12 Jun Arab region’s telecommunications companies fail to respect users’ digital rights

United Arab Emirates-based Etisalat and Qatar-based Ooredoo once again ranked lowest among telecommunications companies in the Ranking Digital Rights Corporate Accountability Index — and were among the few companies to score even lower than in previous years. This downward trend coincides with steady declines in internet freedom in both countries and across the Arab region, where internet users face increasing government censorship and surveillance.

Qatar filtering message, Qtel network. Image via Wikimedia Commons (CC-BY-SA-3.0).

Internet service providers in the Arab region operate in one of the world’s more restrictive environments. Authorities have increasingly cracked down on online expression, particularly in the wake of the Arab Spring in 2011 when the internet proved to be a powerful tool for human rights advocates. Rights groups and experts have since reported steady declines in internet freedom in a number of countries across the region — including in Bahrain, Egypt, Libya, the United Arab Emirates (UAE), and Qatar — as governments have enacted draconian measures criminalizing online speech, engaged in targeted surveillance of human rights activists, journalists, and political opponents, and shut down access to select services or to the entire internet.

It is perhaps not surprising then that Etisalat (based in the UAE) and Ooredoo(based in Qatar) continued to be the two lowest scoring telecommunications companies in the RDR Index. The RDR Index evaluates how transparent companies are about their policies and practices affecting human rights — specifically users’ freedom of expression and privacy. We evaluated Etisalat and Ooredoo on their disclosed policies in their home markets, where UAE and Qatari governments actively restrict freedom of expression online and have a monopoly over private telecommunications markets.

The 2019 RDR Index ranked 12 telecommunications companies and 12 internet and mobile ecosystem companies on how transparent they are about commitments, policies, and practices affecting freedom of expression and privacy. Read about the RDR Index methodology, indicators, and research process.

What is surprising, however, is just how little progress these companies have made. While a majority of companies evaluated in the 2019 RDR Index made some improvements — including companies operating in equally restrictive countries like China and Russia — Ooredoo and Etisalat were among the few companies to actually backslide in this year’s ranking, disclosing even lessabout key policies and practices affecting users’ rights than previously. Neither company even so much as published a privacy policy — although there are no laws preventing either company from doing so.

Comparative year-on-year scores (2018 RDR Index v. 2019 RDR Index). Most companies evaluated improved their overall score in the 2019 RDR Index. Etisalat and Ooredoo were among just three companies whose scores declined, both for disclosing even less about policies affecting freedom expression than previously.

These results highlight growing concerns by digital rights advocates about the deterioration of internet freedom across the Arab region, where internet service providers — which are often state-owned and state-controlled — have become a de facto part of the state’s censorship and surveillance apparatus. Results also spotlight how internet users in the region are deprived of even the most basic information about how and why content is censored, what information companies collect and share about them and with whom — including with governments and law enforcement — and what companies do to keep that information secure.

Government owned, government controlled

While the UAE and Qatar have some of the best-connected internet systems in the Arab region, online speech in both countries is heavily censored. Along with legal measures, authorities control the internet through direct ownership: the UAE government owns a 60 percent stake in Etisalat and the Qatari government has a 69 percent stake in the Ooredoo Group.

Although censorship is generally more pervasive in the UAE than in Qatar, internet filtering is prevalent in both countries, as internet service providers (ISPs) in both the UAE and Qatar are required to block access to content deemed objectionable by authorities, including political speech and websites of media outlets and human rights organizations.

In 2016, Qatar’s only two ISPs, Ooredoo and Vodafone, blocked access to independent media site Doha News, without providing an explanation to its publishers or users. In the UAE, severe cybercrime laws paired with expansive government surveillance have resulted in the widespread silencing of both individuals and organizations. In 2017, authorities in the UAE blocked a number of Qatari media sites, including Al-Jazeera Live and Huffington Post Arabic, as part of a political strategy to isolate Qatar in the region. Content deemed offensive or critical of the government can result in hefty prison sentences, including up to 15 years for expressing sympathy for Qatar.

