- Microsoft earned the top score among internet and mobile ecosystem companies in the 2019 Index for disclosing more about its commitments and policies affecting users’ human rights than all other ranked companies.
- It was the most transparent of all internet and mobile ecosystem companies about its privacy policies and practices, although it disclosed less than some of its peers about how it handles user data.
- It was less transparent than many of its peers about policies affecting freedom of expression, including how it handles third-party requests to remove content or restrict accounts, as well as its policies for notifying users of such restrictions.
Microsoft was the highest scoring internet and mobile ecosystem company in the 2019 Index, disclosing more information about policies and practices affecting users’ freedom of expression and privacy than its peers.1 It earned the top score in this year’s Index for its improved disclosure of privacy and security policies.2 It disclosed more information about options users have to access the information that the company holds about them, clarified its process for responding to data breaches, and disclosed options users have to use end-to-end encryption for some of its services. Despite its strong overall performance relative to its peers, Microsoft should be more transparent about its policies affecting users’ freedom of expression by clarifying its rules and how they are enforced. It could also improve its disclosure of its handling of user information.
Microsoft Corp. develops, licenses, and supports software products, services, and devices worldwide. Major offerings include Windows OS, Microsoft Office, Windows Phone software and devices, advertising services, server products, Skype, and OneDrive cloud services.
Market cap: USD 934.2 billion3
- Be more transparent about handling of user information: Microsoft should more clearly state what user information it collects, shares, retains, and why, and clarify options users have to control what is collected and shared, and how.
- Be transparent about restrictions to freedom of expression: Microsoft should clarify how it notifies users when it restricts access to content or accounts either due to government requests or as a result of enforcing its own rules.
- Improve remedy: Microsoft should be more accountable to users by providing a clear and accessible remedy mechanism for users to issue human rights grievances against the company.
Microsoft received the highest score in the Governance category among internet and mobile ecosystem companies, and the second-highest score of all 24 companies evaluated, after Telefónica. A member of the Global Network Initiative (GNI), Microsoft continued to disclose strong governance oversight over freedom of expression and privacy issues, including clear evidence that it conducts human rights due diligence to assess and mitigate the risks of its products and services (G4). It was one of the few companies in the 2019 Index to disclose it evaluates freedom of expression and privacy risks associated with how it enforces its terms of service and its use of automated decision making technologies. However, it failed to disclose if it evaluates risks of its use of targeted advertising on freedom of expression and privacy. Like all companies, Microsoft should do more to clarify its grievance and remedy mechanisms enabling users to submit complaints about infringements to their freedom of expression or privacy rights (G6).
No score changes
Freedom of Expression
Though it made some improvements, Microsoft's weakest performance in this year's Index was in the Freedom of Expression category, ranking fourth among its internet and mobile ecosystem company peers. Microsoft’s terms of service were easy to find and easy to understand (F1). It clarified its policy for notifying users of changes to its terms of service for the Bing search engine, but failed to disclose a notification time frame for any of its services (F2).
Microsoft disclosed less than Twitter, Google, and Kakao but more than all other internet and mobile ecosystem companies about its rules and how they are enforced (F3, F4, F8). Microsoft disclosed the most information about its process for enforcing its rules (F3), but failed to disclose clear policies for notifying users of content or account restrictions (F8). Microsoft was one of four companies to publish any data about its terms of service enforcement (F4), specifically on content removed from Bing and OneDrive for violating its policy on “non-consensual pornography.” However, it should disclose data on other types of content it removes for terms of service violations.
Microsoft provided less information than Google, Verizon Media, Kakao, and Twitter about how it responds to government and private requests to remove content or restrict accounts (F5-F7).4 It disclosed some information about the company’s process for responding to government and private requests to remove content (F5), and some data about the number of these requests received and with which it complied (F6, F7).
F2. Changes to terms of service
Microsoft improved its disclosure of how it notifies Bing users of changes to its terms of service.
Microsoft received the highest score in the Privacy category among internet and mobile ecosystem companies for strong disclosure of its handling of government requests for user information, and of its security policies. But Microsoft disclosed less than Twitter, Google, Verizon Media, Facebook, and Apple about how it handles user information (P3-P9)—despite making some improvements over the last year. It did not fully disclose how it collects user information (P3), what information it shares (P4), or why (P5). Like most companies, it provided even less information about its data retention policies (P6). It also disclosed some options allowing users to control what data is collected for targeted advertising—which suggests that targeted advertising is on by default (P7).
Microsoft disclosed more than its peers about its process for handling government and private requests for user information (P10), but lagged behind Apple, Twitter, Facebook, and Google on disclosure of data on the requests it received (P11). Like other U.S. companies, it did not divulge the exact number of requests received for user data under Foreign Intelligence Surveillance Act (FISA) requests or National Security Letters (NSLs), or the actions it took in response to these requests, since it is prohibited by law from doing so.5 Microsoft disclosed its policy for notifying users about government requests for user information, but not for requests it receives through private processes (P12).
After Apple, Microsoft disclosed the most about its security policies than any other internet and mobile ecosystem company evaluated (P13-P18). Microsoft disclosed it conducts internal security audits (P13), and offered a bug bounty program to address security vulnerabilities (P14). It improved disclosure of its data breach notification policies for Outlook (P15). It also improved its disclosure regarding the availability of end-to-end encryption for both Outlook and Skype (P16).
P8. Users’ access to their own user information
Microsoft disclosed options for users to obtain a copy of their user information.
P15. Data breaches
Microsoft improved disclosure about its process of notifying affected Outlook users in the event of a data breach.
P16. Encryption of user communication and private content (internet and mobile ecosystem companies)
Microsoft improved its disclosure regarding the availability of end-to-end encryption for both Outlook and Skype.
 For Microsoft’s performance in the 2018 Index, see: rankingdigitalrights.org/index2018/companies/microsoft
 Bloomberg Markets, Accessed April 18, 2019, www.bloomberg.com/quote/MSFT:US
 Oath, which provides a range of communications services including Yahoo Mail and Tumblr, updated its name to Verizon Media on January 7, 2019. See: www.oath.com/2019/01/07/oath-is-now-verizon-media/
 “USA FREEDOM Act of 2015,” Pub. L. No. 114–23 (2015), www.congress.gov/bill/114th-congress/house-bill/2048