Chinese tech giants can change: But the state is still their number one stakeholder
As soon as social media posts warning of a deadly virus emerged in Wuhan in December 2019, Chinese authorities got to work, requiring that digital platforms assist them in controlling, curating, and manipulating what people could know or say about the outbreak—and the government’s handling of it.
As the pandemic set in, just like everywhere else, people in China came to depend on digital platforms for nearly every aspect of daily life, from shopping and entertainment to school and political news. In China, tech companies like Baidu, Tencent, and Alibaba emerged from the pandemic more powerful than ever, at least commercially.
Politically, the Chinese government made sure tech CEOs would not forget who their real boss is. In October, authorities retaliated against Alibaba’s founder Jack Ma for publicly criticizing financial regulators and canceled the IPO of his financial services company, Ant Group. Regulators also threatened to break up Alibaba, targeting it and another Chinese tech giant, Tencent, with anti-trust probes.
Chinese companies also serve a vast national surveillance state, one that is especially pernicious for some vulnerable populations. Throughout 2020, the government leveraged Chinese tech companies’ cloud services, AI tools, and equipment for surveillance, detention, indoctrination, and control of millions of ethnic Uighurs and other Turkic Muslim people in Xinjiang.
China’s system of authoritarian internet control has inescapable consequences for Chinese companies in the RDR Index: Baidu and Tencent have always ranked at or near the bottom. In 2020, we evaluated e-commerce giant Alibaba for the first time, and it landed low in the overall ranking, right next to Baidu.
Yet at the same time, Chinese companies have taken meaningful steps over the past five years to protect consumer privacy and security from threats that are unrelated to Chinese government surveillance. They have also tried to be a bit more open with users about how content is moderated for reasons other than government censorship requirements. As a result, between 2018 and 2019 Tencent and Baidu were among the most improved companies in the RDR Index, albeit still hovering at or near the bottom of the ranking.
Their progress shows that Chinese companies can and do respond to pressure from foreign governments, investors, and even users. But the extent to which they can improve policies and practices affecting users’ human rights is severely handicapped by China’s legal and political system. The hard reality is that Chinese companies are powerless to protect users (whether they are in China or abroad) from digital rights violations by one of the most powerful—and unaccountable—governments in the world.
China’s information control regime compels digital platforms to censor and surveil speech and activities that pose a challenge to the government’s authority, among other violations of universal human rights. As long as that regime prevails, users of internet and mobile services in China will remain trapped in an information ecosystem that perpetuates and reinforces state power. There is no way to hold companies accountable for their role as tools of the state, because companies are only allowed to operate insofar as they comply with the government’s demands and further the objectives of the Chinese Communist Party (CCP).
Several indicators in the RDR Index evaluate company disclosures about government demands: requirements to restrict, delete, or block content, as well as authorities’ demands for users’ private information. Chinese digital platforms disclose no information to their users about how they assist the Chinese government (or any other) in restricting access to information, censoring some peoples’ speech and amplifying others. Thanks to research projects like WeChatSCOPE, hosted overseas, we know that such censorship is extensive on platforms like Tencent’s WeChat messaging app. Unfortunately, China’s Great Firewall system blocks a huge volume of foreign websites and services, leaving most people in China unable to access information about the nature of censorship in their own country.
Nor do companies disclose any information to users about how information about their online conversations and activities is shared with the government. When we looked at whether companies publish adequate data about government demands for users’ information, we found that several U.S. platforms, alongside Kakao, made meaningful (if not perfect) efforts to be transparent with users about the volume and nature of government demands for their information. None of the Chinese companies disclosed anything.
Some stakeholders have asked us whether it might be unfair to evaluate Chinese companies on the same standards that we use in other jurisdictions, given that these low scores reflect government systems and actions beyond the companies’ immediate control. We acknowledge jurisdiction in our analyses, but we evaluate all companies on the same human rights-based standards. Regardless of what they might hypothetically do differently in another political or regulatory environment, poor digital rights performance is an objective fact with serious impact on people’s lives.