The 2019 RDR Index found that both Etisalat and Ooredoo revealed hardly anything at all about their policies and practices affecting users’ freedom of expression, receiving some of the lowest scores in this category among all companies evaluated. Both even lost points in the freedom of expression category this year: Etisalat revealed less information about its processes for responding to third-party requests to restrict content and Ooredoo made its terms of service less accessible to users than it had previously.

Freedom of expression scores: 2019 RDR Index. The Freedom of expression category of the RDR Index applies 11 indicators evaluating how transparent companies are about their rules and how they are enforced, how they deal with government demands to block, filter, or otherwise censor content, and how they respond to government orders to shut down access to the internet.

Notably, neither company disclosed anything about how they respond to government demands to filter or block content or what actions they have taken in response to these demands. While it is a criminal offense in the UAE not to comply with government blocking orders, there is no law prohibiting Etisalat from disclosing how it handles these requests or its compliance rates with either government or private content-blocking requests. Similarly, telecommunications companies in Qatar are legally required to comply with judicial orders to block content, but there is no law prohibiting these companies from disclosing their processes for handling such demands or from publishing its compliance rates with either government or private content-blocking requests.

In addition, both Etisalat and Ooredoo failed to disclose sufficient information about how they respond to government demands to shut down access to the internet or to specific services or applications — an issue of particular relevance in both the UAE and Qatar, where access to certain voice and video services and applications is restricted. In the UAE, for instance, these applications have been banned under a 2009 regulation that allows only licensed telecommunications providers to offer such services. Despite the ban, users were able to make audio and video calls via Skype until access to that service was blocked in December 2017.

Privacy blackout

Nearly every ranked company improved their privacy score in the 2019 RDR Index — a trend driven in part by both new data protection regulations in the European Union and elsewhere, as well as by public demand for greater transparency and accountability. Even Chinese internet companies Baidu and Tencent — which operate in one of the world’s most restrictive environments — made notable improvements to their privacy and security policies over the past year.

However, Etisalat and Ooredoo made no improvements at all in this area. As we found in previous Indexes, neither company even published a privacy policy — making it impossible for users to understand what these companies do with their information, including what information they collect and for what purposes. This trend is unfortunately not that unusual for operators across the region: research conducted in 2018 by our partners at Beirut-based Social Media Exchange (SMEX) showed that just 7 out of 66 mobile operators evaluated made their privacy policies publicly available. This is despite the fact that there are no legal barriers for either company to be transparent about which user data they collect, share, their purposes for doing so, and for how long they retain that data.

Privacy scores: the 2019 RDR Index. The Privacy category of the RDR Index applies 18 indicators to evaluate how transparent companies are about policies and practices affecting users’ privacy and security, including how clearly companies disclose what types of user information they collect, share, with whom, and why.

Notably, neither company disclosed anything about their processes for responding to government demands for user data. Etisalat earned a small amount of points for disclosing that it may share the user information it collects with law enforcement or government agencies. But, like Ooredoo, the company disclosed nothing about its processes for handling such demands. Both the UAE and Qatari governments may in fact have direct access to the network and to user communications without having to request it, but internet service providers should still disclose this so that users can understand the risks of using a particular service.

Companies can still do more

While government surveillance and crackdowns on internet freedom put considerable pressure on both Etisalat and Ooredoo, the 2019 RDR Index findings demonstrate that government restrictions alone do not explain or justify such opaque company policies. Even in the absence of regulatory changes, both Etisalat and Ooredoo can take immediate steps to improve their disclosure of policies and practices affecting users’ freedom of expression and privacy.

Specifically, both companies could:

• Publish privacy policies: Both companies should publish privacy policies detailing what information they collect, share, with whom, and why — and make those policies easy to find and understand.
   
• Clarify content and access restrictions: Both companies should be more transparent about their processes for handling government and private requests to filter or block content or restrict user accounts, and about government requests to shut down networks.
   
