Theory and Strategy

This paper describes the theory and strategy for ranking ICT sector companies on freedom of expression and privacy.

Download PDF

Navigate this document

International Human Rights Framework
ICT Sector Views on Human Rights
Theory of Change
Conclusion
Acknowledgements

February 2015

Citizens around the world increasingly rely on digital products and services that are owned and operated by private corporations – from broadband and mobile phone service providers, to device-makers like Apple and Samsung, to social networks like Facebook and Twitter. These technologies can connect and empower people in unprecedented ways. Yet increasingly—because of their pervasiveness—these companies’ business practices, engineering and design decisions, and government relationships can also bring about serious violations of citizens’ right to free expression, assembly, and privacy.

Internet and telecommunications companies, along with mobile device and networking equipment manufacturers, exercise growing influence over the political and civil lives of citizens all over the world who depend on their platforms and services. While efforts are underway to develop a set of ethical standards, accountability mechanisms, and global best practices for the information and communications technology (ICT) sector, combining self-regulation with law, many research and advocacy gaps remain. Ranking Digital Rights will address one such gap: Internet users, advocates, investors, and policymakers lack consistent comparative data about how different companies’ policies and practices concretely affect technology users’ free expression and privacy rights.

Corporations are already being ranked and rated on other human rights, social responsibility and sustainability criteria – from conflict minerals to carbon disclosure to political spending disclosure. Surveys of companies themselves have shown that the most effective and credible ratings and ranking systems have a genuine impact on corporate priorities and practices.1 The Ranking Digital Rights project is propelled by the belief that the time has now come to create a global ranking system for ICT companies on free expression and privacy that human rights advocates and investors alike can use as a tool to engage with the world’s most powerful technology companies about how concrete change can be implemented.

top of section

International Human Rights Framework

International human rights norms have built on the United Nations Universal Declaration of Human Rights (UDHR) adopted in 1948. The principles enshrined in the Declaration and in the related International Covenant on Civil and Political Rights (ICCPR) have been codified into “more than 80 international human rights treaties and declarations, a great number of regional human rights conventions, domestic human rights bills, and constitutional provisions, which together constitute a comprehensive legally binding system for the promotion and protection of human rights.”2 One of the newest instruments building on this human rights framework is the UN Guiding Principles on Business and Human Rights (the “Guiding Principles”) adopted by the UN Human Rights Council in 2011. While “stressing that the obligation and the primary responsibility to promote and protect human rights and fundamental freedoms lie with the State,” the Guiding Principles emphasize “that transnational corporations and other business enterprises have a responsibility to respect human rights.” The Guiding Principles further spell out the respective responsibilities of states and corporations and describe specific mechanisms for fulfilling these responsibilities.

Guiding Principles on Business and Human Rights: Implementing the United Nations ‘Protect, Respect and Remedy’ Framework

The Corporate Responsibility to Respect Human Rights

Business enterprises should respect human rights. This means that they should avoid infringing on the human rights of others and should address adverse human rights impacts with which they are involved.The responsibility of business enterprises to respect human rights refers to internationally recognized human rights – understood, at a minimum, as those expressed in the International Bill of Human Rights and the principles concerning fundamental rights set out in the International Labour Organization’s Declaration on Fundamental Principles and Rights at Work.The responsibility to respect human rights requires that business enterprises:(a) Avoid causing or contributing to adverse human rights impacts through their own activities, and address such impacts when they occur;(b) Seek to prevent or mitigate adverse human rights impacts that are directly linked to their operations, products or services by their business relationships, even if they have not contributed to those impacts.The responsibility of business enterprises to respect human rights applies to all enterprises regardless of their size, sector, operational context, ownership and structure. Nevertheless, the scale and complexity of the means through which enterprises meet that responsibility may vary according to these factors and with the severity of the enterprise’s adverse human rights impacts.In order to meet their responsibility to respect human rights, business enterprises should have in place policies and processes appropriate to their size and circumstances, including:

  1. A policy commitment to meet their responsibility to respect human rights;
  2. A human rights due diligence process to identify, prevent, mitigate and account for how they address their impacts on human rights;
  3. Processes to enable the remediation of any adverse human rights impacts they cause or to which they contribute.

(Guiding Principles 11 through 15 from http://www.ohchr.org/documents/publications/GuidingprinciplesBusinesshr_en.pdf).

