RDR @ the 2016 IGF

Last week, Ranking Digital Rights traveled to Guadalajara, Mexico for the the 11th Internet Governance Forum. The theme this year was “Enabling Inclusive and Sustainable Growth.” In all of the workshops and panels we participated in, our message focused on a central concern: as the next billion people get connected to the internet, their human rights need to be protected and respected by governments and companies. We believe that our Corporate Accountability Index produces data and analysis that can help governments, businesses, and civil society work together to address the concrete challenges in protecting, respecting, and defending human rights in the digital age.

Many of the official IGF sessions and side meetings provoked thoughtful discussion and provided us with ample opportunity to share insights from our work researching and analyzing Internet and telecommunications companies’ human rights-related public disclosures.

Some of the issues we highlighted included:

It is crucial that people have control over how their identities are presented online, as Rebecca MacKinnon noted in the session Human Rights: Broadening the Conversation. Real identity policies are pernicious, particularly for gender minorities and members of marginalized groups, and companies should bear this in mind when determining the choices they provide users.

We stressed the importance of companies disclosing information relating to government requests for user data – both in terms of their processes for responding to these requests, including indicating that they push back against inappropriate or overly broad requests, as well as data about the number of government requests received and with which they complied. This issue was also highlighted by civil society activists from Mexico, who noted that Mexican authorities often obtain user information without oversight or judicial warrants.

We also pointed out that governments have an important role to play to ensure companies adequately respect human rights. In some instances, regulatory ambiguity can leave companies unsure if the law prohibits disclosure on certain issues, and therefore they withhold publishing information on their policies or practices. We’ve also seen in our research that in countries that haven’t passed data protection laws, companies tend to not adhere to best practices for collection of user information.

Combatting online violent extremism was a recurring topic of discussion, particularly in light of the recent announcement that Google, Facebook, Microsoft, and Twitter planned to create “a shared industry database of ‘hashes’ — unique digital ‘fingerprints’ — for violent terrorist imagery or terrorist recruitment videos or images that [they] have removed from [their] services.” We again stressed the need for transparency and accountability for such a system, and for independent review for how images are included in it, as we’ve found that companies’ disclosure around their Terms of Service enforcement is often lacking. Companies have been under enormous pressure from governments to do something about this issue. At the same time, any new measures taken to facilitate the removal of content need to be carried out in a manner that is responsible, accountable, and respects users’ rights. It is vital that companies work closely with civil society to make sure that implementation of the new database system does not inflict new “collateral damage” on freedom of expression.  

Although much of the human rights trends highlighted by civil society at the conference were negative, as censorship and surveillance are on the rise around the world, there is also some cause for optimism. Many ICT companies, particularly those that are members of the Global Network Initiative, are making commitments to respect human rights throughout their operations and carrying out due diligence to ensure these commitments are upheld. This may include instituting board-level oversight on privacy and free expression matters, creating mechanisms for grievance and remedy, and conducting human rights impact assessments. These practices, among others, are evaluated in the “Governance” section of our 2017 methodology (previously referred to as “Commitment” in the 2015 Index). As MacKinnon concluded in the session Implementing Human Rights Standards to the ICT Sector, “Despite all of our complaints, which are many and justified, I think things would be a lot worse if we hadn’t had this system where companies are being held accountable to whether or not they are implementing their [human rights] commitments and whether or not they have a system in place.”

In addition to the official IGF sessions, we met with representatives from civil society, governments, the private sector, academia, and others to discuss a wide range of issues. Several of RDR’s research partners also attended the IGF, and we had a productive meeting with them to share and receive feedback on our ongoing research process and also begin brainstorming plans around the 2017 Index launch this March.

We’re looking forward to continuing many of these conversations in the new year, and in the lead-up to the launch of our 2017 Corporate Accountability Index, which will be launched in advance of RightsCon in late March. Stay tuned!

