The 2018 Index measures company disclosure of policies and practices affecting users’ freedom of expression and privacy. The Index methodology applies 35 indicators in three main categories: Governance, Freedom of Expression, and Privacy. Each category contains indicators measuring company disclosure for that category; each indicator is comprised of a series of elements that measure company disclosure for that indicator.[9]
While every company we examined has attributes that make it unique, for the purpose of research and scoring, we divided the 22 companies into two groups.
Internet and mobile ecosystems: This category includes both internet companies and companies that produce software and devices that we call “mobile ecosystems.” These company types are evaluated together because Google is both an internet company and a mobile ecosystem company, and along with its iOS mobile ecosystem, Apple also offers services like iMessage and iCloud. In addition, the freedom of expression and privacy issues faced by mobile cloud data and operating systems overlap with the issues faced by traditional internet services. We do not evaluate hardware attributes of devices, focusing our assessment instead on their operating systems. Additional elements relevant only to mobile ecosystems were added to some indicators.
For each internet and mobile ecosystem company we examined up to four services, as follows:
Telecommunications companies: For these companies, we evaluated global group- level policies for relevant indicators, plus the home-country operating subsidiary’s pre-paid and post-paid mobile services, and fixed-line broadband service, where offered, as follows:
Corporate-level commitment to freedom of expression and privacy: We expect companies to make an explicit statement affirming their commitment to freedom of expression and privacy as human rights (G1), and to demonstrate how these commitments are institutionalized within the company. Companies should disclose clear evidence of: senior-level oversight over freedom of expression and privacy (G2), and employee training and whistleblower programs addressing these issues (G3); human rights due diligence and impact assessments to identify the impacts of the company’s products, services, and business operations on freedom of expression and privacy (G4); systematic and credible stakeholder engagement, ideally including membership in a multi-stakeholder organization committed to human rights principles, including freedom of expression and privacy (G5); a grievance and remedy mechanism enabling users to notify the company when their freedom of expression and privacy rights have been affected or violated in connection with the company’s business, plus evidence that the company provides appropriate responses or remedies (G6).
Terms of service and privacy policies: We expect companies to provide terms of service agreements and privacy policies that are easy to find and understand, available in the primary languages of the company’s home market, and accessible to people who are not account holders or subscribers (F1, P1). We also expect companies to clearly disclose whether and how they directly notify users of changes to these policies (F2, P2).
Terms of service enforcement: We expect companies to clearly disclose what types of content and activities are prohibited, and their processes for enforcing these rules (F3). We also expect companies to publish data about the volume and nature of content and accounts they have removed or restricted for violations to their terms (F4), and to disclose if they notify users when they have removed content, restricted a user’s account, or otherwise restricted access to content or a service (F8).
Handling user information: We expect companies to disclose what information they collect (P3), what information they share and the types and names of the third parties with whom they share it (P4), the purpose for collecting and sharing user information (P5), and for how long this information is retained (P6). Companies should also provide clear options for users to control what information is collected and shared, including for the purposes of targeted advertising (P7), and should clearly disclose if and how they track people across the web using cookies, widgets, or other tracking tools embedded on third-party websites (P9). We also expect companies to clearly disclose how users can obtain all public-facing and internal data they hold, including metadata (P8).
Handling of government and private requests: We expect companies to clearly disclose their process for responding to government and private requests to restrict content and user accounts (F5) and to hand over user information (P10). We expect companies to produce data about the types of requests they receive and the number of these requests with which they comply (F6, F7, P11). Companies should notify users when their information has been requested and disclose if laws or regulations prevent them from doing so (P12).
Identity policies: We expect companies to disclose whether they ask users to verify their identities using government-issued ID or other information tied to their offline identities (F11). The ability to communicate anonymously is important for the exercise and defense of human rights around the world. Requiring users to provide a company with identifying information presents human rights risks to those who, for example, voice opinions that do not align with a government’s views or who engage in activism that a government does not permit.
Network management and shutdowns: Telecommunications companies can shut down a network, or block or slow down access to specific services on it. We expect companies to clearly disclose if they engage in practices that affect the flow of content through their networks, such as throttling or traffic shaping (F9). We also expect companies to clearly disclose their policies and practices for handling government network shutdown demands (F10). We expect companies to explain the circumstances under which they might take such action and to report on the requests they receive and with which they comply.
Security: We expect companies to clearly disclose internal measures they take to keep their products and services secure (P13), explain how they address security vulnerabilities when they are discovered (P14), and outline their policies for responding to data breaches (P15). We also expect companies to disclose that they encrypt user communications and private content (P16), that they enable features to help users keep their accounts secure (P17), and to publish materials educating users about how they can protect themselves from cybersecurity risks (P18).
Research for the 2018 Index ran from January 13, 2017 to January 12, 2018. New information published by companies after January 12, 2018 was not evaluated for this Index.
2017 Index score adjustments: Some company scores from 2017 were adjusted for comparison with the 2018 evaluation. Scores were adjusted at the element level, in accordance with clarified evaluation standards that were applied in the 2018 Index, or to include information not located during the 2017 Index cycle, or as a result of a re-assessment of the company’s disclosure. These adjustments did not produce changes to any company position in the 2017 rankings or to any of the key findings highlighted in the 2017 Index. Each score adjustment, including a detailed explanation of the reason for each change, is recorded in each company’s final dataset, which is publicly available for download at: https://rankingdigitalrights.org/index2018/download/.
Scoring: The Index evaluates company disclosure at the overarching “parent,” or “group,” level as well as those of selected services and/or local operating companies (depending on company structure). The evaluation includes an assessment of disclosure for every element of each indicator, based on one of the following possible answers: “full disclosure,” “partial,” “no disclosure found,” “no,” or “N/A”.
Companies receive a cumulative score of their performance across all Index categories, and results show how companies performed in each category and indicator. Scores for the Freedom of Expression and Privacy categories are calculated by averaging scores for each service. Scores for the Governance category indicators include parent- and operating-level performance (depending on company type).
Points
(For more information on company selection, and evaluation and scoring, see the Appendix, in Chapter 11 of this report).
[9] For the full set of indicators, definitions, and research guidance please visit: “2018 Indicators,” Ranking Digital Rights,https://rankingdigitalrights.org/2018-indicators/.
[10] “2018 Indicators: Governance,” Ranking Digital Rights, https://rankingdigitalrights.org/2018-indicators/#G.
[11] “2018 Indicators: Freedom of Expression,” Ranking Digital Rights, https://rankingdigitalrights.org/2018-indicators/#F.
[12] “2018 Indicators: Privacy,” Ranking Digital Rights, https://rankingdigitalrights.org/2018-indicators/#P.