Civil society (including academia), governments and companies have since 2011 been working to operationalize these principles into industry-specific standards against which companies can measure their activities and chart their progress. Their work complements existing industry-specific initiatives to promote human rights in the private sector, some of which predate the UN Guiding Principles by a decade or more. Examples include the Voluntary Principles on Security and Human Rights (established in 2000), the Extractive Industries Transparency Initiative (2003) and the ICT sector-specific Global Network Initiative (2008).

Shortly after the UN High Commission on Human Rights (UNHCHR) released its monograph, “Guiding Principles on Business and Human Rights: Implementing the United Nations ‘Protect, Respect and Remedy’ Framework,” the European Commission appointed a group of experts to develop the “ICT Sector Guide on Implementing the UN Guiding Principles on Business and Human Rights.” The 94-page document “translates the expectations of the UN Guiding Principles into the particular context of the ICT sector.”3 According to this guide, businesses should:

  • Determine specifically how their products, services, or business processes affect human rights both positively and negatively (in other words, conduct what is called a “human rights impact assessment”);
  • Develop and implement policies and practices designed to mitigate human rights risks and avoid complicity in human rights abuses to the fullest extent possible;
  • Engage with organizations and individuals whose human rights are at greatest risk of violation in relation to the company’s products or services; address their concerns, understand the risks they face, and construct the best possible policies and practices for respecting their rights;
  • Provide remedy to aggrieved parties by ensuring the availability of effective grievance mechanisms.

When considering ICT sector companies, users’ rights to freedom of expression and privacy are uniquely at risk as more and more personal data is stored in the cloud and participation in the public sphere increasingly relies on Internet intermediaries.4 The right to free expression is articulated in Article 19 of both the UDHR and the ICCPR:

UDHR Article 19

  1. Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.

ICCPR Article 19

1. Everyone shall have the right to hold opinions without interference.

2. Everyone shall have the right to freedom of expression; this right shall include freedom to seek, receive and impart information and ideas of all kinds, regardless of frontiers, either orally, in writing or in print, in the form of art, or through any other media of his choice.

3. The exercise of the rights provided for in paragraph 2 of this article carries with it special duties and responsibilities. It may therefore be subject to certain restrictions, but these shall only be such as are provided by law and are necessary:

(a) For respect of the rights or reputations of others;

(b) For the protection of national security or of public order (ordre public), or of public health or morals.

The right to privacy is articulated in Article 12 of the UDHR and Article 17 of the ICCPR:

UDHR Article 12

No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

ICCPR Article 17

  1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.
  2. Everyone has the right to the protection of the law against such interference or attacks.

Together, these documents — from the 1948 Universal Declaration of Human Rights to the 2013 ICT Sector Guide — represent more than half a century of collective wisdom from government leaders, civil society, and technical experts. While national laws and constitutions have codified these principles in varying and even divergent ways, they are nevertheless universal principles to which all government and corporate entities should aspire. The Ranking Digital Rights methodology is thus built on a framework of well-established, global human rights norms.

National laws have incorporated the principles expressed in these documents to varying degrees, often reflecting differences in the way countries balance competing social interests. For example, the historical experiences of Germany and France during the Second World War resulted in anti-hate speech legislation that would violate U.S. First Amendment free speech rights. Likewise, countries weigh privacy rights against law enforcement needs in different ways and can reasonably come to different conclusions with respect to implementing their laws. Even though international law recognizes legitimate restrictions to the right to freedom of expression, such as for needs of national security, public order, or public health, human rights law also stipulates that any restriction must be provided by law and also “necessary and proportionate” to the harm in question.

Unfortunately, in too many cases governments restrict these rights in an unnecessary or disproportionate way, or simply as a means to maintain the political status quo or advance the agenda of the powerful. Because ICT sector companies serve as intermediaries for people’s public and private digital communications, governments seek the aid of companies in carrying out censorship and surveillance – sometimes targeted and sometimes wholesale, on entire regions or all users of a particular service within a particular timeframe or location. RDR’s ranking methodology is built on the expectation that ICT companies should meet their responsibility to respect human rights by maximizing respect for users’ rights to freedom of expression and privacy.