#KeepItOn: Corporate Accountability for Network Shutdowns

keepiton

Internet shutdowns are bad for human rights – as this YouTube video by RDR advocacy partner Access Now clearly illustrates, and as the UN Human Rights council asserted in a landmark resolution this past summer. Shutdowns are also bad for business. A recent paper by the Brookings Institution found that between July 2015 and June 2016, 81 short-term shutdowns of the internet by 19 countries cost the global economy over $2.6 billion in GDP.

For both reasons, the UK-based investor advocacy group ShareAction and Access Now recently co-published an Investor Brief explaining why investors should be concerned, and suggesting questions they should be asking of the telecommunications companies in whose stock they invest. Last month ShareAction and UNPRI (Principles for Responsible Investment) hosted an investor briefing event in their London offices. RDR was asked to present at the meeting alongside Access Now and the Global Network Initiative, whose members have also been speaking out against the harms of network shutdowns. The Investor Brief cites RDR as a useful tool for investors in evaluating companies’ performance on digital rights including network shutdowns, and notes which companies that performed poorly in RDR’s 2015 Index have also been connected to internet shutdowns.

While our 2015 Index methodology did not have a dedicated indicator focusing exclusively on network shutdowns, specific elements within several of the 2015 “freedom of expression” indicators examined company policies and practices in relation to network shutdowns. Specifically F4: Reasons for account or service restriction, F5: Notify users of restriction, and F6: Process for responding to third party requests which includes requests to restrict or shut down networks, and F7: Data about government requests which included data about requests to shut down networks. Other indicators in the commitment section also sought due diligence and accountability policies and mechanisms that would have an impact on how companies handle government demands to shut down networks.

For the 2017 Index, in response to the growing problem of network shutdowns and the need to highlight company policy and practice in relation to them, we have consolidated elements related to network shutdowns into a single indicator, F10: Network shutdowns, which states:

The company should clearly explain the circumstances under which it may shut down or restrict access to the network or to specific protocols, services, or applications on the network.

In order to evaluate telecommunications companies on this indicator we evaluate their disclosures on eight “element” questions:

  1. Does the company clearly explain the reason(s) why it may shut down service to a particular area or group of users?
  2. Does the company clearly explain why it may restrict access to specific applications or protocols (e.g., VoIP, messaging) in a particular area or to a specific group of users?
  3. Does the company clearly explain its process for responding to requests to shut down a network or restrict access to a service?
  4. Does the company commit to push back on requests to shut down a network or restrict access to a service?
  5. Does the company clearly disclose that it notifies users directly when it shuts down the network or restricts access to a service?
  6. Does the company list the number of network shutdown requests it receives?
  7. Does the company clearly identify the specific legal authority that makes the request?
  8. Does the company list the number of requests with which it complied?

Stay tuned for the launch of the 2017 Corporate Accountability Index in March 2017 to find out which companies do best and worst on this indicator.

RightsCon 2016: Corporate Accountability Enters the Mainstream

Issues of transparency, encryption, and corporate accountability played a central role at last week’s RightsCon conference in San Francisco, and RDR’s Index and data helped inform many discussions at the annual technology and human rights conference. Participants in various panels and workshops highlighted the value of RDR’s Index. Three public sessions organized by RDR, including a standing room-only session focused on terms of service enforcement, demonstrated how research-based advocacy can push companies to better respect users’ rights and help to inform policy solutions.

rights-con-logoIn a panel about data breaches, security expert Bruce Schneier called RDR’s Index “very valuable,” since the prospect of performing poorly on a public ranking can make companies think twice about the cost of collecting too much user information. In a session on institutionalizing human rights commitments at companies, Nicole Karlebach and Katie Shay from Yahoo’s Business and Human Rights Program described how engaging with civil society and research organizations, including RDR, gives them useful perspectives to share with other staff at Yahoo. At a session on remedy, Yves Nissim from the French telecom Orange said the company is using the RDR Index and methodology as a guide in its efforts to disclose more information about its practices. In addition, representatives from companies not included in the Index said they used RDR’s methodology to evaluate their own policies.

