This page contains two sections:
1) An overview paper describing the development and results of case study research carried out in late 2013 and early 2014. The findings from this research laid the groundwork for development of the Ranking Digital Rights Phase 1 Pilot Methodology.
2) Summaries of the findings and recommendations from each case study.
Download PDF
Navigate this document:
Case Study Research Overview
– Developing the Case Study Research Framework
– Draft Criteria for the Case Studies
– Case Studies: Goals and Approach
– Note on Country Background Research
– Lessons and Findings from the Case Studies
– Conclusions
Summaries of Case Studies conducted October 2013-March 2014
– Brazil
– Russia
– India
– China
– United States
– Telefónica
– Vodafone
– Deutsche Telekom AG
Case Study Research Overview
Information and communication technology (ICT) services such as social networks, search engines, and mobile phone services enable people to communicate and express themselves. At the same time, however, people around the world face a rapid escalation of digital surveillance and censorship when using ICTs. In 2013 the Ranking Digital Rights project brought together an international group of researchers and advocates to develop a methodology to evaluate and rank the world’s major ICT sector companies on their policies and practices affecting users’ free expression and privacy. Our work is grounded in international human rights standards (see the companion paper, Ranking Digital Rights: Theory and Strategy for a full discussion of the human rights norms upon which the project draws.) While a number of well-respected organizations conduct similar rankings of countries (Freedom House, the World Wide Web Foundation) or U.S. companies’ domestic operations (Electronic Frontier Foundation), to date there is no comprehensive evaluation of the most powerful ICT companies operating across the world. In other words, no project currently provides comparative company data on freedom of expression and privacy that is directly relevant to non-U.S. users. Ranking Digital Rights (RDR) bridges this gap.
Due to the complexity of the ICT sector, we will launch the annual ranking in two phases. Phase 1, to be launched in late 2015, will examine Internet and telecommunications companies. Phase 2, scheduled for launch in late 2016, will add companies whose primary business focuses on devices, networking equipment, and software. The draft methodology developed in 2013 and 2014, and the pilot study completed in early 2015, focused on Phase 1 companies. Research on how the methodology should be adapted for Phase 2 companies began in mid-2014 and continues in 2015. This paper focuses on early stakeholder consultations and case study research conducted in 2013 and early 2014 for Phase 1 (covering Internet and telecommunications companies). A separate paper also available on the RDR website offers an in-depth examination of the business and human rights principles, plus examples from other industries and sectors, comprising the “theory of change” on which this project is built.[1]
To establish a ranking that will be credible among companies, investors, civil society and academia, we consulted with experts from a range of fields, most of whom recommended we conduct extensive research before publicly scoring companies on any given set of indicators.[2] We examined key human rights documents and research studies on privacy, security, and online freedom of expression.[3] We spoke with a range of technologists, experts on business and human rights, experts on rankings and ratings, and human rights advocates. These experts were from a range of professional backgrounds and from various countries with different legal and political perspectives, thereby ensuring that the project’s approach is not exclusively focused on a single country or legal system. All of these inputs provided the raw material for a set of draft criteria by which we could measure companies.[4]
Next, RDR commissioned case studies of Internet and telecommunications companies in Brazil, Russia, India, China, Egypt, the United States, and several European Union jurisdictions. We selected the so-called BRIC countries (Brazil, Russia, India, and China) due to their status as large emerging markets — as of 2014, they represented more than 40 percent of the global population. In addition to research on companies operating in these specific countries, we also conducted extensive research on three multinational telecommunications corporations, Deutsche Telekom AG, Vodafone, and Telefónica, with operations in multiple EU countries and the developing world.
The goal of these case studies was threefold:
- To test the draft criteria that we developed in 2013 as a precursor to developing a more focused ranking methodology; and
- To gather substantive knowledge of free expression, privacy, and other human rights issues implicated in the case studies.
- To understand the role that multiple national contexts will play in the global ranking.
In early 2014 we developed a ranking methodology based on the case study findings.[5] This paper begins by summarizing key ideas from the consultations that shaped the design of the case study research. It then describes what we learned through case study research about what can and cannot be known — and measured — about companies’ practices related to digital rights. Through our research and stakeholder consultation processes we have gained a better understanding of how to collect information on company policies and practices. We have also continued to refine our understanding of what standards all major publicly listed ICT companies can reasonably be held to in light of economic, political and cultural differences between countries.
Developing the Case Study Research Framework
The process of methodological exploration leading to the case study research began at an October 2012 stakeholder consultation hosted by the New America Foundation in Washington, DC to seek feedback regarding initial project direction and design from technologists, human rights advocates, socially responsible investors, and experts in corporate ethics and social responsibility. The discussion focused on identifying stakeholder interest in a potential ranking. Attendees also addressed some of the variables that might be considered in company selection, as well as indicators that could best serve the purpose of the ranking. Participants generally agreed that to effectively change company behavior, the ranking should recognize three main audiences: 1) investors, 2) NGOs and institutions, and 3) consumers and consumer advocates. It was also noted that the methodology should ideally help to promote a more strategic discussion among and between the three groups. Many participants optimistically noted that once a methodology was established, companies would likely respond due to their concerns over brand equity and reputational risk–-even if they might challenge some of the details. The key was for RDR to be as transparent and public about its process behind company selection, methodology development, and research methods as possible.
In April 2013, we convened a workshop to inform the drafting of a set of criteria to be evaluated in case study research. The case study findings would in turn inform the development of the Phase 1 methodology. Invited participants included: University of Pennsylvania faculty advisors; graduate and undergraduate students involved in the research; international research partners from Brazil, China, India, Russia, the United Kingdom, and elsewhere; human rights advocates; technologists; socially responsible investors; experts on best practices in corporate ranking and rating systems; and experts in the field of business and human rights, business ethics, and corporate social responsibility. The meeting helped us determine the priorities, scope, and focus of the case study research that was necessary to refine and improve the ranking criteria and methodology.
The meeting also benefited from some participants’ knowledge of rankings, ratings, and indexes that have emerged as a common instrument for holding companies accountable to their human rights and environmental responsibilities in other industries and on other issue areas such as supply chain labor and conflict minerals. Workshop participants discussed best practices and challenges specific to the task of ranking ICT companies. We drew five key conclusions from this discussion:
- Complexity does not necessarily imply robustness.
There is power in simplicity. A strong methodology does not seek to cover every single possible detail that researchers can identify. Instead it focuses on the most important issues that define excellence and are most material to the ranking’s audience. In addition to a well-reasoned methodology, clear and simple output has the advantage of making the rankings more accessible to target audiences.
- Rankings should be tied to a credible business case.
Although the socially responsible investment (SRI) community represents an important target audience, ordinary investors can also influence companies. While the former is likely to identify with the principles of a ranking, the latter are much more interested in value—though some non-SRI investors do integrate environmental, social, and corporate governance issues in their own assessments. To maximize its leverage over companies, RDR may need to target ordinary investors in addition to socially responsible investors; the project can accomplish this by demonstrating the relationship between success in the marketplace and a company’s policies and practices affecting users’ digital rights.
- It is important to distinguish between companies’ commitments and their performance as well as to measure both over time.
Participants recognized that performance is much more difficult to research, measure, and compare across companies’ global operations than their commitments and disclosures. However, there are ways that commitments can be tied to performance, particularly if the company undergoes an independent assessment process through which credible third party experts verify whether the company is carrying out its publicly stated commitments – and whether its disclosures are in line with actual practice.
- Company engagement is key.