After coming under fire for assisting government surveillance and censorship in China and other countries, in 2008 Internet companies Google, Microsoft and Yahoo! launched the multistakeholder Global Network Initiative together with representatives from civil society, academia, and the investor community.5 Since then, several more companies  have joined, including Facebook, Linkedin, and Procera Networks.6 The organization’s purpose is to “provide substantive and operational guidance to ICT companies regarding how to respond to government policies and practices in a manner that protects and advances freedom of expression and privacy.”7 Notably, company membership in GNI requires not only a commitment to the GNI principles and implementation guidelines; companies also commit to undergo an independent assessment process to verify whether the companies have implemented the principles to a satisfactory degree as determined by GNI’s multi-stakeholder board.8

RDR draws heavily on GNI’s principles and implementation guidelines, which themselves are grounded in same international human rights framework outlined above. Collaboratively developed with participants from civil society, the private sector, academia, and the investor community, GNI’s Principles note that:

All human rights are indivisible, interdependent, and interrelated: the improvement of one right facilitates advancement of the others; the deprivation of one right adversely affects others. Freedom of expression and privacy are an explicit part of this international framework of human rights and are enabling rights that facilitate the meaningful realization of other human rights.9

Freedom of expression and privacy are thus not only important in their own right, they are also key to preserving such other human rights as due process under law, freedom from arbitrary detention, religious freedom, labor rights, and more.

While the GNI principles and implementation guidelines have influenced policies of many non-member companies (a number of non-member companies reference the GNI principles in their company materials, for example) its membership is limited to companies who already want to be compliant. RDR goes beyond what GNI can do by evaluating companies that have not yet “opted in” to being held publicly accountable for policies and practices affecting users’ freedom of expression and privacy.

top of section

ICT Sector Views on Human Rights

In 2013 and early 2014 the Ranking Digital Rights team worked with a global network of researchers to carry out in-depth case study research that would inform the development of the ranking methodology. Please see the companion paper, Ranking Digital Rights Phase 1 Case Study Research:  Laying the groundwork for the methodology for a full discussion of the case studies and their findings.

For the purposes of this paper, it is notable that during stakeholder consultations to develop the case study criteria and in interviews with representatives from companies, the question arose of how appropriate it was to hold all companies to the same international human rights standards, given that these companies operate in very different sociopolitical and cultural contexts and are subject to different legal regimes. Some stakeholders suggested that assessing companies’ adherence to national laws would be more fair, as national laws legally constrain company actions, while international norms are less enforceable. However, this falls under the responsibility of national law enforcement agencies, regulators, and legislative bodies. Moreover, a small but growing number of civil society efforts seek to grade ICT companies within a given country against standards specific to that country. These include the Electronic Frontier Foundation’s “Who Has Your Back?” project (USA) and the IXmaps Project (Canada). We see these efforts as complementing our own, and would welcome the emergence of similar projects in additional countries. However, from our perspective a methodology linked to national constitutional, legislative, or regulatory frameworks could be counterproductive, particularly in countries whose laws frequently and directly contravene international free expression and privacy standards – and where constitutional and legal protections for such rights are weak.

Our researchers found that representatives within certain companies were unfamiliar with the notion that companies should demonstrate respect for users’ freedom of expression and privacy in a publicly verifiable way. Outside of North America and Western Europe some interlocutors perceived them as “Western” human rights concepts and therefore irrelevant to their national context. The way to overcome such barriers, for some researchers, was not to mention international human rights as such, but to talk specifically about what these standards actually say and how they apply to their country or industry. However, like countless civil society organizations around the world, the Ranking Digital Rights project is grounded in the belief that human rights are universal, to be protected and respected by all governments and companies everywhere. According to the UN Guiding Principles, business entities — including in the ICT sector — “have a responsibility to respect” human rights. The lack of enforcement mechanisms for international norms that sometimes do not have the force of law in national domains is precisely why civil society efforts are needed to supplement countries’ enforcement of their own laws. We are therefore holding all ICT companies to the same universal human rights standards.

top of section

Theory of Change

On a basic level, RDR will shine a light on poor performers, providing an incentive for them to improve in time for the next iteration of the ranking, while rewarding stronger performers with positive attention. By setting out a clear pathway for companies to improve their policies and practices affecting freedom of expression and privacy through concrete, measurable steps, RDR aims to make it easier for companies to take the recommended actions rather than asking them to come up with the answers on their own.

Private sector companies, their executives, and staff may lack awareness of how their products and services affect the human rights of users. Indeed, several company representatives with whom we spoke were initially confused by the connection between their work and the concept of human rights. Sometimes companies are not aware of what is considered best practice, or what concrete steps they can take in particular to improve accountability and transparency with users. For example, in one case study of one particular multi-national telecommunications company we noted that group-wide policies were not always available on the local operating companies’ websites in the appropriate local language. (Translating corporate policies into a local language, for example, was identified as a concrete and relatively easy step that companies can take.)  Within companies, key individuals who are committed to respecting human rights have told our researchers that they need empirical evidence in order to convince senior officials that the company will benefit from making public commitments and demonstrating respect for users’ freedom of expression.

