
The 2018 Ranking Digital Rights Corporate Accountability Index findings foreshadowed many of the corporate governance and disclosure problems reflected in this year’s constant stream of negative news headlines about some of the world’s most powerful internet companies.

Today we are publishing a 2018 Investor Update, which reviews key developments of the past year and their relationship to the RDR Index findings and methodology, and flags some developments to watch as we move into 2019.

Last year we published our inaugural Ranking Digital Rights 2017 Investor Research Note which identified concrete risks stemming from how companies manage user data and content. Poor disclosure and inadequate policies by internet, mobile and telecommunications companies covering online expression, privacy and security topped the list of red flags. In 2018, these issues and risks became more demonstrably material to investors.


  • Governance: 2018 showed why it matters. Poor disclosures, especially when signaling an underlying lack of adequate governance practices, were red flags that predicted some companies’ failure to anticipate and mitigate risks to users’ expression and privacy rights that have turned out to be costly to companies. Investor resolutions have been pushing for governance reform and we expect to see more in 2019.
  • Online speech: transparency has improved but the rough ride will continue. As opaque, seemingly arbitrary and unaccountable processes for policing content have come under growing fire over the past three years, companies have responded to stakeholder pressure for more transparency, as RDR’s research reflects. But greater transparency and engagement have been insufficient and too late to avert political and humanitarian consequences caused by disinformation and extremism. Most of the resulting regulatory efforts and proposals have themselves sparked human rights concerns about political abuse and censorship. The 2018 Update examines how ongoing policy debates relate to RDR’s indicators.
  • Privacy and security: Corporate irresponsibility invites more risk and regulation. Poor disclosure to users about what happens to their data, especially when combined with policies that have limited – or obscured – the amount of control users can have over the collection and sharing of their data, foreshadowed unexamined risks to users’ privacy and security that blew up in the headlines this year. The 2018 Update examines the fast-evolving regulatory landscape on privacy in relation to RDR’s findings and methodology.

The 2018 Investor Update concludes with a preview of the 2019 RDR Index. Please also see our special investor resource page for regularly updated information and resources relevant to investors.

More than half of the companies evaluated in the 2018 Corporate Accountability Index have publicly responded to our findings, thanks to a campaign by digital rights group Access Now. In September, the organization sent letters to each of the 22 companies evaluated in the 2018 Index, asking them to respond to recommendations for improving their policies and practices affecting freedom of expression and privacy.

Twelve companies have so far responded, with many reporting steps they have taken since the 2018 Index was published to improve. Letters can be viewed on the Business & Human Rights Resource Center (BHRRC) website. Below is a summary of responses:

  • AT&T emphasized its commitment to respecting users’ freedom of expression and privacy, noting it received the highest privacy score among telecommunications companies over the past three Index rankings. The company stated that although it did not join the Global Network Initiative (GNI) like many of its US and European peers, it has opted instead to independently implement and report on its progress on human rights issues. (Read Access Now’s letter, and AT&T’s response.)
  • Facebook pointed to new efforts aimed at improving transparency of its policies affecting users’ rights, including its new appeals process allowing users to dispute content that has been removed. (Read Access Now’s letter, and Facebook’s response.)
  • Kakao said it was actively “maximizing transparency” of its content management, data collection, and data security policies and practices. It also reported it is preparing to roll out a new user-friendly privacy portal and it is improving ways for users to improve security through a security control center. (Read Access Now’s letter, and Kakao’s response.)
  • Mail.Ru stated that protecting user data is among the company’s top priorities, but did not address recommendations urging the company to publicly commit to freedom of expression and privacy as human rights. (Read Access Now’s letter, and Mail.Ru’s response.)
  • Microsoft acknowledged it has a “responsibility and commitment to operate our business in a way that respects universal rights such as privacy, freedom of expression and the right to access information.” It also pointed out that it sided with consumers in recent privacy rights cases in both the United States and Europe. (Read Access Now’s letter, and Microsoft’s response.)
  • MTN reported that a “project team comprising members of regulatory compliance and customer operations functions is currently working on implementation of solutions to the priority indicators identified.” (Read Access Now’s letter, and MTN’s response.)
  • Oath emphasized how its Business & Human Rights Program (BHRP) has brought continued improvements in corporate transparency and stakeholder engagement. The company also acknowledged “the potential the Index has to drive dialogue on how companies can communicate about their attention to these important issues.” (Read Access Now’s letter, and Oath’s response.)
  • Orange emphasized its commitment to respecting and promoting fundamental human rights, noting that it conducts due diligence on government requests to hand over user information. The company also stated it works to ensure it protects users’ data, but does not publish its process for responding to data breaches due to security concerns. (Read Access Now’s letter, and Orange’s response.)
  • Samsung stated its commitment to protecting users’ privacy, and said it would consider joining multi-stakeholder initiatives to “join forces with industry peers and other stakeholders in protecting users’ personal information.” (Read Access Now’s letter, and Samsung’s response.)
  • Telefónica addressed each of Access Now’s recommendations and highlighted its “active commitment” to international human rights standards for more than a decade. (Read Access Now’s letter, and Telefónica’s response.)
  • Twitter said it would continue to review and improve its privacy policy and transparency reporting. It also called attention to its new policy prohibiting “dehumanizing” speech. (Read Access Now’s letter, and Twitter’s response.)
  • Vodafone pointed out that the company has launched new privacy portals in compliance with the EU’s new privacy directive (the GDPR), and stated that its privacy policies are based on the principles of accountability, fairness and lawfulness. (Read Access Now’s letter, and Vodafone’s response.)

