Investors raise unique surveillance concerns

This week, some of the world’s leading sustainable investment firms joined the growing chorus of voices speaking out against private sector compliance in the U.S. government’s sweeping violations of human rights through its widely publicized NSA surveillance programs, calling them “unprecedented and dangerous threats to the privacy of hundreds of millions of people.”

Citing the concerns of shareholders and institutional investors, the heads of six major funds called on all publicly-traded U.S. companies to adopt “a pro-active, principled approach to protecting the privacy and rights of their users.” In the form of an open letter, the statement urges action by all stakeholders, asking tech and telecoms companies to issue transparency reports, only comply with government requests for consumer data accompanied by judicial warrants, and institute corporate responsibility for privacy at the highest executive levels.

Although press attention has focused largely on the major consumer internet companies, such as Google, Microsoft, and Apple, who have been turning over data to the NSA under PRISM and other programs, the U.S. telcos, who have also reportedly been compelled to turn over information on all of their customers, have remained conspicuously silent.

The June 24 statement was signed by executives from Boston Common Asset Management, Trillium Asset Management, Clean Yield Asset Management, Newground Social Investment, Zevin Asset Management and Arjuna Capital. These firms practice “sustainable and responsible investing (SRI),” which refers to an investment process that, along with traditional financial analysis, measures and promotes factors related to a company’s social, environmental, and governance work.

In these programs, investors see not only a major danger for users, but also a long-term threat to their own financial interests. They argue that, on the basis of reputational and legal risks, the surveillance programs could “pose material financial risks to the companies involved.” As such, the open letter asked corporate executives to “demonstrate real leadership” in three different areas: transparency, protecting consumer privacy, and corporate management of user rights.

Start with the basics: transparency, due process, accountability
On transparency, some of the tech companies have already taken initial steps in response to the recent scandal. However, not a single telco has publicly acknowledged the requests for massive amounts of metadata, let alone said whether it complies. Verizon released a single terse statement that neither denied nor acknowledged its compliance with secret government requests, despite the leaked Foreign Intelligence Surveillance Court order compelling the company (a U.S. company 45% owned by U.K. group Vodafone) to deliver the communications metadata of all its users to the U.S. government on an “ongoing, daily basis.”

In fact, the U.S. mobile telecom companies have only released transparency reports once, in response to a direct ask from Congress. The investor statement calls for an inversion of this record: instead, it asks the companies to pressure the U.S. government to allow them to publicly disclose requests for user data, to issue transparency reports, and to release details on all policies and procedures for responding to governmental requests for data. The letter further calls on the companies to require a warrant when faced with requests for access to consumer data, and encourages them to challenge requests in court and to join together to lobby legislatures and regulators for privacy-protecting laws. The latter point, which suggests the companies use their significant clout (Google is among the top ten spenders on corporate lobbying in the United States) to pressure lawmakers on behalf of their customers, echoes our earlier demands for companies to join in the call for strong legislation to curb abuses and rein in the U.S. executive branch.

The investor letter urges executives to “establish responsibility for privacy at the most senior levels of the company,” enable and protect whistleblowers, and disclose data privacy breaches where appropriate and where the SEC demands. While acknowledging the country’s “legitimate concern over terrorism and national security,” it also demands that, for both business and human rights reasons, the “companies must… exercise independent, principled and critical judgment in protecting the privacy of their customers and clients consistent with international human rights norms and standards.”

Access applauds the investor statement and its belief in a “social license” to operate in the digital age, a license that depends on the informed consent of users and transparency by those handling their data. We hope that the investor community continues to ask these questions and that this letter will galvanize action by the companies.