• Improve redress: Both companies should improve their existing grievance mechanisms by explicitly including complaints related to freedom of expression and privacy, and by providing clear remedies for these types of complaints.
   

Click here to read the full 2019 RDR Index report.

31 May How well does your smartphone respect your rights?

Apple is in the hot seat this week, but the reality is that none of the companies that control the flow of your personal data, your access to information, or your ability to publish and communicate through your smartphone are doing enough to respect your privacy or freedom of expression.

Photo by Twitter user Chris Velazco

Last January, a prominent billboard near the Consumer Electronics Show declared: “What happens on your iPhone, stays on your iPhone.” As support for privacy rights and data protection grows around the world, Apple has been positioning itself as the privacy-respecting alternative to companies like Google whose business models rely on the collection and commodification of user information at a massive scale, proclaiming its belief that “Privacy is a fundamental human right.” But does the reality live up to the hype?

Two new articles published this week suggest that Apple has work to do if its privacy practices are to live up to its claims. In a recent Washington Post piece, journalist Geoffrey Fowler examined all the ways that apps track users’ iPhone activity. The week-long experiment revealed that 5,400 trackers “guzzled” Fowler’s data, and that many apps’ data collection practices differed from their privacy policies and other policy documents. Separately, The Verge reported that three iTunes users were suing Apple for allegedly making data about individual users’ listening habits available to data brokers and advertisers.

Apple’s privacy issues are by no means unique among smartphone companies. Rather, Apple’s claims about its robust protection of privacy are what set it apart from its competitors, and journalists should continue to point out the gaps between the company’s claims and reality. But as findings from the 2019 Ranking Digital Rights Corporate Accountability Index show, while Apple ranks relatively well on transparency about policies and practices affecting user privacy, it has persistently fared even worse with respect to another fundamental human right: freedom of expression.

While most of the 24 companies evaluated in this year’s Index demonstrated a weaker commitment to respect users’ freedom of expression than users’ privacy, Apple displayed the widest gap by far, as the graphic below illustrates. It was the only company in the entire Index to receive full credit for its commitment to privacy as a human right and no credit for making a similar commitment to freedom of expression.

Gaps in governance and oversight over users’ freedom of expression, 2019 RDR Index. Most companies displayed a weaker commitment to respect users’ freedom of expression than to users’ privacy, disclosing less oversight, due diligence, or other processes to identify and mitigate threats to users’ freedom of expression. For more information, see the 2019 RDR Index report.

Apple’s transparency about policies and practices affecting freedom of expression ranked lower in the 2019 RDR Index than any other U.S.-based internet or mobile company, as we point out in Apple’s 2019 RDR Index report card published on May 16. On May 29 in advance of its Worldwide Developers Conference (WWDC), Apple unveiled a new section of its website featuring information about its App Store policies and practices. Yet while the new section makes such disclosures more prominent, Apple still discloses only limited information about its process for enforcing its rules in the App Store or how it determines whether an app is breaking those rules. Even now, despite the fact that the company is widely reported to remove apps in response to government demands around the world—including in China—there is no information to be found on the company’s website about how Apple handles government requests to remove content from the App Store, much less data about the kinds of apps that are censored in various countries around the world. (While its Transparency Reporting page states that starting with its report for July 1 – December 31, 2018, it will begin to report on government requests to take down apps from the App Store in instances related to alleged violations of legal and/or policy provisions, it has yet to publish any such information.)

While iPhone users have reason to demand greater transparency and accountability from Apple, users of Android devices—whether they are using handsets sold directly by Google or phones from other device manufacturers like Samsung that also run on Android—also face threats to privacy and freedom of expression that the companies fail to mitigate or disclose to users. Since 2017 the Ranking Digital Rights Corporate Accountability Index has been evaluating the mobile ecosystems controlled by Apple, Google, and Samsung. While Apple significantly improved its disclosures between 2017 and 2018, our data shows much less progress in the past year. Google made few improvements to its disclosures about Android. As for Samsung, it disclosed significantly less than either Apple or Google, and its overall score declined since 2018. (See Google’s 2019 RDR Index report card and Samsung’s report card.)