Despite the government’s aggressive system of political control and intolerance of dissent, people in China nonetheless enjoy an innovative information ecosystem full of products and services designed to address their every material need and entertainment desire: online shopping, celebrity live streaming, hobby networks, video games, and more. As long as people’s activities do not challenge the power of the CCP, everyone is free to make money and have fun. To that end, it is vital to the CCP’s power and capacity to maintain social stability that home-grown tech companies are commercially successful.
For the same reason, the CCP has an interest in ensuring that China’s information ecosystem functions well, is accessible, and is supported by digital platforms that do not engender excessive levels of public frustration and mistrust—sentiments that would make people more likely to question the government’s information control regime. China’s Cybersecurity Law, which went into effect in mid-2017, is designed to protect internet users against commercial privacy abuses and cybercrime. Since then, as Chinese companies have moved to comply with the law, their RDR Index scores on handling of user data and security practices have risen dramatically. The most striking example can be seen in Chinese companies’ data breach disclosures, in compliance with the law’s requirement that they “promptly inform users” in the event of a breach, in addition to informing relevant government authorities.
As the graphic above illustrates, Alibaba and Baidu lead the pack in disclosing more information about data breaches than any other digital platform in the 2020 RDR Index, with Tencent also disclosing more information than some U.S.-based companies. Prior to the 2019 RDR Index (which covered policies active in 2018), Baidu and Tencent, the two Chinese companies included in previous iterations of the RDR Index, disclosed nothing about data breaches.
Another area where Chinese companies performed well in the 2020 RDR Index is on transparency about the collection of user information. While government surveillance of users through digital platforms is a taboo subject in mainstream media or anywhere online, the media is free to report on commercial abuses of user data by internet platforms. Users can complain about privacy violations and some lawsuits have attracted national media attention. Tencent, for example, has been targeted with numerous lawsuits and legal complaints over the sharing of user information between different services, and in one case with other users, without prior warning or clear consent.
Tencent and the other Chinese companies have responded to public media shaming, lawsuits, and regulatory penalties by improving their disclosure. They have a further incentive to improve, ahead of the expected enactment of a comprehensive Personal Information Protection Law, released last year in draft form. Their efforts have boosted their RDR Index scores significantly. In our evaluation of how transparent companies are about what user information they collect and how, Tencent and Baidu took the lead, ranking first and second, respectively, while Alibaba made a strong showing in fifth place.
When we first added Baidu to the second RDR Index in 2017, it ranked dead last among digital platforms, and remained there in 2018. Then in 2019 Baidu distinguished itself as the second-most improved company in the entire RDR Index. For 2020 Baidu continued to be one of the most improved companies, pulling ahead of Tencent for the first time in the overall ranking.
Regulation and public shaming have pushed Baidu, like the other Chinese companies, to be more transparent and accountable with users. It has improved disclosures and policies related to how content is displayed, shared, and amplified in response to regulatory penalties and several lawsuits from users claiming that they were harmed by false or inappropriate content appearing in the news feed that appears on the landing page for Baidu search. But domestic pressure is not the only driver of change at Baidu and other Chinese companies that are seeking to expand their business around the world.
These companies have found themselves caught between domestic control and pressure from other governments seeking to protect their own people from the Chinese government’s censorship and surveillance regime. In 2020, the Indian and U.S. governments ordered outright bans on Tencent’s WeChat and ByteDance’s TikTok. The Trump administration’s attempt to ban WeChat and TikTok from U.S. networks ultimately failed in the face of constitutional challenges, and efforts to ban Americans from investing in Alibaba, Baidu, and Tencent were also abandoned as impractical and counterproductive.
Nonetheless, concerns about security and human rights threats stemming from the Chinese government’s power over Chinese tech companies are broadly shared by the new Biden administration, which is expected to work with democratic allies on a more collaborative and long-term effort to counter such threats. Laws requiring much greater transparency and oversight of digital platforms and services—including over how companies interact with home country and host governments—are among the types of measures being recommended and considered in the U.S. and other Western countries. In the meantime, Chinese companies have an interest in doing whatever they can to demonstrate good faith to global users and foreign governments to the extent possible without defying their government.
