More companies have begun to publish transparency reports, which give the public information about whether a company has received requests for user data from government or law enforcement. Transparency reports are vitally important. They help people understand what is happening with their data and whether their privacy and other fundamental rights are at risk.
This year, 11 companies published transparency reports for the first time, including Snapchat, Kickstarter, and GitHub. Some of these newcomers were innovative in their reports, and won praise for their creativity. Others courageously issued a warrant canary, an approach that lets a company signal when it has received government requests for user data even though there are legal limits to what it can publicly disclose.
Below, we take a look at the information that some of the companies are sharing (or not sharing), and the implications for users’ rights. We also provide guidance specifically for telecom companies that are seeking to improve their practices to respect human rights.
Who asks for my Snapchats?
Last month the first transparency report from Snapchat — a company with a brand centered around the ephemeral “selfie” — drew a lot of attention. Over a four-month period starting in November of 2014, the company received 375 requests from U.S. government agencies, and produced data about users for 92% of these requests. That number might seem low given that Snapchat reportedly receives “more than 350 million Snaps every day.” Yet it’s important to note, given that many people likely assume that Snapchat doesn’t retain their data at all.
Snapchat’s Law Enforcement Guide states that “Snapchat often will not be able to retrieve message content, as it deletes each Snap from its servers once all recipients have viewed it.” However, in that case the company may hand over metadata, which includes information such as who sent a “Snap” to whom, and when.
Snapchat has drawn scrutiny from privacy advocates and the U.S. regulatory body FTC regarding the legitimacy of its claims when it comes to user privacy and the purported impermanence of user content. We applaud Snapchat for issuing its new transparency report, which will now be updated biannually. It is a concrete step toward increasing transparency and demonstrating respect for users’ rights.
GitHub gets requests for censorship
Like Kickstarter, GitHub — a web-based version control service for software projects — gets a lot of copyright-related requests (see the useful Chilling Effects clearinghouse for examples of this type of request). But as its transparency report reveals, in 2014 the company also began getting content-removal requests from foreign governments, and in particular the Russian state “media regulator” Roskomnadzor. GitHub, citing the requirement to follow local laws, notes in its report that it “may comply with such a request by blocking the content in that specific region.” It records this kind of censorship request in a public GitHub repository. Some of the notices, published in both Russian and English, reveal the thinking of Russian censors, who point to vague or discretionary terms in GitHub’s terms of service when they argue that the company should comply with the censorship orders. The company could tighten its terms to signal to foreign censors that it does not exercise discretion absent a court order.
Cisco takes a step towards transparency, while Amazon does nothing
Cisco, the network hardware company, has also published its first transparency report, reporting zero requests from government agencies. Two years after the Snowden revelations, at a time when governments are insisting on encryption backdoors to software and devices, Cisco’s timely decision to show that it has nothing to hide is necessary, but might not be sufficient, to shore up consumer trust.
That’s because the company has faced criticism for tailoring its filters in response to government clients. Cisco, with “field sales offices in 94 countries,” has significant responsibility when it comes to human rights. The company could, at minimum, reveal the client list for any surveillance- or filtering-capable products. It could also be more transparent about its production process to avoid complicity in abusive surveillance. Regardless, its human rights policy [PDF] implementation, together with its corporate responsibility report, should be subject to close review by outside experts. We’ll share more on that soon.
Amazon, meanwhile, has not yet released a transparency report, which is at odds with industry norms. We would welcome the company’s move towards the sunlight, so we can understand how it handles government or law enforcement requests for user data or content removal.
Telecom companies report on events that impact privacy, free expression
So far this year, no new telecom companies have been added to the list of companies that already publish reports giving data on government requests. However, the Europe-based multinational Millicom, which operates in several African and Latin American markets, has included in its third corporate responsibility report a “transparency report” section devoted specifically to “privacy and freedom of expression.” This is laudable.
The report contains a detailed analysis of the rights impact of Millicom’s business, and we appreciate the company’s focus areas, including “diversity, child protection, privacy, responsible supply chain, and environmental protection.” However, the company said that it could not publish any statistics on the number of interceptions or user data requests that it received from governments, due to “lack of standardized systems to collect such information, unclear laws relating to rights to publish information relating to any requests and, in some cases, security risks.”
For giant multinational telcos like Millicom, transparency reporting is a complicated issue. Unlike an internet company that might be headquartered in one country, while offering services to users around the world via cloud-based systems, these companies have complex business models where they operate in many countries under license — with staff on the ground and leased/owned communications infrastructure. They are also subject to tricky legal landscapes where compliance becomes a critical issue.
That said, we hope that as a member of the Telecom Industry Dialogue, Millicom will push for more transparency. It could provide data on the number of requests, along with a country-by-country legal annex that would refer to laws that prevent such disclosure in a particular area where it is operating.
Millicom, like TeliaSonera, also reported on “Major Events” that have implications for privacy and free expression, such as Paraguay’s new data retention bill. This reporting is highly useful, since transparency about these events allows groups like Access to analyze how the company operates during times of crisis. It also helps us understand how best to fight back against dangerous legislation. For example, we hope that future reports from French telcos will reveal how they respond to France’s new surveillance law.
Toward better human rights integration in telco operations and protocols
Transparency is only the first step toward achieving meaningful integration of a human rights framework in a company’s operations and procedures.
For telecom companies that are committed to protecting human rights, we have developed the Telco Action Plan (TAP) [PDF]. It provides guidance for next steps, including allowing independent, third-party assessments of these “Major Events,” in the model of the Global Network Initiative’s auditing process. In addition to measuring a company’s compliance with human rights standards, this type of assessment can produce in-depth case studies that will lead to a better understanding of best practices when it comes to dealing with government requests with grave human rights implications.
If you are part of a company that is seeking guidance and assessment, Access and our partners are ready and willing to assist you. Please feel free to contact us.