26 Sep What should governments do?

Andrew Kazmierski/Shutterstock

Governments committed to a free and open internet must do more than sign statements to ensure that the internet supports and sustains human rights for future generations.

This week, world leaders descended on New York City for the UN General Assembly’s annual debate. While issues like climate change, migration, military conflict, and economic inequality have dominated the news, many government delegations also came to talk about the problems and opportunities of globally networked digital technologies.

On Monday, 27 countries issued a joint statement on “Advancing Responsible State Behavior in Cyberspace.” It affirms that an “international rules-based order should guide state behavior in cyberspace,” including a commitment to universal human rights standards:

“We reiterate that human rights apply and must be respected and protected by states online, as well as offline, including when addressing cybersecurity. …As responsible states that uphold the international rules-based order, we recognize our role in safeguarding the benefits of a free, open, and secure cyberspace for future generations.” 

We appreciate this public commitment, but governments must do more than sign statements. Not only must they uphold their own constitutional and treaty obligations to protect and respect human rights, but also they must ensure that the companies that provide the infrastructure, content moderation, and other services that more than half the world now rely on do not corrode fundamental human rights, especially the rights to freedom of expression and privacy. 

In order for people to exercise their rights and hold power accountable in our digitally networked age, internet users must be able to know who controls their ability to connect, speak online, or access information; and who has the ability to access and share their personal information. Four iterations of the RDR Corporate Accountability Index have underscored how people around the world still lack basic information about how private and government entities exercise power over their digital lives. 

Meanwhile, governments are responding to serious national and public security threats perpetrated through networked communications technologies. Some regulations have improved company disclosures, policies, and practices. Far more have made it harder for companies to meet global human rights standards for transparency, responsible practice, and accountability in relation to freedom of expression and privacy. 

In our 2019 RDR Index report we cite some concrete examples: Many regulatory efforts targeting hate speech and disinformation on social media are pushing companies to over-censor journalism and activism even as they fail to address the harms caused by the abuse of their rules. Government surveillance via internet, mobile and telecommunications companies is growing less accountable and transparent in much of the world. And while data protection laws in some places are helping to protect users’ rights, the lack of coherent regulation in other parts of the world enables threats to proliferate. 

Our analysis of these challenges shows that governments could be doing much more to optimize their legal, regulatory, and policy frameworks both to raise the costs of corporate behavior that infringes on people’s freedom of expression and privacy, and to incentivize greater respect for human rights. While we have included recommendations for governments in previous years, in the 2019 RDR Index we expanded the recommendations for governments in each chapter, and we have now summarized all of them in one reference document to provide more concrete, actionable advice for policymakers. 

Measures and commitments should include: Conducting human rights impact assessments on proposed legislation; maintaining limitations on liability for third-party content; instituting comprehensive privacy law; reforming surveillance law and practices to comply with human rights standards; and protecting the right to encrypt. Most important, just as companies should be subjected to more robust oversight to prevent abuses of users’ rights, governments must commit to enabling independent and credible oversight to prevent abuse of their own censorship and surveillance powers. 

Other recommendations emphasize the importance of accountability and transparency by governments as well as by companies. Specifically, we recommend that companies should be required by law to implement board oversight, systematic internal and external reporting, and impact assessments to identify, evaluate, and mitigate potential human rights harms, including violations of users’ freedom of expression and privacy. As we note in our 2019 RDR Index, such laws are starting to emerge in Europe. 

Government transparency must also be strengthened. As the human rights community pushes companies to be more transparent about what content is removed or restricted, and about who has access to people’s personal data, governments should also publish regular reports revealing the volume, nature, and purpose of requests their agencies and branches make to companies.

Access to remedy is also vital. Some countries already require that companies provide grievance and remedy mechanisms, but where they exist, such laws tend to focus more on physical harms or commercial and service issues rather than digital rights issues like freedom of expression and privacy. Laws could do much to improve the quality and availability of grievance and remedy mechanisms for internet users. 

Finally, global collaboration is essential. Governments committed to advancing a free and open internet that supports and sustains human rights should work proactively and collaboratively with one another, as well as with civil society and the private sector. They should work together with all stakeholders to establish a positive roadmap for addressing threats to individuals and communities without causing collateral violations of human rights. 