Company engagement is key to the legitimacy of a ranking and provides opportunities to help companies improve their practices. One participant with direct experience in corporate accountability rankings and ratings offered this anecdote: one year, several companies called to request that the organization delay releasing its rankings so that the companies could make improvements and be credited for them in that calendar year, rather than having to wait until the next year for their score to be raised. This is one example of how the prospect of being publicly evaluated on specific criteria can spur companies to make changes more quickly than they might have otherwise.
- Leadership, credibility, and technical excellence are vital.
A successful ranking requires a strong, forward-thinking definition of “excellence”. A ranking achieves credibility if its methodology is well-researched, documented, and relevant to real-world practices. Continuous consultation with all stakeholders who are likely to use the ranking as well as with companies that will be subject to the ranking also builds credibility. Furthermore, technical excellence in terms of data collection, analysis, and presentation is vital to the project’s success.
Draft Criteria for the Case Studies
As a result of these conversations, in July 2013 we released a setof draft criteria for use in case study research, which would in turn inform the development of a more focused and streamlined methodology.[6] These draft criteria—totaling over 100 questions—identified three key issue areas:
G – General human rights responsibilities – As outlined in the “International Bill of Human Rights” comprising the Universal Declaration of Human Rights (UDHR), the International Covenant on Civil and Political Rights (ICCPR) and the International Covenant on Economic and Social Rights (ICESCR). The UN Guiding Principles on Business and Human Rights provide a framework for how businesses should uphold their responsibility to protect human rights, while the European Commission (EC)’s ICT Sector Guide on Implementing the UN Guiding Principles for Business and Human Rights provides specific guidance to the ICT sector on meeting all human rights obligations. In the context of this project, criteria in this category focused on policies and practices affecting both freedom of expression and privacy.
F – Freedom of Expression – As articulated in Article 19 of the UDHR and Article 19 of the ICCPR. These criteria relate to company responses to government and private censorship and service shutdown, as well as to company enforcement of their own terms of service. The Global Network Initiative’s (GNI) Principles and Implementation Guidelines address companies’ responsibility to uphold freedom of expression in the context of government demands, while the EC Sector Guide addresses free expression issues more broadly alongside all other human rights concerns.
P – Privacy – As articulated in Article 12 of the UDHR and Article 17 of the ICCPR. These criteria relate to the collection, use and sharing of users’ information that could negatively affect users’ rights. These practices include company responses to government surveillance demands, data collection, and third-party sharing practices, as well as companies’ own rules governing user identity. The GNI Principles and Implementation Guidelines address companies’ responsibility to uphold privacy rights in the context of government demands, while the EC Guidance addresses privacy issues more broadly alongside all other human rights concerns.
Within the three issue areas, draft criteria questions were further divided into three different categories: Commitment (whether and to what extent companies have made public commitments to uphold users’ rights and to what extent they take concrete steps to measure their real-world impact on these rights); Practice (the existence of specific company policies, practices, and mechanisms); and Transparency (the extent to which companies communicate clearly with their users, as well as the broader public, about how and to what extent they respond to government demands, how they formulate and enforce their own Terms of Service, what data they collect and with whom they share it, etc.).
Engagement with companies
It is notable that RDR developed the draft criteria used for the case studies in consultation with technologists, human rights advocates, and academics – but not the companies themselves. This reflected a deliberate choice to set the bar as high as possible, then use the case study process as the vehicle for the project’s initial engagement with companies – to the extent that companies were willing to speak with researchers. Indeed, the case study process served as a test of the extent to which companies would be willing to engage with a ranking focused on freedom of expression and privacy.
Case Studies: Goals and Approach
To test out the criteria and to see how best to approach the ranking methodology, we commissioned an international team of researchers to complete case studies on a broadly representative set of telecommunications and Internet companies from around the world (most of them large and publicly listed, but also a few smaller un-listed companies in order to gain a clearer sense of the differences in terms of what can be researched and compared). While the ranking will evaluate companies, not nation-states, at this early stage of the project we wanted to address a set of geographically grounded research questions:
- Given the variety of jurisdictions and markets being examined, what commonalities emerge across the case studies?
- What salient differences exist between companies operating in different countries?
- What – if any – business practices affecting users’ freedom of expression and privacy are possible to adopt in any political or legal context?
- Conversely, what topics elicit varied perspectives due to regional, cultural, and historical experiences?
- Which company policies and practices require specific legal and political conditions in order to be implemented? What are those conditions?
- To what extent is it possible to identify, verify, and credibly compare actual performance and impact of companies’ policies and practices when we plan to rank a wide array of companies operating in different parts of the world?
- Should the methodology include company interviews or surveys? Or should it be based solely or mainly on publicly available information?
Given the logistics of contracting with researchers in our focus countries, we decided to approach this phase of the research through a country-centric paradigm. The exceptions were the Vodafone, Deutsche Telekom AG and Telefónica case studies, which sought to explore the complexities of assessing truly global companies with subsidiaries in many jurisdictions. Our case studies examining Bharti Airtel also examined operations in more than one jurisdiction, while also being included in the India case study. Summaries of key findings and recommendations from each case study are appended at the end of this paper.
Note on Country Background Research
One challenge that arose throughout the case studies was the difficulty of separating evaluation of a company and its practices from analysis of the legal and political environment(s) in which it operates. National and supranational (in the case of the EU) law often mandates or constrains a company’s policies and practices. However, in-depth analysis of individual legal regimes and political climates lies outside the scope of our project. Several reputable organizations and academic scholars have produced comprehensive works assessing countries’ de facto and de jure adherence to human rights standards, including free expression, privacy, and other rights. For this important background information, we refer the reader to the reports produced by our colleagues at other organizations including Freedom House, the Web Foundation, Reporters Without Borders, the Committee to Protect Journalists, Human Rights Watch, and the Open Society Foundations Mapping Digital Media project.
Lessons and Findings from the Case Studies
The following overarching lessons and findings informed key decisions about the focus and scope of the Phase 1 methodology.
Difficulty in Obtaining Interviews
Our initial assumption was that companies from established democratic countries would overall be willing to engage with case study researchers, while companies in authoritarian countries would not, and that companies in emerging democracies would fall somewhere in the middle. This turned out not to be the case. While we secured some interviews with company representatives, we were rebuffed by many companies headquartered in democracies where discussion of human rights issues takes place regularly in the domestic media and, where, therefore, talking to our researchers about freedom of expression and privacy would not put executives in danger. In some places where we did succeed in speaking to company representatives we found it nearly impossible to obtain accurate, reliable information from companies that we could use in a ranking.
Many of the interviews that we did obtain were held on the condition that they remain off-the-record and that we not use them to compare companies against one another. Thus, this paper and the case study summaries that follow it describe what we learned about the process of researching companies based in a range of different countries, not what we learned about specific companies’ practices or how different companies compare to one another. Moreover, several researchers believe that representatives whom they interviewed were blatantly untruthful to them, and more than one company appeared to be actively hostile to the project. Other companies were quite willing to engage with us on the condition that the conversations remain off-the-record.
