03 Feb RDR @ CPDP

Last week, Ranking Digital Rights participated in PrivacyCamp and the Computers, Privacy and Data Protection (CPDP) conference in Brussels. Two issues dominated the discussions: government mass surveillance, especially in light of the Schrems Safe Harbor decision (PDF), and the new EU General Data Protection Regulation. Participants also discussed corporate practices and their impact on privacy.

At CPDP, the panel “Appfail or Appwin” discussed how mobile apps may or may not respect users’ right to privacy. For example, Finn Myrstad of the Norwegian Consumer Council investigated the terms & conditions of apps, which may sometimes change without notice, and sometimes impose perpetual, worldwide and irrevocable licenses on users. They conducted a fun experiment to see how that plays out in the streets of Oslo. The Council will soon release a report about apps’ terms. In turn, Richard Tynan of Privacy International explained that even if apps don’t demand your real identity, your device collects enough data to compile a reliable picture of who you are. An audience member working for the Dutch Data Protection Authority called on Google to require that app developers publish a privacy policy, as well as to add an option for users to temporarily grant permissions for apps to do certain things such as access location only at specific times, but not generally.

Other sessions also touched on how companies should address privacy concerns. We learned that more and more companies are thinking about privacy impact assessments as ways to mitigate risks and ensure legal compliance, even though, according to one speaker, individuals within companies conducting the assessment may lack sufficient awareness about the range of privacy risks people might face when using the company’s services. Also, accountability frameworks are emerging as instruments for companies to go beyond compliance with data protection regulations, to being able to credibly demonstrate their practices to external stakeholders. For example, in order to meet RDR’s standard for corporate policy and practice, companies should be accountable not only to business partners and regulators, but also to affected individuals and the wider public.

In a panel on transparency reporting, Artur Alves of Concordia University recognized that transparency reports have beefed up over the past years, but could gain more in uniformity and transparency on internal processes. Microsoft’s Mark Lange highlighted the company’s Transparency Hub, and further talked about national security related requests. He explained that Microsoft is limited in its disclosure on receiving such requests, due to U.S. legal restrictions. Niels Huijbregts of Dutch ISP XS4ALL, said that customers welcome their transparency reports, but he had to overcome hesitation within XS4ALL’s parent company KPN, where some feared harming government relations. Nate Cardozo talked about EFF’s Who’s Got Your Back report, and said that companies are still deficient when it comes to national security-related reporting, reporting on government requests for terms of service enforcement, as well as reporting on informal processes.

Further discussions at CPDP dealt with anything from interactive toys and the need to have granular control over what kind of data they collect from children, to data minimization, where a European Commission panelist called for privacy compliance as a competitive advantage.

Ranking Digital Rights supports the view that improved privacy practices provide business opportunities for companies. The many conversations at CPDP confirmed that a human rights-centered approach to privacy accountability is necessary to improve companies’ practices.

26 Nov How will people use the Index? Brainstorming at the IGF

After a series of launch events in the U.S., the RDR Corporate Accountability Index took to the global stage earlier this month as members of the RDR team presented the Index’s results at the Internet Governance Forum, an opportunity to engage with civil society advocates, researchers, government officials and private sector representatives from around the world. We received feedback on the project, and brainstormed about future activities with potential partners and collaborators

Reactions to the Index were positive. Several people commented on the painstakingly detailed approach to data collection and analysis. This is data one can stand behind. Most of the critiques could be summarized as “do more of the same… much, much more.” More companies, more services, in more markets… which of course requires more resources than the project currently possesses, but we are working on it…

Another common concern is that the Index measures disclosed policies and practices but does not take the next step to verify whether companies are actually carrying out the policies and practices that they describe. We also lack the resources to do such work, which would require on-the-ground staff in many countries. Instead, we welcome researchers and advocates to develop projects that would carry out the verification work in a globally distributed way: it would be ideal if a multitude of advocacy groups and academic institutions could develop their own approaches to verify and track how companies’ policies and practices are actually experienced by users in different parts of the world.

We also learned more about similar yet complementary projects that approach the same issue — corporate responsibility to respect human rights online — from different angles. If this ecosystem can seem like a messy patchwork at first glance, the conversations that RDR participated in highlighted the importance of collaboration between projects. As Carolina Botero, of Colombia’s Fundación Karisma, shared during our Day 2 workshop, being able to tell representatives from domestic Internet service providers that transparency reporting is now a standard practice that global giants like Google and Facebook routinely engage in was key in changing the tone of the conversation, which had been rather confrontational until then.

Day 0: Brainstorming Session

On “Day 0” of the conference devoted to self-organized events by conference attendees, RDR and Internews held a research and advocacy brainstorming session around the newly released Corporate Accountability Index. What additional research projects could emerge from the Index data, and how can the Index support advocacy?

Following opening remarks by David Kaye, the UN’s Special Rapporteur on Freedom of Expression, and a presentation of the Corporate Accountability Index, the Ranking Digital Rights team engaged the participants in a wide-ranging discussion of the Index, its potential for both research and advocacy, and also its limitations.

