Transparency for the win: What the latest reports tell us about human rights

In part one of a two-part series, we look at the latest reports in our newly updated Transparency Reporting Index, a resource to track how well companies across the globe are meeting their responsibility to respect human rights in the digital age. In part two, we’ll look at transparency reporting by governments.

Among the findings in part one: AT&T is handing over users’ data in Mexico; Nest is getting questions about user data it has about homes; and the French government has massively increased its surveillance requests.

This week we relaunched Access Now’s Transparency Reporting Index on our new website, just in time to provide analysis of corporate data published through the end of 2015.

Originally launched in 2014, the index is designed to shed light on corporate disclosures regarding privacy and free expression, and to make these disclosures more accessible to the public.

With the latest refresh of the index, we now include data showing where the corporations we track are headquartered, which provides a way to map the global trend in the tech and telecom sectors toward more transparency. We’ve also added four new companies to the index, recognizing the first reports from Twilio, Proxy.sh, Nest, and Let’s Encrypt.

Transparency reports are helpful to the public in understanding how our private information is being handled. But they also help companies, non-profits, and other firms increase trust by disclosing information such as how often governments are requesting access to users’ data and demanding that content be removed, and how companies enforce their content rules. In addition, they help investors, board members, and other stakeholders evaluate whether companies are meeting their commitments to be more transparent and accountable.

A majority of the 61 companies we track have released year-end 2015 statistics and narratives. Here are a few highlights:

AT&T expands to the south, gets requests for user data

In 2015, AT&T began its attempt to establish its position as a telecommunication access provider in Mexico by acquiring and merging two small Mexican providers, Nextel Mexico and Iusacell. Due to these acquisitions, Mexico became the first country outside of the United States where AT&T provides mobile services to everyday consumers, rather than only enterprise customers. Now, AT&T is vulnerable to requests by the Mexican government for cell phone data, of the same type that it gets from the government in the U.S.

AT&T’s transparency report covers its new Mexican subsidiaries, and reveals that the Mexican government is requesting both real-time and subscriber data. According to the report, in 2015 AT&T received more than 10,000 requests for subscriber information and call-detail records in Mexico. That figure is likely to increase substantially as AT&T attempts to compete with America Movil and Telmex by growing its business in Mexico.   

Even though we have this information, we don’t have the whole story. AT&T does not report how often it complies with international requests for data, so we don’t know how much data that is requested is actually handed over to the government in Mexico. In future reports, AT&T should add these compliance rates, and explain whether and how it processes Mexican requests differently than it does U.S. law enforcement demands. AT&T has the opportunity here to set a precedent for telco transparency in Latin America and the Caribbean, just as other international telcos, like Telefonica, expand in the region.  

Twitter tweaks reporting on TOS violations, gets more surveillance demands from France

Twitter has begun to report when content is taken down for violating its Terms of Service (TOS), but only when the complaints originate from legal requests. Twitter still does not report when content is taken down pursuant to complaints through its support forms, where we presume the majority of TOS violations are reported. There is increased pressure on Twitter to counter “violent extremism,” including terrorist recruitment and propaganda, on its platform. It’s possible that governments are using its support forms to flag and report content they believe violates the TOS, and takedown of this content would not be reported as a legal request. So Twitter could improve its transparency by sharing information about the use of its support forms for reporting on TOS violations and how it responds.

In its disclosure of government requests for user data, Twitter notes that there has been a 400% increase in demands for account information from France, likely in response to the terrorist attacks of November 2015. The report also shows that Twitter has continued to refuse to hand over users’ data to the governments of Turkey and Russia. For the last six months of 2015, a beautiful map of “information requests” shows 0% compliance rates in those two countries. Meanwhile, Twitter granted 61% of such requests from France, and 79% from the U.S.

In a unique move among companies in the index, Twitter reported on its legal pushback in a case, Smythe v. Does 1-10, providing a hyperlink for details in the report. In the lawsuit, Twitter denied a request that would have unmasked the people behind two anonymous Twitter accounts. This is a laudable innovation, with Twitter publicly demonstrating that the company understands the value of protecting user anonymity. We encourage the company to spell out its strategy for legal pushback against requests to identify its users.

Nest expands transparency reporting to “Internet of Things”and home automation

Owned by Alphabet — the parent company of Google — Nest is one of the most popular companies to supply home automation products. Through the “Internet of Things,” Nest gives people a multitude of ways to control a home using web-based applications.  As such, Nest has data that could be very valuable and sensitive, revealing information such as when you leave or enter your house.  Recognizing the privacy concerns that this raises, Nest posted a letter to its customers on its website, which it is calling a transparency report. In the letter, the company states that it is currently seeking the best way to share information and statistics on requests for data, and reveals that it has received “fewer than 25 requests” and no national security-related demands. This is a promising start, even though Nest has not yet committed to providing full transparency reports. We are likely to see more requests for private information from companies that provide home automation products and services in the future.

Microsoft creates innovative Transparency Hub  

Microsoft made significant advances in its transparency reporting in 2015, creating an entire “hub” dedicated to the company’s transparency statistics.  Now, in addition to issuing reports such as law enforcement requests and U.S. national security orders, it is disclosing takedown requests targeting its search engine, Bing, through the Content Removal Requests Report. This provides the public with easy access to information regarding government requests for content removal.

In the content removal report, Microsoft distinguishes between three types of requests: government requests for content removal by country; right to be forgotten (RTBF) requests; and copyright takedown requests. Microsoft took action on 89% of the government takedown requests that the company received. Of the RTBF requests, Microsoft excluded approximately 50% of the requested URLs from January-June 2015. In comparison, Google has excluded from its search results 42.5% of URLs since rolling out a tool for RTBF requests in May 2014. Both Microsoft and Google refer to their RTBF actions as “removals” or “blocking,” when in reality they are simply excluding the URLs from specific search results, and this may confuse people.  

We recommend that both companies alter their RTBF language to be more accurate. We further suggest Microsoft scrutinize its takedown process more closely, as 89% is quite a high percentage for complying with content removal requests.  

Proxy.sh provides real-time transparency reporting, maintains location anonymity

Proxy.sh is an encrypted Virtual Private Network (VPN) provider, and prides itself on its anonymity, so we are therefore unable to tag its location. Its transparency report consists mainly of information about copyright takedown requests, and does not provide data on the number of government requests for information or national security letters that it receives. Its warrant canary declares that “No warrants, searches or seizures of any kind” have been carried out on its assets. Notably, the proxy.sh team states that they will update the report with all requests immediately, with the information revealed in as short a time frame as a few seconds, and no more than 12 hours after they receive a request. There is a possibility that other companies will follow this lead and begin to provide information about government requests for data closer to real time, rather than once or twice a year.  

A positive trend that is notable, and evident in the most recent transparency reports: Companies are making clear that they see government restrictions on whether and how they can report on national security orders as a restriction on the right to free expression.

What’s next?

Stay tuned for part two of this series of posts on the latest transparency reports in the index, which will focus on transparency reporting by governments.

In addition, we hope to see you at RightsCon on March 30-April 1 in Silicon Valley, where experts on transparency from around the world will gather to discuss how we can make transparency reports more accessible and useful for everyone — and how to drive to real-world outcomes, with more companies meeting their commitments and responsibility to respect human rights.