The 27 signatories should now hold one another accountable for translating words into action. Only then will they deserve applause from internet users around the world. 

25 Jul RDR seeks feedback on standards for algorithms and machine learning, adding new companies

Ryzhi/Shutterstock.com

Ranking Digital Rights (RDR) seeks input on our work to expand the RDR Corporate Accountability Index to address human rights harms from companies’ use of algorithms, machine learning, and automated decision-making. We also seek feedback on our work to incorporate services offered by Amazon and Alibaba into the RDR Index ranking. 

In February 2019, we announced plans to develop the RDR Index methodology to address the evolving, increasingly complex human rights threats that internet users face. We also opened public consultations soliciting feedback for our ongoing work to develop new indicators that set accountability and transparency standards for company policies and practices related to targeted advertising. 

This week, we are releasing a set of consultation documents (see below) summarizing RDR’s work aimed at encouraging corporate accountability and transparency regarding the use of algorithms, machine learning, and automated decision-making. We are also releasing consultation documents (see below) summarizing our work to include Amazon and Alibaba—and specifically, e-commerce platforms and digital personal assistants—in the RDR Index.

Stakeholder feedback: We welcome feedback on these documents by September 13, 2019. Feedback from a wide range of experts and stakeholders is essential to developing a methodology that is credible, rigorous, and effective. It will also help to inform further research as well as in-person stakeholder and expert consultations, which in turn will inform the drafting of pilot indicators that will be published and pilot-tested later in 2019. Please send comments and input to: methodology@rankingdigitalrights.org. 

Algorithms, machine learning, and automated decision-making

The use of automation—for both content curation and data processing—poses a range of human rights risks to internet users, particularly to the right to freedom of expression and information and to the right to privacy. The failure by companies to respect these fundamental human rights also causes or contributes to violations of other human rights, such as the right to non-discrimination. The following materials outline our rationale and approach for developing new indicators addressing these issues:

1. Rationale: for why and how RDR plans to expand the RDR Index methodology to address algorithms, machine learning, and automated decision-making.
2. Human rights risk scenarios: a list of “risk scenarios,” each describing human rights harms directly or indirectly related to privacy and expression that can result from companies’ use of algorithms, machine learning, and automated decision-making.
3. Best Practices: a number of best practices for company disclosure and policy that could help prevent or mitigate these risks.

Our goal in developing new indicators that address human rights harms posed by the use of algorithms, machine learning, and automated decision-making is to help set global accountability and transparency standards for how major, publicly traded internet, mobile, and telecommunications companies can demonstrate respect for human rights online as they develop and deploy these new technologies. 

New companies: Amazon and Alibaba

As two of the world’s largest digital platforms, Amazon and Alibaba’s absence from the RDR Index represents a key gap in our current ranking. There have been growing concerns about both companies’ privacy practices and respect for human rights in general—particularly in relation to e-commerce platforms and personal digital assistants (PDAs), which collect enormous amounts of information about users. The following consultation materials summarize our rationale and approach for integrating these companies and services into the RDR Index. 

1. Rationale: for why we are expanding the RDR Index to include Amazon and Alibaba.
2. Human rights risk scenarios: a list of “risk scenarios” describing privacy and freedom of expression-related risks associated with e-commerce platforms and personal digital assistants.
3. Best practices: a number of best practices for company disclosure and policy that could help prevent or mitigate these risks.

Our goal in expanding the RDR Index to include Amazon and Alibaba is to apply RDR’s global accountability and transparency standards to two companies that have enormous influence over the rights of people around the world who use their products and services. RDR’s work in this area can inform the work of other stakeholders, including investors conducting due diligence on portfolio risk, policymakers seeking to establish regulatory frameworks to protect the rights of internet users, and advocates looking to encourage these companies to adopt policies and practices to mitigate the human rights harms associated with their services.

Please send feedback to methodology@rankingdigitalrights.org. We look forward to hearing from you. 

To stay informed about our progress and plans, please subscribe to our newsletter here.

17 Jul Chinese law and state security requirements stunt companies’ progress in 2019 RDR Index

Images remixed by Oiwan Lam.

