Privacy

This category examines whether companies’ commitments and disclosures demonstrate credible efforts to respect users’ right to privacy. Companies that performed well in this category showed a strong public commitment to transparency, not only in terms of how they respond to government demands, but also how they determine, communicate, and enforce terms of service and commercial practices that affect users’ privacy. Commitments to protect and defend users’ digital security are also an important component of this category.

Telecommunications companies: AT&T and Vodafone were the clear leaders among telecommunications companies, earning 52 and 49 percent, respectively, of the total possible points on disclosure of policies and practices that affect users’ privacy. (See the company reports in Section 5 of this report and on the project website for further discussion of the factors that contributed to both companies’ scores.) América Móvil, Orange, and Bharti Airtel came in a band of scores between 21-25 percent. Axiata, Etisalat, and MTN followed with scores in the mid-teens.

Internet companies: The top four, Google, Microsoft, Yahoo, and Twitter scored more than 50 percent of total possible points, with scores ranging between 51-57 percent. They were followed by Kakao at 42 percent and Facebook at 36 percent. Facebook’s score on privacy was affected by the same factors that influenced its Freedom of Expression category score: lack of strong policy and disclosure for Instagram and WhatsApp in contrast to the stronger performance of the Facebook service itself. Tencent and Mail.ru trailed distantly.

Disclosures to users about company handling of their information: As we previously noted in the Key Findings and Recommendations sections, our research found industry-wide incoherence in disclosures to users about how companies handle their information: what is collected, how it is collected, how long it is retained, and with whom it is shared.

Nearly all companies made some effort to help users understand their privacy policies, for example, by writing them in plain language or using section headers and bulleted lists to help users absorb the information. Despite this, companies failed to provide a clear picture of how they handle user information. As explained in the Key Findings section, this project takes an expansive interpretation of “user information,” defining it as “any data that is connected to an identifiable person, or may be connected to such a person by combining datasets or utilizing data-mining techniques.”

All companies provided at least some explanation about the information they collect from users (P3). Kakao was the only company that explicitly commits to data minimization: limiting collection of user information to what is directly relevant and necessary to accomplish the purpose of its service. While other companies may adhere to legal requirements for data minimization, their own disclosures to users do not clearly mention it.

All companies also disclosed some information about what they share with third parties (P4), though companies performed significantly worse in disclosures about sharing than collecting. In part, this stemmed from the use of varied terms related to user information, including “personal information,” “personal data,” “private personal information,” “sensitive personal information,” or “anonymous information.” Even when policies defined these terms, it remained unclear what types of user information these terms did or did not include. For example, if a company stated it does not share personal information with third parties, but its definition of “personal information” only included items such as name and email address, it remained unclear whether the company shared log data or location data with third parties.

Debates about what constitutes private, personal, sensitive, or anonymous information are far from settled, particularly given the continuous advancement of data analysis techniques that can combine information in unpredictable ways. Nevertheless, if companies more clearly explain how they handle the different types of information they collect, users can make more informed choices about whom to entrust with their data.

No company clearly explained whether users can control what the company itself collects and shares about users (P5). While six companies allow users to opt-out of the sharing of their information for either app integration or analytics purposes, users are left wondering whether this is the only say they have in how their data is shared. Furthermore, half of the companies did not explain whether users can access the information the company holds on them (P6), and seven companies did not provide detail on how long they hold user information (P7).

As noted previously, despite the European Union’s strong data protection laws, the two E.U.-based companies in the Index were not the top performers on indicators examining company disclosure about collection, retention, and sharing of user information. For example, on indicator P4, which asks whether companies disclose if and why they share user information with third parties, Orange and Vodafone disclosed less information than AT&T and several U.S.-based Internet companies. On indicator P7, which examines whether companies disclose to users how long they retain user information, Orange received no credit (along with AT&T), while Vodafone’s score was lower than several U.S.-based Internet companies.

While Europe-based companies may be communicating with regulators on such matters in order to ensure compliance with the law, they do not communicate so well with users – at least those who are not conversant in telecommunications and privacy law. In the Key Findings and Recommendations sections, we discussed the reasons why, from a human rights perspective, it is insufficient for companies to communicate with regulators but not communicate clearly with users about what happens to their information.

