A majority of the world’s 4.3 billion internet users rely on the products and services provided by 24 internet, mobile, and telecommunication companies. As these companies have a significant impact on the way billions of people communicate and stay connected, it is essential that they respect users’ human rights. Since 2015, Ranking Digital Rights has evaluated a number of powerful companies on their disclosed commitments and policies affecting users’ freedom of expression and privacy. The recently launched 2019 Corporate Accountability Index evaluated 24 across three categories: governance, privacy, and expression.
Many companies have shown some progress since the previous Index: 19 of the 22 companies evaluated last year disclosed more about their policies affecting users’ freedom of expression and privacy. Telefónica, in particular, improved significantly over the year, due to disclosures of its governance and oversight over freedom of expression and privacy issues. Most of the companies showed a willingness to engage on the results of the Index ranking, responding to the open letters Access Now sent to those ranked in 2018.
However, in spite of some steps forward, these companies still have room for improvement. Of the 24 companies evaluated this year, only seven scored above 50%, with Microsoft topping the list at 62%. Barriers to transparency and disclosure persist across all categories and companies have a responsibility to address these problems in order to fully respect users’ rights. Below are key results from the Index, along with recommendations for companies.
Internet and telecommunication companies hold a wealth of information about us, their users. Yet, many of us do not know just what information these companies collect about us and how our information is used. The Index evaluated whether companies give users clear options on controlling what information is collected about them and how it is processed, particularly for targeted advertising. The results showed that most companies did not provide clear options, limiting people’s control over their own data. Furthermore, the Index found that most companies are not sufficiently transparent about their data retention policies for users to give informed consent.
Data breaches are another significant issue in the area of privacy. With the implementation of the General Data Protection Regulation (GDPR) in the European Union and data protection legislation at the state level in the U.S. and in jurisdictions around the world, there is more recognition that companies must be transparent about how they keep user information secure. The Index evaluated whether companies disclosed their processes for responding to data breaches. Results indicated that companies are making some progress on this front, likely in response to recent legislation. However, only 10 of the 24 evaluated companies disclosed anything to users about how they respond to data breaches. Notably, Vodafone got a full score for disclosure while companies such as Google, Twitter, and Facebook “still failed to disclose even basic information about what procedures they have in place to respond to data breaches.”
The Index recommended that companies go beyond legal compliance to respect users’ privacy. As many jurisdictions remain without sufficient laws protecting users’ privacy, companies should go beyond what may be legally required by disclosing maximum information about how they handle user information and how they respond to data breaches. Companies should also give users sufficient information about what data are collected and retained about them, and how this information may be shared.
Shutdowns and content restrictions
Internet shutdowns are on the rise; Access Now’s #KeepItOn campaign tracked 188 internet shutdowns in 2018 alone, up from 108 in 2017. Shutdowns are economically harmful and pose a threat to human rights, cutting off the flow of information. Users have a right to know why network shutdowns occur and who is responsible. The Index evaluated telecommunication companies on this front, asking whether these companies clearly explain under which circumstances they may restrict access to a network or services. Of the 12 companies evaluated in this category, only three scored at 50% or higher, meaning that most companies still do not disclose to users why their access to a network may be cut off. Furthermore, only two companies, Vodafone and Telenor, “disclosed a clear commitment to push back on network shutdown demands.”
Companies also scored poorly on transparency regarding requests by third parties (the government and private entities) to restrict accounts or censor content. Some of the companies evaluated publish transparency reports — as all should — and those reports showed that government demands have increased over the past two years. However, transparency regarding the number and nature of those demands has not improved; in some cases it has worsened. For example, although Facebook still produces transparency reports about government requests, it no longer clarifies whether those requests included information about WhatsApp or Messenger.
The Index recommended that companies be more transparent by publishing reports including data about the circumstances under which they may shut down or restrict access to a network. It is also important that companies engage with stakeholders, those who are at greatest risk of censorship, and work with them to develop mechanisms to protect their rights.
Finally, companies need to improve on providing access to remedy for users whose rights to freedom of expression and privacy have been violated. The Index evaluated whether companies offered clear and accessible grievance mechanisms. With the exception of Telefónica, all the companies scored at 50% or below, demonstrating the lack of strong remedial mechanisms for users. Facebook, in particular, was among the weakest in spite of a new appeals process it unveiled in April 2018 to address wrongful takedowns of content. Though a step forward, it is unclear whether this mechanism covers any violation of Facebook’s Community Guidelines, and the company still does not have a remedial mechanism for users to turn to when Facebook itself violates their privacy.
The Index recommended that companies create and implement remedial mechanisms that cover complaints about violations to both the rights to freedom of expression and privacy. In creating these mechanisms, companies must work with affected stakeholders to ensure that they provide meaningful remedy. As we’ve written, the right to remedy remains out of reach, leaving courts and international bodies struggling to fill the gap.
This year’s Index highlights many areas in which companies can improve to better respect users’ rights. We encourage the companies evaluated to engage with the Index, review their assessment, and take meaningful steps towards addressing their shortcomings in order to safeguard digital rights.