On June 4, which coincided with the 30th anniversary of the Tiananmen Square massacre, a user on the Chinese microblogging platform Sina Weibo posted the word “candle’’ in Chinese. Two hours later, the post disappeared.

The post was yet another attempt by Chinese internet users to outsmart censors that ban references to the massacre that followed the 1989 student-led democracy movement in China. In the days leading to this year’s anniversary, platforms like Weibo, LINE, TOM-Skype, and others actively monitored and removed posts referencing and remembering the massacre.

Chinese companies did the same for coverage of memorial activities taking place in Hong Kong, where thousands of people joined a vigil at the city’s Victoria Park to honor the victims. For example, popular live streaming platform YY updated its list of banned keywords to include references to Hong Kong memorial activities, their locations, and names of groups and advocates organizing them.

These cases of content takedowns by Chinese social media platforms at the behest of the government are but the latest examples of how privately-owned internet companies in China are an integral part of the country’s censorship and surveillance regime. Chinese law requires local platforms, as well as foreign companies like Apple and LinkedIn doing business in the country, to proactively monitor and take down objectionable content.

Overall ranking and scores of internet and mobile ecosystem companies.

It is therefore not surprising that China’s largest tech companies Baidu and Tencent continued to perform poorly in the 2019 Ranking Digital Rights (RDR) Corporate Accountability Index. The RDR Index evaluates how transparent companies are about their policies and practices affecting human rights — specifically users’ freedom of expression and privacy.

Baidu and Tencent made notable improvements to policies and disclosures that are not directly related to government censorship and surveillance demands, like how they secure user data from breach or theft, and how they handle user information for commercial purposes. They revealed barely anything, however, about their policies and practices that pose the greatest threats to internet freedom and digital rights in China: censorship and government surveillance. Their inability to disclose commitments, policies, or practices related to government demands to take down content or provide access to user information kept Tencent and Baidu near the bottom of the 2019 RDR Index, ranking 10th and 11th respectively among the 12 internet and mobile ecosystem companies evaluated.

Baidu and Tencent were among the companies that improved their overall scores in the 2019 RDR Index.

Freedom of expression blackout

China’s cybersecurity law bans internet users from publishing information that damages “national honor,” “disturbs economic or social order,” or is aimed at “overthrowing the socialist system.” Platforms and search engines automatically filter politically-sensitive keywords such as “human rights’’ and “Tiananmen Square.’’ They are also required to comply with an ever-evolving list of censorship requests from authorities, driven by current events and hot topics on social media.

For example, censors last year banned phrases like “anti-sexual harassment” in an effort to prevent the #metoo movement from spreading to China. According to Wechatscope, a research initiative that monitors censorship on the Tencent-owned messaging and social media app WeChat, allegations of sexual harassment and sexual misconduct were one of the most heavily censored topics on the service in 2018.

Chinese internet companies that fail to comply with regulations risk fines or even revocation of their business license, prompting them to invest substantial financial and human resources to keep objectionable content off of their sites.

In September 2017, the Cyberspace Administration penalized Baidu, Tencent, and Weibo with maximum fines under the country’s cybersecurity laws for failing to detect and take down banned content including, “pornography’’ and “false rumors.’’ A month later, Weibo hired 1000 additional content moderators to monitor and remove “pornographic, illegal and harmful content.”

These companies are also increasingly deploying artificial intelligence technologies to help moderators monitor objectionable content.

The Freedom of expression category of the RDR Index applies 11 indicators to evaluate how transparent companies are about their rules and how they are enforced, how they deal with government demands to censor content, and how they respond to government orders to shut down access to the internet or to certain services or applications. Baidu and Tencent performed poorly in this category.

The government’s constant crackdown on freedom of expression, through censorship demands and draconian laws, prevents companies from being transparent about how they moderate content on their platforms and how they respond to the Chinese government’s censorship orders. In the Freedom of Expression category of the RDR Index, Baidu and Tencent received the two lowest scores of all internet and mobile ecosystem companies, disclosing hardly anything about these policies. Both companies revealed limited information about what types of content and activities are prohibited on their services (F3) but they disclosed nothing about how they respond to government censorship demands (F5). They also did not commit to notify users when they restrict their access to content or accounts (F8).

