Findings

There are no “winners.” Even companies in the lead are falling short. Across the board, companies need to improve their commitments to, and disclosures of, policies and practices that affect users’ freedom of expression and privacy. The quality of companies’ disclosed policies and practices often fell short of stated commitments. There is much room for improvement even among companies that have made considerable – even laudable – efforts in certain areas.

No company in the Index provides users with sufficiently clear, comprehensive, and accessible information about the practices they have in place that affect freedom of expression and privacy. These include the handling of user information, terms of service enforcement, government requests and private requests.

Nine companies can be considered to have made meaningful efforts to respect users’ rights. However, companies’ efforts and disclosures were uneven and inadequate in many of their specifics. The top scoring company (Google) received 65 percent of the total possible score. Five other companies (Yahoo, Microsoft, Vodafone, Twitter, and AT&T) scored at least 50 percent. Three more (Kakao Corp, Facebook Inc., Orange) scored between 30-49 percent.

Seven companies – nearly half – suffer from a serious deficit in respect for users’ freedom of expression and privacy. América Móvil, MTN, Bharti Airtel, Tencent, Axiata, Etisalat, and Mail.ru scored between 13-22 percent. While some of these companies face substantial legal and regulatory obstacles to making commitments and disclosures related to freedom of expression and privacy in the jurisdictions where they are headquartered or operate, our research identified many indicators on which all companies in the bottom half of the Index can improve even if their legal and regulatory environments do not change.

Despite Europe’s strong data protection laws, the two E.U.-based telecommunications companies were not Index leaders on disclosure of policies and practices related to the handling of user information. Both Vodafone and Orange suffer from significant gaps in their public disclosures about the collection, retention, and sharing of user information. Surveillance and national security laws in those companies’ home countries are a substantial impediment to greater transparency about the volume and nature of government requests received to share user information. Nonetheless, our research identifies many areas in which these companies can improve, even without necessary legal reforms.

Some Internet companies fail to effectively communicate key commitments, policies, and practices that are relevant to their users. The best-performing Internet companies provided easily accessible and well-organized privacy policies and terms of service, and they regularly published “transparency reports” that disclosed the frequency and nature of government and private requests. Some of the companies, despite making meaningful efforts to respect users’ rights, shared information about broader commitments, along with evidence for how those commitments are being implemented, through scattered tweets or blog posts, rather than offering a centralized overview of such information. By contrast, the telecommunications companies that performed best in the Index have clearly organized policy pages and documents on their own websites that are easy to locate and that articulate the company’s commitments and policies. Yet those companies suffer from significant gaps in disclosure.

In sum, users are left in the dark about many company practices that affect freedom of expression and privacy. Even for a very committed and concerned user who is willing to search news databases, pore over terms of service, and parse through privacy policies, it is impossible to formulate a clear picture about how the ranked companies’ practices may affect the user’s freedom of expression and privacy. Even our team of researchers, working full time for several months, struggled to draw definitive conclusions after evaluating many companies’ practices and policies – often times, because the relevant disclosures were disorganized, unclear, and sometimes even contradictory. In other cases, there were simply too many gaps in disclosure – or no disclosure at all – for entire categories of policy and practice.

More specifically, the Index results point to some bad news as well as some good news when it comes to companies’ respect for users’ freedom of expression and privacy.

The bad news

All companies except Orange and Mail.ru’s email and chat services make their privacy policies publicly available to people who have not signed up or subscribed. Nearly all companies take some steps to present these policies in a manner that is easy for users to understand. However, even policies that are visually appealing and written in everyday language lack specificity, particularly related to what user information companies share and what control users have over their data. This is significant because it makes it more difficult for individuals to make decisions about information that is essentially private, and the sharing of such information risks enabling third parties to learn about their activities, interests, and connections.

As noted in the “good news” section below, companies are expanding disclosure and “transparency reporting” about government requests. Unfortunately, most companies’ disclosure does not include information about private third-party requests, even when those requests come with a court order or subpoena, or are made in accordance with established legal processes such as a copyright “notice and takedown” system. Even fewer companies disclose any information about whether – let alone the extent to which – they receive or respond to private or informal requests, which are requests to restrict content or share user information that are made outside of any official or legal process. While some companies told our researchers in private communications that they have no such disclosures because they have policies of never entertaining such requests, such requests do exist, and companies have failed to communicate relevant policies to users.

The lack of communication with users makes sense for a company that considers regulators, not users, to be its primary audience. It also makes sense if one expects users to be highly conversant in their home countries’ telecommunications and Internet related laws and regulations. However, it is our position that companies that seek to demonstrate respect for users’ rights should consider users as their primary – not secondary – audience in public communications about commitments, policies, and practices. It is reasonable to expect companies to provide basic disclosure about how they manage users’ private information, as well as access to information and communications flows, in the course of complying with laws.

The good news