Internet companies were also evaluated on disclosure about whether and how they collect user information from other services and websites (P8). Such disclosure helps users understand how their online activities outside a company’s services, tracked through “cookies” and other web-tracking mechanisms, might affect their use of those services. Facebook, Inc. and Google scored very poorly on this indicator (in the single digits for each company), while Microsoft and Yahoo had somewhat more disclosure. Twitter was the clear leader on this indicator: It was the only company in the Index to support the “Do Not Track” standard that allows users to opt-out of certain types of web tracking. All other Internet companies had no disclosure whatsoever about whether they collect user information from third parties.

Legal obstacles to transparency about government requests: Three indicators in the Privacy category focus on ways that companies can be transparent about third-party requests for user information. Specifically, the indicators focus on company processes for responding to third-party requests for user information (P9), user notification about third-party requests for user information (P10), and data about third-party requests for user information (P11). All companies face varying legal barriers – primarily national security and secrecy laws – that make perfect scores on these three indicators difficult in some cases.

On indicator P9, which examines companies’ disclosure of processes to respond to government or other third-party requests for user information, the highest-scoring companies in the Index are headquartered in countries where the law is not an obstacle to disclosing basic information about such processes. However, in other countries, the law may be interpreted as potentially preventing disclosure about at least some types of processes (see the company report in Section 5 or on the project website for the French company Orange, which received a zero score on Indicator P9). In yet other countries, such as South Africa, the law forbids disclosure of the fact that the government has made any request for user information. If MTN, the South African company in this Index, published its process for handling South African government requests, it would acknowledge the existence of such requests, and thus potentially violate the law. In China, where Tencent is headquartered, a company could be found in violation of national security and state secrets laws for disclosing how it receives and responds to requests.

The laws of many countries restrict the circumstances under which companies can notify users about government requests for user information. No telecommunications company from any country received any score on indicator P10, which asks whether the company notifies users about any type of third-party request for user information. However, most services of all U.S.-based Internet companies received credit for committing to notify users when government entities (including courts or other judicial bodies) request their user data. Many also received credit for disclosing situations when the company might not notify users, including a description of the types of government requests they are prohibited by law from disclosing to users.

On Indicator P11, which examines whether the company publishes data about government and other third-party requests for user information, the U.S.-based companies (except Facebook) and Kakao of Korea scored substantially higher than the only two other companies that received any score for this indicator, Orange and Vodafone (both with 35 percent). The U.S.-based companies report on the number of requests received, while the two European telecommunications companies provide more general information. Vodafone cites the law as a barrier to publishing further detail. (See company report in Section 5 for more details.) As for companies that scored no points for this indicator, some, like MTN in South Africa, face clear legal prohibitions against reporting on government requests for user information. However, for América Móvil in Mexico, the law does not impose the same limitations.

The individual company reports contain more details about the specific legal contexts in which each company operates.

Laws in many countries prevent companies from disclosing information about at least some types of government requests, and thus cause the companies’ Index scores to be lower. In fact, some stakeholders even in very open societies argue that, for security and law enforcement reasons, it is not desirable for companies to be fully transparent about all types of government requests. Nonetheless, we believe that our strict approach to scoring of these indicators offers a framework for necessary debate among stakeholders about what prohibitions on disclosure are truly necessary in societies committed to integrating security-related concerns and practices with international human rights standards.

In some countries, laws barring disclosure of requests to companies for user information also cover some categories of court orders. In many countries, the laws are not clear about what types of processes and requests a company can in fact legally disclose. Companies everywhere indicate that they must err on the side of caution in order to protect their employees from prosecution.

Our results on these indicators highlight the need for legal reforms that clarify what companies can and cannot disclose before, during, and after the fact. Prohibitions around disclosure should be limited to very narrow circumstances. Furthermore, there are no compelling reasons why companies should not be allowed – by governments claiming to be committed to public accountability – to inform users at very least about the types of requests they are prohibited from disclosing.

Lack of transparency about private requests: Indicators P9, P10, and P11 (discussed above) all contained elements that examined disclosures about private requests, in addition to government requests whose disclosure can be legally problematic in some places and contexts. While laws of confidence may bar companies from disclosing information about specific requests, no companies face direct legal prohibitions against general descriptions of their processes for responding to requests for user information made by private parties, although some are deterred by legal ambiguity or weak rule of law. In some jurisdictions, the lines between public and private are blurry. In China, for example, government officials are known to make demands via private channels such as mobile phone text messages to company employees who understand that there will be consequences if they refuse. In such jurisdictions, it may be unrealistic to expect corporate transparency about most types of third-party requests without placing individual employees at risk until legal mechanisms to prevent abuse of government power are strengthened.

