Chinese internet companies show room for improvement
Chinese internet companies operate in one of the world's most restrictive environments. The 2016 Freedom on the Net report by Freedom House rated China's internet environment as "Not Free," with China receiving the lowest score of all countries reviewed.
The 2017 Corporate Accountability Index evaluated two Chinese companies: Baidu and Tencent. The poor performance by both companies in the 2017 Index highlights legal and regulatory obstacles that make it difficult for companies to respect freedom of expression and privacy. Chinese companies indeed will not be globally competitive on respect for users' rights until China undertakes substantial legal and regulatory reforms.
Yet there were notable differences in their disclosed policies, particularly in relation to policies affecting users' privacy and security. These variations in performance indicate that Chinese internet companies can disclose more about policies affecting users' privacy. Chinese companies have room not only to improve, but even to compete, on the degree to which they safeguard user information and handle it responsibly.
Two key trends emerge from these results:
- Tencent disclosed much more information than Baidu about its policies affecting users' rights.
- Both companies disclosed more about privacy-related policies than those affecting users' freedom of expression.
These trends highlight areas in which Chinese companies can and should be held responsible for their policies and disclosures, and provide a roadmap for improvement for these specific companies and the Chinese internet sector more broadly.
Legal and regulatory challenges
All digital products and services operating across and within Chinese borders are subject to Chinese law. Chinese law stipulates nine categories of forbidden content, including speech that "harms the dignity or interests of the State," "disseminates rumors, disturbs social order or disrupts social stability," or "sabotages State religious policy."
Chinese companies are held liable if forbidden content is published on or transmitted through their services. Services that do not make a concerted effort to police such content are blocked from being accessed through mainland Chinese internet service providers. For this reason, most major U.S.-based multinational internet companies, including Google, Facebook, and Twitter, are not accessible to users of fixed-line and mobile networks operating in China.
An even more restrictive cybersecurity law, passed in late 2016 and set to take effect in mid-2017, requires companies to assist public security in "protecting national security and investigating crimes" and authorizes the creation of "systems for cybersecurity monitoring, early warning, and notification" which companies would be required to help implement. This could mean that companies will be obligated to comply with government requests for user information and other surveillance demands, and allow authorities direct access to user communications and stored data.
Chinese officials and state think tanks have on multiple occasions equated the advocacy of online freedom of expression with foreign interference in China's media ecosystem, creating a strong disincentive for Chinese companies to make explicit commitments to respect users' freedom of expression. State secrets laws make it unrealistic to expect companies to disclose information about government requests to remove content or share user information, causing Chinese companies to perform poorly on Index indicators that reward maximum transparency about government requests.
Areas of control and responsibility
In the Governance and Freedom of Expression categories, China's legal and political environment does not prevent companies from making commitments and enacting policies to defend users' rights from attack by private parties. (In other words, entities that are not acting on behalf of the Chinese state: private individuals, other companies, or other non-state actors.)
Providing evidence that such commitments and policies in relation to private parties are being implemented across the company's operations through due diligence, stakeholder engagement and grievance mechanisms should be possible in the Chinese national context. Only Tencent makes a partial commitment to protect users' privacy, though it shows no evidence that it is holding its employees and managers accountable to that commitment. Tencent also provides some channels for users to file complaints and grievances, while Baidu offers nothing. Tencent's slightly stronger performance on freedom of expression was earned because Tencent's QQ and WeChat services do disclose some limited information about how they handle private requests, meaning requests made by people or entities not connected to the Chinese government.
While state secrets laws make it unrealistic to expect Chinese companies to reveal information related to government requests, there is no legal obstacle to disclosing a range of information about how the company handles user information, as well as the security measures it takes to protect user information.
Tencent's 13-point score differential over Baidu in the Privacy category underscores the extent to which Chinese companies can and should be expected to disclose maximum possible information in these areas.
Specifically, there are many areas related to the security and handling of user information on which Chinese companies can improve, and even compete:
- Demonstrate strong commitment to users' security. Chinese internet companies can do a better job of communicating with users about the steps they take to keep users' accounts and information secure.
- Tencent performed at the top of the Index on two security-related indicators: It earned a perfect score for user education about security threats (P18), while Baidu scored only half. Tencent also tied with several other companies in the Index for first place on the indicator that seeks disclosure about how the company addresses security vulnerabilities (P14). The only indicator on which Baidu performed better than Tencent was on disclosure about how the company helps users keep user accounts secure (P17).
- Neither company discloses any policy for notifying users about data breaches (P15). While national law requires companies to notify relevant authorities, it does not require notification of users. However, some localities (such as Shanghai) do require consumer notification of breaches. This demonstrates that there is no legal obstacle to notifying users of breaches and that by doing so, companies would send a message to users that they are committed to being held accountable - by the public as well as by the government - for user security.
- Tencent disclosed substantially more information about how it notifies users about changes in its privacy policies than Baidu, and should be in a position to do even better. Tencent and Baidu both scored higher than the Index average among internet and mobile companies for disclosure about the collection of user information (P3), demonstrating that this is an area on which Chinese companies can compete not only with one another but with their global peers. Tencent disclosed twice as much detail as Baidu about the sharing of user information (P4), and the purpose for doing so (P5), indicating that this is also an area where Chinese companies can and should be more up-front with their users.
- Be as transparent as possible about the handling of requests for user information that do not come from government.
- While neither company reveals any information related to government requests for reasons discussed above, both companies reveal different types of information to varying degrees about requests they may receive from private individuals or entities (P10, P11). Baidu receives some credit because its PostBar service states that it does not entertain private requests for user information, while Tencent gets credit for statements by different services about either rejecting private requests or subjecting them to scrutiny. These results demonstrate that Chinese companies have room to improve disclosures on how they handle requests for user information from entities other than branches of government.