Telecommunications companies

AT&T Inc.

Rank: 3rd
Score: 37%

Headquartered in the United States, AT&T offers voice, data, and pay TV services to more than 400 million users in the U.S. and Mexico.

AT&T tied with Telenor for third place among telecommunications companies, and it made few substantive improvements in 2020. AT&T faced scrutiny from the U.S. Federal Communications Commission in 2020 for failing to protect subscribers’ real-time location data. The company also announced in mid-2020 that it was considering offering customers reduced plan rates if they agreed to receive targeted ads. U.S. senators criticized AT&T for zero rating its own streaming service, a move that went against the company’s own commitment to net neutrality. AT&T also failed to assess the human rights impacts of its zero rating practices, which contributed to its poor performance in our governance category.

Key Takeaways

  • AT&T disclosed weak governance and oversight over human rights issues. It made a clear commitment to human rights, but failed to implement these principles with adequate due diligence or stakeholder engagement.
  • AT&T was not fully transparent about government and private demands for user information, and it provided very little information about third-party demands for content blocking and account restriction.
  • AT&T committed to not prioritize certain types of network traffic over others, but at the same time it offered a zero-rating program, a form of network discrimination which undermines net neutrality in practice. AT&T disclosed nothing about its human rights due diligence efforts that would enable the company to anticipate and mitigate harms associated with zero-rating programs.

Key recommendations

  • Improve human rights due diligence. AT&T should more systematically address the impacts of its own policy enforcement, targeted advertising practices, algorithmic use and development, and zero-rating partnerships through robust human rights impact assessments.
  • Uphold net neutrality in practice. AT&T should affirm its commitment to upholding net neutrality principles by refraining from engaging in prioritization of traffic, including offering zero rating programs.
  • Clarify handling of user information. AT&T should clarify what types of user information it collects, infers, and retains, and for what purposes.

Services evaluated:

The 2020 RDR Index covers policies that were active between February 8, 2019, and September 15, 2020. Policies that came into effect after September 15, 2020 were not evaluated for this Index.

Scores reflect the average score across the services we evaluated, with each service weighted equally.

  • Lead researchers: Zak Rogoff, Veszna Wessenauer

Changes since 2019

  • AT&T’s policy describing its process for handling government censorship was outdated.[1]
  • In line with our recommendation in the 2019 RDR Index, AT&T improved its disclosures about its policies on data breaches. However, it still failed to clearly commit to notify users affected by a breach.
  • AT&T revised its policy on what types of data it collects from users, replacing it with a more vague and open-ended list.
-0.19 points

Lost -0.19 points on comparable indicators since the 2019 RDR Index.

Governance57%
Freedom of expression23%
Privacy38%

We rank companies on their governance, and on their policies and practices affecting freedom of expression and privacy.

Governance 57%

AT&T scored poorly in the governance category, particularly next to its European peers. The company showed only scant evidence of conducting human rights due diligence, little evidence of stakeholder engagement, and weak remedy mechanisms.

  • Commitment to human rights: AT&T published a human rights policy that explicitly commits to protect users’ fundamentalfreedom of expression and privacy rights. However, it did not explicitly commit to abide by human rights in its development and use of algorithmic systems (G1).
  • Human rights due diligence: AT&T disclosed scant detail about its human rights due diligence. It conducted risk assessments on some aspects of the regulatory environments of the markets in which it operates. AT&T indicated that it carries out assessments of privacy risks associated with its use and development of artificial intelligence, but did not make a similar statement on freedom of expression or discrimination risks (G4d). The company did not provide evidence of conducting assessments of privacy, expression, or discrimation risks associated with its zero-rating programs or targeted advertising (G4e, G4c).
  • Stakeholder engagement: While AT&T is not a member of a multistakeholder organization that systematically addresses its impact on users’ freedom of expression and privacy, it does engage with various NGOs and stakeholders on digital rights issues (G5).
  • Remedy: AT&T failed to provide users with clear, predictable remedy mechanisms for freedom of expression- or privacy-related grievances (G6a).

Freedom of expression 23%

AT&T disclosed less about policies affecting freedom of expression than Telenor, Vodafone and Telefónica.

  • Content blocking and account restrictions: The rules governing the use of AT&T’s services were mostly clear, but some were hard to find (F1a). Policies clearly explained what types of content and activities were prohibited on its services (F3a) but the company reported no data about the volume of content and accounts restricted to enforce those rules (F4a, F4b).
  • Advertising content and targeting: AT&T disclosed some of its rules governing targeted advertising (F3b, F3c). But it did not report any data disclosing ad content removed for violations of these rules (F4c).
  • Censorship demands: The company failed to disclose a policy that clearly states its processes for handling government and private demands for content blocking (F5). While AT&T was among only three telecommunications companies in the RDR Index to report any data about compliance with government demands (F6), it could be more transparent with users in this area. It also disclosed nothing about private requests to block content or deactivate accounts, such as reports of child sexual abuse material from the Internet Watch Foundation (F7).
  • Network management: The company’s network management policies and practices were unclear and contradictory. While AT&T made a commitment to net neutrality, it did not maintain this commitment in practice, due to its zero-rating programs (F9). It also disclosed almost nothing about its policies for handling government demands to shut down a network, although it did clarify that it would report the number of government requests to shut down its networks if it received such requests (F10).

Privacy 38%

AT&T placed fourth in privacy, after Deutsche Telekom, Telefonica, and Vodafone. The company stood out for strong disclosure of its process for responding to government demands for user information but lacked transparency on its data collection and retention policies.

  • Handling of user data: AT&T no longer provided a comprehensive list of the types data it collects (P3a) and while it acknowledged that it infers information about users, it failed to provide the types of information it infers (P3b) and did not provide users with options to control company attempts to infer their data (P7). AT&T stated that it collects information about its customers from outside sources, such as credit reports or public posts to social networking sites (P9). However, it did not say how and for what purpose it collects these types of details from third parties and for how long it retains them (P9).
  • Government and private demands for user data: AT&T clearly explained its process for responding to demands it received from governments (P10a), and it disclosed data on those that it received and complied with (P11a). Like other U.S. companies, it did not divulge the exact number of requests received for user data under the Foreign Intelligence Surveillance Act or National Security Letters, since it is prohibited by law from doing so. The company did not provide information about requests for user information that came through private processes.
  • Security: AT&T disclosed evidence of having strong security auditing and oversight (P13) and improved its disclosures about its policies on data breaches (P15). But the company did not commit to allowing external researchers to submit reports of security vulnerabilities without fear of legal repercussions (P14), which put it behind Vodafone and Deutsche Telekom on security indicators.

Footnotes

[1] We do not evaluate policies that were published more than three years before the research period of each RDR Index. The research period for the 2020 RDR Index was February 8, 2019 to September 15, 2020.