Internet and mobile ecosystem companies

Facebook, Inc.

Domicile: United States
Website: www.facebook.com 

Rank: 4

Key findings

  • Facebook lacked clarity about its handling of user information and about what it does to keep user data secure—including policies limiting employee access to user data and for handling data breaches.
  • Facebook improved disclosure of how it enforces its own rules, but it disclosed less than in previous years about how it responds to government requests to remove content or deactivate accounts.
  • While Facebook failed to disclose enough about its policies and practices affecting users’ freedom of expression and privacy, its relatively high place in the ranking was due, in part, to greater transparency about policies related to government demands.

Services evaluated

Analysis

Facebook ranked fourth out of the 12 internet and mobile ecosystem companies evaluated,[1] disclosing less about policies and practices affecting freedom of expression and privacy than Microsoft, Verizon Media,[2] and Google.[3] While it introduced a raft of policy changes over the last year in response to scrutiny by the public and lawmakers over its unclear content moderation policies[4] and its mishandling of user data, these changes still fell short in key areas.[5] Although Facebook improved its disclosure of actions it took to police content as a result of violations of its own rules, it disclosed less than in previous years about how it responds to third-party requests to remove content or deactivate accounts. While it made numerous revisions to its privacy policy that clarified different aspects of how it handles user data, these steps still fell vastly short of giving users a clear picture of its data collection and sharing policies—or clear options to control what is being collected and shared. Facebook also lacked clarity about what it does to keep user data secure, including whether it monitors employee access to user data and its policies for handling data breaches. As in previous years, Facebook’s grievance and remedy mechanisms remained among the weakest of any company in the RDR Index.


Facebook, Inc. operates social networking platforms for users globally.

Market cap: USD 510.5 billion[6]
NasdaqGS: FB

  • Clarify handling of user information: Facebook should disclose more about its handling of user information and its policies to keep user information secure.
  • Improve human rights due diligence: Facebook should demonstrate it carries out human rights risk assessments on existing products and services, as well as on its terms of service enforcement, its use of automated decision-making, and its targeted advertising policies and practices.
  • Improve appeals mechanisms: Facebook should improve its grievance and remedy mechanisms for users whose freedom of expression and privacy are violated by the company’s policies and practices.

Governance

A member of the Global Network Initiative (GNI), Facebook received the third-best governance score among the 12 internet and mobile ecosystem companies evaluated, behind Microsoft and Verizon Media. While it published a clear commitment to respect and protect human rights to freedom of expression and privacy (G1), it disclosed little about its due diligence efforts aimed at ensuring that its business operations and practices actually protect these rights in practice (G4). For instance, it disclosed nothing about whether it conducts risk assessments around its targeted advertising policies and practices, or about its use of automated decision-making technologies (G4). Facebook also had one of the lowest scores of any company in the RDR Index for its appeals mechanisms—even after introducing improvements to its appeals process over the last year. In April 2018, Facebook (the social network) unveiled a new process for remedying wrongful takedowns, but it was not clear if the scope of this appeals mechanism includes any type of violation to its Community Guidelines.[7] Meanwhile, the company lacked a clear appeal mechanism for users to seek remedy when they feel that Facebook has violated their privacy.

No score changes

Freedom of Expression

Despite notable improvements, Facebook failed to disclose enough about its policies affecting freedom of expression, and scored below most of its U.S. peers in this category. It provided relatively clear information about its rules and what types of activity and content are prohibited on its services (F3): it received one of the top scores on this indicator, after Microsoft. While Facebook published its first-ever Community Standards Enforcement Report in May 2018[8]—making it one of just four companies in the RDR Index to disclose data about the nature and volume of content it removed, or accounts it restricted for rules violations (F4)—this data applied just to Facebook (the social network) and not to Instagram, WhatsApp, or Messenger.

Facebook also disclosed significantly less than in previous years about its process for handling and complying with government requests to restrict content or accounts (F5-F7). Whereas its previous transparency reports specified that data about compliance with government requests applied to all services, Facebook’s latest transparency report (January - June 2018) failed to state if the data included information about WhatsApp or Messenger (F5, F6). The company’s overall score in the freedom of expression category declined this year as a result.

