This section lists key actions that companies, governments, and other stakeholders can take in order to maximize Internet and telecommunications companies’ respect for users’ freedom of expression and privacy.
Below are recommendations that apply to many companies in the Index.
Recommendations for specific companies can be found in the individual company reports.
Communicate with users in a clear, accessible, and organized way. Don’t expect users to scour news archives, the blogosphere, and the Twittersphere in order to learn about the company’s commitments and practices. Companies that are serious about demonstrating respect for users’ rights – to their actual users and not just media elites or other specialized experts – should strive for well-organized disclosures in places that users can reasonably find.
Disclose and communicate what ordinary people – who aren’t telecom lawyers or specialists in Internet regulation – need to know. Companies should disclose and explain laws and regulations that affect users’ freedom of expression and privacy. Companies should also disclose and explain how they comply with those laws and what that compliance means for users.
Conduct regular assessments to determine the impact of the company’s products, services, and business operations on users’ freedom of expression and privacy. Several companies in the Index conduct different types of human rights impact assessments, a systematic approach to due diligence that enables companies to identify risks to users’ freedom of expression and privacy as well as opportunities for companies to enhance users’ enjoyment of those rights. While it would be counterproductive for companies to publish all details of their processes and findings, several companies in the Index have demonstrated that it is indeed possible to disclose information about a) the fact that the company conducts assessments and b) basic information about the scope, frequency, and use of these assessments.
For such disclosures to be credible, assessments should be conducted by an external third party which is accredited to a relevant and reputable human rights standard by an independent body whose own governance structure demonstrates strong commitment and accountability to human rights principles. As of 2015, only the Global Network Initiative meets the requirements for such an accrediting organization. For more details and resources related to human rights impact assessments and related assurance processes and bodies, please see Appendix 1 of the 2015 Research Indicators document or the relevant resource pages on the project website.
Disclose evidence that the company has institutionalized its commitments. Even in cases where the research team happened to be personally familiar with the work of certain executives in particular companies, our methodology stipulated that companies could only receive credit if they provided publicly disclosed evidence that they have institutionalized their commitments with strong accountability and oversight mechanisms. While it is certainly important for a company to have leaders with strong personal commitments to users’ rights, it is even more important that such commitments are clearly institutionalized. This bolsters external confidence that commitments may be honored and implemented even if those people leave the company.
Improve transparency and accountability about all types of third-party requests to restrict content or share user information. To the maximum extent possible under the law, companies should publish comprehensive information related to the following types of third-party requests:
Process for responding to third-party requests to restrict content, access, or service (F6);
Data about government requests to restrict content, access, or service (F7);
Data about private requests for content restriction (F8);
Process for responding to third-party requests for user information (P9);
Data about third-party requests for user information (P11).
See the individual indicator pages on the project website for full text of the indicators and their underlying elements.
If a company does not receive or entertain a particular type of request, the company should also clearly disclose that information.
Communicate clearly with users about what happens to their information. If somebody were to create a dossier or “file” on the user based on what information the company holds at a given point in time, what would it look like? Companies should explain to users the lifecycle of information they collect. A user should understand:
What specific information the company collects (P3);
When or how the company collects that information (e.g., when the user registers for the service, when the user sends an SMS) (P3);
Whether users have an option not to provide that information (P5);
Specifically, what information the company shares and with whom (P4);
Why the company shares that information (P4);
Whether – and the extent to which – users can control the sharing of that information (P5);
How long the company retains that information (P7);
Whether the user can access that information (P6); and
Whether and how the company destroys that information when users delete their accounts or cancel their service (P7).
See the individual indicator pages on the project website for full text of the indicators and their underlying elements.
Many privacy policies discuss some of these practices, but often, the disclosure is too general to be meaningful. For example, a statement that a company stores personal information for as long as required by law or for as long as the company needs it provides no detail to users about the amount of time their information would reside in company servers. It also does not clarify whether the company stores different pieces of user information for different amounts of time. Framing company disclosure around how these practices apply to specific types of user information will give users a clearer and more comprehensive picture of how companies use their information.
Improve terms of service and privacy policies. Indicators F1 and P1 examined whether terms of service and privacy policies are freely available and easy to understand. Companies that received full credit on these indicators did both and also provided their policies in languages commonly spoken by their users. In addition, companies should make sure they provide meaningful notice and documentation to users about changes to these policies.
