Key findings
- Oath was one of the top performers of the 2018 Index and showed clear commitments to respect freedom of expression and privacy.
- Oath improved its disclosure of government requests to censor content and hand over user data, and clarified options users have to opt out of targeted advertising.
- The company lacked disclosure of what steps it takes to keep user data secure, including how it handles data breaches.
Analysis
Oath ranked third out of the 12 internet and mobile ecosystem companies evaluated, behind Google and Microsoft. A member of the Global Network Initiative (GNI), Oath has continued to implement many of the human rights commitments and policies previously established by Yahoo, following Verizon’s acquisition of Yahoo and the establishment of Oath in June 2017. The company made several improvements in the 2018 Index, including incorporating Tumblr into Oath’s more detailed transparency reporting. While Oath disclosed a strong commitment to respect human rights at the governance level, it could still improve its disclosure of key policies affecting users’ freedom of expression and privacy. It could be more transparent about how it polices content on its services and could be more clear about its security practices. Oath disclosed less data than all other U.S. internet and mobile ecosystem companies about the government and private requests it received for user information. U.S. law prohibits companies from disclosing exact numbers of government requests for stored and real-time user information they receive, which prevented Oath from being fully transparent in that area.
- Communicate more clearly about security. The company should disclose more about its processes for responding to data breaches and preventing unauthorized access.
- Be more transparent about policing of content. Oath should disclose data about the volume and nature of content or accounts it restricts for terms of service violations.
- Be more transparent about external requests affecting user rights. Oath should improve its disclosure of government and private requests to restrict content or accounts and hand over user information.
Oath Inc. (a subsidiary of Verizon Communications) provides a range of communication, sharing, and information and content services. Following the acquisition of Yahoo by Verizon Communications in June 2017, Verizon combined Yahoo-branded services and AOL-branded services into a new subsidiary called Oath.
Governance
Oath tied with Microsoft for the highest governance score among internet and mobile ecosystem companies. The company disclosed a clear commitment to freedom of expression and privacy as human rights (G1), evidence of senior leadership oversight of human rights concerns (G2), and employee training and a whistleblower program addressing freedom of expression and privacy (G3). Oath disclosed evidence that it engages with stakeholders, including civil society, on freedom of expression and privacy issues (G5). Disclosure of its human rights due diligence processes (G4) declined slightly since the 2017 Index, due to less clear disclosure of whether its human rights impact assessments (HRIAs) are incorporated into executive- or board-level decisions (G4). Like most companies evaluated, Oath did not disclose sufficient grievance and remedy mechanisms (G6).
G4. Impact assessment
Oath lost points on G4, as it was not clear if members of the board or senior executives consider the results of human rights impact assessment in their decision-making.
Freedom of expression
Oath received the sixth-highest score of the 12 internet and mobile ecosystem companies evaluated in the Freedom of Expression category, behind Facebook, Google, Kakao, Microsoft, and Twitter.
Restricting content and accounts: Oath was less transparent about its process for enforcing its terms of service (F3) than many of its peers, including Facebook, Google, Kakao, Microsoft, and Twitter. Like most companies, Oath did not disclose any data about the volume or nature of actions it took to enforce its rules, such as removing content or restricting users’ accounts (F4). The company clarified and improved policies regarding whether it notifies users of account restrictions (F8).
Content and account restriction requests: Oath disclosed more than all of its peers other than Google about how it handles government and private requests to censor content or restrict accounts (F5-F7). It improved its disclosure due to the inclusion of Tumblr in the parent company’s transparency reports, which contained more comprehensive information than Tumblr's previous reports. Like most companies evaluated, Oath provided less thorough disclosure of its processes for content or account restriction requests filed through private processes than it did for government requests (F5).
Identity policy: Tumblr disclosed it does not require users to verify their identities, but for Yahoo Mail and Flickr, the company disclosed that users are required to verify their account with a phone number, which in some jurisdictions can be used by law enforcement or other government officials to connect users with their offline identities (F11).
F5. Process for responding to third-party requests for content or account restriction
Oath more clearly explained its process for responding to content and account restriction requests for Tumblr, and it improved its commitment to push back on inappropriate copyright takedown requests to remove content on Flickr and Tumblr.
F6. Data about government requests for content or account restriction
Oath provided less detailed information about the number of Tumblr accounts affected by government requests to remove content.
F8. User notification about content and account restriction
Oath improved its disclosure of policies for notifying Yahoo Mail and Flickr users of account restrictions when possible.
Privacy
Oath received the third-highest score of the 12 internet and mobile ecosystem companies evaluated in the Privacy category, behind Google and Microsoft and on par with Apple.
Handling of user information: Oath disclosed less than Twitter and Google but more than the other internet and mobile ecosystem companies evaluated about how it handles user information (P3-P9). Oath disclosed more about what user information it collects and shares (P3, P4) than it did about its purpose for doing so (P5). While it improved its disclosure of options users have to opt out of targeted advertising (P7), this suggested that targeted advertising is on by default. Oath offered more information than most of its peers, aside from Google, about whether users can access the information that the company holds about them (P8).
Requests for user information: Oath was less transparent than Google and Microsoft about its process for responding to government and private requests for user information (P10), but disclosed more than the rest of its peers. Oath now includes Tumblr in its transparency reporting, which contained more detailed disclosure of Tumblr’s handling of government and private requests for user information. However, Oath disclosed less data than all other U.S. internet and mobile ecosystem companies about the government and private requests it received for user data (P11). Oath did not disclose the exact number of requests received for stored or real-time user data, or what actions it took in response to these requests, because U.S. companies are prohibited by law from doing so. The company disclosed clear policies for notifying users of government requests for their user information, when legally possible, similar to most U.S. companies (P12).
Security: Oath disclosed less about its security policies than Google, Yandex, Microsoft, Kakao, and Apple (P13-P18). It disclosed nothing about its policies for handling data breaches (P15), like most companies in the Index. Oath’s disclosure of its encryption practices improved slightly due to a change in Tumblr’s disclosure in which the company stated that the transmission of data for Tumblr blogs is encrypted by default (P16).
P7. Users’ control over their own user information
The company improved its disclosure of how Tumblr users can opt out of targeted advertising.
P11. Data about third-party requests for user information
Oath improved its disclosure of data about government requests for real-time and stored user information. It also included more detailed information for Tumblr about the number of accounts affected and the number of requests with which it complied.
P16. Encryption of user communication and private content
The company improved its disclosure of its encryption policies for Tumblr.
