Ranking Digital Rights


Formal Metadata

Ranking Digital Rights
Internet and Telco companies’ respect for Privacy and Freedom of Expression
Alternative Title
RDR 2017 Findings: Internet and Telco companies’ respect for Privacy and Freedom of Expression
Title of Series
Gutermuth, Lisa
Ullman, Ilana
CC Attribution - ShareAlike 3.0 Germany:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this license.
Release Date

Content Metadata

Subject Area
Ranking Digital Rights (RDR) recently launched its second annual Corporate Accountability Index in March 2017, which evaluates 22 internet, mobile, and telecommunications companies on commitments, policies and practices affecting users’ freedom of expression and privacy. We will take this opportunity to present the findings to the Re:publica community and discuss actions that companies, activists, researchers, investors, and end-users can take for improvement.
Computer animation Meeting/Interview Line (geometry) Digital media Projective plane Right angle Regular expression Object (grammar) Ranking Data type Digitizing Information privacy
Computer programming Digital media Expression Information privacy Subject indexing Digital rights management Centralizer and normalizer Meeting/Interview Internetworking Telecommunication Right angle Ranking Devolution (biology) Digitizing Position operator
Subject indexing Category of being Process (computing) Computer animation Meeting/Interview Personal digital assistant Projective plane Expression Ranking Information privacy
Subject indexing Computer animation Website Right angle Ranking
Electronic program guide Auto mechanic Mereology Power (physics) Telecommunication Meeting/Interview Internetworking Computer network Software Ranking Physical system Covering space Projective plane Plot (narrative) Mechanism design Subject indexing Internetworking Computer animation Telecommunication Computer network Self-organization Dependent and independent variables Right angle Ranking Digitizing Data structure
Standard deviation Expression Projective plane Auto mechanic Information privacy Expected value Mechanism design Internetworking Computer animation Integrated development environment Telecommunication Computer network Software Energy level Self-organization Ranking Ranking Quicksort Data structure
Area Focus (optics) Spacetime Mapping Digital signal Expected value Subject indexing Facebook Computer animation Integrated development environment Internetworking Telecommunication Order (biology) Right angle Traffic reporting
Expression Cartesian coordinate system Information privacy Information privacy Subject indexing Category of being Web service Computer animation Commitment scheme Negative number Energy level Right angle Commitment scheme Implementation Digital rights management Row (database) Address space
Multiplication sign Range (statistics) Mereology Rule of inference Content (media) Web service Natural number Term (mathematics) Computer network Ranking Commitment scheme Regular expression Implementation Digital rights management Computing platform Standard deviation Information Element (mathematics) Expression Volume (thermodynamics) Term (mathematics) Information privacy Category of being Content (media) Computer animation Commitment scheme Web service Mathematics Telecommunication Netzwerkverwaltung Self-organization Quicksort Identity management Address space
Point (geometry) Category of being Computer animation Information Shared memory Information privacy Identical particles Computing platform
Group action Scaling (geometry) Process (computing) Information 3 (number) Bit Information privacy Number Subject indexing Latent heat Computer animation Natural number Traffic reporting Resultant
Point (geometry) Category of being Subject indexing Process (computing) Product (category theory) Computer animation Integrated development environment Meeting/Interview Stress (mechanics) Forcing (mathematics) Coma Berenices Formal language
Process (computing) Computer animation Personal digital assistant Feedback Encryption Website Staff (military) Process (computing) Mereology Resultant
Context awareness Standard deviation Mathematics Computer animation Information Natural number Whiteboard Mereology Theory
Mobile Web Point (geometry) Standard deviation Greatest element Gradient Expression Information privacy Subset Subject indexing Summation Mathematics Internetworking Computer animation Internetworking Telecommunication Subject indexing Film editing Resultant
Point (geometry) Mobile Web Area Email Information Expression Bit Weight Digital signal Information privacy Web service Internetworking Facebook Computer animation Whiteboard Subject indexing Ranking Smartphone Right angle Information Whiteboard Digitizing Traffic reporting
Facebook Web service User profile Computer animation Telecommunication Charge carrier Computing platform
Bit Digital signal Limit (category theory) Subject indexing Type theory Computer animation Commitment scheme Whiteboard Web service Sheaf (mathematics) Encryption Ranking Information Extension (kinesiology) Information security
Subject indexing Information 3 (number) Information Information privacy Data type
Axiom of choice Information Shared memory Basis (linear algebra) Limit (category theory) Parameter (computer programming) Information privacy Expected value Subject indexing 4 (number) Web service Type theory Computer animation Computer cluster Personal digital assistant Internetworking Web service Information Row (database)
Subject indexing Type theory Computer animation Information Meeting/Interview Basis (linear algebra) Information Data type
Subject indexing Web service Computer animation Telecommunication Energy level Process (computing) Address space
