2019 RDR Index methodology

The 2019 RDR Index measures company disclosure of policies and practices affecting users’ freedom of expression and privacy. The Index methodology applies 35 indicators in three main categories: Governance, Freedom of Expression, and Privacy. Each category contains indicators measuring company disclosure for that category. Each indicator is comprised of a series of elements that measure company disclosure for that indicator.9

RDR Index categories

  • Governance: This category contains six indicators measuring company disclosure of commitments to freedom of expression and privacy principles along with measures taken to implement those commitments across the company’s global operations.10
  • Freedom of Expression: This category contains 11 indicators measuring company disclosure of policies that affect users’ freedom of expression.11
  • Privacy: This category contains 18 indicators measuring company disclosure of policies and practices that affect users’ privacy rights.12

Company types

While each company we examined has attributes that make it unique, for the purpose of research and scoring, we divided the 24 companies into two categories.

Internet and mobile ecosystem companies: This category includes both internet companies and companies that produce software and devices that we call “mobile ecosystems.” These company types are evaluated together because Google is both an internet company and a mobile ecosystem company, and along with its iOS mobile ecosystem, Apple also offers services like iMessage and iCloud. In addition, the freedom of expression and privacy issues faced by mobile cloud data and operating systems overlap with the issues faced by traditional internet services. We do not evaluate hardware attributes of devices, focusing our assessment instead on their operating systems. Additional elements relevant only to mobile ecosystems were added to some indicators.

For each internet and mobile ecosystem company, we evaluated global group-level policies for relevant indicators, as well as the home-country policies applicable for up to five services, as follows:

  • Apple (U.S.): iOS mobile ecosystem, iMessage, iCloud
  • Baidu (China): Baidu Search, Baidu Cloud, Baidu PostBar
  • Facebook (U.S.): Facebook, Instagram, WhatsApp, Messenger
  • Google (U.S.): Google Search, Gmail, YouTube, Android mobile ecosystem, Google Drive
  • Kakao (South Korea): Daum Search, DaumMail, KakaoTalk
  • Mail.Ru (Russia): VKontakte, Mail.Ru email, Mail.Ru Agent, Mail.Ru Cloud
  • Microsoft (U.S.): Bing, Outlook.com, Skype, OneDrive
  • Samsung (South Korea): Samsung implementation of Android, Samsung Cloud
  • Tencent (China): QZone, QQ, WeChat, Tencent Cloud
  • Twitter (U.S.): Twitter, Periscope
  • Verizon Media (U.S.): Yahoo! Mail, Tumblr
  • Yandex (Russia): Yandex Mail, Yandex Search, Yandex Disk

Telecommunications companies: For these companies, we evaluated global group-level policies for relevant indicators plus the home-country operating subsidiary’s prepaid and postpaid mobile services, and fixed-line broadband service where offered, as follows:

  • América Móvil (Mexico): Telcel (pre- and postpaid mobile, broadband)
  • AT&T (U.S.): AT&T (pre- and postpaid mobile, broadband)
  • Axiata (Malaysia): Celcom (pre- and postpaid mobile, broadband)
  • Bharti Airtel (India): Airtel India (pre-and postpaid mobile, broadband)
  • Deutsche Telekom AG (Germany): Deutsche Telekom (pre- and postpaid mobile, broadband)
  • Etisalat (UAE): Etisalat UAE (pre- and postpaid mobile, broadband)
  • MTN (South Africa): MTN South Africa (pre- and postpaid mobile, broadband)
  • Ooredoo (Qatar): Ooredoo Qatar (pre- and postpaid mobile, broadband)
  • Orange (France): Orange France (pre- and postpaid mobile, broadband)
  • Telefónica (Spain): Movistar (pre- and postpaid mobile, broadband)
  • Telenor ASA (Norway): Telenor (pre- and postpaid mobile, broadband)
  • Vodafone (UK): Vodafone UK (pre- and postpaid mobile, broadband)

For more information and service level comparisons, see:
rankingdigitalrights.org/index2019/services

What the RDR Index evaluates

Commitment to freedom of expression and privacy: We expect companies to make an explicit statement affirming their commitment to freedom of expression and privacy as human rights (G1), and to demonstrate how these commitments are institutionalized within the company. Companies should disclose clear evidence of: senior-level oversight over freedom of expression and privacy (G2); employee training and whistleblower programs addressing these issues (G3); human rights due diligence and impact assessments to identify the risks the company’s products, services, and business operations might have on freedom of expression and privacy (G4); systematic and credible stakeholder engagement, ideally including membership in a multi-stakeholder organization committed to human rights principles, including freedom of expression and privacy (G5); a grievance and remedy mechanism enabling users to notify the company when their freedom of expression and privacy rights have been affected or violated in connection with the company’s business, plus evidence that the company provides appropriate responses or remedies (G6).

