Together, the companies evaluated in the Index offer products and services that are used by at least half of the world’s 3.7 billion internet users.
We regret to report that companies do not disclose enough information to their users about policies and practices affecting freedom of expression and privacy. As a result, most of the world’s internet users lack the information they need to make informed choices.
Company disclosure is inadequate across the board. Similar to the 2015 results, the average score for all companies evaluated was just 33 percent. The highest score in the 2017 Index was 65 percent overall. While examples of good practice can be found across the Index, all companies failed to sufficiently disclose policies affecting users’ freedom of expression and privacy. Even the better performing companies had significant gaps in disclosure on key issues that affect what a user can and cannot say or do, or who knows what about their activities.
We are also pleased to report, however, that many companies made meaningful improvements since the 2015 Index.
Download the full report and analysis.
- Google and Microsoft were the only companies in the entire Index to score more than 60 percent overall. However, Google's lead over the other companies near the top of the Index narrowed since 2015, while Microsoft moved from third to second place primarily due to improved disclosures about its policies affecting freedom of expression.
- Apple ranked seventh among the 12 internet and mobile companies evaluated. A major reason for this relatively low score was poor disclosure about the company's commitments and policies affecting users' freedom of expression. Next to its peers, Apple also disclosed little information about how it has institutionalized its commitments to users' rights through corporate governance, oversight, and accountability mechanisms.
- Samsung, the world's second largest smartphone manufacturer, headquartered in South Korea, ranked ninth among 12 internet and mobile companies. It placed just above two Chinese companies and a Russian company.
- Kakao, a South Korean company that offers internet search, email, and mobile chat services, ranked fifth among the 12 internet and mobile companies and notably earned high scores on 10 of the 35 indicators across the Index.
- AT&T and Vodafone tied for the highest score among the 10 telecommunications companies evaluated. Vodafone scored better on disclosures related to its governance mechanisms as well as policies affecting freedom of expression. AT&T offered more detailed disclosure on policies affecting users' privacy.
- Telefónica, which ranked third among telecommunications companies, led its category on several indicators. Most notably, it led all 22 companies in the entire Index for disclosure of how it responds to data breaches. The company's disclosure of policies related to network shutdowns was also among the more comprehensive across all telecommunications companies.
When companies work together and with stakeholders to implement human rights commitments, they can make a real difference.
While even the highest scores in the Index showed major room for improvement, many of the top-scoring companies shared one commonality: all are members of either the Global Network Initiative (GNI) or the Telecommunications Industry Dialogue (TID), organizations whose company members commit to uphold principles of freedom of expression and privacy. Additionally, GNI conducts an assessment of whether members have implemented the principles satisfactorily. It has multi-stakeholder membership, and is governed by a multi-stakeholder board.
The 2017 Index data shows that GNI and TID member companies performed better on indicators in the Governance category - measuring the institutionalization of corporate-level commitments to freedom of expression and privacy - than all other companies. However, in other areas of the Index, GNI or TID membership was not necessarily a predictor of strong performance.
The Index offers a roadmap for companies to credibly demonstrate respect for their users' rights around the globe. After analyzing this year's data we have identified several major concerns:
- Mobile ecosystems: We don't know enough about the impact of smartphones on our digital rights. Smartphones are chokepoints for freedom of expression and gatekeepers for digital security. It is important that companies controlling mobile ecosystems have strong commitments and disclosed policies.
We evaluated three mobile ecosystemsmobile ecosystems: Apple's iOS ecosystem, the Google Android mobile ecosystem, and Samsung's implementation of Android. All three offered poor disclosure about policies affecting freedom of expression and privacy.
Google disclosed the most information across the board about policies and practices affecting Android smartphone users' freedom of expression and privacy. Apple's iOS mobile ecosystem was most competitive on privacy-related disclosures and generally had better disclosure than Samsung-controlled Android devices. Explore our in-depth analysis of mobile ecosystems.
- Freedom of expression is getting short-changed. How do company actions affect our ability to publish, transmit, or access content? With a couple of notable exceptions, most companies disclosed much less information about policies that affect users' freedom of expression than about policies affecting privacy. Here is what that means in practice:
- Third-party requests to restrict speech: Companies don't disclose enough about how they respond when governments and other parties ask them to block, delete, or otherwise restrict content or deactivate users' accounts. Companies are receiving growing numbers of requests not only from governments but from private organizations and individuals. If and how companies respond to and comply with these requests can have a critical impact on freedom of expression and on human rights more broadly. (For a detailed analysis see section 5.1 of the full report.)
- Terms of service enforcement: Companies tell us almost nothing about when they remove content or restrict users' accounts for violating their rules. Through their terms of service and user agreements, companies set their own rules for what types of content or activities are prohibited on their services and platforms, and have their own internal systems and processes for enforcing these rules. Companies need to disclose more information about their enforcement processes and the volume and nature of content being removed. (For a detailed analysis see section 5.2 of the full report.)
- Identity policies tied to government ID threaten freedom of expression. The ability to communicate anonymously is deemed essential to freedom of expression by many in the human rights community. Only four companies in the Index enable people to create accounts or use a service without providing information linked to government ID. (For a detailed analysis see section 5.3 of the full report.)
- Network shutdowns: A growing number of governments are requiring telecommunications companies to shut down service either for a whole country or in a specific area for specified periods - and for a range of reasons. In 2016, the U.N. Human Rights Council affirmed that network shutdowns threaten freedom of expression and the right to access information, condemned them to be a violation of international human rights law and called on governments to refrain from taking these actions. Users are generally in the dark about why they are cut off. Explore our in-depth analysis related to network shutdowns.
- Handling of user information is opaque. How and for what purpose is our information collected, shared, retained, and used? If somebody were to build a profile on us using this information, what would it look like? Companies don't disclose enough for users to understand risks and make informed choices.
The 2017 Index contains seven indicators measuring if and how clearly companies disclose what types of user information they collect, share, for what purpose, how they collect this information, and for how long they retain it. Indicators also look for companies to offer users options to control what is collected and to obtain all of the information a company holds on them. (For a detailed analysis see Section 6 of the full report.)
- Security commitments lack sufficient evidence. In order to trust a service, we need to know that credible efforts are being made to secure our information. Most companies communicate less about what they are doing to protect users' security than about what users should do to protect themselves. Disclosure about company policies for informing affected parties about data breaches was especially poor. (For a detailed analysis see Section 7 of the full report.)
What is to be done? Read our recommendations.