Process (computing) Digital media Information Physical law Expert system Information privacy Arithmetic mean Computer animation Commitment scheme Blog Authorization Dependent and independent variables Process (computing) Information security Address space
Area User profile Mobile app Computer animation Data storage device Operating system Combinational logic Smartphone Information privacy
Point (geometry) Android (robot) Mobile app Implementation Graph (mathematics) Information Software developer Expression Information privacy Information privacy Category of being Computer animation Data storage device Dependent and independent variables Right angle Energy level Data type
Mobile app Computer animation Information Software developer Software developer Multiplication sign Source code Energy level Information privacy Rule of inference Traffic reporting Information privacy
Area Degree (graph theory) Computer animation Information Integrated development environment Expression Information privacy
Flow separation Subject indexing Email Computer animation Integrated development environment Observational study Personal digital assistant Element (mathematics) Information security
Information Expression Internet service provider Auto mechanic Sound effect Term (mathematics) Information privacy Information privacy Subject indexing Carry (arithmetic) Computer animation Commitment scheme Web service Right angle Information Information security Digitizing Traffic reporting
Information Regulator gene Physical law Auto mechanic 3 (number) Maxima and minima Maxima and minima Content (media) Content (media) Computer animation Internet service provider Right angle Information Information security Speech synthesis
Subject indexing Word Computer animation Information Multiplication sign Right angle Bit Traffic reporting
Computer animation Meeting/Interview Multiplication sign Weight
and the if you want to hear it and the and
the types but due that object to the hello has today we're going
to be talking of the ranking Digital Rights project ends the findings of the 2017 corporate accountability
index i which ranks 22 Internet and telecommunications companies on their respect for freedom of expression and privacy I'm these agreements and program Manager of ranking degenerates and I'm also a visiting researcher here in Berlin at the Humboldt Institute Internet and position shaft the Hague and I'll on all men policy
and communications analyst with ranking digital rights and I'm also a fellow at the Center on Media data and society at Central
European University in Budapest cases so just to give you an overview of what we're going to cover
today our kinetic about the background of the rank Detroit's project and then talk about the methodology and process and what goes into building and of an
index like this and then we're going to talk about the findings of the 2017 index in uh the categories of governance freedom of expression and privacy and to close so we
will give recommendations for companies and recommendations for governments and then will open up for questions and you can also treat questions
that you have with the hashtag ranking right and also visit the website of making digital rights . org slash index 2017 as we go along and you will this will become clear as fairly soon but we will not be able to
cover nearly even a quarter of the data that is part of this index the we want to give a few introductory findings on such a system background to how the project came about on ranking
digital rights founder Rebecca MacKinnon wrote the book called consent of the network and it looked at this question of how can we structure technology in a way that promotes the rights and liberties of all Internet users and 1 of the key issues that she looked at in this book was the growing role that Internet and telecommunications companies play in our daily lives and the impact they have on our digital rights but unlike Governments where we have methods of accountability like collecting officials and there are more clear accountability mechanisms on there is lingering question of how can we hold of companies accountable on how can we as medicines and Internet users make sure that they're respecting our digital rights and so additionally on the UN power plots the Guiding Principles on Business and Human Rights which state that government governments have a responsibility to protect human rights but that companies and businesses in the private sector also have a responsibility to respect human rights and so an organization called the Global Network Initiative at the GNI was formed to implement these principles and
apply them to ICT companies and so companies can join the GNI and commit to uphold a certain level of standards on freedom of expression and privacy issues on and even with all these efforts there is still a gap fell and so the GNI is a voluntary organization what about the companies that don't choose to join or what about issues that the GNI perhaps doesn't are get to you aren't we also
know that rankings work as a mechanism to encourage company improvement when you compare a company to its competitor and show where there may be falling short on it it is a really important incentive on to changing that behavior and we've seen that with companies in other sectors already on so that was sort of a lot of the a background into how the project came about in 2013 OK and in the same vein I'm just as sustainable business practices have become a mainstream expectation in the environment from 1 of the
overarching goals of ranking to rights and we've heard this echoed in other spaces including the uh Mozilla Internet health reports that we really want to mainstream this idea where this expectation of Internet and telecommunications companies that are digital rights will be respected ends uh in order to provide for a sustainable digital environment I am and here is of the map of companies that we
