.

RDR continues to engage with stakeholders about the Corporate Accountability Index, how it is being used, and how we can continue to improve and expand it. Allon Bar and Nathalie Maréchal ran three sessions related to RDR at the Internet Freedom Festival. Priya Kumar participated in a panel on digital rights at the Media Consortium’s annual conference.

In recent weeks, RDR released several documents that build on and extend its work. Spanish translations of the 2015 Corporate Accountability Index methodology, executive summary, and report on Mexico-based telco América Móvil are now available on RDR’s website. A Spanish translation of the full report is coming soon. RDR also submitted comments to the UN Special Rapporteur on Freedom of Opinion and Expression and published an in-depth analysis of the Index’s transparency reporting findings.

Policymakers, educators, and journalists are citing RDR and its work. The Corporate Accountability Index was cited in a paper by the Global Commission on Internet Governance on “The Privatization of Human Rights: Illusions of Consent, Automation, and Neutrality.” A University of Helsinki course, Media Reform: Issues and Stakeholders, references RDR’s Index. MacKinnon was quoted in a Reuters story about India’s recent decision to ban Internet service programs such as Facebook’s Free Basics on the grounds that they violate net neutrality principles.

Improving Corporate Transparency Reporting

Technology companies face mounting pressure to address certain types of content on their platforms. And while some content can be problematic and deserves to be addressed, Ranking Digital Rights emphasizes the need for companies to develop accountable, fair, and consistent practices when doing so.

To that end, RDR’s 2015 Corporate Accountability Index includes several indicators on companies’ transparency reporting practices with regard to free expression and privacy. These indicators examine the extent to which companies explain their processes to evaluate third-party requests for content restriction or for access to user data, and report data about the volume and nature of those requests and about enforcement of their terms of service.

RDR has written a white paper, “Ranking Digital Rights Findings on Transparency Reporting and Companies’ Terms of Service Enforcement” to summarize the Index findings on these indicators and provide recommendations on how companies can improve their disclosure and reporting, particularly related to content restriction. These recommendations include:

  • Companies should specify what services or platforms their transparency reporting covers.
  • Companies should expand their transparency reporting to include requests from private parties as well as those from governments.
  • Companies should provide enough granularity in their reporting to give the public a clear picture of the scope and implications of company actions.
  • Through terms of service and other community standards-type documents, companies already disclose information about the circumstances in which they restrict content; they should take the next step and report data about the volume of actions they take to enforce these rules with respect to different types of content.

Since the Index data was finalized, companies have taken steps in the right direction. Last October, Microsoft released its first content removals requests report. This report, which was released after the 2015 Index data was finalized, includes data on government requests, copyright infringement requests related to Bing search results, and requests received under the European Court of Justice’s “right to be forgotten” ruling. Shortly after the Index was released in November, Facebook updated its transparency report to specify that it covers requests related to Facebook, Messenger, WhatsApp, and Instagram.

In February, Twitter became the first company ranked in the Index to disclose some information on the actions it takes to enforce its Terms of Service. It disclosed that it has suspended more than 125,000 accounts “for threatening or promoting terrorist acts,” which violates the Twitter Rules. Twitter’s content removals transparency report covering the second half of 2015 also disclosed the number of times the company received legal requests to restrict content and did so because the content violated Twitter’s terms of service. (Twitter’s reporting does not include content removal requests the company’s customer support team received through online forms.)

These company actions demonstrate that there is momentum toward disclosing more information related to content restriction. We hope RDR’s findings and recommendations can help those who advocate for greater transparency reporting from companies.

RDR’s Comments to the UN on the ICT Sector’s Role in Free Expression Online

RDR recently submitted comments to a project looking at the role of companies in promoting freedom of expression led by the U.N. Special Rapporteur on Freedom of Opinion and Expression.

The Special Rapporteur’s study aims to identify the main actors in the information and communications technology (ICT) sector that affect freedom of expression, the legal issues at play, and the frameworks for corporate responsibility that exist in this space. RDR’s submission highlights that while companies face many legal and regulatory obstacles to fully disclosing information about their impact on freedom of expression, even companies that operate in restrictive environments can take steps to improve their respect for freedom of expression.

Broadly speaking, three types of company actions can directly restrict or otherwise affect freedom of expression:

  • Actions resulting from requests made by governments, or other government requirements;
  • Actions resulting from requests made by private parties for legal, commercial, or other reasons, or other private-party requirements;
  • Actions taken by companies on their own initiative when setting and enforcing private terms of service, making design and engineering choices, or carrying out commercial and business decisions.

In many countries, law, policy, or regulation can limit companies’ ability to disclose information about these types of actions. For example, “transparency reporting,” or the disclosure of data related to the volume and nature of requests, is becoming a standard practice. Six of the 16 companies ranked in RDR’s Corporate Accountability Index published some type of transparency report related to freedom of expression concerns. (A seventh company released its inaugural report of this type shortly after RDR finalized the Index data.)

This reporting varies in clarity and granularity, but in some countries, companies are legally barred from disclosure. For example, Chinese laws on state secrets and national security prohibit disclosure of information on government requests to restrict content, and Indian law prevents companies from disclosing information about specific requests (though this does not preclude reporting of aggregate data).

In other cases, ambiguity in the law leaves companies unsure of what they can and cannot publish. For example, the Malaysian Official Secrets Act 1972 may prevent companies from disclosing some information about government requests, although according to local legal experts consulted during RDR’s Index research, it would be unrealistic to conclude that this law affects every restriction request that companies receive.

RDR’s Index and its prior work on the role of Internet intermediaries demonstrate that while legal and policy environments significantly influence ICT companies, such companies can nevertheless take steps toward respecting freedom of expression, regardless of where they operate.

Companies should clearly commit to respect human rights, including freedom of expression. They should consider their effect on freedom of expression as part of their corporate governance mechanisms and conduct due diligence to understand how their business decisions affect freedom of expression. RDR’s Corporate Accountability Index found that while a number of companies take such steps with regard to privacy, similar oversight of freedom of expression is lacking. For example:

  • Oversight: Researchers examining the Korean company Kakao—which performed competitively in the Index overall—found clear disclosures of executive and management oversight on privacy issues, but they did not find similar evidence of oversight on freedom of expression.
  • Employee training: Of the companies that disclose information about employee training on freedom of expression and/or privacy, Kakao’s public materials only mention privacy-related training. At AT&T (USA) and Vodafone (UK), training programs focused on privacy issues appeared to be more common than trainings covering freedom of expression.
  • Whistleblower programs: Twitter (USA), Bharti Airtel (India) and América Móvil (Mexico) maintain employee whistleblower programs that clearly cover privacy issues, but there is no evidence that these companies’ programs also cover freedom of expression.
  • Due diligence: Impact assessment and related human rights due diligence processes carried out by Vodafone appeared to be more thorough for privacy than for freedom of expression.

RDR’s full comments are available here.

The Special Rapporteur’s study will be presented to the U.N. Human Rights Council in June. The report as well as submissions from stakeholders will be publicly available on the website of the U.N.’s Office of the High Commissioner for Human Rights.