The growing reach of smartphones

Smartphones and apps are front and center in the fight for privacy and freedom of expression across the global internet: over half of the world’s 4.3 billion internet users access the internet primarily through apps on their mobile phones, instead of browsers on a desktop or laptop computer.

The relative affordability of mobile phones has contributed to their growing global popularity as a primary means of using the internet. As a result, any risks to mobile users’ rights to freedom of expression, access to information, and privacy are compounded for low-income and other vulnerable internet users who are more likely to use older, less expensive devices. These older devices are inherently more vulnerable to malware, targeted hacking, non-consensual data collection, and other harms than newer and more expensive models.

“Mobile ecosystems” are an indivisible set of goods and services offered by a mobile device company, comprising the device hardware, operating system, app store, and user account.  Alarmingly, and despite improved transparency in other areas, the 2019 RDR Corporate Accountability Index found that neither Apple nor Google—whose operating systems together account for 98% of the world’s smartphones—had taken enough meaningful steps to improve their disclosure about how their mobile products impact users’ human rights since we started evaluating mobile ecosystems since the previous year.

In addition to Apple’s iOS and Google’s Android ecosystems, we evaluated device manufacturer Samsung and 12 global telecommunications companies, whose modifications to the stock Android operating system can also have significant effects on device security. Across the board, companies failed to show key information that users have the right to know, with the two main players demonstrating opposite strengths and weaknesses: overall, Apple scored higher than Google on privacy but much lower on freedom of expression, while Google disclosed more information about policies affecting users’ freedom of expression but less about the Android ecosystem’s respect for user privacy.

Mobile ecosystem scores, 2019 RDR Index. For full data, see here.

App stores and freedom of expression

App stores have become gatekeepers with tremendous power to control what types of apps are available, to whom, under what conditions, and what kinds of user data they can collect. This is especially true of the Apple mobile ecosystem, as users can only install apps through Apple’s proprietary App Store (unless they modify their device in ways that are disallowed by Apple, such as jailbreaking it). In contrast, Android users can download apps from third-party app stores rather than exclusively from the Google Play Store, as well as “side-load” apps without going through an app store.

Very little is known about censorship within the various app stores. Like other platforms that host content produced by third-parties, app stores receive requests from governments and from private third-parties to remove or restrict content. News apps, VPNs (which help users get around China’s technical censorship system), the Taiwanese flag emoji, and even individual songs have all disappeared from Apple’s platforms in the PRC, with no explanation from the company.

Google’s Android was the only mobile ecosystem in the 2019 RDR Index to publish any data about the volume and nature of content and accounts restricted for violating the Play Store’s rules (see the findings for 2019 RDR Index indicator F4.1), although this data was not comprehensive or published regularly. Apple failed to provide enough information to users about its process for evaluating requests for content restriction (see indicator F5), its process for enforcing its own terms of service, or the volume and nature of apps that it removed or restricted for violating its rules (see F4.1). Samsung, which operates its own Galaxy Store, did not disclose such information, either.

Data collection and privacy

Privacy of location data is especially important for mobile ecosystems because people tend to keep their devices on them at all times. Historical data about where the device has been reveals extremely sensitive and personal information. The Android ecosystem in particular needs to limit the collection of location data by Google and by third-party apps.

Google received only partial credit on the 2019 RDR Index indicator P7.5, which evaluates whether the company clearly discloses that it provides users with options to control the device’s geolocation functions. The company had previously received credit for such disclosure but, in August 2018, the Associated Press found that Google saves users’ location history even if they have disabled “Location History” on mobile devices. Google has since revised its page on managing location data, stating that some services may still save users’ data even if location data is turned off. For journalists and activists to safely conduct their work, they must have the ability to control who can track their whereabouts and for what purposes. Similarly, people have the right to know if key location data, such as visits to hospitals, are shared with insurance companies. Such data sharing practices have a strong potential to affect insurance rates and access to healthcare in ways that are inherently discriminatory.