evaluated our we this is a global index we didn't want to uh to be read in enlarged European focus American focused with and we know that the blue is where companies are headquartered but does not encompass the reach so and for example we all know that's the reach of Facebook and Google and Microsoft is worldwide and then we also wanted to get companies that were used more widely in other areas of that for example long and I had never interacted with before doing the research like cacao in South Korea or 10 cent invite you in in China alone and so we look at
3 categories of indicators and the 1st is governance and so we look at other companies to disclose a
commitment at the corporate level to respect freedom of expression and privacy so for example we look for companies to disclose that they conduct human rights impact assessments to determine the ways in which their services may infringe upon user rights and to mitigate those on so for example before launching a news service or before entering a new market that might have a negative human rights record on but also in in their day-to-day application using existing services are they understanding the risks to human rights of the users on that the services may presented and an odd in mitigating those on and surreal notice that the
GNI our companies and on that telco telecommunications industry dialog are which has recently merged with the GNI by which previously was the only telecommunications companies on organization on they tended to do better in this category than the other companies because part of that membership requires them to have this sort of corporate commitment and so the next category that we look
at is freedom of expression and we look at a wide range of issues and less on so for example on Terms of Service enforcement each company has their own rules for what content is and isn't allowed on the platforms and a lot of the times when they're enforcing these Terms of Service it's really unclear how the standards are being applied and are in we don't have very much information about the volume or nature of content that they're removing for violating the terms of service and we also look at if they require users to provide a
government-issued ID or information that would tie a user to his or her offline identity on and if they do then they are docked points on because users cannot be fully anonymous on their platforms and so finally the 3rd category that we look at is privacy
are we look for companies are for example to disclose how they are collecting using sharing and retaining user
data we look for information about how they respond to government and other 3rd party requests for user data and for them to publish things like transparency reports that have the number of those requests they receive from law enforcement and the number with which they comply action go a bit deeper into the specific privacy indicators and the results of the companies on and soon and but before then um we wanna talk
a little bit about process and what goes into making an index of of of this nature of the scale and so firstly to be clear we look at publicly available documents I'm and disclosures
um and we work with a team of international researchers based in over 19 countries around the world and this is mostly for that language purposes of for example neither of on or I speak Korean and this and that in those environments he needs that's that knowledge and also as they have the contextual knowledge so in the same vein we haven't used those products we don't know how how they are used within society that you don't have that local knowledge of the so we have 7 steps of the research process we start with a basic primary research of each researcher gets a company and goes to all 35 indicators in all 3 categories of them and then we do a secondary review so as different researcher looks at that same company and goes through its use if there's any if they I disagree with the judgment of the 1st researcher
or any of the forces your missed a piece of disclosure I'm and then we do an internal step 3 as we do an internal of review and reconciliation of those 1st 2 steps and then what we find is really important as we do a horizontal review and where where up until this point we've been looking at that company by company and and at this point we take each indicator and look at them across all companies and make sure that we're judging them equally and that were not being too strict with or more stress than other companies on on an indicator or that of researcher interpreted something differently on a specific company and then we have
preliminary draft results and this is an important part of our process because we send those staff results to each of the companies and we
offer them a chance to respond to comments on in so in some cases if there was maybe a document on the website that we missed or if they've
published a a new document that's relevant that was published after we began the research then it's an opportunity for them to point us to that and and again we're only looking at publicly available documentation so if they perhaps have a really great internal policy on for encryption or 1 of the other issues we look at that would not affect the
scorer because part of R and theory of change and part of what we're looking for is improved transparency with their policies so if the public and the users don't know it what is going on on on a given issue then they don't receive credit on not on and then we decide whether or not any new information or new contexts are merits a score change and
