RDR is now an independent initiative. Our website is catching up.  Read our announcement →

Donate

15 Jan

Posted at 13:25h in Announcements, Featured, News, Press by
0 Likes

A group of investors has endorsed the Ranking Digital Rights (RDR) Corporate Accountability Index as an important tool for helping tech companies meet their human rights responsibilities and for helping investors identify digital rights risks.

In December, 49 members of the Investor Alliance for Human Rights (IAHR), a coalition of global funds focused on advancing corporate human rights due diligence, issued a statement to the 22 internet, mobile and telecommunications companies evaluated in the Ranking Digital Rights (RDR) Corporate Accountability Index urging these companies to use the RDR Index to improve governance systems and performance on salient human rights risks related to privacy and freedom of expression.

The group also highlighted growing financial and reputational risks in the ICT sector due to the mishandling of user data and real and potential human rights abuses. In the statement, the investors say they rely on the RDR Index to assist in investment decision-making and to inform corporate engagements with the ICT sector. Investors argue that, as custodians of their users’ data and digital rights, these companies have a responsibility to respect users’ right to privacy and freedom of expression and must be accountable for how they handle users’ data.  

RDR is proud to be recognized by a growing number investors who hold shares in the world’s most powerful internet, mobile, and telecommunications companies as an indispensable tool for conducting due diligence on potential risks in their portfolios and engaging with those companies about how they can improve respect for users’ rights. As Rosa van den Beemt of NEI Investments stated in today’s IAHR press release: “As investors we are committed to using the transparent and comparable data the RDR Index provides to hold companies accountable.

RDR maintains an investor resource page which includes useful materials such as links to an October 2018 investor webinar hosted by IAHR, and our 2018 Investor Update analyzing the relationship between the 2018 RDR Index findings on company policies and disclosures and some of the key developments reflected in last year’s negative headlines about several of the world’s most powerful internet companies.

Most notably, investors turned to RDR data and analysis in the wake of the revelation that, unbeknownst to its users, Facebook data was shared with the political research firm Cambridge Analytica in order to influence the 2016 U.S. presidential election. In May 2018 Domini Funds cited RDR in announcing its decision to sell all Facebook holdings. RDR research was also cited in an open letter from 78 organizations to major Facebook shareholders, and in a shareholder resolution by Arjuna Capital.

We look forward to engaging further with the investment community on the findings of the 2019 RDR Index, to be released in May.

29 Nov

Posted at 06:32h in Featured, News by
0 Likes

This post is published as part of an editorial partnership between Global Voices and Ranking Digital Rights. Global Voices’ advocacy director Ellery Roberts Biddle co-authored this piece.

A Google music event in China, 2009. Photo by Keso via Flickr (CC BY 2.0)

The secret is out — Google is building a search engine for China.

After deflecting questions from reporters for months, CEO Sundar Pichai acknowledged in October Google’s plan to build a mobile app that will serve Chinese users — and thus comply with Chinese government censorship mandates.

But big questions remain. Namely, how will this actually work? To keep the censors happy, Google will need to invest significant human, financial and technical resources to keep up with China’s unique and exhaustive approach to controlling online information and speech. While the company may be prepared to make some concessions (and substantial investments) in order to enter the Chinese market, this move will force Google to undermine its own commitments ”to advancing privacy and freedom of expression for [its] users around the world.”

Google’s DragonFly program also raises questions about what responsibilities companies —  and in particular tech companies — have to protect and respect human rights of their users, not just in the company’s home market but in every market in which they operate. Rights groups and experts agree that these companies should conduct human rights impact assessments before entering new markets or launching new products in order to identify how aspects of its business may affect freedom of expression and privacy and to mitigate any risks posed by those impacts.

How to censor the internet (by Chinese standards)

In contrast to US-based companies, which are largely shielded from liability for illegal content, Chinese internet giants are obligated to proactively censor illegal and politically sensitive content and report it to the authorities. If Google does enter the Chinese market, it can expect to be held to the same standard.

What counts as a illegal content? This is dictated by the country’s far-reaching Cybercrime law, along with an ever-evolving set of demands from high-level party and government officials in the Cyberspace Administration.

China’s cybersecurity law bans Internet users from publishing information that damages “national honor”, “disturbs economic or social order” or is aimed at “overthrowing the socialist system”. The law also requires internet companies to collect and verify users’ identities whenever they use major web sites or services.

