Users' Free Expression, Privacy Shortchanged by Top Internet, Telco Companies, Says Report

Google and Microsoft received low scores on how well they disclose information about their commitments, policies and practices governing users' online free speech and privacy rights, in an assessment by Ranking Digital Rights (RDR), though they topped RDR's list of 22 global internet and telecom companies. “If this were a test and not graded on a curve, we have two companies that got a D and everybody else got an F," said RDR Director Rebecca MacKinnon at an event. "To call anybody a winner or even a leader is perhaps going too far." RDR is hosted by the Open Technology Institute at the New America think tank, of which Google is a major contributor.

Collectively, the companies assessed in the 2017 Corporate Accountability Index offer products and services used by half the world's 3.7 billion internet users. Despite American companies scoring D's and F's, there's more transparency and disclosure coming from some of them than from foreign-based companies, MacKinnon told us. "It's a step in the right direction ... but they have a very long way to go." Part of the problem may be corporate priorities, but she said companies do respond to public scrutiny and concerted pressure.

MacKinnon said U.S. companies provided transparency reports about government requests for user data because it's in their best interests and "it doesn't mess with their business model." A reason Google, Microsoft and Yahoo originally formed the Global Network Initiative -- a coalition of academics, industry representatives and privacy advocates to promote internet privacy, online freedom of expression and industry transparency -- "was because people were screaming at them about what they were doing in China and they had to address a problem to their reputation globally" (see 1001140117), she said.

During a panel on the report, Arvind Ganesan, Human Rights Watch director-business and human rights, said "there aren't enough positive financial incentives to do the right thing in place yet." As companies expand into other parts of the world, he said, they may have to comply with mandatory disclosure laws in Europe but it will be piecemeal. Companies may look for incentives such as a lower cost of capital or preferences in government procurement that could incentivize them to do the right thing but they're not there yet, he said.

Melissa Brown, partner at Daobridge Capital, a China-focused investment and financial advisory firm, said investors are unlikely to drive any change, though some pay attention to the impact of human rights, governance and risk management on share prices and business models. She said investors may see in the index that companies fail to disclose policies for data breaches, which leads to questions of whether companies aren't in control of the risk management for their commitments or whether lawyers are telling companies and boards not to say anything about it.

It's the second accountability report released by RDR, which issued a list of 16 major internet and telcos two years ago (see 1511030057). The independent initiative is housed in New America's Open Technology Institute with a separate funding stream, and it plans to begin releasing rankings annually. Other U.S. companies evaluated in this year's report include Apple, AT&T, Facebook, Twitter and Yahoo. Apple was the only U.S. company newly added. Yahoo again ranked as one of the “strongest performers,” said Nicole Karlebach, the company’s senior legal counsel-business and human rights, in a Tumblr post. She said Yahoo will review RDR’s recommendations and continue to discuss privacy and free expression responsibilities. None of the companies commented to us. Other companies were from China, Europe, India, the Middle East, Russia, South Africa and South Korea, including Samsung.

RDR provided an overall assessment of the companies and also broke them down into how they're doing on data collection and use, freedom of expression, mobile ecosystems and security. The report said companies largely keep people in the dark about what user data is collected, handled and shared with third parties, how it's collected and for what reason. Companies improved transparency reporting on government demands for user information, but the report said they don't provide enough "clarity" on their responses to censor content, restrict accounts or close down communications networks.

RDR said companies also don't provide enough information about how they secure personal data, such as following industry best practices, or their process for responding to data breaches. Only three companies -- Telefonica, AT&T and Vodafone -- disclosed any information about their process, the report said. On encryption, Google's disclosures scored 14 points higher than Apple's but RDR said improvement is needed across the board.

Asked about the implementation of the EU's general data protection regulation (GDPR) by May 2018, MacKinnon said that may have an impact on U.S. and European companies by pushing them to become more transparent and accountable. GDPR will provide stronger data protection rules for Europeans, who will have more control over personal information. MacKinnon said FCC broadband privacy regulations, which the Senate voted to overturn Thursday (see 1703230070), would have called for some of the transparency being sought. "In the U.S., it's more of a muddled picture," she said. Regulation isn't the only lever, she said, and RDR will continue to spotlight companies' practices.