Disclose meaningful amounts of information about the volume and nature of content and/or accounts restricted when enforcing terms of service. The absence of any disclosures about restriction of content and accounts when enforcing companies’ terms of service undermines company commitments to respect users’ freedom of expression. While there are no clear answers regarding the optimal form of – and approach to – such disclosures, companies should engage with stakeholders to determine what types of disclosures related to terms of service enforcement would bolster trust and accountability.
Establish effective grievance and remedy mechanisms. Grievance mechanisms and remedy processes should be more prominently available to users. Companies should more clearly indicate that they accept concerns related to potential or actual violations of freedom of expression and privacy as part of these processes. Beyond this, disclosure pertaining to how complaints are processed, along with reporting on complaints and outcomes, would add considerable support to stakeholder perception that the mechanisms follow strong procedural principles and that the company takes its grievance and remedy mechanisms seriously.
Communicate basic information about security practices and educate users about security threats. Experts we consulted agree that it is reasonable to expect companies to implement and disclose the measures described in indicators P12 (“Security standards”) and P14 (“Inform and educate users about potential threats”). Companies that are serious about maximizing users’ security should offer full encryption of user content, as described in indicator P13 (“Encryption of users’ private content”), for all relevant services in all possible legal contexts.
Implement end-to-end encryption to the greatest extent possible. Such capabilities would go a long way to reassure users that their private communications are indeed safe from data breaches, interception, and sharing with third parties, and that they will only be accessed by the desired recipients, now and in the future. At a minimum, companies should allow users to encrypt their own data.
Advocate for legal and regulatory changes that will support the company’s ability to respect users’ freedom of expression and privacy. Our research has identified a number of ways in which the laws and regulations of particular countries prevent specific companies from performing as well as they otherwise might on certain indicators. We hope that our research findings can help companies work together with civil society advocates and responsible investors to make a convincing case for legal and regulatory reform that will maximize users’ enjoyment of their freedom of expression and privacy.
While companies have a responsibility to respect human rights, governments have a primary duty to protect human rights. Other projects such as Freedom House’s Freedom on the Net report provide more specific measures of the extent to which governments are living up to their duty to protect Internet users’ rights. This Index data underscores the fact that governments create legal and regulatory environments that maximize companies’ ability to respect users’ rights. The following steps by governments would help companies in this Index to improve their performance:
Legislative bodies and regulatory agencies should carry out their own impact assessments to ensure that laws and regulations governing Internet and telecommunications companies do not infringe on Internet users’ freedom of expression and privacy as defined by the Universal Declaration of Human Rights and international human rights instruments such as the International Covenant on Civil and Political Rights.
Legal liability imposed on companies for their users’ activities should be limited and consistent with the Manila Principles on Intermediary Liability, a framework of baseline practices and standards to ensure that regulation of ICT sector companies does not result in the violation of users’ rights to freedom of expression and privacy.
Surveillance-related laws and practices should be reformed to comply with the thirteen “Necessary and Proportionate” principles, a framework for assessing whether current or proposed surveillance laws and practices are compatible with international human rights norms.
Governments should publish their own transparency reports that disclose the volume, nature, and legal basis for requests made to companies.
Laws and regulations should allow companies to be transparent and accountable with users about how they receive and handle government requests.
Governments should develop effective data protection regimes and privacy regulations in consultation with industry and civil society, with impact assessments to ensure that the laws enacted can avoid unintended consequences for freedom of expression.
In consultation with industry and civil society, legislatures should develop laws that require companies to implement effective mechanisms for grievance and redress when users believe that their freedom of expression and privacy rights have been violated while using companies’ services.
The data in this Index has many uses for individuals, consumer advocates, human rights activists, responsible investors, and researchers. In the months after launch, we will work with advocates, investors, and researchers to help them develop specific strategies for using the Index data. This work will be continuously documented on the project website. In the meantime, we have the following general suggestions:
Encourage companies to improve everything over which they have meaningful control. The Index data includes many examples of good policy and practice and points to concrete ways in which practices could be improved.
Use RDR’s data as a starting point for more questions. These should be questions posed not only to and about the 16 companies included in the Index, but any other Internet or telecommunications company. Researchers may also use the indicators as the basis for sector- or topic-specific comparative studies.
Work with allies within companies and governments wherever possible to change laws and regulations that prevent companies from respecting users’ rights.
Demand transparency and accountability of both companies and government actors regarding requests and expectations – legal and extralegal – being placed on companies. At present, no government provides meaningful transparency on requests made to companies. Citizens should push any government that is a signatory of the Open Government Partnership and/or the Freedom Online Coalition, but does not release transparency reports about requests from authorities to companies for assistance with censorship and surveillance, to act in a manner more consistent with its commitments.