Recommendations

Based on what we have learned from the Index results, below are recommendations for companies as well as for governments.

For companies

All companies in the Index can make improvements. Below is a basic guide. More specific recommendations for each company can be found in the individual company reports.

Governance and general recommendations

• Communicate with users in a clear, accessible, and organized way. Companies should disclose and explain how they comply with laws and what that compliance means for users. Companies that are serious about demonstrating respect for users' rights should strive for well-organized disclosures in places that users can reasonably be expected find. Users should not have to depend on external sources or be specialists in telecommunications or privacy law in order to learn about the company's commitments and practices.

• Disclose evidence that the company has institutionalized its commitments. It is great for a company to have leaders with strong personal commitments to users' rights, who make strong statements in speeches and the media. However long-term respect for users' rights requires that such commitments are clearly institutionalized. This bolsters external confidence that the company's implementation of commitments and principles does not depend on specific individuals remaining employed by the company.

• Conduct regular assessments to determine the impact of the company's products, services, and business operations on users' freedom of expression and privacy. Several companies in the Index conduct different types of human rights impact assessments, a systematic approach to due diligence that enables companies to identify risks to users' freedom of expression and privacy as well as opportunities for companies to enhance users' enjoyment of those rights. While it may be counterproductive for companies to publish all details of their processes and findings, it is important to disclose information about the fact that the company conducts assessments and basic information about the scope, frequency, and use of these assessments. For such disclosures to be credible, companies' assessments should be assured by an external third party accredited by an independent body whose own governance structure demonstrates strong commitment and accountability to human rights principles. As of 2017, only the Global Network Initiative meets the requirements for such an accrediting organization.

• Publish transparency reports including the volume, nature, and legal basis of requests made by governments and other third parties to access user information or restrict speech. Disclosures should include information about the number or percentage of requests complied with, and about content or accounts restricted or removed under the company's own terms of service.

• Commit to push back against excessively broad or extra-legal requests, including in a court of law while complying with bona fide requests to restrict speech or share user information within the bounds of the law. Companies should use every opportunity available to pressure governments to move away from mass surveillance and institute meaningful oversight over national security and law enforcement authorities.

• Make clear to users what types of requests the company will—and will not—consider, from what types of parties. For example: some companies make clear that they will only accept government requests for user information via specified channels and that they will not respond to private requests. Other companies do not disclose any information about whether they may consider private requests. Without clear policy disclosure about the types of requests the company is willing to entertain, users will lack sufficient information about risks that they may take when using a service.

• Establish effective grievance and remedy mechanisms. Grievance mechanisms and remedy processes should be more prominently available to users. Companies should more clearly indicate that they accept concerns related to potential or actual violations of freedom of expression and privacy as part of these processes. Beyond this, disclosure pertaining to how complaints are processed, along with reporting on complaints and outcomes, would add considerable support to stakeholder perception that the mechanisms follow strong procedural principles and that the company takes its grievance and remedy mechanisms seriously.

Mobile ecosystems

• Recognize app store content as a freedom of expression issue. Companies that have committed to freedom of expression principles should ensure that mobile ecosystems and app stores are clearly covered by due diligence and governance processes necessary to implement those principles.

• Clearly disclose policies and processes for handling requests to remove or pre-emptively restrict apps, whether such requests come from governments or from other entities. Companies should also disclose in their transparency reports information about app removals and restrictions from their app store, including the number of requests received and complied with as well as data about apps or other content removed in the process of terms of service enforcement.
• Commit to enforce app store terms of service that require all apps collecting user information to have a privacy policy. Commit to evaluate the content of those privacy policies, and disclose information about this enforcement process in transparency reports.
• Commit to deliver all security updates to users within 30 days of a patch being made available. Companies should also clearly communicate to users for how long after purchase (or until what date) they should expect to receive software updates.

Freedom of expression

• Improve transparency and accountability about all types of third-party requests to restrict content or user accounts - government requests as well as requests by private individuals and organizations. To the maximum extent possible under the law, companies should publish comprehensive information (including transparency reports) related to the following types of third-party requests:
  • Process for responding to all types of third-party requests to restrict content, access, or service;
  • Data about government requests to restrict content, access, or service;
  • Data about private requests for content restriction.

