Key findings
- Microsoft was one of the top performers in the 2018 Index, placing second after Google.
- Microsoft tied with Oath for the most disclosure of governance processes aimed at ensuring the company’s respect for freedom of expression and privacy.
- While its disclosure of how it handles government and private requests for user information was among the highest in the Index, Microsoft was less transparent than most of its peers about its processes for handling government and private requests to remove content or restrict accounts.
Analysis
Microsoft earned the second-highest score among internet and mobile ecosystem companies, after Google. A member of the Global Network Initiative (GNI), Microsoft disclosed a strong commitment to freedom of expression and privacy. Despite its overall strong performance, its score declined slightly because its policies for notifying Skype users if the company restricts their accounts were no longer available. In addition, Microsoft could be more transparent about its process for enforcing its terms of service and could clarify how it handles user information, including options users have to control what information about them is collected and shared. U.S. law prevents companies from disclosing the exact number of government requests for stored and real-time user information they receive, which prevented Microsoft from being fully transparent in that area. However, Microsoft still disclosed more data on government and private requests for user information than most companies in the Index.
- Clarify role in policing online content. Microsoft should disclose more information about how it enforces its rules, and should expand the types of content removals it covers in its transparency reporting.
- Be more transparent about handling of user information. Microsoft should more clearly disclose what types of user information it collects, shares, retains, and for what purpose, and provide users with clear options to control collection and sharing of their information.
- Provide clear commitments to notify users of content or account restrictions. Microsoft should clearly commit to notify users when content or accounts are restricted, including the reason why.
Microsoft Corp. develops, licenses, and supports software products, services, and devices worldwide. Major offerings include the Windows operating system, Microsoft Office, Windows Phone software and devices, advertising services, server products, Skype, and Office 365 cloud services.
Governance
Microsoft tied with Oath for the highest governance score of the 12 internet and mobile ecosystem companies evaluated. The company disclosed an explicit commitment to respect freedom of expression and privacy as human rights (G1), evidence of oversight of human rights issues by senior leadership (G2), and employee training and whistleblower programs that address freedom of expression and privacy (G3). Microsoft disclosed that its human rights impact assessments included efforts to address freedom of expression and privacy risks associated with how it enforces its terms of service (G4). Like all companies, Microsoft could do more to clarify its grievance and remedy mechanisms enabling users to submit complaints about infringements to their freedom of expression or privacy rights (G6).
G4. Impact assessment
Microsoft improved its disclosure of whether it assesses privacy risks associated with its enforcement of its terms of service.
Freedom of expression
Microsoft disclosed less about policies affecting freedom of expression than Twitter, Google, and Kakao.
Content and account restrictions: Microsoft disclosed less than Twitter and Kakao but more than all other internet and mobile ecosystem companies about its rules and how they are enforced (F3, F4, F8). Its score declined slightly because information about notifying Skype users in the event of an account restriction was no longer available on the Skype help page (F8). Microsoft was one of four companies to publish some data about its terms of service enforcement (F4), specifically on content removed from Bing for violating its policy on “non-consensual pornography.” However, the company should disclose data on other types of content it removes for terms of service violations.
Content and account restriction requests: Microsoft disclosed more than most internet and mobile ecosystem companies about how it responds to government and private requests to remove content or restrict accounts, but provided less information than Google, Oath, Kakao, Twitter, and Facebook (F5-F7). It disclosed some information about the company’s process for responding to government and private requests to remove content (F5), and some data about the number of these requests it received and with which it complied (F6, F7).
Identity policy: Microsoft and Twitter were the only two internet and mobile ecosystem companies to disclose that they do not require users to verify their identity with a form of government-issued ID (F11).
F8. User notification about content and account restriction
Microsoft’s score declined slightly due to a change in its disclosure of whether it notifies Skype users of account restrictions. The company appears to have re-organized the Skype help pages and information that was previously available could not be located.
Privacy
Microsoft disclosed more than the rest of its peers, apart from Google, about policies affecting users’ privacy.
Handling of user information: Microsoft disclosed less than Twitter, Google, and Oath about how it handles user information (P3-P9). The company did not fully disclose the types of user information it collects, shares, or for what purpose (P3, P4, P5). Like most companies, it provided even less information about how long it retains this information (P6). It also disclosed some options users have to opt out of the collection of their information for targeted advertising, which suggests that targeted advertising is on by default (P7). It disclosed more than most companies about options users have to obtain information the company holds about them (P8), and whether and how the company collects information about users across third-party websites (P9), though this disclosure still fell short.
Requests for user information: Microsoft disclosed more than its peers about its process for handling government and private requests for user information (P10), but lagged behind Twitter, Facebook, and Google on disclosure of data on the requests it received (P11). Microsoft disclosed its policy for notifying users about government requests for their user information, but not for requests it receives through private processes (P12).
Security: Microsoft disclosed less than Apple, Google, and Yandex about its security policies, but more than the other internet and mobile ecosystem companies evaluated (P13-P18). It disclosed that it conducts internal security audits (P13), and offered a bug bounty program to address security vulnerabilities (P14). Like most companies in the Index, Microsoft failed to disclose policies for responding to data breaches (P15). It scored lower than Facebook, Apple, Yandex, and Google on disclosure of its encryption policies (P16).