Censorship of politically-sensitive keywords is a powerful component of this system. Alongside terms that have long been outlawed, such as “human rights” and “Tiananmen Square”, there is a constant churn of new censorship requests from above, driven by current events and hot topics on social media. Earlier this year, for example, censors moved to ban phrases like “anti-sexual harassment” in the wake of the #metoo movement spreading to China.

In order to comply and keep up with state demands, large tech firms in China invest substantial financial and human resources into the work of keeping their sites “clean” and legal. Companies enlist layers of individuals as part of this effort, ranging from full-time employees to community “advisors” to “civilization volunteers” who promote positive messages about the Communist Party (and drown out negative ones). An unofficial estimate by a Japanese media outlet in 2014 put the number of people employed in the internet censorship sector at eight million.

Artificial intelligence is also becoming a bigger part of this industry, though there is still relatively little known about how companies are building censorship decision-making mechanisms into their systems.

For foreign companies like Google, there also are extra hurdles when it comes to data storage. As Google will be collecting user data (The Intercept reports that users in China will need to log in before they can search), the company will need to run a data center with a local partner, as per China’s Cybersecurity Law. Drawing on a leaked internal memo, The Intercept contends that the Chinese partner company would have “unilateral access” to users’ search data.

To keep up with these demands, Google may need to substantially change its model for content distribution and moderation, not to mention data collection. This will surely put Google’s principles of openness and preserving free speech to the test.

Profit before human rights: ‘a race to the bottom’

In its early years, Google did comply with censorship requests from the Chinese government. But it stopped censoring search results in China in 2010, after suffering a major cyber attack from within the country, that was aimed at Chinese human rights activists. After the attack, the company began directing traffic from mainland China to its Hong Kong version, which was relatively open, similar to the rest of the world. Within months, the company’s services were fully blocked in mainland China.

Google’s decision was applauded by internet freedom activists, both in and outside of China, and placed Google into a unique category. It became a company that chose to change its agenda (and likely lose profits) in order to protect human rights.

Google was forced to leave China in 2010. Image by Flickr user Josh Chin (CC BY-NC 2.0)

Isaac Mao, a Hong-Kong based entrepreneur and founder of Musicoin Project, looked back on the 2010 move: “Google’s action then enlightened a lot of people to pay attention to censorship issues, that [was] historical.”

Although Google officially removed its servers from China in 2010, it still maintains a presence in the Chinese market by investing in local startups and an artificial intelligence research center in Beijing. But the decision to bring its flagship products back to China, on the Chinese government’s terms, represents a true paradigm shift for the industry as a whole.

Mao sees Google’s plan to re-enter China as being entirely profit-driven.

“Chinese internet users suffer a lot and they really want to see Google hold a high level of morality…instead of just caring about the single digits of the market share,” he told us.

Alongside the changes that this will bring for Google, experts say this shift will encourage other tech companies (whose services are currently blocked in China) to seek their own share of the Chinese market.

“It would embolden other companies to also lower their human rights standards for the Chinese market. And then it becomes a race to the bottom,” said Yaqiu Wang, the China researcher at Human Rights Watch.

Lokman Tsui, a professor at Chinese University of Hong Kong who once worked for Google told us that the move will also make it easier for governments around the world to impose stricter censorship regimes on Google. He said:

“In negotiations with governments around the world, any government can now say, ‘you can do that kind of censorship for china, but you cannot do this for us?’”

Joining the party in Beijing

Google’s decision to bring its flagship products back to the Chinese market is unsurprising and seems to correspond to a broader trend among major US companies. Facebook, LinkedIn and Apple, to name a few, have all sought to establish stronger footing in China in recent years — though only some have succeeded.

In 2014, LinkedIn launched a Chinese version of its service which prevents mainland users from accessing content forbidden by the Chinese government. Speaking with The Guardian after users complained about political content being blacked out on the site, LinkedIn Asia-Pacific staff member Roger Pua explained that this was intended “to protect the privacy and security of the member who posted that content.”

Apple products have long been available for purchase in China. Throughout the years, the tech giant has also been complicit in censoring its Chinese users by cracking down on VPNs, removing the New York Times app from its China store, and censoring the Taiwan flag emoji. In early 2018, Apple agreed to store user data locally to comply with the country’s 2017 cybersecurity law, in a move that was slammed by human rights groups and privacy advocates.