Accessibility of terms of service and privacy policies: We expect companies to provide terms of service agreements and privacy policies that are easy to find and understand, available in the primary languages of the company’s home market, and accessible to people who are not account holders or subscribers (F1, P1). We also expect companies to clearly disclose if and how they directly notify users of changes to these policies (F2, P2).

Terms of service enforcement: We expect companies to clearly disclose what types of content and activities are prohibited and their processes for enforcing these rules (F3). We also expect companies to publish data about the volume and nature of content and accounts they have removed or restricted for violations to their terms (F4), and to disclose if they notify users when they have removed content, restricted a user’s account, or otherwise restricted access to content or a service (F8).

Handling of user information: Companies should clearly disclose each type of user information they collect (P3), share (P4), for what purposes (P5), and for how long they retain it (P6). We also expect companies to give users control over their own information, which should include options for users to control how their information is used for advertising purposes, and turning off targeted advertising by default (P7). Companies should also allow users to obtain all of the information a company holds on them (P8) and should clearly disclose if and how they track people across the web using cookies, widgets, or other tracking tools embedded on third-party websites (P9).

Handling of government and private requests: We expect companies to clearly disclose their process for responding to government and private requests to restrict content and user accounts (F5) and to hand over user information (P11). We expect companies to produce data about the types of requests they receive and the number of these requests with which they comply (F6, F7, P11). Companies should notify users when their information has been requested (P12).

Identity policies: We expect companies to disclose whether they ask users to verify their identities using government-issued ID or other information tied to their offline identities (F11). The ability to communicate anonymously is important for the exercise and defense of human rights around the world. Requiring users to provide a company with identifying information presents human rights risks to those who, for example, voice opinions that do not align with a government’s views or who engage in activism that a government does not permit.

Network management and shutdowns: Telecommunications companies can shut down a network, or block or slow down access to specific services on it. We expect companies to clearly disclose if they engage in practices that affect the flow of content through their networks, such as by throttling or traffic shaping (F9). We also expect companies to clearly disclose their policies and practices for handling government network shutdown demands (F10). We expect companies to explain the circumstances under which they might take such action and to report on the requests they receive and with which they comply.

Security: We expect companies to clearly disclose internal measures they take to keep their products and services secure (P13), explain how they address security vulnerabilities when they are discovered (P14), and outline their policies for responding to data breaches (P15). We also expect companies to disclose that they encrypt user communications and private content (P16), that they enable features to help users keep their accounts secure (P17), and to publish materials educating users about how they can protect themselves from cybersecurity risks (P18).

Evaluation and scoring

Research for the 2019 RDR Index was based on company policies that were active between January 13, 2018 and February 8, 2019. New information published by companies after that date was not evaluated.

2018 RDR Index score adjustments: Some company scores from 2018 were adjusted for comparison with their 2019 evaluation. Scores were adjusted at the element level, in accordance with clarified evaluation standards that were applied in the 2018 RDR Index, or to include information not located during the 2018 RDR Index cycle, or as a result of a re-assessment of the company’s disclosure. These adjustments did not produce changes to any company position in the 2018 rankings or to any of the key findings highlighted in the 2018 RDR Index. Each score adjustment, including a detailed explanation of the reason for each change, is recorded in each company’s final dataset, which is publicly available for download at: rankingdigitalrights.org/index2019/download.

Scoring: The RDR Index evaluates company disclosure at the overarching “parent” or “group” level as well as those of selected services and or local operating companies (depending on company structure). The evaluation includes an assessment of disclosure for every element of each indicator, based on one of the following possible answers: “full disclosure,” “partial,” “no disclosure found,” “no,” or “N/A.”

Companies receive a cumulative score of their performance across all RDR Index categories, and results show how companies performed by each category and indicator. Scores for the Freedom of Expression and Privacy categories are calculated by averaging scores for each service. Scores for the Governance category indicators include parent- and operating-level performance (depending on company type).

Points

  • Full disclosure = 100
  • Partial = 50
  • No disclosure found = 0
  • No = 0
  • N/A = excluded from the score and averages

For more information on scoring, see the Appendix: rankingdigitalrights.org/index2019/report/appendix

Footnotes

[9] For the full set of indicators, definitions, and research guidance please visit: “2019 Indicators,” Ranking Digital Rights, rankingdigitalrights.org/2019-indicators

[10] “2019 Indicators: Governance,” Ranking Digital Rights, rankingdigitalrights.org/2019-indicators/#G

[11] “2019 Indicators: Freedom of Expression,” Ranking Digital Rights, rankingdigitalrights.org/2019-indicators/#F

[12] “2019 Indicators: Privacy,” Ranking Digital Rights, rankingdigitalrights.org/2019-indicators/#P