The ranking will also inform socially responsible investors (SRIs). SRI’s choose their investments not only according to financial criteria but also by whether companies fit criteria including environmental sustainability, social responsibility, and good governance. A company’s respect for human rights is generally included in the definition of a socially responsible business.

Indeed, environmental, labor, and other physical-world human rights concerns can no longer be ignored by Fortune 500 company management, corporate boards, mainstream shareholders, and a critical mass of consumers. This development is thanks to decades of research and advocacy by activists, consumer advocates, and investors. As millions of companies worldwide have built corporate social responsibility (CSR) and sustainability strategies, a growing number of investors reward them for doing so.10 These investors rely on data disclosed by the companies themselves plus research data produced by a range of government and UN agencies, financial institutions, NGOs, and for-profit data-providers.  Some of these organizations have developed systems to verify companies’ compliance with their commitments, and also to benchmark company performance based on various criteria related to corporate social responsibility and sustainability.11 Investors can also refer to (or invest directly in) stock indexes such as the Dow Jones Sustainability Index (DJSI), the FTSE4Good, the Calvert Social Index and the Domini 400 Social Index, which include only companies that achieve a passing grade based on a set of broadly-defined sustainability (environmental, social, and governance) criteria.

Companies seeking brand and reputational benefits, in addition to acceptance by the growing ranks of responsible investors, work hard to get into these indexes and stay in them. A growing number of companies, particularly in the food/beverage, footwear/apparel, and extractives sectors, have also issued human rights reports and developed procedures for human rights due diligence – without which they cannot expect to score well on any ranking system related to business and human rights, or any broader corporate social responsibility index or ranking system that includes human rights criteria.12

If ICT companies are to be held accountable for protecting and respecting the rights of users around the world, it follows that free expression and privacy considerations must become as important to corporate boards and socially responsible investors as other human rights considerations.

Fortunately, these issues have become important to a small but growing number of responsible investors currently participating in the Global Network Initiative (GNI).13 However as mentioned in earlier in this paper, while the GNI has done invaluable work in formulating and advocating for global principles, best practices, and accountability mechanisms on free expression and privacy, the GNI only has a direct impact on companies that choose to join.

The reality is that free expression and privacy are not yet a core part of most corporate CSR programs – even, surprisingly, among many ICT companies that have developed robust policies on other CSR issues including labor, environmental, and conflict minerals. Intel, HP, AMD, and increasingly Microsoft have demonstrated strong policies and practices related to human rights and labor rights in global supply chains, and have been rewarded accordingly by rankings focused on those issues. Yet while Microsoft, as a GNI member, is known to be incorporating free expression and privacy commitments and practices into its global operations, there is currently no mechanism by which to assess the extent to which non-GNI members like Intel, HP and AMD measure up on free expression and privacy criteria.

To develop a mechanism that will be credible and useful for investors, we have partnered with investment research firm Sustainalytics, whose core business is focused on “helping investors integrate environmental, social and governance factors into their investment processes.”14 Furthermore, the creation of a public ranking such as RDR’s will provide socially responsible investors not only with the necessary data (which they currently lack) but also with a broader methodological approach and research framework to benchmark company performance on digital freedom of expression and privacy.

Finally, the ranking will inform company-directed advocacy strategies of civil society groups. By filling an empirical knowledge gap, the RDR ranking will help civil society organizations around the world engage in evidence-based advocacy, citing specific examples of how a company fails to meet best practices, and thus push for companies in their own countries to respect free expression, privacy, and general human rights by offering specific recommendations for how they can improve.

Indeed, exposing the specific areas where a given company is lacking will inform the company-oriented advocacy strategies of consumer-protection and human rights groups operating at local, national and international levels. Being able to compare a target company with its competitors can be a powerful argument in discussions with companies about their policies, especially if the comparison is unfavorable.

By identifying legal impediments to a company’s ability to respect user rights, Ranking Digital Rights will also be in a position to provide specific insights and recommendations to lawmakers – who may perhaps be motivated by the prospect of their country’s companies losing a competitive edge against firms whose host and home governments more fully respect privacy and free expression rights. One key takeaway from our case studies is the extent to which companies are constrained in formulating rights-respecting policies due to local laws in the countries where they operate. It is possible that a company could receive a low score in the ranking due in large part to the fact that it is headquartered in a regulatory environment in which individual freedom of expression and privacy receive few safeguards. In such a case, the message is that the laws of the company’s home country render its companies uncompetitive on freedom of expression and privacy indicators.