Chinese companies whose shares are listed in major stock markets and held by large international investment funds have also made changes in response to active engagement by investors concerned with environmental, social, and governance (ESG) risks that companies’ activities can pose.
One major global investment management company recently offered an unusual amount of public detail about how such influence works. In October 2020, Federated Hermes International published a case study describing the impact of its engagement with Baidu over the past several years on issues related to data privacy protection. According to the case study, Baidu has implemented a number of suggestions proposed by Hermes to improve its data privacy management, including the creation of committees focused on protecting data assets, data safety, and professional ethics. ESG investors such as Hermes are sending a message to management that while they value Baidu’s profits—driven primarily by targeted advertising revenue through its search engine—they want to see concrete evidence that the company is working to mitigate harms caused by its commercial business practices.
Since the Hermes case study was published, Baidu has made further steps to gain favor with ESG investors. Most notably, in November 2020—too late for assessment in the 2020 RDR Index—Baidu published a Human Rights Policy. Baidu appears to be the first major Chinese tech company to have formally published such a policy. The policy appears in Chinese and English on the company’s web portal dedicated to ESG-related information, whose primary audience is investors. While we have seen no coverage of it in the Chinese or English-language media, a press release explained that the new human rights policy is in keeping with Baidu’s commitments as a signatory of the UN Global Compact, a set of voluntary corporate sustainability principles.
RDR does not award credit to companies for membership in the Global Compact because signatories are not required to make explicit human rights commitments or prove that they are living up to their commitments. Baidu’s human rights policy does refer to the Universal Declaration of Human Rights and the UN Guiding Principles on Business and Human Rights (although the English name of the latter is mis-translated). It explicitly references the International Covenant on Economic, Social and Cultural Rights but does not mention the International Covenant on Civil and Political Rights, which elaborates on freedom of expression and privacy as human rights, which China has not ratified.
Baidu’s human rights policy focuses primarily on labor rights, obligations of suppliers, and communities in which the company physically operates, but it does also include a section on user rights. Baidu commits to respect users’ privacy, “except as provided by laws and regulations,” and free speech “in accordance with national laws and regulations.” It is clear that Baidu’s human rights commitments are not intended to encroach on the Chinese government’s authority. The policy articulates the extent to which Baidu can respect human rights while still complying with government demands that compel companies to commit or facilitate human rights violations.
The Chinese government’s cyberspace security strategy does not merely aim to assert control over data and online content within China’s borders. Its broader goal is to solidify China’s position as a tech superpower that sets global design and regulatory standards for the next generation of networked technologies upon which people across the world will depend. Chinese government efforts to set comprehensive privacy and data security standards at home are part of a broader strategic move to position the country as the global leader in standard-setting for digital security. Chinese companies’ ability to secure the trust of customers around the globe is key to that strategy’s success.
The flaw in this strategy is that internet users worldwide are given no convincing evidence that they are any better protected from censorship or surveillance by the Chinese government than Chinese users are. That reality is ultimately why Chinese companies still rank in the bottom half of the RDR Index overall, despite strong performance on some specific indicators.
The strategy could nonetheless succeed if enough governments around the world embrace Chinese technology because it is more convenient, faster, and cheaper, and if investors are willing to overlook the human rights risks in order to maximize financial gains. Internet users in much of the world will be left with little choice—to the extent that they enjoy enough freedom of speech and information online—and will not know the full extent of the tradeoffs that these powerful forces are making on their behalf.
Tech companies wield unprecedented power in the digital age. Ranking Digital Rights helps hold them accountable for their obligations to protect and respect their users’ rights.
As a nonprofit initiative that receives no corporate funding, we need your support. Help us guarantee future editions of the RDR Index by making a donation. Do your part to help keep tech power in check!
Companies are improving in principle, but failing in practice
Our guidance for companies and policymakers committed to protecting and promoting human rights online
Protecting human rights in a state of emergency