New, global accountability mechanisms needed for a free and open internet

As governments around the world adopt internet regulations that clash with international human rights norms, new and more innovative mechanisms are needed to hold tech companies accountable to these standards, according to a new paper by Ranking Digital Rights (RDR) team members published by the Centre for International Governance Innovation (CIGI).

In the paper, “Corporate Accountability for a Free and Open Internet,” authors Rebecca MacKinnon, Nathalie Marechal, and Priya Kumar make the case for how global human rights benchmarking and evaluation projects like RDR’s Corporate Accountability Index help fill “governance gaps” caused by the failure of traditional governance institutions to hold governments and companies accountable for protecting and respecting the rights of internet users around the world.     

“Private Internet intermediaries increasingly find themselves at odds with governments, with serious implications for human rights,” according to the authors. “Even where law does not compel companies to violate users’ rights, companies generally lack sufficient market and regulatory incentives to protect the human rights of all of their users.”

The authors therefore call for new cross-border accountability initiatives outside existing governance institutions that will strengthen and enforce corporate accountability in upholding international freedom of expression and privacy standards: “If international legal and treaty frameworks cannot adequately protect human rights, then other types of governance and accountability mechanisms are urgently needed to provide incentives to owners and operators of Internet platforms and services to respect human rights,” according to the authors.  

Ranking Digital Rights is one of several efforts that might serve as building blocks for such mechanisms and institutions, according to the authors. The inaugural Index, published in November 2015, ranked Internet and telecommunications companies on 31 indicators evaluating disclosed commitments, policies and practices affecting Internet users’ freedom of expression and right to privacy. These types of rankings, when combined with transparency and disclosure frameworks, can help foster greater accountability as well as respect for international human rights standards.

Why companies fail on privacy policies

Why are privacy policies so difficult to understand? Because they are vague and unclear–which prevents users from understanding what companies do with their information, according to new research by former Ranking Digital Rights (RDR) research analyst Priya Kumar.

In November 2016, Kumar presented a paper using data from RDR’s 2015 Corporate Accountability Index, in which she analyzed the privacy policies of 16 of the world’s largest tech companies evaluated in that year’s Index. Her research shows that these companies typically fail to convey to users what happens to their information–from the point it is collected to when it is (possibly) deleted. Kumar finds that along with vague or unclear language, the lack of uniform definitions for what companies consider “personal information” make it difficult for users to get a complete and accurate picture of how companies handle their information.

The analysis also shows that companies are more transparent about the information they collect compared to what information they share, and that companies are least transparent about what user information they retain–even after a user deletes their account or service. “People would expect a company to keep information they actively submit to the service (e.g., posts, messages, photos, videos, etc.), until they delete it themselves,” according to Kumar. “But companies collect several other types of user information, and they typically fail to disclose how long they retain those types of information.”

The paper was presented as part of the Privacy and Language Technologies track of the Association for the Advancement of Artificial Intelligence’s (AAAI) Fall Symposium Series held in Virginia. Click the link for a PDF of the paper: Privacy Policies and Their Lack of Clear Disclosure Regarding the Life Cycle of User Information

RDR en español

RDR en españolWe are pleased to announce the Spanish-language release of the executive summary of the 2015 Corporate Accountability Index, the Research Indicators, and America Móvil company profile. Funded by Internews and translated by Global Voices Fair Trade Translation, these documents are a crucial step in making our research approach and findings available to global audiences, notably Latin American civil society organizations and ICT companies that operate in the region.

Indeed, privacy and freedom of expression are under threat in Latin America as governments across the region deploy increasingly sophisticated ways to control the flow of information online. In Spain as well, the “Gag Law” (Ley Mordaza) presents a threat to privacy and freedom of expression. Fortunately, a growing number of civil society organizations are dedicated to advocating for digital rights, and we hope they will find these translated documents useful in their work.

RDR’s Allon Bar and Nathalie Maréchal are at the Internet Freedom Festival this week in Valencia, Spain, and would be delighted to meet with colleagues from the Spanish-speaking world and beyond.

Resumen executivo Indice de Responsabilidad Corporativa 2015
Indicadores de Investigacion 2015
Perfíl America Movil
RDR @ IFF blog post

Updated March 24: The Spanish translation of the full Index is now online!

Improving Corporate Transparency Reporting

Technology companies face mounting pressure to address certain types of content on their platforms. And while some content can be problematic and deserves to be addressed, Ranking Digital Rights emphasizes the need for companies to develop accountable, fair, and consistent practices when doing so.

To that end, RDR’s 2015 Corporate Accountability Index includes several indicators on companies’ transparency reporting practices with regard to free expression and privacy. These indicators examine the extent to which companies explain their processes to evaluate third-party requests for content restriction or for access to user data, report data about the volume and nature of those requests, and enforce of their terms of service.