It is our hope that civil society organizations as well as companies themselves will be able to target their strategies toward advocating for laws and regulations that maximize companies’ ability to implement policies and practices that respect free expression and privacy rights. This will hopefully result in national laws that are more respectful of rights — which is of course an end in and of itself. Better laws will, in turn, enable companies to take concrete steps to improve their ranking.

top of section

Conclusion

As this paper has described, the methodology developed by Ranking Digital Rights for ranking ICT sector companies on policies and practices affecting freedom of expression and privacy is grounded firmly in international human rights standards as well as a body of theoretical and practical work carried out by a range of thinkers, researchers and practitioners over the past several decades. Just as this project could not exist without those vital contributions, RDR does not pretend to be a comprehensive solution to all violations of Internet users’ rights.  By producing a methodological framework and annual datasets on a specific set of questions about a specific set of actors in the digital sphere, RDR aims to serve and contribute to a much broader ecosystem of research and advocacy that will ultimately be needed if the world is ever going to see significantly improved levels of protection and respect of Internet users’ rights.

For more information about RDR’s methodology development, please see: Phase 1 Case Study Research: Laying the groundwork for the methodology and Human Rights Risk Scenarios for Internet and Telecommunication Companies.

A report detailing the results and lessons of the Phase 1 pilot study will be published in March 2015.

top of section

This paper was adapted from a document drafted by Nathalie Marechal, a PhD student at the University of Southern California Annenberg School for Communication and Journalism, while working with the project as a 2014 Annenberg COMPASS summer fellow. For an academic perspective on RDR, see “Marechal, N. (2015). Ranking Digital Rights: Human Rights, the Internet, and the Fifth Estate. International Journal of Communication”.

Footnotes

[1] See for example Rate the Raters Phase Five: The Company Perspective (Sustainability, October 2012) http://www.sustainability.com/library/the-company-perspective

[2] http://www.un.org/en/documents/udhr/hr_law.shtml

[3] http://ec.europa.eu/enterprise/policies/sustainable-business/files/csr-sme/csr-ict-hr-business_en.pdf

[4] See MacKinnon, Bar, Hickock, and Lim, Fostering Freedom Online: The Role of Internet Intermediaries (UNESCO, December 2014), at: http://unesdoc.unesco.org/images/0023/002311/231162e.pdf

[5] RDR Director Rebecca MacKinnon was a founding board member of the GNI. She resigned from the board in 2014 in order to avoid any perceived or real conflict of interest with Ranking Digital Rights, given that board members are party to confidential information about privileged company assessments.

[6] https://globalnetworkinitiative.org//participants/index.php

[7] http://www.globalnetworkinitiative.org/files/GNI_Annual_Report_2010.pdf

[8] https://globalnetworkinitiative.org//governanceframework/index.php

[9] http://globalnetworkinitiative.org/principles/index.php

[10] See Mackenzie, Craig and Rees, Bill and Rodionova, Tatiana, Do Responsible Investment Indices Improve Corporate Social Responsibility? FTSE4GOOD’s Impact on Environmental Management (September 2013). Corporate Governance: An International Review, Vol. 21, Issue 5, pp. 495-512, 2013. Available at SSRN:http://ssrn.com/abstract=2306407 or http://dx.doi.org/10.1111/corg.12039 and C. Mackenzie, ‘The Scope for Investor Activism on Corporate Social and Environmental Impacts’, in R. Sullivan and C. Mackenzie (eds.), Responsible Investment (Greenleaf Publishing, Sheffield, 2006) pp. 20–38.

[11] For a sense of how sustainability ratings have become an industry unto themselves over the past decade see Sustainability’s Rate the Raters Phase One: Look Back and Current State May 2010, at: http://www.sustainability.com/library/rate-the-raters-phase-one.

[12] See the Global Reporting Initiative’s Corporate Human Rights Reporting: An analysis of current trends and Resource Guide to Human Rights Reporting, downloadable at: https://www.globalreporting.org/reporting/latest-guidelines/g3-1-guidelines/Pages/Human-Rights-and-Reporting.aspx

[13] See http://globalnetworkinitiative.org

[14] http://www.sustainalytics.com/what-we-do

top of section

Sign up for the RADAR

Subscribe to our newsletter to stay in touch!