Five internet and mobile companies (Apple, Baidu, Google, Tencent, and Yandex) and five telecommunications companies (América Móvil, Axiata, Bharti Airtel, Etisalat, and Ooredoo) have not yet responded to Access Now’s letters.

Corporate Accountability News Highlights is a regular series by Ranking Digital Rights highlighting key news related to tech companies, freedom of expression, and privacy issues around the world.

Facebook data breach tests GDPR


Facebook could be hit with a $1.63 billion fine over its recent data breach affecting 50 million users. Irish data watchdogs this week opened an investigation over whether the company’s handling of the breach violated the EU’s new privacy rules that came into force in May 2018.

The company last week revealed that hackers gained access to the accounts of at least 50 million Facebook users. Roughly 90 million users were automatically logged out of their accounts as a precaution. Less than 10 percent of affected users are located within the European Union, according to a tweet sent out by Irish regulators.

The case is the first test of the General Data Protection Regulation (GDPR), the EU’s sweeping privacy rules that carry stiff financial penalties for companies that violate them. The GDPR requires any “data processor” to safeguard the user information it handles, and to notify regulators and affected users of a breach within 72 hours. According to CNBC, while Facebook appears to have notified regulators of the data breach, Irish regulators will investigate whether the company has violated the GDPR requirements to take appropriate security measures for safeguarding people’s data. If the company is found not to have done enough to protect user information in violation of the GDPR, it could be fined 4 percent of its global revenue, or $1.63 billion.

Internet, mobile, and telecommunications companies collect, store, and share vast amounts of information about users and should have clear policies in place for keeping this data secure. They should also clearly disclose their policies for addressing data breaches in the event that they occur. Findings of the 2018 Corporate Accountability Index showed that while Facebook disclosed more than most internet and mobile companies evaluated about its processes for addressing security vulnerabilities, the company failed to provide any information about its policies for responding to data breaches, including policies of notifying affected users.

Tech companies pledge to help the EU fight misinformation

A group of companies that includes Facebook and Google has signed on to a new initiative to fight the spread of misinformation online, as part of the EU’s effort to combat news manipulation and interference ahead of the 2019 European parliamentary elections. The European Commission’s Code of Practice on Disinformation asks companies to monitor and voluntarily remove “verifiably false or misleading” content and to increase transparency of political advertising.

The initiative was first proposed in April, when the Commission convened a multistakeholder forum that included online platforms, advertisers, journalists, and civil society to discuss self-regulatory solutions for addressing the spread of misinformation on social media and internet platforms. Hailed by proponents as a key step in combating misinformation, the plan has been criticized by media and civil society stakeholders for lacking “measurable objectives,” enforcement tools and oversight, Euractiv reports.

In 2016, the European Commission introduced a similar self-regulatory initiative aimed at combating the spread of hate speech online. A group of companies—including Facebook, YouTube (Google), Twitter, and Microsoft—signed onto the code, despite warnings by critics that the plan gave private companies too much power to censor content.

While private companies have the right to establish rules about what type of content is prohibited on their platforms, they should be transparent about the rules and how they are enforced. Companies should also disclose how they handle external government and private requests to remove content. Findings of the 2018 Index showed that most internet platforms lacked transparency about the volume and nature of content removed as a result of private processes. Ranking Digital Rights urges companies to clearly disclose how much and what types of content they have removed, filtered, or restricted, and why, and to notify users when they do so, and for what reason.

Trump administration opposes Google’s Chinese search engine

The Trump administration says it opposes Google’s efforts to re-enter the Chinese market. The Wall Street Journal reports that Vice President Mike Pence this Thursday called on the company to end the development of a search engine called Dragonfly, a confidential project rights groups say will enable internet censorship and compromise user privacy.

News of the project was first reported by The Intercept, which revealed that the Dragonfly search engine and news app will blacklist websites and search terms according to the Chinese government’s rigid censorship demands. The Chinese government has developed an increasingly sophisticated internet censorship system (called the “Great Firewall”) that filters and blocks information about human rights, political dissent, and other blacklisted topics. According to documents leaked to The Intercept, Google’s Dragonfly would have an automatic filter for banned sites and search results. Further reports indicate that user search results will be tracked by linking searches to individual phone numbers.