The experience with company interviews led us to conclude that a ranking that relies on company interviews would effectively become a ranking of which companies are most or least comfortable talking to researchers on freedom of expression and privacy questions, rather than what companies actually do in practice or how they communicate with their users and the broader public. As a result we decided that at least the first few iterations of the ranking should be based on publicly available information. In our first drafts of the full methodology released in early 2014, we included evaluation of information that might be easily ascertained by a user or subscriber of the company’s services, or collected through technical testing (resources permitting).[7] However as we refined the methodology in preparation for the pilot study in September 2014 and assessed the resources available to our team and our research partners, we determined that the pilot methodology should be limited to information that is publicly disclosed by the company.[8]
Variety of Availability of Primary and Secondary Sources
We decided to refrain from including media coverage in the methodology due to the importance of collecting comparable information across companies. The case study process demonstrated that publicly available information about different types of companies and in different markets varies widely. For example, companies that provide services to individual consumers, including Google, Facebook, and Yahoo! are omnipresent in the global media, while service providers such as Akamai or GoDaddy rarely appear outside of the specialist press. Media coverage of ICT companies’ human rights practices varies for several reasons, including the perceived level of audience interest, how well journalists understand the topics, and structures of media ownership, in addition to the differences in company practices themselves. Importantly, there also tends to be much more media coverage on free expression and privacy related topics related to companies headquartered – or operating extensively – in markets with relatively free and open media.
Expertise Gaps Within Our Team
The international researchers who conducted the case studies came mostly from legal, policy, and social science backgrounds. They had a wealth of experience conducting country-level policy and legal research, in particular in the ICT sector, but less familiarity with the process of assessing company practices. We therefore decided to partner with investment research firm Sustainalytics, a world leader in environmental, social and governance (ESG) research and analysis. We also continue to consult with technical experts from organizations such as the Open Technology Institute’s Measurement Lab and The University of Toronto’s Citizen Lab.
Challenges in Evaluating Legal Documents
A recurring issue across all case studies was the difficulty of ascertaining which of the many Terms of Service (ToS) should be examined, as companies often have different terms, depending on the specific product or service, the user’s country, and other factors. The difficulty was only compounded in the case of multinational corporations with subsidiaries in multiple jurisdictions, each with its own legal requirements and enforcement mechanisms. Researchers noted that different Terms of Service tend to exist for every different service (e.g., mobile telephony, wired telephony, Internet access) a company provides. Finally, many Terms of Service contain provisions that the company reserves the right to change its terms at any time.
Evaluating Companies’ Compliance with Local Laws
We also found that companies tend to focus responsibility for the company’s respect for human rights on local, national, and supranational (EU) governments. Legal compliance is indeed a complicated issue: Laws in some countries require companies to carry out actions that improve users’ freedom of expression and privacy. Privacy and data protection laws are a good example. Other laws – sometimes in the same jurisdiction – impose requirements on companies that run counter to users’ rights to freedom of expression or privacy.
One representative from a multinational telecommunications operator based in the EU expressed surprise that our project would evaluate their firm, seeing as it was required to follow EU laws on privacy and free expression, and the company was therefore “obviously” compliant. Conversely, one person whom our Russia team interviewed suggested that it would be fairer to evaluate Russian companies’ adherence to Russian domestic law, notwithstanding that these laws may contradict international human rights standards. Another suggestion involved giving extra credit to companies that respect users’ rights in spite of contravening legal requirements. This would be exceedingly difficult to implement, as it would require RDR to quantitatively evaluate different levels of legal impediments companies face in different jurisdictions, to determine how well a given firm would have to perform against our criteria, depending on the country (or countries) in which it operated. Moreover, there is no way to determine what a company would do when unencumbered by law, or in other words, measure and reward/penalize a company’s intent.
More importantly, official policy and actual practice often differ. Researchers identified cases of companies turning over user data outside of any legal process and of individuals within companies thwarting government attempts at surveillance and censorship. While the first type of extrajudicial practice is clearly problematic and should be exposed through transparency mechanisms, revealing the second type of practice is highly likely to harm the very behavior we seek to protect. Introducing rewards for companies who violate domestic legal norms to protect their users in the ranking methodology would expose them to government retribution.
An additional difficulty for measuring company conduct lies in the inevitable evolving nature of national and supranational legislation, especially in the field of ICTs. This was for example evident in the case of Hungary, where significant constitutional and legislative changes made it difficult–for the companies and researchers–to establish what was going on exactly. It was even more difficult to discern what those changes might mean in practice for the rights of users, especially in terms of the relationship between companies and government.
Another question is what to do about companies whose performance cannot improve due to legal restrictions or requirements in the countries where they operate. In countries with effective democratic systems and relatively open media, ICT companies can sometimes be successful when lobbying governments to better protect human rights. For example, several Internet companies have sued the U.S. government for the right to publicly release the number of national-security related data requests they receive from the government, and Vodafone has successfully lobbied the British government for the same right. In 2012, German Internet service providers (ISPs) filed a constitutional complaint and successfully challenged a provision that mandated ISPs to retain consumer data and provide information on users’ contractual data, PIN numbers, keys, and passwords to law enforcement and intelligence agencies upon request. Germany’s Federal Constitutional Court held that these provisions breach the individual right of self-determination over personal information of the Basic Law.[9] In less pluralistic political systems where media is less free and rule of law is weak, however, companies do not have the same ability to lobby.
It may be unrealistic to expect all companies across the world to deploy the same types of government-directed policy advocacy and legal strategies in the court systems in a manner that can be quantified and compared. However, researchers across a range of case study countries and companies found more common ground when it came to the question of how companies deal with government requests for access to user data, and to restrict content. While most companies in the world disclose nothing about how they receive and respond to government requests, some companies have not only begun to develop policies on government requests, but also to publicly disclose the fact of these policies’ existence. Some companies have also begun to issue transparency reports containing data as well as descriptions about the quantity and nature of government requests, and extent to which the company complies. Researchers were inclined to agree that evaluating companies’ levels of disclosure would be feasible, and had the potential to encourage greater transparency and accountability with users.
Multi-National Corporations with Subsidiaries in Multiple Jurisdictions
One of the difficulties we encountered in assessing large multi-national corporations is that policies set at the parent corporation level are not always applied equally to subsidiary companies, which led some researchers to suggest that it is worth considering local operating companies separately from the parent company. At the same time, while differences in domestic law may explain the varied practices of operating companies within the same group, group-level policies and practices were also found to make a difference in how local operating companies handle freedom of expression and privacy challenges.
The question of how scoring will consider subsidiaries as well as differences in company policies and practices across jurisdictions would be a major focus of the pilot study. (See pilot study report to be published in March 2015).
Human Rights Impact Assessments (HRIAs)[10]
While some companies have published information about the results of HRIAs, companies do not generally reveal details about their HRIAs and how they affect company decision-making. However, interviews with companies that do carry out HRIAs led researchers to conclude that nothing prevents a company from disclosing the fact that it conducts HRIAs, or publicly committing to include certain elements in its HRIAs. Such elements include:
- Engagement with stakeholders, including human rights experts and potentially affected groups;
- Examination of laws that affect freedom of expression and privacy in jurisdictions where the company operates to inform company policies and practices for mitigating risks to users’ rights;
- Ongoing examination of existing products and services that may pose free expression and privacy risks;
- Examination of free expression and privacy risks associated with the launch and/or acquisition of new products or services;
- Examination of free expression and privacy risks associated with entry into new markets;
- Examination of free expression and privacy risks associated with enforcement of the company’s Terms of Service unrelated to government requirements may affect the freedom of expression and/or privacy of those who use its products or services.
