Key findings
- Facebook ranked fourth in the Index, disclosing less about policies affecting freedom of expression and privacy than most of its U.S. peers.
- It made slight improvements to its disclosure of processes for identifying content that violates its rules and began to provide some data on content restricted for violating the company’s policies on hate speech and inauthentic accounts, but still lacked transparency on how it enforces its rules.
- The company provided users with limited options to control what information the company collects, retains, and uses, including for targeted advertising, which appears to be on by default.
Analysis
Facebook ranked fourth out of 12 internet and mobile ecosystem companies evaluated, below Google, Microsoft, and Oath, but above Twitter and Apple. As a member of the Global Network Initiative (GNI), Facebook publicly committed to respect human rights, but disclosed less about its policies and practices affecting freedom of expression and privacy than many of its peers. It improved its disclosure of its terms of service enforcement, security measures for WhatsApp and Instagram, and how it handles government requests for user information. U.S. law prohibits companies from disclosing the exact number of government requests for stored and real-time user information they receive, which prevented Facebook from being fully transparent in that area. However, Facebook disclosed less than many of its peers about its handling of user information and options users have to control the data it collects and shares, including for purposes of targeted advertising. Facebook disclosed options for users to opt out of targeted advertising, suggesting that targeted advertising is on by default.
- Commit to user privacy. The company should show a stronger commitment to protect privacy by not sharing users' information for targeted advertising unless they opt in. Otherwise, the company should clearly disclose that targeted advertising is on by default, and improve mechanisms for user control over their information.
- Clarify role in policing online content. Facebook should be more transparent about how it enforces its terms of service by disclosing how it identifies content or activities that violate the rules, and publish data about the type and volume of content it removes for breaching its terms of service.
- Be more transparent about external requests. The company should be more transparent about how it responds to government and private requests to hand over user information or remove content.
Facebook, Inc. operates social networking platforms for users globally. These include the Facebook social network, Messenger, Instagram, and WhatsApp.
Governance
Facebook received the second-highest governance score of the 12 internet and mobile ecosystem companies evaluated, behind Microsoft and Oath. Facebook provided evidence that senior leadership exercises oversight of issues related to freedom of expression and privacy (G2) and there are mechanisms in place formalizing these commitments throughout the company (G3). It disclosed that it conducts regular human rights impact assessments, though it failed to disclose whether it assesses the risks to freedom of expression and privacy associated with how it enforces its terms of service (G4).
Freedom of expression
Facebook ranked fifth out of 12 internet and mobile ecosystem companies in the Freedom of Expression category, below most other U.S. companies, but above Oath and Apple.
Content and account restrictions: Facebook improved its disclosure of the processes it uses to identify content or accounts violating its rules (F3) and was one of only four companies to disclose any data about the actions it took to enforce its terms of service (F4). However, Facebook’s disclosure still fell short of Index benchmarks for these indicators. Additionally, Facebook did not clearly disclose whether it notifies users when content has been restricted or removed and why (F8).
Content and account restriction requests: Facebook scored in the top half of internet and mobile ecosystem companies on these indicators, though it disclosed less than Google, Oath, and Twitter (F5-F7). Facebook improved its disclosure of its process for responding to removal requests via court orders (F5), and its transparency reporting on private requests for content removal (F5, F7). Its disclosure of data on its compliance with government and private requests was less comprehensive (F6, F7). It disclosed actions it took to restrict content in response to government requests but did not disclose the number of requests it received, making it difficult to determine its compliance rate for responding to such requests.
Identity policy: WhatsApp and Instagram disclosed that users can register for an account without verifying their identity with a government-issued ID; however, Facebook’s social network and Messenger app disclosed they may require users to do so (F11).
F3. Process for terms of service enforcement
Facebook improved its disclosure of the methods it uses to identify content and activities that violate the company’s rules, such as inauthentic accounts and terrorist content.
F4. Data about terms of service enforcement
Facebook improved its disclosure of actions it has taken to enforce its terms of service, publishing some data on the volume and nature of content restricted for violating rules against hate speech and inauthentic accounts.
F5. Process for responding to third-party requests for content or account restriction
Facebook improved its disclosure of how it responds to both government and private requests to restrict content or user accounts.
F7. Data about private requests for content or account restriction
The company improved its disclosure of the number of pieces of content it removed due to intellectual property violations, the reasons associated with removal requests, as well as the number of such requests with which it complied.
F8. User notification about content and account restriction
Facebook improved its disclosure of WhatsApp’s notification policy, disclosing on a help page that it will send users a message in case their account is restricted.
Privacy
Facebook received the seventh-highest score out of 12 internet and mobile ecosystem companies in the Privacy category, behind all other U.S. internet and mobile ecosystem companies and South Korean internet company Kakao.
Handling of user information: Facebook fell short of explaining how it handles user information, placing behind Twitter, Google, Microsoft, Oath, Apple, and Kakao on these indicators (P3-P9). While the company offered some disclosure of what types of user information it collects (P3), it revealed less about what it shares and with whom (P4), for what purpose (P5), and for how long it retains user information (P6). Its disclosure of options users have to control what information the company collects, retains, and uses was worse than any other company in the Index (P7). The company offered some ways to opt out of targeted advertising, suggesting it is on by default. Facebook also did not clearly disclose if it tracks users across the internet using cookies or widgets, or whether it respects user-generated signals to opt out of data collection (P9).
Requests for user information: Facebook disclosed less than Microsoft and Google about its process for handling government and private requests for user information (P10). However, it received the highest score of internet and mobile ecosystem companies, along with Twitter, for its disclosure of data about its compliance with these types of requests (P11). Like most U.S. companies, Facebook disclosed that it notifies users of government requests for their information, and disclosed the circumstances in which it may not notify users, but did not offer similar disclosure of private requests (P12).
Security: Facebook disclosed less than many of its peers, including Google, Apple, and Oath, but more than Twitter, about its security policies (P13-P18). It revealed little about its processes for keeping its products and services secure (P13). Facebook received higher than average marks for disclosure of its encryption policies (P16). The company clearly stated that for WhatsApp, end-to-end encryption is enabled by default, and that Messenger users can enable end-to-end encrypted "secret conversations," although these are not on by default. Facebook improved its disclosure of account security practices by rolling out two-factor authentication for Instagram and WhatsApp (P17).
P10. Process for responding to third-party requests for user information
For the WhatsApp service, Facebook more clearly explained its process for responding to court orders and requests from foreign jurisdictions. The company also improved its disclosure of the legal basis under which it may comply with government requests for user information from WhatsApp users, and provided clearer guidance on the company’s process for responding to these requests.
P17. Account security
The company rolled out two-factor authentication for Instagram and WhatsApp.