While both Apple and LinkedIn have encountered challenges along the way, it appears that for both companies, the strategic business decision to move into China has so far been effective. That said, neither of these companies have nearly as much power over what people say and see online as Google.

What next?

It is clear that Google’s executives and leadership are prioritising profit over openness in this move. What remains unclear now is how far is the company willing to go to get the Chinese government’s blessing.

Google will be facing fierce competition from Chinese tech companies, and Baidu in particular which dominates the search engine market in the country. And while many users in China may be willing to switch to Google due to public disappointment with Baidu, Chinese companies have an edge: their close ties to the Chinese government.

Most Chinese companies “have very deep local or central government relationships, and in china the relationship is everything,” Mao said. “If they are not satisfied they can shut you down overnight.”

Chinese companies “have better relations with the Chinese government,” Tsui said. “This is something Google never will be better at, nor should they want to be better at that.”

In April this year, authorities ordered Toutiao or Today’s Headline, China’s most popular information platform, to shut down its affiliated social media application, NeihanShequ, which allowed users to submit jokes and riddles for others to comment on. NeihanShequ was banned on the grounds that it was “heading a wrong direction with its vulgar and banal content.” This came despite a public apology from the company’s CEO Zhang Yiming who also promised that Toutiao will strengthen self-censorship measures by increasing the pre-screen staff team from 6,000 to 10,000 people.

Many of the largest tech companies in the country, including Baidu, even have a designated Communist Party branch within their office. In 2017, the government made a big push for companies to do this, offering them cash and other incentives in exchange for even more access to corporate activities and control.

Earlier this month, the micro-blogging platform Weibo gave 1,322 accounts affiliated with government entities including public security bureaus and cyberspace offices the direct authority to label posts as “rumors”. Weibo will not even play a role in the screening process.

It is difficult to imagine that Google would ever give Chinese authorities the ability to label its content, or that the Silicon Valley superpower would deign to establish a Chinese Communist Party branch within its own Beijing office. But the company will surely be asked to make substantial concessions to the government. So where will Google draw the line? If and when this happens, will the company be asked to leave?

These and many other unknowns leave many wondering if Google is really taking “a longer-term view” here, as its CEO maintains.

29 Oct

Posted at 18:05h in Announcements, Featured, News by
0 Likes

Luis Villa del Campo via Wikimedia Commons (CC-BY 2.0)

The 2018 Ranking Digital Rights Corporate Accountability Index findings foreshadowed many of the corporate governance and disclosure problems reflected in this year’s constant stream of negative news headlines about some of the world’s most powerful internet companies.

Today we are publishing a 2018 Investor Update, which reviews key developments of the past year and their relationship to the RDR Index findings and methodology, and flags some developments to watch as we move into 2019.

Last year we published our inaugural Ranking Digital Rights 2017 Investor Research Note which identified concrete risks stemming from how companies manage user data and content. Poor disclosure and inadequate policies by internet, mobile and telecommunications companies covering online expression, privacy and security topped the list of red flags. In 2018, these issues and risks became more demonstrably material to investors.

Click cover image to download report.

  • Governance: 2018 showed why it matters. Poor disclosuresespecially when signaling an underlying lack of adequate governance practiceswere red flags that predicted some companies’ failure to anticipate and mitigate risks to users’ expression and privacy rights that have turned out to be costly to companies. Investor resolutions have been pushing for governance reform and we expect to see more in 2019.
  • Online speech: transparency has improved but the rough ride will continue.  As opaque, seemingly arbitrary and unaccountable processes for policing content have come under growing fire over the past three years, companies have responded to stakeholder pressure for more transparency, as RDR’s research reflects. But greater transparency and engagement has been insufficient and too late to avert political and humanitarian consequences caused by disinformation and extremism.  Most of the resulting regulatory efforts and proposals have themselves sparked human rights concerns about political abuse and censorship. The 2018 Update examines how ongoing policy debates relate to RDR’s indicators.
  • Privacy and security: Corporate irresponsibility invites more risk and regulation. Poor disclosure to users about what happens to their data, especially when combined with policies that have limited – or obscured – the amount of control users can have over the collection and sharing of their data, foreshadowed un-examined risks to users’ privacy and security that blew up in the headlines this year. The 2018 Update examines the fast-evolving regulatory landscape on privacy in relation to RDR’s findings and methodology.