Human Rights Terminology
While the RDR team did not follow some researchers’ suggestions to drop references to human rights, researchers suggested that many phrases in the draft criteria, such as “human rights,” “high risk user,” and “freedom of expression,” could be clarified in an annex with definitions and explanations of how they apply in the ICT sector. For example, researchers reported that in Brazil, human rights are not commonly thought of to include the rights to to free expression and privacy, and are not largely discussed. When asked whether their company had a mechanism in place to report human rights-related grievances, one company representative said that when someone feels the company violated their rights, the person shouldn’t complain to the company but report it to the authorities. Several research teams noted that human rights risk scenarios would be useful in explaining to companies how they can in fact encounter situations where freedom of expression and privacy are at stake. To that end, we have published a set of “Human Rights Risk Scenarios,” accompanied by an explanation of how those scenarios were integrated into the methodology.[11]
Conclusions
The case study research described above – and in more detail in the case study summaries appended below – helped us understand differences of Internet and telecommunications company operations, as well as how their policies and practices are influenced by the political, legal, and cultural contexts of the jurisdictions where companies are headquartered and where they operate. This understanding was further deepened by RDR’s participation in a UNESCO-commissioned study titled Fostering Freedom Online: The role of Internet intermediaries.[12] All of this research and analysis – conducted between mid-2013 and mid-2014 – informed a key set of decisions about the scope and focus of RDR’s Phase 1 methodology. Chief among them:
- Limiting the methodology to publicly available information: We initially considered defining the scope of “publicly available” as information that might be easily ascertained by a user or subscriber of the company’s services, or collected through technical testing (resources permitting).[13]
- Simplifying the methodology’s structure: We retained the three issue area headings of “general human rights”, “freedom of expression” and “privacy” but eliminated the three sub-categories of “commitment”, “practice,” and “transparency.” This followed logically from the decision to focus the entire methodology on disclosure and transparency. “Practice” would not be feasible as a separate category of indicators without greater resources, more reliable data from external sources, and greater willingness on the part of companies to engage on freedom of expression and privacy questions.
- Paring down the indicators from over 100 in the draft criteria to less than 50 in the Phase 1 draft methodology. Decisions about scope limitations made this easier to do, although the pilot study experience may point to the need for even further streamlining. (The pilot study report to be published in March 2015 will further address this question.)
A first draft of the methodology was published in February 2014, after which we sought extensive feedback from companies, civil society, and investors at conferences as well as in dedicated calls and meetings. In May 2014 we published a second draft methodology, soliciting widespread feedback online as well as through targeted conversations with companies, technologists, human rights advocates, and other subject matter experts. In August and September we worked with our new research partner, Sustainalytics, to revise the methodology once more – based not only on the substance of the indicators, but also on a realistic consideration of resources and methods available to both teams. That revised version was published on the project website in October, and used in a pilot study completed in early 2015.[14]
We have made maximum efforts throughout this process to invite stakeholder feedback and to be as transparent as possible about our process. This paper and the following case study summaries are a key component of that effort at transparency and consultation. It is our hope that the extensive research and consultation, carried out over a two-year period prior to finalizing the Phase 1 ranking, will result in a ranking methodology that is robust, credible, and useful to all stakeholders. The methodology is intended to be effective in helping to foster change within a broader ecosystem of research, reporting, and advocacy comprised of many public and private institutions and organizations around the world.
Appendix: Summaries of Case Studies conducted October 2013-March 2014
In 2013 and early 2014, we conducted eight case studies to test the draft criteria we created for Phase 1, which focuses on Internet and telecommunications companies.
The draft criteria used for assessing the companies and in conversation with company representatives can be downloaded via this link: https://rankingdigitalrights.org/wp-content/uploads/2013/08/phase-1-criteria-research-draft-aug12.pdf
For more background materials involved with the research, see this page on our website: https://rankingdigitalrights.org/project-documents/case-study-research/
Note that because the case study research was completed in early 2014 it does not reflect new information released by companies, or other developments that have taken place, after March 2014.
Brazil
Researchers:
- Celina Beatriz Mendes de Almeida Bottino, Instituto de Tecnologia & Sociedade do Rio de Janeiro
- Peter Micek, Access, New York
Companies examined: Brazil’s four main mobile providers: Claro (owned by América Móvil), Oi (co-owned by Portugal Telecom), Tim (Telecom Italia Mobile) and Vivo (Telefónica).
Sources: Researchers were not able to secure interviews with company representatives. They did interview a representative of a Brazilian telecommunications association, SinditeleBrasil, as well as a representative of the federal government’s consumer affairs division, SENACON. They also reviewed publicly available information about the companies.
Key Findings
Telecommunications companies did not see freedom of expression and privacy as relevant to them, since Brazilian laws already affirm these rights and explain when they may be restricted. Company websites generally did not mention human rights, freedom of expression, or privacy. Interviews suggested that since Brazilian law and culture affirm people’s free expression and privacy rights, companies did not need to make explicit commitments to uphold them. One interviewee expressed that during decades of experience working with telecommunications companies, they were not aware of any case where a company was notified for failing to respect users’ freedom of expression, not even under the military regime. Under Brazilian law, companies are only obliged to remove content following a court order mandating the removal.[15] Government agreements with nongovernmental organizations such as Safernet can enable authorities to access user data related to criminal activity (e.g. paedophelia) without a court order.[16]
Companies lacked transparency about their role in respecting free expression and privacy rights. Companies did not provide information related to their role in complying with requests to remove content or share user data. While the National Council of Justice said that it made 18,000 requests for wiretaps in 2011 and hundreds of requests for user data,[17] companies did not provide data related to requests for user data. Companies also did not provide information about requests they may fulfill without a court order.
Companies maintained several different terms and policies, making it difficult to determine whether company-wide approaches to free expression or privacy rights existed. Companies typically maintained different terms for the various services they offered (e.g., fixed phone, mobile phone, Internet), making it difficult to determine company-wide views on various free expression and privacy issues. Additionally, these policies were hard to locate on company websites. Privacy policies often pertained to company websites themselves rather than the company’s services. Companies also did not provide clear information about what user data they collect. Two of the four companies mentioned that their own company security standards should apply to third-party providers.
Suggestions for Methodology Development
- Define key terms: These include “human rights,” “high risk user,” “freedom of expression,” etc. Providing human rights risk scenarios could help interviewees understand the types of risks we would like companies to mitigate.
- Consolidate the criteria and suggest which company documents researchers should consult to answer them: A criteria question should also evaluate whether company policies are freely and publicly available to all individuals, not simply to those who purchase a product or service. Consolidating the criteria, and prioritizing certain questions is necessary given the short amount of time available for interviews. It may not be possible to ask every question to every company or official.
- Combine criteria to address grievance mechanisms: Rather than ask multiple questions related to grievance mechanisms, one criteria question could consider whether companies have procedures to process and respond to user complaints related to human rights, not simply free expression and privacy, or all issues, including human rights. This could address the fact that users who experience throttling, or the results of data sharing may not identify their grievance as e.g. a violation of human rights, or freedom of expression/privacy specifically.
- Incorporate criteria on standardization of policies across parent and subsidiary companies: In light of the increasing coherence of international frameworks on human rights and business, it is very important that companies seek to align their policies across jurisdictions to respect human rights and remedy abuses.
- Incorporate criteria on third party access to facilities: Presently no question directly addresses a situation where a company sends employees to sit in government offices (or vice versa) to provide easier government access to user data or networks.
- Incorporate criteria regarding user access to data:
- Whether users can learn what data the company holds on them
- Whether users can view and change data the company holds on them
- Whether users can obtain that data in an interoperable format and transfer it to other service providers.
- Tatiana Indina, Center for the Study of New Media and Society, Moscow; Berkman Center, Harvard University
- Sofia Dokuka, Center for the Study of New Media and Society, Moscow
- Adapt some of the criteria (indicators) to local legislative requirements: For example, criteria could ask about compliance with federal law rather than with international human rights standards. With time, Russian companies will incorporate such standards.
- Define key terms, concepts, and principles, perhaps in a glossary: For example, some company representatives were not familiar with international human rights standards and did not know how to answer questions that referred to them.
