Key findings
- AT&T ranked second among telecommunications companies after Vodafone, disclosing more about policies affecting freedom of expression and privacy than most of its peers.
- The company did not clearly commit to engage with stakeholders about digital rights issues, unlike its European peers.
- AT&T disclosed more than any other telecommunications company about policies affecting users’ privacy, but it could do more to explain what it does to keep user information secure.
Analysis
AT&T received the second-highest score among telecommunications companies, after Vodafone. The company made some improvements to policies affecting users’ freedom of expression by clarifying its processes for handling government network shutdown demands, and strengthened its commitments to users’ privacy by disclosing how users can obtain the data the company holds on them. However, AT&T’s score in the Governance category declined due to its failure to join the Global Network Initiative (GNI) after the Telecommunications Industry Dialogue became inactive in March 2017. Despite positive steps in some areas, the company should take additional steps to ensure transparency of its network management policies and practices. AT&T should also give users greater control over their own data and disclose more about its security policies and practices. In addition, the company could disclose more about how it handles government and private requests to hand over user data. U.S. law prohibits companies from disclosing exact numbers of government requests for stored and real-time user information they receive, which prevented AT&T from being fully transparent in that area.
- Engage with stakeholders on digital rights issues. The company should join the Global Network Initiative (GNI) to better address the human rights risks of diverse user groups.
- Be transparent about handling of user information. The company should clearly disclose its practices around handling user information and give users more control over their own data.
- Clearly communicate security practices. The company should clearly communicate to users how it handles data breaches.
AT&T, Inc. provides telecommunications services in the United States and in Mexico, offering data and voice services to approximately 152 million wireless subscribers.
Governance
AT&T ranked fourth in the Governance category among telecommunications companies, disclosing less than Vodafone, Telefónica, and Orange about how commitments to users’ freedom of expression and privacy are institutionalized within the company. AT&T publicly committed to respect human rights, including freedom of expression and privacy (G1), and it provided evidence of senior-level oversight over these issues (G2). It also disclosed some information on its grievance and remedy mechanisms (G6). However, the company’s overall score in this category declined due to a change in the company’s public commitment to engage with stakeholders (G5). As of March 2017, the Telecommunications Industry Dialogue ceased to be active, and many of its members have joined GNI. However, AT&T did not join GNI, which resulted in a score decline.
G5. Stakeholder engagement
The company lost points on G5 due to its weakened commitment to engage with stakeholders on freedom of expression and privacy issues. The company did not join the Global Network Initiative (GNI) along with the rest of its European peers after the Telecommunications Industry Dialogue ceased to be active in 2017.
Freedom of expression
AT&T earned the second-highest freedom of expression score among telecommunications companies, after Vodafone.
Content and account restriction requests: AT&T was one of only four telecommunications companies to receive any credit for disclosing information about its handling of government and private requests to restrict content or accounts (F5-F7). Notably, AT&T was one of three telecommunications companies to receive any credit for publishing data on government requests to restrict content or user accounts (F6), but it did not disclose any data about private requests (F7).
Network management and shutdowns: AT&T disclosed less information than Vodafone about its policies related to network management and shutdowns. While the company revealed reasons it may engage in network management practices, it did not commit not to engage in content blocking or prioritization practices (F9). AT&T clarified that it would report the number of government requests to shut down its networks if it received such requests (F10).
Identity policy: AT&T did not disclose a requirement that pre-paid mobile service users verify their identity with a government issued ID, making it, along with Vodafone, one of only two telecommunications companies evaluated to receive full credit on this indicator (F11).
F10. Network shutdown
The company improved its disclosure of how it handles network shutdown demands from governments.
Privacy
AT&T was the highest-scoring telecommunications company in the Privacy category.
Handling of user information: AT&T disclosed more than all other telecommunications companies about how it handles user information (P3-P8). Still, it did not fully disclose what types of user information it collects (P3), shares (P4), and why (P5). The company revealed even less information about how long it retains user information (P6), although it and Vodafone were the only two telecommunications companies evaluated to score any points on this indicator. The company improved its disclosure regarding the options users have to access their own user data (P8). While options to download a copy of their data had already been available for AT&T’s post-paid mobile users, the company disclosed additional options for pre-paid mobile and fixed-line broadband users to access their data.
Requests for user information: AT&T received the highest score of all telecommunications companies for disclosure of its process for responding to and complying with government and private requests for user information (P10, P11). Like all other telecommunications companies, AT&T did not indicate whether it notifies users about requests for their information (P12).
Security: AT&T ranked second after Vodafone for disclosure of its security policies (P13-P18). It was the only one of its peers to receive full credit for disclosure of its internal processes for ensuring that user data is secure (P13). While AT&T was one of only four companies in the entire Index to reveal any information about how it handles data breaches, its disclosure still fell short (P15).
P8. Users’ access to their own user information
The company improved its disclosure of options users have to obtain copies of their information.