Many discussions at RightsCon highlighted the need for more transparency about company practices that relate to freedom of expression and privacy. For example, while some companies publish rules or community standards that explain what content is and is not permitted on their service, users are left in the dark about how companies enforce those rules.

Panelists discuss terms of service enforcement at a public session organized by RDR.

Panelists discuss terms of service enforcement at a public session organized by RDR.

Panelists at RDR’s session on terms of service enforcement explained that this lack of clarity means that users can be locked out of their accounts for reasons they don’t understand. Such uncertainty can erode user trust in companies, they added. A few company representatives at the session shared the difficulties they face in reporting such information, which include providing enough context so the public understands what the data means. This mix of participants provided meaningful dialogue on a concern where disclosure is sorely lacking.

Several projects in addition to RDR’s Index are pushing for greater respect for users’ rights. At RightsCon, researchers from the Center for Technology and Society at FGV-Rio de Janeiro discussed their draft findings on how the terms of service of 50 online platforms comply with the human rights of freedom of expression, privacy, and due process. In addition, OnlineCensorship.org released its first report, which found that users whose content is removed may not understand why and that users are either unaware or unsatisfied with appeal mechanisms.

While corporate transparency regarding terms of enforcement is nearly non-existent, reporting on government requests for user information has emerged as a standard practice. The Transparency Reporting Toolkit, a project by the Open Technology Institute and Berkman Center, also launched at RightsCon. It identified best practices and aims to develop a platform that companies can use to standardize their reports, enabling greater comparison and more in-depth analysis of the reports.

Throughout the conference, RDR connected with members of these projects as well as others from civil society, academia, companies, and the investor community. We organized a private session to discuss possible revisions to the Index methodology. Participants described how the Index has informed their work and provided feedback about how the indicators relate to the human rights concerns that users face when using such products and services. This feedback helps ensure that RDR’s Index remains a relevant measure to push for greater respect for users’ rights.

At a session on incorporating software and device companies in the Index, technologists and other experts brainstormed how to frame indicators on such topics as encryption and the privacy practices of apps in app stores. The conversation helped highlight the types of public disclosure RDR can evaluate for software and device companies.

While RDR plans to expand the types of companies its Index covers, one project alone can’t cover the full global universe of companies in this sector. RDR has encouraged other civil society and research organizations to use the methodology to conduct national or regional versions of the Index. To promote such projects, we teamed up with EFF on a session to share lessons learned about ranking companies in different parts of the world.

Participants discussed the importance of considering local culture when conducting such research efforts. For example, in regions where where companies are not used to engaging with civil society or academic researchers about digital rights issues, researchers can provide examples of other companies in other countries and regions that have changed in response to public pressure. This can underscore the positive intentions of such research.

The RDR team at RightsCon

The RDR team at RightsCon

RDR team members also participated in several other panels and workshops at the event. Rebecca MacKinnon spoke at sessions about cybersecurity and human rights and multi-stakeholder processes. Allon Bar spoke about global perspectives on privacy as well as universal principles for the internet. Priya Kumar discussed data breaches, terms of service and human rights, and freedom of assembly online. Ciprian Iancu presented on digital literacy and digital security training.

Priya’s comments on data breaches and privacy were quoted in a Consumer Reports blog post. Allon’s comments on internet openness were included in a UNESCO article. The Committee to Protect Journalists also highlighted RDR’s involvement with RightsCon in a blog post.

Overall, RightsCon was an exciting opportunity to connect with stakeholders, share our insights, and learn from others. We look forward to reconvening at RightsCon 2017 in Brussels!

RDR @ RightsCon 2016

Next week, the Ranking Digital Rights team heads to San Francisco for the fifth RightCon conference. Our team is planning and participating in several sessions, and we look forward to many dynamic, informative conversations with experts and advocates from around the world.

rights-con-logoEager to provide feedback on RDR’s potential expansion to include software, device, and networking equipment companies? Then our Day 1 session on Ranking Tech Companies Part 2: Software, Devices and Networking Equipment is the one for you. On Wednesday, March 30 from 4:00-5:00 pm, we’ll converse with privacy and freedom of expression experts, technical specialists, and other participants about how best to incorporate companies that make and sell software, devices, and networking equipment into the already existing RDR methodology.