- Base answers on documentation (e.g., corporate policies, user agreements, press releases and public statements) rather than subjective self-assessments from company representatives.
- Add quantifiable indicators: Combining quantitative methodology (e.g., surveys, rankings, statistic reports) with qualitative methodology (interviews, case studies, public and expert opinions) will help to improve the reliability of research and comparability of the data on a global scale.
- Consult additional sources for information: Incorporating feedback from additional stakeholders (e.g., government, media, industry associations, civil society, experts, users) could provide a more comprehensive ranking.
- Test the services to provide more objectivity: As another approach, experts can evaluate companies by testing products and services as a user (e.g., social networks and applications), and communicating with the company as a user, in order to evaluate the user experience.
- Consolidate and simplify the criteria: The methodology should:
- Use an answer scale rather than a binary Yes/No response,
- Clarify which indicators apply to specific services or subsidiaries and which apply to the company as a whole, and
- Delete questions that focus on specific technologies
- Elonnai Hickok, Centre for Internet and Society, Bangalore
- Jon Diamond, University of Pennsylvania
- Provide guidance on how to interpret certain terms, and resolve other methodological challenges: For example, what does it mean for a company to have a “process,” measure “impact,” etc. What assessments do we expect companies to undergo? What services or subsidiaries should researchers consider, and how should the company be scored if services and subsidiaries have differing practices? How would the ranking consider policies that change over time? The current “Yes/No” framing of answers in the case study criteria makes it difficult to differentiate levels of compliance that may exist amongst companies.
- Consolidate the criteria: The criteria inquire about some practices (e.g., commitment, grievance mechanisms, independent third-party audits) separately across the categories of general human rights, free expression, and privacy. In companies,these mechanisms can be centralized and serve multiple purposes – thus the methodology could ask about these practices as they relate more broadly to digital rights, including free expression and privacy.
- Focus on transparency: Our analysis of public documentation from Indian companies demonstrated that the most that can be feasibly asked of Indian companies in the ranking is transparency of practices and applicable law (including in Terms of Service and Privacy Policies). Some criteria in the ranking are ‘non-actionable’: even if a company recognizes the negative impact of a current practice on digital rights, the degree to which the company would be able to change its practice may be limited (due to legal and political factors).
- Focus on grievance mechanisms: All companies included grievance mechanisms, which are critical in protecting users’ rights, as they are an initial point of contact for the individual. Related criteria should focus on independent and effective mechanisms.
- Clearly explain how companies are engaged during the ranking: The ranking should clearly explain whether researchers seek company feedback on their findings before publication, so as to enable the company to agree/disagree/change responses etc. The ranking should also be clear about how it deals with company responses (e.g., level of agreement with the findings, refusal to provide an interview, request not to be included in the ranking, etc.).
- Technology neutral: Some criteria focus on the use of specific technologies by companies, such as Deep Packet Inspection. As technology is constantly changing, there is a risk that the question will become irrelevant. Instead: technology neutral criteria should be used.
- Gain user feedback on criteria questions: A wide survey should be conducted to understand what questions users feel are the most important for upholding and safeguarding digital rights.
- Emphasize formal processes: From the one interview held it became evident that companies implement at least some practices included in the criteria, but they do so in an informal manner. Since this makes it impossible to verify, the ranking should emphasize the importance of having a formal and documented process or policy in place.
- Include “to the extent legally possible”: As the ranking is seeking to target companies across the globe and in multiple jurisdictions, there will be a conflict in what companies are legally allowed to do based on local regulations. Because of this, it is suggested to qualify specific questions with “to the extent legally possible”.
- Add criteria focused on social inclusion: Some companies already have social inclusion programs in place, often also addressing general human rights – such as access and social inclusion. To capture these practices, criteria questions on social inclusion may ask how the company ensures equal access to its services.
- Other suggestions for additional criteria, including:
- Does the company disclose and distinguish if takedown/blocking requests are from governments or non-governmental actors?
- Are a company’s “Privacy Policy” and “Terms and Conditions” accessible to individuals prior to engaging in a service with the company?
- Does the company clearly indicate the circumstances when an individual might be disconnected from a service?
- Suggested Methodology for Ranking System
- Separate ‘most important’, ‘important’ and ‘least important’ questions
- Scoring bands: exemplary (requires all questions in most important + some others), compliant, pursuing full compliance, under compliant, not compliant.
- The parent company headquartered in India does not appear to set basic policies like terms of service and privacy policies across its various subsidiaries. Rather, the four Airtel entities examined in this study differ significantly in the ways they approach digital rights and transparency in particular. A preliminary analysis suggests this performance correlates closely with the development of telecom and information technology law in the four countries considered. In short, with some exceptions, a law-abiding Indian telco must do more for its customers than law-abiding telcos in Bangladesh, Sri Lanka, and Kenya.
- These discrepancies suggest not only that Airtel’s policies are largely and perhaps necessarily dictated by national laws and political context.
- Hu Yong, Peking University
- (1) Criteria about human rights. Given that the issue of human rights is sensitive in China, statements about the Guiding Principles cannot get any positive reply / appear in companies’ public statements.
- (2) Specific technical assessments. Specific technical questions need to be confirmed by executives in charge of specific functions, which is very time consuming. Moreover, it is difficult to compare different techniques (such as data storage and encryption standards) and evaluate them quantitatively.
- (3) Evaluation of non-public conduct. Chinese businesses tend to operate in a flexible and unwritten way, so Chinese internet companies often do not seem to have the processes described in the criteria when we try to verify them, even though there may sometimes indications that the company is acting in the described way.
- Consolidate the criteria and add quantitative answer criteria: Further clustering criteria by topics can make it easier to skip questions that are not applicable (e.g., Chinese companies cannot challenge the government’s authority, so answers are not available for several related questions). Incorporating more quantitative answer categories, rather than “Yes/No” answers could yield more helpful information and help compare results across different companies.
- Adapt the ranking to increase its relevance in China: For advocacy to be effective, and for the promotion of user rights in the Chinese internet industry, the assessment criteria should be made applicable to the political and legal environment in China, so that we can reach a more fair and objective conclusion, which can attract the attention of internet companies and users.
- (1) Reduce the focus on commitment to human rights, because in China lack of public commitment on this does not mean that the companies have given up protection of human rights.
- (2) Transform yes/no questions to questions on a scale, to make quantitative evaluation more flexible and adaptable.
- (3) Increase the proportion of the criteria unrelated to government requests; focus on business and technical solutions. Many of the current criteria are closely related to government interests, and may bring political risks if Chinese Internet companies were to give honest answers. To really measure a Chinese company leadership’s determination to protect user rights, there should be more focus on business and technical solutions. This can, for example, include strengthening security measures to protect personal information from attacks, or introducing a third-party evaluation process to make test results more objective and so on in the criteria.
- (4) Convey the international standards of user rights protection as much as possible to Chinese users, enabling them to forge a new understanding of the importance of digital rights.
- Hae-in Lim, Ranking Digital Rights
- Tim Libert, University of Pennsylvania
- Miscellaneous service providers: Apple, Google, Microsoft, and Yahoo!
- Specialized service providers: Dropbox, Facebook, Twitter, WhatsApp
- Content hosts: Akamai, Amazon Web Services, and Go Daddy
- Telecommunications: AT&T, Sprint, T-Mobile, and Verizon
- Define “human rights”: Free expression and privacy are typically considered “civil liberties” in the U.S. context, and while these are also human rights, companies tend to view “human rights” as relating to labor and torture issues.
