Key findings
- Twitter disclosed less than most of its U.S. peers about policies affecting users’ privacy, but disclosed more about policies affecting freedom of expression than any company in the Index.
- Twitter improved its disclosure of how it responds to government requests to remove content and restrict accounts.
- Twitter disclosed ways for users to opt out of targeted advertising, which indicates that targeted advertising is on by default. In a setback for user privacy, the company disclosed it no longer responds to “Do Not Track” signals from users asking the company not to track them across third-party websites.
Analysis
Twitter ranked fifth out of 12 internet and mobile ecosystem companies, disclosing less about its policies affecting privacy than most of its U.S. peers. The company’s score improved in the 2018 Index due to improved public commitments to users’ freedom of expression and greater clarity in its transparency reporting on content removal requests. However, Twitter’s privacy score declined due to a change in its privacy policy stating that the company no longer responds to “Do Not Track” signals, and a lack of clear examples about how it implements its process for responding to government or private requests for user information. In addition,U.S. law prevents companies from disclosing the exact number of government requests for stored and real-time user information they receive, which prevented Twitter from being fully transparent in that area.
- Institutionalize policy commitments to freedom of expression and privacy. Twitter should demonstrate that it has institutionalized comments to respect users' digital rights by disclosing whether and how it is implementing policies such as employee training and human rights impact assessments.
- Protect users’ privacy. The company should show a stronger commitment to protect users' privacy by not sharing users' information for targeted advertising unless they opt in. It should also commit to respect signals from users to not track them across third-party websites.
- Disclose more comprehensive information about security policies and practices. Twitter should improve its disclosure of its internal processes for keeping user data secure, including the company’s policies for responding to data breaches.
Twitter, Inc. operates a global social sharing platform with products and services that allow users to create, share, and find content on the Twitter social network and to livestream videos on Periscope. Twitter also provides advertising services and developer tools.
Governance
Twitter ranked fifth in the Governance category, scoring lower than most U.S. internet and mobile ecosystem companies evaluated, despite some notable improvements. The company strengthened its public commitment to respect users’ freedom of expression and privacy (G1), improved its disclosure of senior-level oversight over these issues (G2), and disclosed a commitment to conduct human rights risk assessments when launching new products or entering into new markets (G4). While it disclosed that it regularly engages with a range of stakeholders on freedom of expression and privacy issues (G5), Twitter is not a member of a multi-stakeholder initiative like the Global Network Initiative (GNI), whose members not only make commitments but also undergo independent assessments to verify whether they have implemented and institutionalized them. As a result, Twitter’s disclosure in the Governance category suffered compared to its other U.S.-based peers.
G1. Policy Commitment
Twitter improved its public commitment to respect and protect freedom of expression and privacy rights by publishing a new policy ("Defending and respecting the rights of people using our service") that articulates a clear commitment to defend users' rights.
G2. Governance and management oversight
Twitter clarified that there is executive- and management-level oversight over freedom of expression and privacy issues within the company.
G4. Impact assessment
Twitter improved its disclosure of its human rights due diligence practices by explaining that it evaluates risks associated with launching new activities, services, or entering into new markets.
Freedom of expression
Twitter disclosed more than any of its peers about policies affecting freedom of expression.
Content and account restrictions: Twitter disclosed more than any other internet and mobile ecosystem company about its process for terms of service enforcement (F3, F4, F8). It disclosed more than most other companies about why it may restrict content or accounts (F3). It was one of only four companies, including Facebook, Microsoft, and Google, to disclose any data about its terms of service enforcement, reporting the number of accounts it restricted due to terrorist content and from legal requests to remove content or restrict accounts for violating Twitter’s rules (F4). However, the data did not include all of the actions the company might take to enforce its rules.
Content and account restriction requests: Twitter disclosed less than Google and Oath about how it handles government and private requests to restrict content or accounts (F5-F7). It disclosed more data about government requests to restrict content or accounts than several of its U.S. peers (F6), and it provided more data than any other company about private requests to restrict content or accounts (F7).
Identity policy: Twitter and Microsoft were the only two internet and mobile ecosystem companies that disclosed that they do not require users to verify their identity with a government-issued ID or other information tied to their offline identity (F11).
F1. Access to terms of service
Twitter made the terms of service for Periscope available in Spanish.
F2. Changes to terms of service
The company improved its F2 score by stating it may directly notify Periscope users of changes to its terms of service policy.
F5. Process for responding to third-party requests for content or account restriction
Twitter improved its disclosure of its process for responding to requests to remove content or restrict accounts, from foreign governments and private parties, and provided examples of how it responds to government requests.
F6. Data about government requests for content or account restriction
Twitter disclosed more data about government requests for content and account restrictions it received for Periscope, including the number of accounts affected, pieces of content specified for removal, and the number of such requests with which it complied.
F7. Data about private requests for content or account restriction
Twitter improved its disclosure of the number of private requests for content and account removals or restrictions it received and with which it complied.
F8. User notification about content and account restriction
Twitter improved its disclosure of policies for notifying Periscope users when their content has been removed due to copyright restrictions, or when their account has been restricted.
Privacy
Twitter disclosed less than Google, Microsoft, Apple, and Oath about policies affecting users’ privacy, but more than Facebook.
Handling of user information: Twitter offered more information than all other internet and mobile ecosystem companies about how it handles user information, but still fell short of Index benchmarks (P3-P9). It clearly disclosed what types of user information it collects (P3), but was less clear about what information it shares and with whom (P4). It disclosed more than any other company about how long it retains user information (P6), but disclosed little about whether users could access the information the company holds about them (P8). The company provides users with options for controlling how their information is collected for targeted advertising, suggesting targeted advertising is on by default (P7). Twitter’s revised privacy policy made its practices of tracking users across third-party websites less clear (P9). The company also disclosed it no longer respects “Do Not Track” (DNT) signals (P9).
Requests for user information: Twitter disclosed more than most of its peers, apart from Microsoft and Google, about how it handles government and private requests to hand over use data (P10-P12). Like most companies, it clearly disclosed its processes for responding to government requests for user information, but not for private requests it received (P10). It tied with Facebook for disclosing the most data on government and private requests for user information it received (P11).
Security: Twitter provided little information about its security policies, scoring higher than only Baidu, Samsung, and Tencent on these indicators (P13-P18). Like most companies, it failed to disclose any information about its policies for responding to data breaches (P15). It also lacked clear disclosure of whether it encrypts user communications and private content (P16).
P1. Access to privacy policies
Twitter made Periscope’s privacy policy available in Spanish.
P9. Collection of user information from third parties
The company provided less clear disclosure of its practices related to how it tracks users across the internet, and disclosed it no longer respects “Do Not Track” signals from users asking the company not to track them on third-party websites.
P10. Process for responding to third-party requests for user information
The company’s P10 score declined because Twitter no longer provides an example of how it implements its process to respond to private requests.