Privacy progress remains inadequate

In the Privacy category, both Baidu and Tencent made improvements mainly on indicators related to how they handle user information and their security policies.

The Privacy category of the RDR Index applies 18 indicators to evaluate how transparent companies are about policies and practices affecting users’ privacy and security, including how clearly companies disclose what types of user information they collect, share, with whom, and why.

12 Jun Arab region’s telecommunications companies fail to respect users’ digital rights

United Arab Emirates-based Etisalat and Qatar-based Ooredoo once again ranked lowest among telecommunications companies in the Ranking Digital Rights Corporate Accountability Index — and were among the few companies to score even lower than in previous years. This downward trend coincides with steady declines in internet freedom in both countries and across the Arab region, where internet users face increasing government censorship and surveillance.

Qatar filtering message, Qtel network. Image via Wikimedia Commons (CC-BY-SA-3.0).

Internet service providers in the Arab region operate in one of the world’s more restrictive environments. Authorities have increasingly cracked down on online expression, particularly in the wake of the Arab Spring in 2011 when the internet proved to be a powerful tool for human rights advocates. Rights groups and experts have since reported steady declines in internet freedom in a number of countries across the region — including in Bahrain, Egypt, Libya, the United Arab Emirates (UAE), and Qatar — as governments have enacted draconian measures criminalizing online speech, engaged in targeted surveillance of human rights activists, journalists, and political opponents, and shut down access to select services or to the entire internet.

It is perhaps not surprising then that Etisalat (based in the UAE) and Ooredoo(based in Qatar) continued to be the two lowest scoring telecommunications companies in the RDR Index. The RDR Index evaluates how transparent companies are about their policies and practices affecting human rights — specifically users’ freedom of expression and privacy. We evaluated Etisalat and Ooredoo on their disclosed policies in their home markets, where UAE and Qatari governments actively restrict freedom of expression online and have a monopoly over private telecommunications markets.

The 2019 RDR Index ranked 12 telecommunications companies and 12 internet and mobile ecosystem companies on how transparent they are about commitments, policies, and practices affecting freedom of expression and privacy. Read about the RDR Index methodology, indicators, and research process.

What is surprising, however, is just how little progress these companies have made. While a majority of companies evaluated in the 2019 RDR Index made some improvements — including companies operating in equally restrictive countries like China and Russia — Ooredoo and Etisalat were among the few companies to actually backslide in this year’s ranking, disclosing even lessabout key policies and practices affecting users’ rights than previously. Neither company even so much as published a privacy policy — although there are no laws preventing either company from doing so.

Comparative year-on-year scores (2018 RDR Index v. 2019 RDR Index). Most companies evaluated improved their overall score in the 2019 RDR Index. Etisalat and Ooredoo were among just three companies whose scores declined, both for disclosing even less about policies affecting freedom expression than previously.

These results highlight growing concerns by digital rights advocates about the deterioration of internet freedom across the Arab region, where internet service providers — which are often state-owned and state-controlled — have become a de facto part of the state’s censorship and surveillance apparatus. Results also spotlight how internet users in the region are deprived of even the most basic information about how and why content is censored, what information companies collect and share about them and with whom — including with governments and law enforcement — and what companies do to keep that information secure.

Government owned, government controlled

While the UAE and Qatar have some of the best-connected internet systems in the Arab region, online speech in both countries is heavily censored. Along with legal measures, authorities control the internet through direct ownership: the UAE government owns a 60 percent stake in Etisalat and the Qatari government has a 69 percent stake in the Ooredoo Group.

Although censorship is generally more pervasive in the UAE than in Qatar, internet filtering is prevalent in both countries, as internet service providers (ISPs) in both the UAE and Qatar are required to block access to content deemed objectionable by authorities, including political speech and websites of media outlets and human rights organizations.

In 2016, Qatar’s only two ISPs, Ooredoo and Vodafone, blocked access to independent media site Doha News, without providing an explanation to its publishers or users. In the UAE, severe cybercrime laws paired with expansive government surveillance have resulted in the widespread silencing of both individuals and organizations. In 2017, authorities in the UAE blocked a number of Qatari media sites, including Al-Jazeera Live and Huffington Post Arabic, as part of a political strategy to isolate Qatar in the region. Content deemed offensive or critical of the government can result in hefty prison sentences, including up to 15 years for expressing sympathy for Qatar.