The 2018 Investor Update concludes with a preview of the 2019 RDR Index. Please also see our special investor resource page for regularly updated information and resources relevant to investors.

19 Oct

Posted at 04:47h in Announcements, Featured, News, Partnerships by
0 Likes

More than half of the companies evaluated in the 2018 Corporate Accountability Index have publicly responded to our findings, thanks to a campaign by digital rights group Access Now. In September, the organization sent letters to each of the 22 companies evaluated in the 2018 Index, asking them to respond to recommendations for improving their policies and practices affecting freedom of expression and privacy.

Twelve companies have so far responded, with many reporting steps they have taken since the 2018 Index was published to improve. Letters can be viewed on the Business & Human Rights Resource Center (BHRRC) website. Below is a summary of responses:

  • AT&T emphasized its commitment to respecting users’ freedom of expression and privacy, noting it received the highest privacy score among telecommunications companies over the past three Index rankings. The company stated that it although it did not join the Global Network Initiative (GNI) like many of its US and European peers, it has opted instead to independently implement and report on their progress on human rights issues. (Read Access Now’s letter, and AT&T’s response.)
  • Facebook pointed to new efforts aimed at improving transparency of its policies affecting users’ rights, including its new appeals process allowing users to dispute content that has been removed. (Read Access Now’s letter, and Facebook’s response.)
  • Kakao said it was actively “maximizing transparency” of its content management, data collection, and data security policies and practices. It also reported it is preparing to roll out a new user-friendly privacy portal and it is improving ways for users to improve security through a security control center. (Read Access Now’s letter, and Kakao’s response.)
  • Mail.Ru stated that protecting user data is among the company’s top priorities, but did not address recommendations urging the company to publicly commit to freedom of expression and privacy as human rights. (Read Access Now’s letter, and Mail.Ru’s response.)
  • Microsoft acknowledged it has a “responsibility and commitment to operate our business in a way that respects universal rights such as privacy, freedom of expression and the right to access information.” It also pointed out that it sided with consumers in recent privacy rights cases in both the United States and Europe. (Read Access Now’s letter, and Microsoft’s response.)
  • MTN reported that a “project team comprising members of regulatory compliance and customer operations functions is currently working on implementation of solutions to the priority indicators identified.” (Read Access Now’s letter, and MTN’s response.)
  • Oath emphasized how its Business & Human Rights Program (BHRP) has brought continued improvements in corporate transparency and stakeholder engagement. The company also acknowledged “the potential the Index has to drive dialogue on how companies can communicate about their attention to these important issues.” (Read Access Now’s letter, and Oath’s response.)
  • Orange emphasized its commitment to respecting and promoting fundamental human rights, noting that it conducts due diligence on government requests to hand over user information. The company also stated it works to ensure it protects users’ data, but does not publish its process for responding to data breaches due to security concerns. (Read Access Now’s letter, and Orange’s response.)
  • Samsung stated its commitment to protecting users’ privacy, and said it would consider joining multi-stakeholder initiatives to “join forces with industry peers and other stakeholders in protecting users’ personal information.” (Read Access Now’s letter, and Samsung’s response.)
  • Telefónica addressed each of Access Now’s recommendations and highlighted its “active commitment” to international human rights standards for more than a decade. (Read Access Now’s letter, and Telefónica’s response.)
  • Twitter said it would continue to review and improve its privacy policy and transparency reporting. It also called attention to its new policy prohibiting “dehumanizing” speech. (Read Access Now’s letter, and Twitter’s response.)
  • Vodafone pointed out that the company has launched new privacy portals in compliance with the EU’s new privacy directive (the GDPR), and stated that its privacy policies are based on the principles of accountability, fairness and lawfulness. (Read Access Now’s letter, and Vodafone’s response.)

Five internet and mobile companies (Apple, Baidu, Google, Tencent, and Yandex) and five telecommunications companies (América Móvil, Axiata, Bharti Airtel, Etisalat, and Ooredoo) have not yet responded to Access Now’s letters.

05 Oct

Posted at 05:56h in Featured, News by
0 Likes

Corporate Accountability News Highlights is a regular series by Ranking Digital Rights highlighting key news related to tech companies, freedom of expression, and privacy issues around the world.