- Provide more guidance about how researchers should evaluate certain criteria or make the criteria more specific: For example, when asking whether the company’s human rights impact assessment has been assured by an independent third party organization provide a list of acceptable organizations Another example: make the privacy commitment more explicit by asking if the company provides a privacy policy.
- Clearly define non-binary criteria: to the greatest extent possible use fixed scales to avoid bias, for example by breaking the anonymity (identity) question into multiple sub definitions.
- Keep criteria that ask about DPI and network throttling: These techniques have legitimate uses that do not infringe users’ rights, but they can also be used restrict users’ free expression and privacy rights in ways they may not be aware.
- Languages: It would be useful to include a question about whether the company translates the Terms of Service, privacy policy, acceptable use policy, and other foundational documents into languages that reflect the company’s user base. At a minimum, if a company rolls out a service in a different language in order to target a specific user base, it should offer an “official” translation of the Terms and privacy policy.
- Use of specific technologies: The methodology should include questions that look at whether the company uses the strongest forms of security practices, for example by asking: Does the company employ security best practices?
- Anonymity and personally identifiable information (PII): Many companies state that user data will only be sold or analyzed in aggregate or anonymized form. However, studies have shown the ease by which to pinpoint somebody even just from a limited range of data points.[20] Whether companies regard certain data as PII is fairly subjective, and there have been several class-action lawsuits that hinge on whether a certain piece of information is or is not PII.[21] For example, are IP addresses regarded as PII? The ranking should ask a question to clarify: Does the company interpret PII in a broad, narrow, or moderate fashion? What does it consider PII?
- Agustín Rossi, European University Institute, Florence; Global Public Policy Institute, Berlin
- Use the terms “digital rights,” “freedom of expression” or “privacy” rather than “human rights”: It is difficult to explain to companies what this project means by “human rights” and how company behavior intersects with human rights. Company representatives seemed offended by the use of the term, considering it obvious that they respect human rights.
- Consolidate the criteria and focus on transparency. While many companies commit to upholding human rights, users cannot know for sure whether companies act in a way that matches their words. More transparency around what companies actually do would help the public understand how companies respect human rights. The biggest challenge in this case was to obtain more information from the companies about their practices.
- Richard Danbury, Centre for Intellectual Property and Information Law, University of Cambridge
- Kirsten Gollatz, Alexander von Humboldt Institute for Internet and Society, Berlin
- Elisabetta Ferrari, Center for Media, Data and Society, Central European University, Budapest; Annenberg School for Communication, University of Pennsylvania
- Sara Alsherif, Freedom of Information Program, Support for Information Technology Center, Cairo
- Remove the “No” answer category and incorporate an answer scale: It is difficult to prove that a company does not do something. An answer scale would enable more nuanced answers, though researchers would need detailed guidance to ensure they interpreted the answer scale correctly.
- Reconciling primary and secondary material: Researchers may need guidance on how to evaluate sources of information that appear contradictory (e.g., Vodafone’s Law Enforcement Guidelines and the Snowden disclosures).
- Consider weighting performance based on legal environment: For example, a company that goes above and beyond legal requirements to respect human rights may deserve more credit than a company that simply meets legal standards of behavior. For example, European companies may be expected to perform better on privacy criteria, given EU legal protections, and U.S. companies may be expected to perform better on free expression criteria, given the First Amendment. However, this could considerably expand the (research) scope of the ranking or introduce additional subjectivity, by trying to identify intent in company behavior (giving credit for acting out of compliance with law vs. acting out of will to respect human rights).
- Kirsten Gollatz, Alexander von Humboldt Institute for Internet and Society, Berlin
- Rian Wanstreet, Center for Media, Data and Society, Central European University, Budapest; Access, Washington DC
- Elisabetta Ferrari, Center for Media, Data and Society, Central European University, Budapest; Annenberg School for Communication, University of Pennsylvania
- Remove the “No” answer category: Researchers found it difficult to prove that a company was not doing something.
- Consolidate the criteria: Membership in other human rights mechanisms (e.g., Global Compact) may address questions related to human rights, so one way to consolidate the criteria is to focus specifically on free expression and privacy.
- Focus on freedom of expression and privacy rather than human rights, and define these terms: Companies do not typically see these issues as human rights concerns, and their documentation may not refer explicitly to these terms.
- Expand user data criteria to encompass the life-cycle of data: Additional criteria can inquire about management of data collection, data processing, storage, use and reuse, distribution of data, profiling, and data analysis.
- Secondary sources and dependency on companies: Given the lack of information provided by companies, the ability to use media, government or judicial sources could provide more insight into company actions. Combined with the stark dependence on primary sources, the current methodology essentially relies on companies’ voluntary cooperation in order to obtain necessary information. Most of the current criteria questions require information that cannot be answered merely through desk research or secondary sources. For this reason, without companies’ voluntary participation a final ranking could not claim to include the essential elements.
- Provide a date range for sources: Researchers would find it helpful to have a clear end date for sources, given that terms and policies are always being updated.
Russia
Researchers:
This study was conducted by the Center for the Study of New Media and Society.
Companies examined: Yandex (search engine), Vkontakte (social network site), Odnoklassniki (social network site), Mail.ru (mail service and social network site), Rambler-Afisha (search engine and web services).
Sources: With significant difficulty, researchers secured interviews with representatives from all five companies. They struggled to motivate companies to participate, identify the right person or people within the company to interview, and receive answers in a timely fashion. Often, companies routed research questions through various departments and layers of management. Researchers also reviewed publicly available information about the companies, though the number of such policy resources is quite limited.
Key Findings
Internet companies focused on Russian legal requirements and typically considered free expression and privacy as “users’ rights,” rather than “human rights.” Russia lacks coherent norms and policies around digital rights. Some Russian companies were unfamiliar with related international standards. Others were familiar with them, but did not consider them as important as Russian legal norms and standards. This also reflects the norms and expectations of the public. Russia lacks a specific ethical code or normative framework related to digital rights. Company policies typically reflected Russian law, which increasingly limits users’ free expression and privacy rights. Internet companies rarely used the term “human rights,” although companies did acknowledge the importance of respecting users’ rights on the Internet. Russian companies did not intend to provide a lot of information about “users’ rights” to the users.
Companies generally did not challenge government requests and representatives hesitated to discuss government policies around free expression and privacy. Few companies challenged government requests, and most companies simply complied with all government requirements: in their experience negotiations with government agencies did not bring any concrete result. Company representatives were sensitive to the way that legal obligations shaped their company policies and forced them to deal with censorship. They often refused to answer questions related to these political concerns.
Information sensitivity and legislative landscape. The number of changes in government legislations increased rapidly in 2012-2013. The effect of government on corporate politics is has become a very sensitive topic for Russian businesses. Company officials often refused to discuss political issues, and attempted to avoid answering related questions. Moreover, they were preoccupied with addressing legal issues arising from changing legislation.
Companies generally did not provide transparency about their policies and practices. Company representatives said they adhered to high standards of privacy and security but did not provide details about their processes. In some cases, legal departments answered policy questions or an ad hoc group of company officials made decisions. Even within one company policies can vary case-by-case. This suggests that companies use informal or unstructured procedures to address situations that affect users’ rights. Companies generally published service agreements but no other policy documents on their websites, making it difficult for the public to determine how they respected users’ rights.
Practices around stakeholder communication varied. Companies varied in the degree to which they communicated with users and considered stakeholder feedback. Some maintained clear policies and mechanisms to manage stakeholders communication, others were in the early stages of developing such policies. Companies predominantly do not notify users when they change different agreements.
