The 2015 Ranking Digital Rights Corporate Accountability Index evaluates 16 of the world’s most powerful Internet and telecommunications companies on their commitments and policies that affect users’ freedom of expression and privacy.
The companies ranked in this Index collectively affect the lives of billions of people across the world. People increasingly depend on Internet and telecommunications services for many facets of their daily lives, including civic, political, and religious activities. The services these companies offer connect and empower people in unprecedented ways, but they can also be misused to undermine freedom of expression and privacy.
Companies are losing public trust. According to a recent Gallup poll, only about two in 10 Americans said they “have a lot of trust in the companies they regularly do business with to keep their personal information secure.” In a 2014 poll of Internet users in 24 countries commissioned by the Center for International Governance Innovation, 74 percent of respondents said they are “concerned about company monitoring of online activity and the subsequent sale of personal data.” Loss of trust represents a material risk for companies’ business.
At the same time, society places a complex set of expectations and responsibilities upon these companies: we want them to be innovative, to make life easier and more enjoyable, and to help make our economic and business activities more efficient. We want them to operate in a way that supports public safety, child protection, and national security. In doing so, however, companies face demands from governments and others to facilitate censorship and surveillance.
Like all other businesses, the companies in this Index, and the broader technology sector they represent, share a responsibility to respect human rights. Freedom of expression and privacy are rights guaranteed in key international human rights frameworks, including the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights. The international community has affirmed that these rights should extend to the digital realm. By evaluating and comparing companies’ commitments, policies, and disclosures about practices that impact users’ freedom of expression and privacy, the Corporate Accountability Index seeks to:
Help companies understand what changes they should make to credibly demonstrate respect for human rights;
Provide individual users, investors, civil society advocates, and governments with information and criteria to make decisions about choices, strategies, and policy positions;
Identify what specific legal and political factors prevent or hinder companies from respecting users’ human rights.
This introductory section reviews how the business operations of Internet and telecommunications companies affect users’ freedom of expression and privacy rights. Building on internationally established standards for business and human rights, we explain the role that we expect companies to play in mitigating those risks. We also lay the basis for the indicators on which we have evaluated the companies. The section then concludes with a general description of the methodology used to evaluate a set of 16 companies.
Internet and telecommunications companies commonly take the following actions, thus affecting their users’ freedom of expression and privacy:
Remove, block, or otherwise restrict content that users publish or share;
Block or shut down communications of certain people;
Shut down or otherwise restrict service to groups of people within a specific area or region (e.g., city, country);
Share user information with third parties;
Collect and retain user information.
Companies can take such actions for different reasons:
Government requests: Around the world, government authorities and courts of law ask companies to take actions that affect users’ freedom of expression and privacy. There are many legal reasons for such requests. For example, governments may ask companies to help identify individual users as part of a criminal investigation, or to restrict online content that violates local laws. However, when authorities abuse the government’s power to make such requests, human rights violations can result: censorship of diverging opinions, blocking of communication channels, or the prosecution, persecution, and even killing of individuals who engage in speech and activities in accordance with their fundamental human rights.
Certainly, freedom of expression and privacy are only two of many rights that citizens and technology users hold dear. Integrating essential objectives of freedom of expression, privacy, accountability, and security is not an easy task for companies or governments. In accordance with international human rights norms, governments are expected to protect human rights, and companies are expected to respect those rights. In reality, however, companies in all countries where people use the Internet and mobile devices receive requests that arguably go beyond what can be considered “necessary and proportionate” to achieve other legitimate ends, and which therefore violate users’ fundamental human rights.
Intermediary liability – when the law holds companies responsible (liable) for users’ actions and speech – creates challenges for companies that are committed to respecting users’ rights. Companies that operate under strict or ambiguous liability laws are often held responsible, either explicitly or implicitly, for policing hate speech or preventing terrorist activity in circumstances where the law does not clearly or narrowly define such speech and activities.
The findings of this Index highlight how laws and regulations may prevent companies from maximizing their respect for users’ freedom of expression and privacy rights. However, we have also identified specific ways in which all companies are not as clear as they should be about how their compliance with laws and regulations can affect users’ freedom of expression and privacy.