RDR-Transparency-Findings-Title-Image

RDR has written a white paper, “Ranking Digital Rights Findings on Transparency Reporting and Companies’ Terms of Service Enforcement” to summarize the Index findings on these indicators and provide recommendations on how companies can improve their disclosure and reporting, particularly related to content restriction. These recommendations include:

  • Companies should specify what services or platforms their transparency reporting covers.
  • Companies should expand their transparency reporting to include requests from private parties as well as those from governments.
  • Companies should provide enough granularity in their reporting to give the public a clear picture of the scope and implications of company actions.
  • Through terms of service and other community standards-type documents, companies already disclose information about the circumstances in which they restrict content; they should take the next step and report data about the volume of actions they take to enforce these rules with respect to different types of content.

Since the Index data was finalized, companies have taken steps in the right direction. Last October, Microsoft released its first content removals requests report. This report, which was released after the 2015 Index data was finalized, includes data on government requests, copyright infringement requests related to Bing search results, and requests received under the European Court of Justice’s “right to be forgotten” ruling. Shortly after the Index was released in November, Facebook updated its transparency report to specify that it covers requests related to Facebook, Messenger, WhatsApp, and Instagram.

In February, Twitter became the first company ranked in the Index to disclose some information on the actions it takes to enforce its Terms of Service. It disclosed that it has suspended more than 125,000 accounts “for threatening or promoting terrorist acts,” which violates the Twitter Rules. Twitter’s content removals transparency report covering the second half of 2015 also disclosed the number of times the company received legal requests to restrict content and did so because the content violated Twitter’s terms of service. (Twitter’s reporting does not include content removal requests the company’s customer support team received through online forms.)

These company actions demonstrate that there is momentum toward disclosing more information related to content restriction. We hope RDR’s findings and recommendations can help those who advocate for greater transparency reporting from companies.

RDR’s Comments to the UN on the ICT Sector’s Role in Free Expression Online

RDR recently submitted comments to a project looking at the role of companies in promoting freedom of expression led by the U.N. Special Rapporteur on Freedom of Opinion and Expression.

The Special Rapporteur’s study aims to identify the main actors in the information and communications technology (ICT) sector that affect freedom of expression, the legal issues at play, and the frameworks for corporate responsibility that exist in this space. RDR’s submission highlights that while companies face many legal and regulatory obstacles to fully disclosing information about their impact on freedom of expression, even companies that operate in restrictive environments can take steps to improve their respect for freedom of expression.

Broadly speaking, three types of company actions can directly restrict or otherwise affect freedom of expression:

  • Actions resulting from requests made by governments, or other government requirements;
  • Actions resulting from requests made by private parties for legal, commercial, or other reasons, or other private-party requirements;
  • Actions taken by companies on their own initiative when setting and enforcing private terms of service, making design and engineering choices, or carrying out commercial and business decisions.

In many countries, law, policy, or regulation can limit companies’ ability to disclose information about these types of actions. For example, “transparency reporting,” or the disclosure of data related to the volume and nature of requests, is becoming a standard practice. Six of the 16 companies ranked in RDR’s Corporate Accountability Index published some type of transparency report related to freedom of expression concerns (A seventh company released its inaugural report of this type shortly after RDR finalized the Index data).

This reporting varies in clarity and granularity, but in some countries, companies are legally barred from disclosure. For example, Chinese laws on state secrets and national security prohibit disclosure of information on government requests to restrict content, and Indian law prevents companies from disclosing information about specific requests (though this does not preclude reporting of aggregate data).

In other cases, ambiguity in the law leaves companies unsure of what they can and cannot publish. For example, the Malaysian Official Secrets Act 1972 may prevent companies from disclosing some information about government requests, although according to local legal experts consulted during RDR’s Index research, it would be unrealistic to conclude that this law affects every restriction request that companies receive.

RDR’s Index and its prior work on the role of Internet intermediaries demonstrates that while legal and policy environments significantly influence ICT companies, such companies can nevertheless take steps toward respecting freedom of expression, regardless of where they operate.

Companies should clearly commit to respect human rights, including freedom of expression. They should consider their effect on freedom of expression as part of their corporate governance mechanisms and conduct due diligence to understand how their business decisions affect freedom of expression. RDR’s Corporate Accountability Index found that while a number of companies take such steps with regard to privacy, similar oversight of freedom of expression is lacking. For example:

  • Oversight: Researchers examining the Korean company Kakao—which performed competitively in the Index overall—found clear disclosures of executive and management oversight on privacy issues, but they did not find similar evidence of oversight on freedom of expression.
  • Employee training: Of the companies that disclose information about employee training on freedom of expression and/or privacy, Kakao’s public materials only mention privacy-related training. At AT&T (USA) and Vodafone (UK), training programs focused on privacy issues appeared to be more common than trainings covering freedom of expression.
  • Whistleblower programs: Twitter (USA), Bharti Airtel (India) and América Móvil (Mexico) maintain employee whistleblower programs that clearly cover privacy issues, but there is no evidence that these companies’ programs also cover freedom of expression.
  • Due diligence: Impact assessment and related human rights due diligence processes carried out by Vodafone appeared to be more thorough for privacy than for freedom of expression.

RDR’s full comments are available here.

The Special Rapporteur’s study will be presented to the U.N. Human Rights Council in June. The report as well as submissions from stakeholders will be publicly available on the website of the U.N.’s Office of the High Commissioner for Human Rights.