While Apple disclosed that it requires apps made available through its App Store to have a privacy policy (see indicator P1.4), it did not disclose if it evaluates the substance of individual apps’ privacy policies to ensure that they provide users with adequate information about their privacy rights, such as what user information the apps collect and share. This begs the question: how meaningful are policies governing third-party developers if Apple doesn’t enforce them? If Apple is to live up to its promise that “What happens on your iPhone, stays on your iPhone,” it must substantively evaluate the content of apps’ privacy policies and verify that each app adheres to its own policies, notably regarding collection of user data (see P3).

Security risks unique to mobile devices

Low-income internet users of Android devices produced by manufacturers like Samsung, who often make changes to the stock Android operating system that affect how quickly users can access security updates, are especially vulnerable. As we highlighted in the 2017 RDR Index, such changes to the Android mobile operating system can hinder the timely delivery of software updates, including security updates, that are key to device security and user privacy. Samsung no longer disclosed what changes it introduced to the Android mobile operating system (P14), though it had previously disclosed some information about such modifications.

Telecommunications providers can also make such changes affecting how quickly users can access security updates (P14.6). None of the telecommunications companies evaluated in the 2019 RDR Index disclosed such information. Manufacturers and telecommunications companies all need to be much more transparent about the changes they make to the Android operating system and how the changes affect users’ device security.

Android models from the Nexus and Pixel product lines and iOS devices receive updates directly from Google and Apple, respectively, but neither company gives users all the information they need about device security. Google was the only company to disclose how long various device models would be guaranteed to receive software updates—a “best by” date for smartphones—though it did not commit to providing security updates for five years after a new model’s release (a reasonable expectation, given how expensive devices can be). Apple and Samsung did not provide such information, making it difficult for users to evaluate for how long their devices will be safe to use.

Demanding more of companies

Any device designed to curate content, facilitate speech, collect data, and allow multiple third-parties to collect reams of personal information—including physical location around the clock—poses a significant threat to human rights. Users should be concerned that these companies have made so little progress when it comes to respecting freedom of expression and privacy on mobile devices: none of these companies score more than 60% on RDR’s indicators measuring mobile ecosystems’ transparency.

The 2019 RDR Index includes a series of policy recommendations that mobile ecosystem companies can and should adopt to ensure their users’ safety and rights online, including:

Apple

• Be transparent about restrictions to freedom of expression: Apple should make its terms of service easier to find and understand, and it should publish data about actions it takes to enforce its own rules, and about actions it takes to remove content as a result of government and other third party demands (as it states that will start doing for the July 1 – December 31, 2018 period).
   
• Enforce rules protecting user privacy: Apple should enforce rules governing third-party apps’ collection of user information, and publish data about its actions.
   
• Guarantee security updates for five years: Apple should ensure its devices are safe to use for at least five years after release, and publish this “best by” date.
   

Google

• Be transparent about enforcing the company’s own rules: Google should provide comprehensive data about restrictions to the Play Store due to its own terms of service enforcement. It should publish this information at least once a year, as a structured data file.
   
• Do more to protect privacy: Google should clarify what information it collects and shares, and for what purpose—and give Android users clear options to control what data is collected about them (notably location data).
   
• Guarantee security updates for five years: Google should increase the duration for which it guarantees new devices will receive security updates from three to five years.
   

Samsung

• Be transparent about third-party requests: Samsung should publish data about third-party requests for content and account restrictions, and for user data.
   
• Improve security disclosures: Samsung should be more transparent about measures it takes to keep user information secure, and if it encrypts user communication and private content.
   