If a company does not receive or entertain a particular type of request, or if it doesn't entertain requests from certain types of third parties (e.g., private individuals acting without legal authority), the company should also clearly disclose that information.

• Telecommunications companies should provide as much information as possible about their policies for responding to network shutdowns, including details such as the number of requests they received and the number with which they complied.

• Companies that host or serve as a conduit for content should disclose sufficient detail to meet standards for transparency and accountability around terms of service enforcement. Specifically, companies should publish data on a regular basis about the volume and nature of content removals and account restrictions that the company makes to enforce its terms of service so that users have a clearer understanding of the level of effort the company is making to keep different types of speech from appearing on or through its service.

• Where the law does not explicitly mandate it, refrain from requiring users to register their identity, such as by providing a government-issued document or a credit card (other than for billing purposes, if applicable).

Handling of user information

• Provide users with a more comprehensive picture of the lifecycle of their personal information, from collection to use to sharing to retention and deletion. Disclosures should include:
  • What specific types of information the company collects (P3);
  • How the company collects that information (e.g., does a company ask users to provide certain information, or does the company collect it automatically?) (P3);
  • Whether users have an option not to provide that information (P7);
  • Specifically, what information the company shares and with whom (P4);
  • Why the company shares that information (P5);
  • Whether—and the extent to which—users can control how their information is used (P7);
  • How long the company retains that information (P6);
  • Whether the user can access all public-facing and private user information a company holds about them (P8);
  • Whether and how the company destroys that information when users delete their accounts or cancel their service (P6).

Security

• Disclose clear information about policies for addressing security vulnerabilities. This disclosure should include bug bounty programs and the company's practices for relaying security updates to mobile phones.

• Disclose processes for mitigating the risk and severity of data breaches. Companies should also disclose procedures for dealing with breaches when they occur. Communicate with users and provide them with an appropriate remedy.

• Where permitted by law, publicly commit to implement the highest encryption standards available. This disclosure should include encryption in transit, end-to-end encryption, and forward secrecy. At minimum, make it possible for users to encrypt their own data as securely as possible and communicate this to users clearly. Where the law prohibits strong encryption, clearly say so to users, explaining the specific legal barrier and the potential consequences for user privacy and safety.

For governments

Full corporate accountability will only be achieved when governments are also held accountable. Governments must work with the private sector and civil society to ensure that legal and regulatory frameworks make it possible for companies to respect digital rights.

• Publish government transparency reports that disclose the volume, nature, and legal basis for requests made to companies to share user information or restrict speech. This should be a fundamental component of any nation's commitment to open government.

• Ensure that laws and regulations allow companies to be transparent and accountable with users about how they receive and handle government requests.

• Carry out human rights due diligence to ensure that laws and regulations governing ICT sector companies do not have a negative impact on internet users' freedom of expression and privacy as defined by the Universal Declaration of Human Rights and international human rights instruments such as the International Covenant on Civil and Political Rights.

• Reform surveillance-related laws and practices to comply with the thirteen "Necessary and Proportionate" principles, a framework for assessing whether current or proposed surveillance laws and practices are compatible with international human rights norms.

• Require companies to implement effective mechanisms for grievance and remedy that are accessible to users who believe that their freedom of expression and privacy rights have been violated in connection with the use of companies' products and services.

• Limit legal liability imposed on companies for their users' speech and other activities, consistent with the Manila Principles on Intermediary Liability, a framework of baseline practices and standards to ensure that regulation of ICT sector companies does not result in the violation of users' rights.

• Respect the right to anonymous online activity as central to freedom of expression, privacy and human rights. Refrain from requiring companies to document users' identities when it is not essential to the provision of service.

• Develop effective data protection regimes and privacy regulations in consultation with industry and civil society, with impact assessments to ensure that the laws can avoid unintended consequences for freedom of expression.

• Require companies to clearly disclose to users the full lifecycle of their information, from collection to use to sharing to retention and deletion.

• Require companies to give users more control over the collection and sharing of their information, and to clearly disclose how users can exercise such control.

• Do not enact laws and policies that undermine encryption. Strong encryption is vital not only for human rights but also for economic and political security.

• Support appropriate incentives for companies to adopt industry standard security practices and encourage appropriate disclosure to users.

• Encourage companies to implement and disclose appropriate policies and procedures for data breaches, including through relevant legislation.