In many other jurisdictions where due process and rule of law are clearer – in other words, in countries where it is possible for companies to challenge government authorities in court, and for individuals to challenge companies as well as governments – the legal experts we consulted could identify no reason why companies cannot or should not disclose their policies and practices for handling private requests, as well as data about the numbers of private requests they receive.

In the U.S., while the law restricts companies from providing the content of users’ communications to third parties, it does not prevent the sharing of some other types of user information with non-governmental third parties. At least a few such requests have apparently occurred: there are documented cases of intellectual property owners and defamation claimants trying to address concerns about infringement who have requested the information about domain name registrants that use privacy and proxy services to keep their personal data out of ICANN’s WHOIS database. Therefore it is reasonable to expect a company to clarify and disclose whether it accepts or responds to private requests for certain types of information pertaining to users. U.S. companies that disclose such information include Tumblr (owned by Yahoo).

Our methodology thus takes the position that companies who have a policy not to accept private requests made without any legal authority have an obligation to clearly inform users of their commitments, policies, and practices surrounding such types of requests, as they pertain to different types of user information.

For this reason, companies that make no public disclosures about private requests for user information – whether or not they actually receive or comply with such requests – lost points in our three indicators focused on third-party requests. Some of these companies made assurances in conversations with our researchers that they indeed have policies not to accept or comply with private requests for user information. If these companies clearly disclose such commitments and policies to users in future, their scores can easily increase on several relevant indicators in future iterations of the Index.

For Indicator P9, only one service of one company, Tumblr (acquired by Yahoo in 2013), provided disclosure that clearly states that it does not entertain requests without a valid subpoena, search warrant, or other government order. All other companies were too vague in their disclosure to receive credit on elements examining private requests not only in P9 but also P10 and P11.

Security standards: Indicator P12 examines several security-related aspects of companies’ disclosure, including whether they conduct security audits, keep up with latest encryption standards and have systems in place to limit employees’ access to user information. The indicator applied six different elements for Internet companies and four elements for telecommunications companies. (See the indicator page on the project website for full details.) Two telecommunications companies earned full scores: AT&T and Vodafone. Orange came in third, Kakao fourth and Google fifth. Other companies that earned at least 50 percent of total possible points on this indicator were Yahoo, Microsoft, Bharti Airtel and Twitter. Several more companies earned between 10-40 percent: Facebook, Mail.ru, América Móvil, Axiata, and MTN. Etisalat and Tencent received zero points.

Security education: Indicator P14 examines whether a company publishes information to help users defend against cyber threats. A number of companies received full scores: América Móvil, AT&T, Bharti Airtel, Google, Orange, and Vodafone. It is clear to our researchers and consulted legal experts that there is no reason why all companies should not be able to earn full scores on this indicator.

Encryption of users’ content: Indicator P13 applied only to Internet companies. Companies could only receive full credit if private user content is encrypted end-to-end by default – in other words, the company itself has no access to the content itself, or to the encryption keys needed to decrypt it. This indicator obviously does not apply to social media features through which users intentionally share content with large groups, or publicly. It does apply to services such as email, chat, and other private messaging offered by Internet companies, sometimes even in conjunction with public-facing social media platforms. No company in this year’s Index received a full score on this indicator, and only one company (Kakao for its messaging service KakaoTalk) received partial credit for its optional encryption feature.

Even in countries where the Internet is considered relatively free, as of November 2015, legislation is being proposed to outlaw such encryption. For example, British Prime Minister David Cameron has been calling for a ban on encryption that is impenetrable to anyone but the end user, as has U.S. Federal Bureau of Investigation director James Comey. The overwhelming consensus among computer security experts is that encryption that contains a so-called “backdoor” is no encryption at all. Laws that prohibit encryption will make companies less competitive on this indicator, not to mention they will make the Internet less safe and less free. While some politicians’ public statements have portrayed encryption as something that primarily enables criminal activity, this indicator is included in the Index because we support the view that encryption is the Internet user’s strongest defense against malicious hacking, identity theft, financial fraud, theft of intellectual property, and other serious crimes. Encryption is also necessary to protect the freedom of expression and physical safety of journalists, human rights defenders, political activists, and ordinary users from growing mass surveillance, including from countries that routinely imprison their citizens because of what they say online.