Suggestions for Methodology Development
India
Researchers:
Companies examined: Internet companies Indiatimes.com, Rediff.com, and SIFY; telecommunications companies Bharat Sanchar Nigam Limited (BSNL) and Bharti Airtel (including its subsidiaries in Bangladesh, Sri Lanka, and Kenya)
Sources: Despite multiple attempts, the research team secured an interview with only one company representative. The team had difficulty locating, contacting and engaging with the appropriate person within a company. The team also believes companies were not motivated to participate, in part due to the length and complexity of the criteria. Researchers reviewed publicly available information about the companies.
Key Findings
Indian laws legitimize a variety of measures that can be used for censorship and surveillance but also require companies to take certain measures that support users’ rights. If a company receives a written request from the appropriate authority, it has little legal recourse to challenge the request. For example, the Indian regulatory regime identifies what content service providers must block and remove, the level of encryption service providers can use, and it allows the government to require service providers to install equipment on their systems and networks.[18] From a positive perspective, Indian laws also require companies to maintain privacy policies, permit users to withdraw consent for collection of personal information, and assign grievance officers to receive complaints regarding misuse of user data.[19]
If the ranking results in public pressure from Indian users, companies may find reasons to change their behavior. A global ranking may not resonate with companies that focus primarily on a domestic market. Additionally, India’s legal requirements limit companies from doing much of what the criteria measure, while the socio-cultural environment does not incentivize or stress what the criteria measure, thus potentially limiting companies’ ability or willingness to change.
Suggestions for Methodology Development
Cross-jurisdictional analysis (Bharti Airtel)
China
Researcher:
Companies examined: Baidu, Sina, Tencent, and HiChina
Resources: The research team based its work on off-the-record interviews and publicly available information.
Key Findings
China’s political and legal environment strongly discourages companies from making human rights commitments or challenging government requests, which renders these criteria difficult to evaluate. Companies would endure significant political, legal and commercial risk if they released public statements about human rights, revealed government requirements to the public, or even attempted to challenge government requests. In addition, companies do not typically consider human rights as part of corporate social responsibility. Even participating in this research could raise Chinese government eyebrows, though not as much if the assessment were based primarily on publicly available information.
Chinese companies can use their industry influence to clarify what rights users have, provide more transparency around their practices, and give users more options to control their data. Company processes are typically unwritten and flexible, which makes them difficult to verify. At minimum, companies should provide users with a service agreement and privacy policy, adequately protect personal data, inform users when their data has been exposed to other individuals or organizations (other than the government), and offer users proper channels to provide feedback, report problems, file complaints, and ask for solutions. Large Internet companies have the resources, large user base, and government relationships that position them to advance users’ rights, even within such a restrictive political and legal environment.
Chinese users who do not know about digital rights won’t push companies to respect them, and companies won’t have an incentive to change their behavior. Additional surveys of Chinese Internet users can evaluate users’ perceptions, expectations, and experiences with digital rights and companies. Surveys could also raise awareness around international human rights standards. Increased Chinese consumer awareness around users’ rights and an understanding of which users’ rights issues resonate with Chinese users can improve the ranking’s utility. Clarity on these topics can give Chinese companies a sense of what actions they can take, given their political and legal operating environment, to respond to user demand.
Some criteria are difficult to assess, in particular in China:
Suggestions for Methodology Development
United States
Researchers:
Companies:
Sources: The research team based its work on interviews and publicly available information.
Key Findings
Some companies engage in several processes that resemble HRIAs, but few conduct HRIAs. These processes may be informal or their results unpublished. Researchers support focusing on HRIAs because they can help create “institutional memory” within companies around how to address human rights concerns, as well as provide accountability to users, employees, and investors.
Companies engage with stakeholders in different ways and, in some cases, it might be counterproductive to provide “unconditional transparency” about these procedures. For example, companies might want to keep private their interaction with high-risk users in authoritarian countries to protect these users. This is also why many companies use informal channels to communicate about sensitive human rights issues. Thus, even if a company did engage in such practices, these actions might not be apparent in a review of publicly available information.
A methodology that also examines how prominently companies publicize certain types of information, the degree to which they educate users about what company policies and actions mean, and whether senior leadership considers human rights decisions are made can provide a more well-rounded view of a company’s commitment to respect users’ rights. The degree to which companies publicized certain efforts (e.g., HRIAs, transparency reporting) varied even across companies that engaged in these practices. And while it is important for a company to provide terms of service and other policy documents, most users do not read this information. To truly reach users, companies should dedicate resources to outreach, engagement, and education. Finally, since actions by the CEO and board of directors are typically vetted through many layers of management, methodology questions that ask about their involvement in human rights issues could illustrate whether human rights is seen as a company-wide priority or one relegated to a particular unit.
Suggestions for Methodology Development
Telefónica
Researcher:
Company profile: Telefónica is a telecommunications company that operates phone and Internet services in Spain, Europe, and Latin America. We included Telefónica as a case study because is the owner of Vivo in Brazil, which was part of the Brazil case study.
Sources: Researcher reviewed publicly available information and conducted interviews with Telefónica representatives.
Key Findings
The company assesses its human rights impact, but does not explain how it manage human rights issues. The company has undergone audits, including a Human Rights Impact Assessment conducted by BSR. However, it does not publish information about the audits, its security practices, or its rights-affecting practices in general, The company expresses a commitment to human rights, as well as to free expression and privacy, and says it is implementing the UN Guiding Principles on Business and Human Rights, but provides no details on how.
In absence of transparency, little is known how its compliance with the law affects the rights of Telefónica’s users. Telefónica approach to digital rights seems to be one of strict-compliance with the law. The company says it adheres to Spanish law, but does not explain how. Given the prerogatives that the Data Retention Directive gives to law enforcement authorities and the liability it places over telecom companies, we can know Telefónica stores metadata and that law enforcement agencies have the right to access to it. Whether Telefónica ever challenges those (or judicial) requests is unknown. At the same time, Telefónica has done little to explain that–at least once–it has recurred to judiciary stances to protect its users’ privacy when faced by private requests for data of individuals allegedly misusing P2P networks, in the Promusicae v. Telefónica case.[22] Publishing a transparency report would provide clarity to users on how the company is responding to Spanish and European legal requirements. During the research period, the company was yet to release its first transparency report.
Suggestions for Methodology Development
Vodafone
Researchers:
Company profile: Vodafone is a UK-based telecommunications company that provides services around the world. This research focused on the parent company — Vodafone Group — and operating companies in the UK, Egypt, Germany, Hungary, and Italy.
Sources: Researchers reviewed publicly available information and conducted two interviews with company representatives.
Key Findings
The most readily available information for all entities focused on transparency around privacy, but disclosure on other topics was inconsistent. More public information was available at the group level compared to the operating level, particularly with regard to human rights commitments. Public information focused more on privacy than free expression and on transparency rather than company practice, making it difficult to evaluate how particular operating companies addressed these issues.
It was not clear from publicly available information how group-level policies translated to operating companies, though interviews clarified this information. Using only publicly available information, it was difficult for researchers to determine the degree to which group-level policies applied to operating companies. Understanding this could help researchers know which criteria to evaluate at the group level and which to review at the operating level. Interviews clarified that group-level policy standards apply to operating companies where the group has control, but do not apply to operating companies in which the group owns a minority stake. For example, Vodafone’s Standard on Law Enforcement Assistance applies to operating companies. The group-level company is responsible for monitoring compliance with policies, but the operating companies may manage implementation.
