Digital platforms

Microsoft Corp.

Rank: 3rd
Score: 50%

Headquartered in the United States, Microsoft is a multinational company offering software, hardware, cloud storage, search, email, messaging, and video chat applications.

Microsoft placed third among digital platforms and made few substantive changes to key policies we evaluated in 2020. In 2019, Microsoft became the third U.S. company in history to reach a market capitalization of $1 trillion, and it retained multiple corporate and government contracts in the U.S. Microsoft lost a bid to purchase TikTok’s U.S. operations after former president Donald Trump threatened to ban the video-sharing company’s U.S. business on national security grounds. In the 2020 RDR Index, despite its strong overall performance compared to many of its peers and improvements to its security policies, Microsoft underperformed in several areas, providing limited information about how it develops and uses algorithms and unclear data on the actions it takes to enforce its own content policies as well as third-party censorship demands.

Key takeaways

  • Microsoft published a commitment to protect freedom of expression and privacy, but did not make an explicit commitment to protect human rights in its use and development of algorithmic systems.
  • Microsoft was one of only four companies to disclose data about the actions it takes to enforce its ad content and targeting rules, but it provided only a snapshot of this information.
  • Microsoft improved its security policies by strengthening its security oversight and pledging to refrain from taking legal action against individuals who report security vulnerabilities.

Key recommendations

  • Improve governance and oversight of algorithms. Microsoft should adopt a human rights framework for developing and using algorithms and publish more information about the scope of its human rights impact assessment on these technologies.
  • Improve transparency on content removals and account suspensions. Microsoft should improve its transparency reports by explaining how it enforces its own policies and how it fulfills third-party demands to remove content and accounts.
  • Give users more control. Microsoft should publish more information about users’ options to access and control how their data is collected and used.

Services evaluated:

The 2020 RDR Index covers policies that were active between February 8, 2019, and September 15, 2020. Policies that came into effect after September 15, 2020 were not evaluated for this Index.

Scores reflect the average score across the services we evaluated, with each service weighted equally.

  • Lead researchers: Jan Rydzak, Veszna Wessenauer

Changes since 2019

  • In its Human Rights Annual Report, Microsoft improved its reporting on the number of complaints related to privacy that it received through the company’s Privacy Dashboard.
  • Microsoft made key improvements to its security policies. It disclosed through its Cyber Defense Operations Center that it commissions third-party security audits on its products and services. It also pledged that it would not pursue legal action against individuals who report security vulnerabilities.
  • Microsoft stopped providing a Spanish-language version of its Privacy Statement on the website for its home market, the U.S., where Spanish is spoken by an estimated 41 million people.

Gained 1.05 points on comparable indicators since the 2019 RDR Index.

Governance: 65%
Freedom of expression: 40%
Privacy: 51%

We rank companies on their governance, and on their policies and practices affecting freedom of expression and privacy.

Governance 65%

Microsoft earned the top spot among digital platforms we evaluated in the governance category, for its strong human rights commitments, oversight, training, and whistleblower programs. But it performed worse on human rights due diligence and access to remedy.

  • Commitment to human rights: Microsoft made explicit human rights commitments to respect and protect freedom of expression and privacy. But it fell short of articulating clear human rights-based principles for algorithms, instead adopting an ethics-based set of AI principles. It also articulated its commitment to human rights through strong management oversight (G2) and training and whistleblower programs (G3).
  • Human rights due diligence: Microsoft had a strong human rights due diligence process for government regulations in the jurisdictions where it operates (G4a). But it was unclear whether it conducted such assessments on its policy enforcement (G4b) and targeted advertising practices (G4c). Although Microsoft’s Human Rights Report described a multi-year HRIA on artificial intelligence, it did not specify the rights covered by this assessment or whether it encompassed both the development and use of algorithmic systems (G4d).
  • Stakeholder engagement: Microsoft is a member of the Global Network Initiative, a multi-stakeholder organization. However, GNI focuses primarily on government demands and does not include a wider set of human rights issues that internet users face (G5).
  • Remedy: Microsoft’s transparency on its grievance and remedy mechanisms was lacking, particularly on access to remedy for freedom of expression and information grievances (G6a). Yet the company’s Human Rights Report did include information on privacy-related inquiries submitted through its Privacy Dashboard. Microsoft also provided a form for users wishing to appeal content and account takedowns on Skype, but the form offered little information about how the appeals process actually works (G6b).

Freedom of expression 40%

Microsoft had the third-best score in this category, behind Twitter and Google. While its terms of service and advertising policies were easy to find and understand, Microsoft revealed little proof of actually enforcing these policies. It also lacked consistent reporting on government and other types of third-party censorship demands.

  • Content moderation: Microsoft’s Services Agreement was easy for users to locate (F1a), though changes to this policy were not communicated clearly enough (F2a). Although Microsoft published policies addressing what content or activities are prohibited, it revealed only fragmented information about how human reviewers and automated systems identify rules violations (F3a). The company did not report explicit data about content removed or accounts suspended for policy violations (F4a, F4b).
  • Algorithmic use and content curation: Microsoft described how it uses artificial intelligence on Bing, but no similar policies were available for other services we evaluated (F1d). It also published information about the variables that influence the algorithmic curation and ranking of search results on Bing, but did not clearly state how users can control these variables (F12).
  • Advertising content and targeting: Microsoft publishes a set of advertising policies that provide information on both content and targeting, but they were not easily accessible from the company’s home page (F1b, F1c). While it published some information on its process for enforcing these rules, it did not clearly describe how the company identifies violations (F3b, F3c). Still, Microsoft was one of only four companies in the RDR Index to provide some data about enforcement of its ad policies, though this data was only a year-in-review snapshot and available only for Bing (F4c).
  • Censorship demands: Microsoft reported less comprehensive information about how it handles government censorship demands than any of its U.S. peers except Amazon and Facebook. Its Content Removal Requests Report offered adequate information on its process for responding to government demands and some information on how it handles private requests, but it did not cover Skype (F5a, F5b). Its data on these demands aggregated both the subjects they were based on and the authorities that submitted them and did not always break them down by country (F6, F7).

Privacy 51%

Microsoft placed third in the privacy category, behind Apple and Verizon Media, and it was the second-best performing company on our security indicators. But its policies on safeguarding user information, data breaches, and private requests for user information were lacking.

  • Handling of user data: Microsoft’s Privacy Statement was easy to find and understand, but the company did not provide a Spanish-language version for its U.S. market (P1a) and did not explain how it notifies users about changes (P2a). Microsoft did not publish a policy explaining how it develops and trains its algorithms (P1b). Microsoft’s policies on handling user information were also uneven. It did not provide users with clear options to control (P7) and access the information that the company holds on them (P8).
  • Government and private demands for user data: Microsoft described its process for responding to government demands for user information in its Law Enforcement Requests Report and the report’s FAQ page (P10a). It also released a National Security Orders Report. Like other U.S. companies, it did not divulge the exact number of requests received for user data under the Foreign Intelligence Surveillance Act or National Security Letters, or the actions it took in response to these requests, since it is prohibited by law from doing so (P11a). Microsoft revealed little about its processes for responding to private requests and published no data about its compliance with these requests (P10b, P11b).
  • Security: Microsoft’s security policies were the second-strongest of any digital platform, behind only Apple’s. The company improved its security oversight policies (P13) and clarified that it would not pursue legal action against individuals who report security vulnerabilities (P14). Although Microsoft provided some information about its process for responding to data breaches affecting Outlook and OneDrive, it offered none for Bing and Skype (P15).