• Commit to providing timely security updates: Samsung should disclose what modifications it makes to the Android operating system, if any, and how such changes affect the company’s ability to send security updates to users. It should commit to provide security updates for the operating system and other critical software for a minimum of five years after release, and to do so within one month of a vulnerability being announced to the public.
   

Telecommunications companies

• Commit to providing timely security updates: Telecommunications companies should disclose what modifications they make to the Android operating system, if any, and how such changes affect users’ access to security updates. In all cases, users should be able to install security updates within one month of a vulnerability being announced to the public.
   

Click here to read the full 2019 RDR Index report.

22 May Facebook’s Oversight Board needs a broader mandate that integrates human rights principles

Image from Facebook

This week, Ranking Digital Rights has submitted a set of recommendations in response to Facebook’s call for feedback on its Draft Charter for its recently proposed Oversight Board—an independent body to which people can appeal Facebook’s content moderation decisions.

Facebook has come under intensifying fire for the range of ways that its platform has been used to incite violence and spread disinformation campaigns—as well as for the lack of transparency around how it develops and enforces its Community Standards. These standards determine what types of content the company deletes from its platform and have a powerful impact on what viewpoints are silenced and whose, in effect, are amplified.

The direct link between Facebook’s content moderation policies and its users’ right to freedom of expression are a longstanding concern of internet activists and watchdog groups, including Ranking Digital Rights. In April 2018, in response to mounting pressure, Facebook published its internal guidelines for how it enforces its Community Standards. It also launched a new appeals process for users whose content may have been wrongfully removed.

These are both laudable improvements, but a far cry from what is needed to ensure adequate freedom of expression protections for Facebook’s over 2 billion users worldwide. The 2019 RDR Corporate Accountability Index, published on May 16, revealed that Facebook’s grievance and remedy mechanisms—including its appeals process for content removals—were among the weakest of any company in the RDR Index, even after introducing improvements to its appeals process over the last year.

The Draft Charter to which we have responded outlines Facebook’s proposal for the creation of the Oversight Board, with questions and considerations on the Board’s membership and role in the appeals process. We commend Facebook for publicly disclosing and seeking input on the Draft Charter for its Oversight Board, and welcome the opportunity to help inform and improve its content moderation policies and appeals processes.

The 2019 RDR Index findings offer a roadmap for how Facebook can and should improve its practices. Our recommendations submitted to company representatives this week highlight the need for Facebook to clarify the Oversight Board’s role in implementing the company’s commitment to respect human rights. We believe that clearly grounding the Oversight Board’s mandate in international human rights standards is essential given Facebook’s struggle to grapple with how to make decisions affecting users’ freedom of expression, and how Facebook users’ speech affects the rights of others on the platform.

We also stress the need for the Oversight Board to contribute to the company’s human rights impact assessment process, which should include assessments of how the content and enforcement of the company’s Community Standards affect the human rights of users and communities around the world. The Oversight Board should also be empowered to make recommendations regarding the company’s Community Standards and processes for enforcement. In addition, we urge the Board to regularly publish data about the nature and volume of its decisions.

Recommendations submitted by other concerned stakeholders emphasize the high stakes involved in Facebook’s content moderation decisions and its ability to impact users’ rights around the world. David Kaye, the UN Special Rapporteur on freedom of opinion and expression, submitted a letter to Mark Zuckerberg urging Facebook to include human rights principles in the Board’s review standards, noting that “…company standards based on “vague assertions of community interests” has “created unstable, unpredictable and unsafe environments for users and intensified government scrutiny”—the very problems that the creation of the Board seeks to address.” We wholeheartedly agree with these recommendations. Ranking Digital Rights is also a signatory to a joint statement with recommendations from civil society, investors, and academics.

As findings from the 2019 RDR Index show, most companies are not transparent enough about who has the power to control what they can say or see online, even as government pressure on companies to control online speech increases globally. Facebook’s proposed Oversight Board is an opportunity for increased transparency and accountability over the company’s own actions to police content on its platform. We look forward to the company’s responses to the feedback it has received during the public consultation process.