There is merit in assessing (some of) Vodafone’s subsidiaries in addition to the Group. The desk research shows that there are instances of significant differences between the local operating companies. This tends to suggest that policies set at Group level are not always applied equally to subsidiary companies, and that in its turn tends to suggest that it is worth considering Vodafone’s operating companies separately. The reason why these differences exist may not be because of any deficiency in Vodafone’s intent to apply its policies equally to subsidiaries, but may be a result of other significant variables, such as the operation of local laws. Interviews emphasized the importance of considering local legal requirements and a company’s attitude toward those requirements when evaluating the company. While domestic law is a factor that explains some differential performance of Vodafone’s operating companies, it does not seem to be determinative, nor is the causation simple. Moreover, there may also be additional local policies, terms and conditions, products and services that only operate at a local level in these companies. Furthermore, some questions may well be more relevant to local operating companies than to Group level, or vice versa.
Companies often maintain several terms related to their different products and services, and other factors, including local laws, might impose additional terms and conditions on an operating company’s products and services. It is sometimes unclear which terms of service researchers should reference, given that companies often maintain different terms for their products and services.
Policy documents can show inconsistent information. During the case study study we noted that even for the same operating company, there may be significant differences between the content of legal documents (such as privacy policies) in different languages. The version in one language may be much more elaborate than the version in another language.
Suggestions for Methodology Development
Deutsche Telekom AG
Researchers:
Company profile: Deutsche Telekom is a German telecommunications company that provides services around the world. This research focused on the parent company — Deutsche Telekom AG (DTAG), and its Hungarian subsidiary Magyar Telekom. For some criteria, researchers also examined the German operating unit Telekom Deutschland GmbH.
Sources: Researchers reviewed publicly available information and conducted an on-background interview with company representatives. The company decided to not further participate in the project.
Key Findings
It is difficult to evaluate multinational corporations with complex business structures as unitary actors and to assign them one score. Parent and subsidiary companies disclosed varied levels of information and maintained separate terms of service for their different products and services. Different aspects of the criteria were handled at different levels. For example, criteria focused on general commitments and group-wide policies, audits and assessments were more applicable to parent companies, while criteria focused on terms of service and policies related to products and services, privacy, and data protection were more applicable to subsidiaries.
Moreover, as Telekom Deutschland GmbH and Magyar Telekom PLC are partly independent from the parent company DTAG, they can be conceived as actors on their own behalf, thereby putting the underlying assumption of the RDR project into question, whether parent companies are able to implement certain guidelines across all their subsidiaries.
Furthermore, the diverse portfolio of products and services of each subsidiary makes it difficult to compare telecommunication companies.
Multinational corporations operate in a variety of legal environments, which makes it difficult to assign one answer to the criteria questions. To answer some of the criteria questions, researchers needed to examine European, German, and Hungarian laws. Legal requirements shape company actions, and the ranking will need to determine how to approach scenarios where the law requires or limits a particular action, but a company does not provide any information about such actions in its own disclosure. For example, companies may say that they adhere to local laws or to a particular regulation (e.g., EU Data Protection Directive), but they typically do not make a public commitment to a specific provision of a law. Criteria language refers to company actions applying to “all” jurisdictions in which the company operates, which requires researchers to examine policies in several jurisdictions. Finally, companies develop policies related to free expression and privacy based primarily on the legal requirements they need to fulfill instead of based on non-binding human rights frameworks.
More information was available at the group-level rather than the operating level. In general, more information was available for the parent company, while the subsidiaries either didn’t provide information relevant to the criteria or referred to parent company sources. Main corporate documents on the group level are published in English (e.g. The Social Charter, Privacy Code of Conduct, or the Data Privacy and Security Report), and are not available in all languages subsidiaries are operating in.
The parent company provided information on human rights commitments and procedures around privacy, but little information was available regarding free expression.
Suggestions for Methodology Development
Acknowledgments:
This paper was adapted from a document drafted by Nathalie Marechal, a PhD student at the USC Annenberg School for Communication and Journalism.
Special thanks for financial support of the Phase 1 research:
Internews Center for Innovation and Learning for supporting case study research examining companies in Brazil, Russia, India, China, and Egypt.
The Humboldt Institute for Internet and Society and Central European University’s Center for Media Data and Society for supporting research on European telecommunications companies.
Access for further research support in Brazil.
The Annenberg COMPASS summer fellowship program.
For a full list of Ranking Digital Rights funders please visit: https://rankingdigitalrights.org/who/funders/
[1] https://rankingdigitalrights.org/project-documents/theory-and-strategy/
[2] See http://rankingdigitalrights.org/project-documents/elements/ for more details.
[3] https://rankingdigitalrights.org/resources/
[4] http://rankingdigitalrights.org/project-documents/draft-criteria/
[5] https://rankingdigitalrights.org/methodology-development/
[6] http://rankingdigitalrights.org/project-documents/draft-criteria/
[7] https://rankingdigitalrights.org/methodology-development/
[8] https://rankingdigitalrights.org/project-documents/phase-1-pilot-methodology/
[9] https://freedomhouse.org/report/freedom-net/2013/germany#.VNiNk1NwvMg
[10] For more information about Human Rights Impact Assessments and best practices in conducting them see this special page hosted by the Business & Human Rights Resource Centre: http://www.business-humanrights.org/UNGuidingPrinciplesPortal/ToolsHub/Companies/StepTaken/ImpactAssessment. The Danish Institute for Human Rights has developed a related Human Rights Compliance Assessment tool (https://hrca2.humanrightsbusiness.org), and BSR has developed a useful guide to conducting a HRIA
[11] https://rankingdigitalrights.org/project-documents/risk-scenarios/
[12] https://rankingdigitalrights.org/2015/01/19/unesco-report-intermediaries/
[13] However as we refined the methodology in preparation for the pilot study in September 2014, and assessed the resources available to our team and our research partners, we determined that the pilot methodology would be based on information disclosed by the company. A pilot study report forthcoming in March 2015 will include further details about that decision, its reasons and implications.
[14] https://rankingdigitalrights.org/2014/10/06/phase-1-pilot-study-launched/
[15] Article 19, Marco Civil da Internet Law N. 12965/2014, available at: http://www.planalto.gov.br/ccivil_03/_ato2011-2014/2014/lei/l12965.htm.
[16] http://www.safernet.org.br/site/sites/default/files/Teles.pdf
[17] Conselho Nacional de Justiça (CNJ). Mais de 18.000 telefones monitorados em Outubro de 2011. Available at http://www.cnj.jus.br/noticias/cnj/17795:justica-autoriza-grampo-em-195-mil-telefones-em- 2011. Accessed Oct. 10, 2013.
[18] Information Technology (Intermediaries guidelines) Rules, 2011. Rule 3(2). Available at: http://deity.gov.in/sites/upload_files/dit/files/GSR314E_10511%281%29.pdf; ISP license. Sections 2.2 (VII) and 34.4. Available at: http://www.cca.ap.nic.in/i_agreement.pdf
[19] Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011. Rules 4, 5(7) and 5(9). Available at: http://www.cyberlawdb.com/docs/india/legislation/rules/section43A_rules.pdf
[20] See for example http://www.sciencemag.org/content/347/6221/468.
[21] See for example www.courthousenews.com/2014/01/28/64901.htm and http://dataprivacy.foxrothschild.com/2013/03/articles/data-protection-law-compliance/in-massachusetts-zip-codes-constitute-personal-identification-information.
[22] Ray, Daniel. “Promusicae v. Telefonica | JOLT Digest.” Accessed January 20, 2014. http://jolt.law.harvard.edu/digest/copyright/promusicae-v-telefonica.