F1, F2. Access and changes to terms of service

Instagram made its terms of service available in Spanish and clarified its policy for directly notifying users of changes.

F3, F4. Terms of service enforcement

Facebook disclosed more about its processes for enforcing its rules, and published more data about actions it took to enforce these terms.

F5, F6. Requests for content or account restriction

Facebook did not include WhatsApp and Messenger in its transparency report, and disclosed less than previously about its process for responding to private requests for Instagram. It also published less data about government requests to restrict content or accounts.

F8. User notification about content and account restriction


Facebook improved its disclosure of policies for notifying users who attempt to access content that has been restricted.

Privacy

Facebook disclosed less about its privacy policies and practices than most of its U.S. peers, including Microsoft, Apple, Google, and Verizon Media. While it made numerous revisions to its privacy policies that clarified different aspects of how it handles user data, those revisions fell short of giving users a clear picture of its data collection and sharing policies—or of options for users to control what is being collected and shared. It remained among the least transparent of any internet and mobile ecosystem company about options users have to control how their data is used, including for the purposes of targeted advertising (P7). Facebook was also less transparent than Google, Apple, Microsoft, and Verizon Media about its policies for keeping user data secure (P13-P18): it revealed little about its policies for limiting employee access to user data (P13), and disclosed nothing about its policies for handling data breaches (P15).

In contrast, Facebook’s clarifications about ways users can obtain their data (P8) earned it the top score on that indicator. Of the internet and mobile ecosystem companies evaluated, it was among the most transparent about its handling of government and other types of third-party requests for user information (P10-P12), and was one of the few companies to commit to notifying users of government requests for their data (P12). Like other U.S. companies, Facebook did not divulge the exact number of requests received for user data under the Foreign Intelligence Surveillance Act (FISA) or National Security Letters (NSLs), or the actions it took in response to these requests, since it is prohibited by law from doing so.[9] Facebook provided end-to-end encryption by default for WhatsApp, and gave Messenger users the option to enable end-to-end encryption, although it is not on by default. In contrast, it failed to disclose any information about its encryption practices for Instagram (P16).

P1. Access to privacy policies

Instagram made its privacy policy available in Spanish.

P5, P6, P7, P8. Handling of user information

Facebook clarified its policy of combining user information across some of its different services, and disclosed more about its data retention policies. It also clarified options for users to control and obtain their information.

P9. Collection of user information from third parties

Facebook improved its disclosure of how and for what purposes it tracks users across the internet.

P12. User notification about third-party requests for user information

WhatsApp disclosed a commitment to notify users of requests for their user information when possible.

Footnotes

[1] The research period for the 2019 Index ran from January 13, 2018 to February 8, 2019. Policies that came into effect after February 8, 2019 were not evaluated in this Index.

[2] Oath, which provides a range of communications services including Yahoo Mail and Tumblr, updated its name to Verizon Media on January 7, 2019.

[3] For Facebook’s performance in the 2018 Index, see: rankingdigitalrights.org/index2018/companies/facebook 

[4] Julia Carrie Wong and Olivia Solon, “Facebook releases content moderation guidelines – rules long kept secret,” Guardian, April 24, 2018. www.theguardian.com/technology/2018/apr/24/facebook-releases-content-moderation-guidelines-secret-rules 

[5] Kieran Corcoran, “Facebook is overhauling its privacy settings in response to the Cambridge Analytica scandal,” Business Insider, March 28, 2018, www.businessinsider.com/facebook-overhauls-privacy-settings-after-cambridge-analytica-scandal-2018-3 

[6] Bloomberg Markets, Accessed April 18, 2019, www.bloomberg.com/quote/FB:US 

[7] “Publishing Our Internal Enforcement Guidelines and Expanding Our Appeals Process,” Facebook, April 24, 2018, newsroom.fb.com/news/2018/04/comprehensive-community-standards 

[8] “Community Standards Enforcement Report,” Facebook, transparency.facebook.com/community-standards-enforcement  

[9] “USA FREEDOM Act of 2015,” Pub. L. No. 114–23 (2015), www.congress.gov/bill/114th-congress/house-bill/2048