Executive summary

The Ranking Digital Rights 2018 Corporate Accountability Index evaluated 22 of the world’s most powerful internet, mobile, and telecommunications companies on their disclosed commitments and policies affecting freedom of expression and privacy. These companies held a combined market capitalization of approximately USD 4.7 trillion.[1] Their products and services are used by a majority of the world’s 4.2 billion internet users.[2] There is good news and bad news:

The good news: More than half of the companies evaluated in the 2018 Index improved disclosure in multiple areas affecting users’ freedom of expression and privacy. In all, 17 of the 22 companies improved scores on at least one indicator. Even companies headquartered in the world’s toughest regulatory environments are making efforts to improve. Positive trends included:

  • Transparency reporting continues to improve and expand. More companies disclosed more information and data related to their policies and processes for responding to government or other third party requests to restrict content, as well as to share user information with authorities.

  • Telecommunications companies that joined the Global Network Initiative (GNI) pulled ahead of others in the sector. In 2017, three European telecommunications companies evaluated by the Index (Orange, Telefónica, and Vodafone) joined GNI, a multi-stakeholder initiative that works with companies to advance human rights principles in the face of government censorship and surveillance demands. All three strengthened disclosure about governance, oversight, due diligence, and internal accountability mechanisms.

The bad news: Companies are not transparent enough about the design, management, and governance of digital platforms and services that affect human rights. If people lack the information necessary to understand how state and non-state actors exert power through digital platforms and services, it is impossible not only to protect human rights—but to sustain open and democratic societies. Transparency is essential in order for people to even know when users’ freedom of expression or privacy rights are violated either directly by—or indirectly through—companies’ platforms and services, let alone identify who should be held responsible. There are four areas of particularly urgent concern:

  • Governance: Too few companies make users’ expression and privacy rights a central priority for corporate oversight and risk assessment. Companies do not have adequate processes and mechanisms in place to identify and mitigate the full range of expression and privacy risks to users that may be caused not only by government censorship or surveillance, and by malicious non-state actors, but also by practices related to their own business models.

  • Security: Most companies withhold basic information about measures they take to keep users’ data secure, leaving people in the dark about risks they face when using a particular platform or service. At the same time, security failures by companies have serious economic, financial, political, and human rights consequences for people around the world.

  • Privacy: Companies don’t disclose enough about how users’ information is handled, including what is collected and shared, with whom, and under what circumstances. This includes how user information is shared for targeted advertising. Such opacity makes it easier for digital platforms and services to be abused and manipulated by a range of state and non-state actors, including those seeking to attack institutions, communities, and individuals.

  • Expression: Companies do not adequately inform the public about how content and information flows are policed and shaped through their platforms and services. In light of revelations that the world’s most powerful social media platforms have been used to spread disinformation and manipulate political outcomes in a range of countries, companies’ efforts to police and manage content lack accountability without greater transparency.

The 2018 Index evaluated companies on 35 indicators examining disclosed commitments and policies affecting freedom of expression and privacy, including corporate governance and accountability mechanisms.

Company highlights

  • For the second year in a row, Google and Microsoft remain the only companies in the entire Index to score more than 60 percent overall. However both made relatively few changes in the past year. Their leading positions are due to the fact that they disclosed more information about more policies than other companies in the Index. Neither company led the pack on every indicator and each had areas of poor performance compared to other internet and mobile ecosystem companies in the Index.

  • Vodafone shot ahead of AT&T and is the only telecommunications company in the Index to score more than 50 percent. Vodafone made meaningful improvements to disclosure about governance and due diligence processes, disclosed more information about how it responds to network shutdown demands, and was the only company in the Index to clearly inform users and the public about how it handles data breaches.

  • Facebook performed poorly on questions about handling user data. The company ranked fourth in the Index overall, raising its score by strengthening transparency reporting about lawful requests it receives to restrict content or hand over user data, and improving its explanation about how it enforces terms of service. However, Facebook disclosed less about how it handles user information than six other internet and mobile ecosystem companies. Most notably, Facebook disclosed less information about options for users to control what is collected about them, and how it is used, than any other company in the Index, including Chinese and Russian companies.

  • Apple saw the greatest score increase, gaining eight percentage points. Much of this improvement was due to improved transparency reporting, plus new direct disclosure to users on its own website of information that it had previously only disclosed to experts and other third parties.

  • Chinese internet companies Baidu and Tencent made meaningful improvements on disclosure of handling of user information and terms of service enforcement. While China’s legal environment handicaps Chinese companies in the Index, these results nonetheless show that Chinese companies can—and do—compete with one another to improve transparency in areas that are not directly related to compliance with government censorship and surveillance requirements.

Recommendations

If the internet is to be designed, operated, and governed in a way that protects and respects human rights, we must all play our part. Companies, governments, investors, civil society organizations, and individuals—as employees of companies, as citizens of nations, as consumers of products, and as users of a globally interconnected internet—must all take responsibility and act.

Corporate transparency and accountability is incomplete without transparent and accountable governments that fulfill their duty to protect human rights. Meanwhile, companies should be held responsible for all the ways that their products, services, and business operations affect users’ rights, over which they have any influence or control.[3] All companies evaluated in the Index can make many changes immediately, even in the absence of legal and policy reform. Detailed recommendations are listed throughout the Index report and in the individual company report cards. They fall under seven broad categories:

  1. Strengthen corporate governance. Companies should not only articulate clear commitments to respect users’ freedom of expression and privacy, but also disclose concrete evidence that they have institutionalized these commitments through board and executive oversight, company-wide training, internal reporting, and whistleblowing programs.

  2. Get serious about risk assessment. Companies should implement comprehensive due diligence processes to ensure they can anticipate and mitigate any negative impact that their products, services, and business operations may have on users’ rights.

  3. Provide meaningful grievance and remedy mechanisms. Companies should have channels for users and other affected parties to file grievances if their rights have been violated as a result of company actions. Companies should also have clearly disclosed processes for responding to complaints and providing appropriate redress.

  4. Be transparent and accountable. Companies should publish regular information and data on their official websites that helps users and other stakeholders understand the circumstances under which personal information is accessed by third parties, speech is censored or restricted, and access to a service is blocked or restricted.

  5. Strengthen privacy. Companies should clearly inform users about what happens to their information, minimize collection and use of data to what is necessary for provision and service, and provide users with maximum control over what information they provide and with whom it is shared.

  6. Strengthen security. Companies should disclose credible evidence of their efforts to secure users’ information. Specifically, they should show that they maintain industry standards of strong encryption and security, conduct security audits, monitor employee access to information, and have an established process for handling data breaches.

  7. Innovate for human rights. Collaborate with government and civil society. Invest in the development of new technologies and business models that strengthen human rights, and maximize individual control and ownership over personal data and content.

Footnotes

[1] Figures as of March 8, 2018. Bloomberg Markets,https://www.bloomberg.com/markets.

[2] Figures as of December 31, 2017. “World Internet Users Statistics and 2018 World Population Stats,” Internet World Stats, accessed March 19, 2018,https://www.internetworldstats.com/stats.htm.

[3] “Guiding Principles on Business and Human Rights” (United Nations, 2011),http://www.ohchr.org/Documents/Publications/GuidingPrinciplesBusinessHR_EN.pdf.