Facebook data breach tests GDPR

Photo by user TheDigitalWay on Pixabay

Facebook could be hit with a $1.63 billion fine over its recent data breach affecting 50 million users. Irish data watchdogs this week opened an investigation over whether the company’s handling of the breach violated the EU’s new privacy rules that came into force in May 2018.

The company last week revealed that hackers gained access to the accounts of at least 50 million Facebook users. Roughly 90 million users were automatically logged out of their accounts as a precaution. Less than 10 percent of affected users are located within the European Union, according to a tweet sent out by Irish regulators.

The case is the first test of the General Data Protection Regulations (GDPR), the EU’s sweeping privacy rules that carry stiff financial penalties for companies that violate the rules. The GDPR requires any “data processor” to safeguard the user information it handles, and to notify regulators and affected users of a breach within 72 hours. According to CNBC, while Facebook appears to have notified regulators of the data breach, Irish regulators will investigate whether the company has violated the GDPR requirements to take appropriate security measures for safeguarding people’s data. If the company is found to not have done enough to protect user information in violation of the GDPR, it could be fined 4 percent of its global revenue, or $1.63 billion.

Internet, mobile, and telecommunications companies collect, store, and share vast amounts of information about users and should have clear policies in place for keeping this data secure. They should also clearly disclose their policies for addressing data breaches in the event that they occur. Findings of the 2018 Corporate Accountability Index showed that while Facebook disclosed more than most internet and mobile companies evaluated about its processes for addressing security vulnerabilities, the company failed to provide any information about its policies for responding to data breaches, including policies of notifying affected users.

Tech companies pledge to help the EU fight misinformation

A group of companies that include Facebook and Google have signed on to a new initiative to fight the spread of misinformation online, as part of the EU’s effort to combat news manipulation and interference ahead of the 2019 European parliamentary elections. The European Commission’s Code of Practice on Disinformation asks companies to monitor and voluntarily remove “verifiably false or misleading” content and to increase transparency of political advertising.  

The initiative was first proposed in April, when the Commission convened a multistakeholder forum that included online platforms, advertisers, journalists, and civil society to discuss self-regulatory solutions for addressing the spread of misinformation on social media and internet platforms. Hailed by proponents as a key step in combating misinformation, the plan has been criticized by media and civil society stakeholders for lacking “measurable objectives,” enforcement tools and oversight, Euractiv reports.

In 2016, the European Commission introduced a similar self-regulatory initiative aimed at combating the spread of hate speech online. A group of companies—including Facebook, YouTube (Google), Twitter, and Microsoft—signed onto the code, despite warnings by critics that the plan gave private companies too much power to censor content.

While private companies have the right to establish rules about what type of content is prohibited on their platforms, they should be transparent about the rules and how they are enforced. Companies should also disclose how they handle external government and private requests to remove content. Findings of the 2018 Index showed that most internet platforms lacked transparency about the volume and nature of content removed as a result of private processes. Ranking Digital Rights urges companies to clearly disclose how much and what types of content it has removed, filtered, or restricted, and why, and to notify users when it does so, and for what reason.

Trump administration opposes Google’s Chinese search engine

The Trump administration says it opposes Google’s efforts to re-enter the Chinese market. The Wall Street Journal reports that Vice President Mike Pence this Thursday called on the company to end the development of a search engine called Dragonfly, a confidential project rights groups say will enable internet censorship and compromise user privacy.

News of the project was first reported by The Intercept, which revealed that the Dragonfly search engine and news app will blacklist websites and search terms according to the Chinese government’s rigid censorship demands. The Chinese government has developed an increasingly sophisticated internet censorship system (called the “Great Firewall”) that filters and blocks information about human rights, political dissent, and other blacklisted topics. According to documents leaked to The Intercept, Google’s Dragonfly would have an automatic filter for banned sites and search results. Further reports indicate that user search results will be tracked by linking searches to individual phone numbers.

Google exited China in 2010 following disputes with authorities over its censorship practices targeting human rights activists. Plans to re-enter China have sparked new criticism from rights groups who say that the Dragonfly search engine will help the government’s extensive censorship and surveillance practices. Companies should conduct comprehensive and credible human rights risk assessments before launching new products or entering new markets in order to mitigate the freedom of expression and privacy risks to users. They must also be fully transparent about how much content it filters or removes at the behest of governments, and why, as well as their processes for handling government requests for user data.