Google exited China in 2010 following disputes with authorities over its censorship practices targeting human rights activists. Plans to re-enter China have sparked new criticism from rights groups who say that the Dragonfly search engine will help the government’s extensive censorship and surveillance practices. Companies should conduct comprehensive and credible human rights risk assessments before launching new products or entering new markets in order to mitigate the freedom of expression and privacy risks to users. They must also be fully transparent about how much content they filter or remove at the behest of governments, and why, as well as their processes for handling government requests for user data.


European lawmakers approve contested copyright reforms


The European Parliament last week voted in favor of controversial copyright reform measures that tech experts and rights groups warn could threaten internet freedom. The directive, aimed at updating the EU’s copyright laws, includes provisions requiring online platforms to filter copyrighted material and to buy licenses from publishers for linking to their content. Critics have bashed the legislation as “a hammer blow to the open Internet.”

European lawmakers in June voted down the directive after intense pressure by rights groups and tech companies. The European Parliament last week approved the directive, despite only minor amendments to the original proposal.

The directive has sparked widespread criticism from tech lobbying groups, who warn the reforms will thwart access to information and could lead to censorship. Among the more contested provisions, Article 11 would prohibit online platforms from linking to news content unless they first get a license from the publisher for the digital use of their content, and Article 13 would require all content published online in the EU to be checked for copyright infringement. According to the Electronic Frontier Foundation (EFF), this means any website that allows users to post “text, sounds, code, still or moving images, or other copyrighted works for public consumption will have to filter all their users’ submissions against a database of copyrighted works.” Rights groups agree this would lead to excessive filtering and censorship. While digital rights groups have panned the measures, content producers, including many music and media organizations, have hailed the proposed reforms.

The approved legislation now enters into closed-door discussions between the European Commission, the Council of the European Union, and the European Parliament before a final vote in January 2019. If the vote passes, EU-member states will have two years to adopt new regulations.

Ranking Digital Rights recommends that companies push back against overly broad or vague regulations that infringe on users’ freedom of expression and privacy. Companies should be transparent about their policies and practices for filtering, removing, or otherwise blocking access to content, whether in compliance with national laws or for breaches to the company’s own rules. This involves clearly disclosing how they handle requests to restrict content.

Benin levies internet tax

The government of Benin has approved measures that will tax citizens for using the internet and social media. The measures require citizens to pay five CFA francs ($0.008) per megabyte of data used on “over-the-top” (OTT) services, which include regular internet access as well as apps like Facebook, Twitter, and WhatsApp. An additional tax of five percent will be levied on the price of service—excluding VAT—of standard telephony-based calls and messages.

Benin’s internet tax is part of a growing trend by African lawmakers to curb access to online services. Similar tax regimes have been implemented by the governments of Tanzania, Uganda, and Zambia. Digital rights advocates in Nigeria warn that the government there may soon follow suit. The policies are likely to aid regional telecommunications companies, who have lost significant revenue as OTT services continue to grow, but they will also impede internet access in a region where penetration remains low.

Governments should refrain from introducing measures, such as taxing internet usage, that impede internet access and violate human rights. Both governments and companies should carry out human rights due diligence in order to ensure that policies do not negatively affect freedom of expression, in breach of international human rights standards and norms.

Amazon investigates reported data breach

Amazon is investigating reports that employees have been accepting bribes in exchange for leaking customer data and manipulating product reviews in order to give some online sellers an advantage, according to the Wall Street Journal.  

The incidents were first discovered among Amazon employees in China, but the company is also investigating similar reports involving Amazon employees in the US.

Studies show that “insider threats” account for a majority of breach incidents. The 2018 Corporate Accountability Index recommends that companies disclose basic information on what steps they take internally to keep user information secure, including if they limit and monitor unauthorized employee access to user information. They also should disclose information about their processes for handling data breaches once they do occur, including policies for notifying affected users.


Ranking Digital Rights (RDR) has partnered with Global Voices Translation Services to translate key components of the 2018 Corporate Accountability Index into six major languages—Arabic, Chinese, French, Korean, Russian, and Spanish.

The Index ranks the world’s most powerful Internet, mobile, and telecommunications companies on their disclosed policies affecting freedom of expression and privacy. The companies evaluated by RDR are headquartered around the world, and their products and services are accessed by the world’s 4.2 billion internet users. These translations will make our findings more accessible to companies, civil society, and policy makers in these regions.

The following materials are now available in each of the six languages listed above:

A summary of the overall findings of the Index:

Company report cards:

 

We would like to thank Global Voices for their work on these translations, as well as our research partners and regional partners for their help in reviewing and promoting these materials.