Interested in corporate transparency? RDR has organized a Day 2 session in partnership with Article 19 focused on Opening the Black Box: Understanding How Companies Enforce Their Rules. Join us on Thursday, March 31 from 12:00-1:15 pm to discuss how companies can be more transparent about their enforcement practices and why governments should be transparent about extra-legal requests they make to companies to restrict content. Our research for the Corporate Accountability Index found that as of November 2015 none of the 16 companies we evaluated reported any data on content they restrict when enforcing terms of service.

Doing company-focused research of your own? Then come to our Day 3 session, “Ranking ICT Companies on Digital Rights: A ‘How To’ Guide” on Friday, April 1 from 9:00-10:15 am. Co-hosted by RDR and EFF, this session is designed for civil society groups who are at various stages of research projects that focus on ICT companies and digital rights. We will learn from each other’s experiences in carrying out company rankings and other company-focused research.

Our team is also participating in additional sessions at RightsCon — come check them out!

The full conference program is available here. Our team will be at RightsCon for the entire conference, so feel free to get in touch if you’d like to connect: info@rankingdigitalrights.org.

RDR @ the 2016 Internet Freedom Festival

Internet Freedom Festival. Come celebrate the free internet with us! 1-6 March 2016, Valencia, Spain

Ranking Digital Rights is organizing a full day of sessions on Saturday, March 5 as part of the Internet Freedom Festival held at Las Naves in Valencia, Spain. The full schedule is available here.

If you want to learn more about how NGOs are encouraging ICT companies to respect human rights, come to our first session, “Holding Companies to Account: Advocating for Corporate Respect for Human Rights” at 10am in the Auditorium. Allon Bar and Nathalie Maréchal will join Jillian York and Sarah Myers West of OnlineCensorship.org to compare the experiences of our two projects and discuss methods to push tech companies to better respect human rights. The session will be structured as a conversation between members of each project and then a Q&A with the community.

Interested in ranking technology companies in your country? If so, come  to Taller 2 (workshop 2) for “Ranking ICT companies on digital rights: A ‘how to’ guide” from 11am to 1pm on Saturday. Led by Nathalie and Allon, this interactive workshop will guide participants through the initial steps of launching a ranking similar to RDR’s Index, but on the national or local level. Interested participants are encouraged to RSVP to Nathalie (marechal [at] rankingdigitalrights [dot] org).

Do you have ideas to share? Come  to Taller 2 on Saturday from 3 to 5 pm for “Ranking tech companies part 2: software, devices and networking equipment.” We are hard at work revising the methodology for the next iteration of the Index, and we need your input! In this session we invite privacy and freedom of expression experts, technical specialists, and other participants to discuss how to best incorporate companies that make and sell software, devices, and networking equipment into RDR’s methodology

Ranking such companies brings challenges such as ensuring the indicators are comparable across diverse product ranges, comprehending dense company documents,, and dealing with the fact that these types of companies may have more limited public disclosure. At the same time, it is clear that people who use  of these products may suffer because of how products are configured and what operational decisions companies make. Devices and software may have access to location data or biometric information about their users, they may restrict certain types of web visits, encrypt device storage, etc. These features impact users’ rights to freedom of expression and privacy. That makes it especially important to devise an approach to benchmark software producers and device and network equipment manufacturers.

Some of the specific questions we’d like to brainstorm about include:

  • what specific products should be included?
  • what indicators of the 2015 Corporate Accountability Index can be used directly for these other types of companies?
  • what indicators should be adapted?
  • what indicators should be added?

This session is focused on ensuring that privacy and free expression issues of concern to attendees can be incorporated in the Index. Here again, we’d appreciate if interested attendees could RSVP to Nathalie (marechal [at] rankingdigitalrights [dot] org).

At least part of the team will be present for the entire Festival and we’d love to connect with you, so please reach out!