Participants rightly pointed out that while this evaluation of 16 companies is a commendable start, future iterations of the Index (ideally on an annual basis) will have greater impact if they include a wider range of companies, including more of the companies’ direct competitors. This, of course, is contingent on a combination of successful fundraising and on forging partnerships with civil society groups around the world. All of Ranking Digital Rights materials’, including our methodology and research guidance, are freely available under Creative Commons licensing, and we encourage our colleagues in the digital rights space to consider applying the RDR criteria to a wider range of companies and subsidiaries, for example by doing regional or country-specific rankings.

A thornier limitation is that because it only evaluates publicly available information (for reasons documented here), the Index cannot address the issue of company practices that diverge from their stated commitments. While there is a clear need to highlight this kind of disparity where it exists, our research has revealed that it is much more common for companies to simply not have a policy in place, or to have a an internal policy that users and the general public have no access to. We believe that RDR can best promote greater corporate accountability for human rights by incentivizing companies to develop and make public policies surrounding commitment to human rights, privacy and freedom and expression. Once companies make public commitments and disclosures, it is then possible for stakeholders to hold them accountable by verifying that they are living up to their commitments and actually adhering to their own stated policies. One project aiming to highlight companies’ actual practices is the recently launched OnlineCensorship.org, where users are able to submit their experiences with content takedown and other online censorship. Lumen (formerly Chilling Effects) allows users to upload information about take-down requests and receive information about their legal rights.

Day 2: Benchmarking ICT companies on digital rights

On Day 2 of the IGF, Rebecca MacKinnon participated in a roundtable workshop on “Benchmarking ICT companies on digital rights,” which I moderated. The participants’ experiences point to the diversity of strategies that can be effective in getting companies to improve their respect for digital rights: from star-based ratings like the EFF’s Who Has Your Back? and Fundación Karisma’s ¿Dónde están mis datos? to the RDR Index’s granular scoring system, there is more than one way to encourage ICT companies to respect human rights. The Transparency Reporting Index maintained by Access Now is formidable resource for activists from a wide variety of subsectors, providing links and brief descriptions for the transparency reports of more than 50 global companies. The Terms of Service & Human Rights project translates the “legalese” that these documents are usually written in into plain language that users can understand, thus empowering them to make informed decisions about the services they use. It is clear that these projects, and others, rely on and support one another. All human rights advocacy is an ecosystem to an extent, but this is all the more true when we’re dealing with multinational corporations whose actions impact users all over the world in different but related ways.

Comments by Cecille Soria of Democracy.Net.PH and Kelly Kim of Open Net Korea reinforced the importance of starting with a low bar and raising it gradually. While both Democracy.Net.PH and Open Net Korea would eventually like to start ranking projects using the RDR criteria, the reality is that many companies in their respective countries do not currently provide the kind of information that the Index’s methodology seeks to surface. Even though the South Korean company Kakao stood out for its relatively robust disclosures in the RDR Index, Kim said Korean companies still have considerable progress to make. Open Net Korea plans to focus on getting companies to publish regular transparency reports before scrutinizing the contents of those reports. This echoed the earlier comments from the EFF’s Jeremy Malcolm, who noted that the Who Has Your Back? report has gradually raised the bar for the companies it evaluates.

07 Nov RDR @ the IGF

This year Ranking Digital Rights has a strong presence at the Internet Governance Forum, being held this coming week in João Pessoa, Brazil. We will be presenting the results of the Corporate Accountability Index and also engaging in broader discussions about standards for government and industry related to human rights and the Internet. An interactive schedule for the entire conference can be found here.

We are organizing two events:

Monday November 9, 2-6pm, Workshop Room 8 –  “Day Zero” workshop: Corporate Accountability for Digital Rights: Building a Global Research and Advocacy Network.

UPDATE: The UN Special Rapporteur on Freedom of Expression, David Kaye, will deliver opening remarks

This will be an in-depth meeting to brainstorm ideas for how civil society groups and academic researchers can use the Corporate Accountability Index data and indicators for their own research and advocacy at national, regional, and global levels. Click here for more details about location and agenda, and to RSVP.

Wednesday November 11, 11am-12:30pm, Workshop Room 7 –  Workshop: Benchmarking ICT Companies on Digital Rights. (Click here for remote participation information)

Session description: There has been growing interest over the past few years in civil society efforts to hold ICT companies accountable for their impact on human rights,. All stakeholders including companies have an interest in setting clear industry standards on dimensions of privacy and freedom of expression. To that end, more research and comparative data about different companies’ policies and practices can encourage companies to compete with one another on respect for users’ rights. Given the international scope and complexity of the sector, this task is more than any single organization can fully tackle on a global scale, and it is important to recognize the diversity of goals and perspectives represented by organizations working in this space. The purpose of this roundtable workshop is to bring together a geographically diverse range of NGO’s and researchers to share experiences and perspectives on creating projects to rank or rate ICT companies. The goal is to create a “how to” guide on launching such projects as well as a collaborative network of organizations and researchers. Company and government stakeholders will also provide feedback on how such projects can most effectively influence corporate practice and government policy.

Click here for updated session info and list of participants.