The 2019 RDR Index found that both Etisalat and Ooredoo revealed hardly anything at all about their policies and practices affecting users’ freedom of expression, receiving some of the lowest scores in this category among all companies evaluated. Both even lost points in the freedom of expression category this year: Etisalat revealed less information about its processes for responding to third-party requests to restrict content and Ooredoo made its terms of service less accessible to users than it had previously.

Freedom of expression scores: 2019 RDR Index. The Freedom of expression category of the RDR Index applies 11 indicators evaluating how transparent companies are about their rules and how they are enforced, how they deal with government demands to block, filter, or otherwise censor content, and how they respond to government orders to shut down access to the internet.

Notably, neither company disclosed anything about how they respond to government demands to filter or block content or what actions they have taken in response to these demands. While it is a criminal offense in the UAE not to comply with government blocking orders, there is no law prohibiting Etisalat from disclosing how it handles these requests or its compliance rates with either government or private content-blocking requests. Similarly, telecommunications companies in Qatar are legally required to comply with judicial orders to block content, but there is no law prohibiting these companies from disclosing their processes for handling such demands or from publishing its compliance rates with either government or private content-blocking requests.

In addition, both Etisalat and Ooredoo failed to disclose sufficient information about how they respond to government demands to shut down access to the internet or to specific services or applications — an issue of particular relevance in both the UAE and Qatar, where access to certain voice and video services and applications is restricted. In the UAE, for instance, these applications have been banned under a 2009 regulation that allows only licensed telecommunications providers to offer such services. Despite the ban, users were able to make audio and video calls via Skype until access to that service was blocked in December 2017.

Privacy blackout

Nearly every ranked company improved their privacy score in the 2019 RDR Index — a trend driven in part by both new data protection regulations in the European Union and elsewhere, as well as by public demand for greater transparency and accountability. Even Chinese internet companies Baidu and Tencent — which operate in one of the world’s most restrictive environments — made notable improvements to their privacy and security policies over the past year.

However, Etisalat and Ooredoo made no improvements at all in this area. As we found in previous Indexes, neither company even published a privacy policy — making it impossible for users to understand what these companies do with their information, including what information they collect and for what purposes. This trend is unfortunately not that unusual for operators across the region: research conducted in 2018 by our partners at Beirut-based Social Media Exchange (SMEX) showed that just 7 out of 66 mobile operators evaluated made their privacy policies publicly available. This is despite the fact that there are no legal barriers for either company to be transparent about which user data they collect, share, their purposes for doing so, and for how long they retain that data.

Privacy scores: the 2019 RDR Index. The Privacy category of the RDR Index applies 18 indicators to evaluate how transparent companies are about policies and practices affecting users’ privacy and security, including how clearly companies disclose what types of user information they collect, share, with whom, and why.

Notably, neither company disclosed anything about their processes for responding to government demands for user data. Etisalat earned a small amount of points for disclosing that it may share the user information it collects with law enforcement or government agencies. But, like Ooredoo, the company disclosed nothing about its processes for handling such demands. Both the UAE and Qatari governments may in fact have direct access to the network and to user communications without having to request it, but internet service providers should still disclose this so that users can understand the risks of using a particular service.

Companies can still do more

While government surveillance and crackdowns on internet freedom put considerable pressure on both Etisalat and Ooredoo, the 2019 RDR Index findings demonstrate that government restrictions alone do not explain or justify such opaque company policies. Even in the absence of regulatory changes, both Etisalat and Ooredoo can take immediate steps to improve their disclosure of policies and practices affecting users’ freedom of expression and privacy.

Specifically, both companies could:

• Publish privacy policies: Both companies should publish privacy policies detailing what information they collect, share, with whom, and why — and make those policies easy to find and understand.
   
• Clarify content and access restrictions: Both companies should be more transparent about their processes for handling government and private requests to filter or block content or restrict user accounts, and about government requests to shut down networks.
   
• Improve redress: Both companies should improve their existing grievance mechanisms by explicitly including complaints related to freedom of expression and privacy, and by providing clear remedies for these types of complaints.
   

Click here to read the full 2019 RDR Index report.