Private requests: Private third parties – organizations or individuals not acting on behalf of a government entity – also ask companies to perform some or all of the actions listed above. Many private requests are made as part of processes sanctioned or stipulated by copyright and child protection laws. Other requests are made to companies through extralegal processes, including reporting mechanisms that companies create to receive requests and complaints about content or user behavior.
The Index identifies the extent to which the ranked companies inform users about the full range of private requests they receive, in addition to whether and how the companies respond to such requests. We identify specific ways that companies can improve their policies and practices to foster greater user trust and demonstrate that they are making maximum efforts to respect users’ freedom of expression and privacy rights in the face of external demands.
Companies’ own rules and processes: Companies can also take action that affects users’ freedom of expression and privacy for reasons unrelated to direct external requests. Through “terms of service,” companies create their own rules that govern what types of content or activities are forbidden on their platforms. They set up their own systems and processes to enforce these rules. Enforcement can include deleting content, restricting access to the service, or shutting down accounts. The way companies enforce their rules can diminish users’ freedom of expression.
Company rules can also include requirements for how a user’s identity is publicly displayed, and what identity-related information the user is required to submit, either upon sign-up or during the course of enforcing identity policies. Enforcement of such policies can negatively affect users’ freedom of expression and privacy.
Handling of user information: Companies collect, process, and retain user information for commercial purposes. They may also share this information with third parties for commercial or legal reasons. Once companies have collected that information, third parties can access it through commercial, legal or illicit channels. These include agreements between companies to share information, legal requests from governments, extralegal nation-state hacking, and even criminal attacks. By serving as a collection and storage point for user information, companies make themselves a target for compelled or covert data acquisition, making them responsible for keeping user data safe. Thus, due to the very nature of their businesses, ICT companies become guardians of essential human rights.
Ranking Digital Rights applies the following definition of “user information:”
“User information is any data which is connected to an identifiable person, or may be connected to such a person by combining datasets or utilizing data-mining techniques.”
Any data that documents a user’s characteristics and/or activities is therefore considered to be “user information.” This information may or may not be tied to a specific user account. It includes, but is not limited to, personal correspondence, user-generated content, account preferences and settings, log and access data, data about a user’s activities or preferences collected from third parties either through behavioral tracking or purchasing of data, and all forms of metadata. User Information is never considered anonymous except when included solely as a basis to generate aggregate measures (e.g. number of active monthly users). For further discussion of this definition and the project’s definition of “anonymous data,” please see Appendix 1 of the 2015 Research Indicators document.
Given the issues described above, Ranking Digital Rights expects companies to frame their commitments, policies, and practices around three core objectives:
Due diligence and governance: According to the U.N. Guiding Principles on Business and Human Rights, governments have the primary duty to protect human rights, but companies have a responsibility to respect human rights. Companies do not have direct control over the laws, regulations or other government actions of the countries where they operate. However, companies can carry out due diligence to anticipate potential human rights risks, and subsequently make informed business decisions on how to best prevent negative impacts on their stakeholders. In the context of Internet and telecommunications companies, this means that companies committed to respecting users’ rights should regularly assess how all aspects of their operations might potentially impact users’ freedom of expression and privacy. Companies also need to have clear processes and governance mechanisms in place to ensure that employees, managers, and executives at all levels are upholding and implementing the company’s commitments.
Transparency and disclosure: By disclosing as much information as possible about their policies and practices that affect users’ freedom of expression and privacy – including commercial data collection, enforcement of their terms of service, and compliance with government demands and legal requirements – companies can demonstrate a credible commitment to respect users’ rights. With sufficient information, people can better understand the risks they face and make informed decisions about how they use technology. People will also be in a better position to hold companies, governments, and other actors accountable for violations of their rights.
Grievance and Remedy: According to the U.N. Guiding Principles, companies should establish a means of identifying and addressing any human rights violations or concerns that occur in relation to the company’s business. Internet and telecommunications companies should demonstrate that they have clear mechanisms in place for people to file grievances and receive remedy. Similarly, users must also have a way of learning about these mechanisms. In order for people to use such mechanisms appropriately and effectively, companies need to provide users with sufficient information not only about how companies receive and handle government requests, but also how companies handle non-governmental requests, how they collect, use, and share user information, and what the company’s own rules and enforcement processes are. This is one of many reasons why the Index places such great emphasis on transparency and disclosure.