Telecommunications company

AT&T Inc.

Domicile: United States
Website: www.att.com
Download company report: English 

3

Key findings

  • AT&T had weak governance and oversight over human rights issues and ranked third among telecommunications companies, disclosing less about policies affecting privacy and freedom of expression than Telefónica and Vodafone.
  • It had especially unclear disclosure of its network management policies, and offered zero-rating programs that undermine net neutrality.
  • AT&T had relatively strong disclosure of policies affecting privacy but still did not disclose enough about its handling of user information.
Services evaluated

Analysis

AT&T has consistently landed among the top-scoring telecommunications companies in the RDR Index, but dropped to third place in this year’s ranking, after Telefónica and Vodafone.1 AT&T is not a member of the Global Network Initiative (GNI)—the company did not join the multi-stakeholder organization in 2017 when many of its European telecommunications peers did—and has since lagged behind many GNI-member companies in key areas.2 It had weak governance and oversight over human rights issues as compared to GNI members. The company also fell short of disclosing policies affecting freedom of expression. Notably, AT&T’s network management policies and commitments were unclear: it committed to not prioritize certain types of network traffic over others, but also offered zero rating programs, a form of network discrimination which undermines net neutrality in practice.3 While it had relatively strong disclosure of policies affecting user privacy, it could be far more transparent about data collection, sharing, and retention policies and practices.



AT&T Inc. provides telecommunications services in the United States and in Mexico, offering data and voice services to approximately 170 million wireless subscribers.4

Market cap: USD 232.7 billion5
NYSE: T

  • Clarify handling of user information: AT&T should clarify what types of user information it collects, shares, and retains, and for what purposes.
  • Commit to net neutrality in practice: AT&T should affirm its commitment to upholding net neutrality principles by refraining from engaging in paid prioritization of traffic, including offering zero rating programs—a form of network discrimination that undermines net neutrality in practice.
  • Clearly communicate security practices: AT&T should clearly inform users about its policies for responding to data breaches.

Governance

AT&T disclosed less about its governance and oversight over human rights issues than Telefónica, Vodafone, Orange, and Telenor. It published a formal human rights policy that clearly articulates the company’s commitment to upholding users’ freedom of expression and privacy rights (G1), but disclosed almost nothing about its human rights due diligence efforts that would enable the company to anticipate and mitigate harms (G4). AT&T failed to disclose if it conducts risk assessments on existing products and services, its terms of service enforcement, or its use of automated decision-making and targeted advertising (G4). It also disclosed little evidence of stakeholder engagement on digital and human rights issues (G5). Like most companies in this Index, AT&T failed to disclose much information about its grievance and remedy mechanisms for users to lodge complaints when they feel their freedom of expression or privacy has been violated by the company (G6).

No score changes

Freedom of Expression

AT&T disclosed more about policies affecting freedom of expression than most other telecommunications companies evaluated, apart from Telefónica and Vodafone—but still lacked transparency in key areas. It disclosed little to no information about actions it took to block content or restrict user accounts, either as a result of breaches to the company’s own rules (F4) or from government or other types of third-party requests (F6, F7). While AT&T was among only three telecommunications companies in the RDR Index to report any data about compliance with government demands (F6), it could be more transparent with users in this area. It also disclosed nothing about private requests to block content or deactivate accounts (F7).

The company’s network management policies and practices were also unclear (F9). Following the repeal of the FCC’s Open Internet Order in late 2017, AT&T announced plans to move forward with paid prioritization for certain types of traffic—which directly undermines net neutrality—but also claimed it “was not interested in creating fast lanes and slow lanes.”6 In its public disclosure evaluated for the RDR Index, AT&T committed to not prioritize certain types of network traffic over others, but at the same time offered a zero rating program, a form of network discrimination which undermines net neutrality in practice (F9). The company also disclosed almost nothing about its policies for handling government demands to shut down a network, although it did clarify that it would report the number of government requests to shut down its networks if it received such requests (F10).

No score changes

Privacy

AT&T tied with Telefónica for the second-highest privacy score after Deutsche Telekom. The company revealed more than all of its peers about its handling of government requests for user information (P10, P11) but lacked disclosure of its handling of user information (P3-P8). It revealed more about what types of user information it collects (P3), than about what it shares with whom (P4) and why (P5)—and revealed almost nothing about its data retention policies (P6). Like all telecommunications companies, AT&T failed to indicate if it notifies users about government or other types of third-party requests for their information (P12). It also did not divulge the exact number of requests received for user data under the Foreign Intelligence Surveillance Act (FISA) or National Security Letters (NSLs), or the actions it took in response to these requests, since it is prohibited by law from doing so.7

AT&T was one of the few telecommunications companies to fully disclose its policies for securing user data (P13), and that it has a bug bounty program to help identify and remedy security vulnerabilities (P14). But the company lacked clarity about its policies for handling data breaches (P15).

No score changes

Footnotes

[1] For AT&T’s performance in the 2018 Index, see: rankingdigitalrights.org/index2018/companies/att 

[2] The research period for the 2019 Index ran from January 13, 2018 to February 8, 2019. Policies that came into effect after February 8, 2019 were not evaluated in this Index.

[3] Sponsored Data, AT&T, www.att.com/att/sponsoreddata/en/index.html 

[4] “3Q 2018 AT&T by the Numbers” (AT&T, 2018), www.att.com/Common/about_us/pdf/att_btn.pdf 

[5] Bloomberg Markets, Accessed April 18, 2019, www.bloomberg.com/quote/T:US 

[6] Bob Quinn, “Let’s Take Action and Enact a Federal Consumer Bill of Rights,” February 27, 2018, www.attpublicpolicy.com/consumer-broadband/lets-take-action-and-enact-a-federal-consumer-bill-of-rights/ 

[7] “USA FREEDOM Act of 2015,” Pub. L. No. 114–23 (2015), www.congress.gov/bill/114th-congress/house-bill/2048