then we conducted another horizontal review our for quality assurance and just again nature were applying uniform standards across the board and is then we have our final score which look like that I'm so this is these are the
results from our index which was released in March of this year on the far left column is the total score which is out of a hundred and then it's broken down into governance freedom of expression and privacy the Internet and mobile companies are at the top and the telecommunications companies are at the bottom and so are the highest performing company was Google is 65 per cent of what Microsoft was a few points behind it 62 per cent on an average score for all the 22 companies was around 33 per cent so by any standard that is really a failing grade and we found that there is significant room for improvement across the board and and additionally your steps that the sum of these companies could take tomorrow or in the near future without any regulatory change or a legal on change on
these are a subset the companies themselves could take on and so for example on the and what are the lower performing companies or you which is a telecommunications company based in cut are and they actually did not have any privacy
policy that was publicly available on their website on so they didn't get any points for privacy yeah the and so
some of the key findings on that we took away from the report where as I mentioned company disclosure is really inadequate across the board on every company has areas in which they can make a significant improvement on mobile ecosystems which will talk about in a bit but have the least amount of disclosure of the services we looked at so we still don't know enough about the impact of smartphones on our digital rights and freedom of information is getting short changed so the majority of the companies we looked at published more detailed information relating to privacy than they did on our policies relating to freedom of expression handling of user information is very OK so if someone were to make a
profile on me based on the different services I use and the data that I give them and the data that they share with other 3rd parties on what would that look like what would my iPhone combined with my telecommunications mobile phone carrier combined with you know Google and Facebook and whatever other platforms I use what would someone be able to tell from all the data that I'm giving them we still don't know enough to be able to really answer that question on and
finally on 1 of the other key takeaways was that security commitments lack evidence so there may be some companies that are known for having really robust security or the the strong encryption or other things like that but if they don't make the user is aware that users don't know to what extent or even if the data is being protected and how secure they really are it so to go
into a little bit of detail and we're gonna cover 3 indicators today out of the 35 so again I do
encourage I'm going to go insane finding which indicators someone most interesting to you or that you want to find out more about but but this is key 3 so the 3rd privacy indicator of
a collection of user information and so the questions that we ask when we evaluate this indicator are does the company clearly disclose what types of user information it collects for each type of user information the company collects does a clearly disclose how it collects the information and does the company to
clearly disclose that limits the collection of user information to what is directly relevant and necessary to accomplish the purpose of a service is it not
collecting superfluous information from and this is an interesting indicator in any case cow was the South Korean company actually best of of the internet companies and a lot of the arguments you would expect when evaluating corporations on this basis and also the during the average score of 33 per cent is that our expectations are too high and that it's not achievable what we're asking more expecting of them but the fact that cacao was able to get 90 89 per cent some on this indicator and Google could only get 60 % an Apple Fellow at 29 person as of those worst scoring um in this indicator is kind of telling about what's possible and what choices these companies are making on disclosure of this 4th privacy indicator sharing of user information and so again similarly and those of a row of these so it goes from collection to sharing to
retention and actually see there that the whole average score a kind of go down as you get deeper into
into other questions but so does the company clearly this goes with it shares user information just as a basis does the company disclose which types of 3rd parties it shows information and but so what's interesting and we have seen done is does it disclose the names of all the 3rd parties with which it shares user information and so on and so 1 of the new indicators
that we looked at in this year's index was company policies for responding to data breaches i it seems like every other week in the news there's another high-profile data breach of a given
service that impacts a lot of users on a very personal level and so that's 1 of the reasons it was really surprising and and also concerning that actually have the 22 companies we look back there were only 3 they actually all telecommunications companies are Telefonica
18 t and Vodaphone were the only 3 out of all 22 companies to disclose information about the processes for responding to data breaches so usually in after a data breach a company may put out a press release or a blog poster will speak to to the media or will maybe e-mail users that were affected on but this is different than a comprehensive policy that expresses a commitment to always respond come in a certain way on ended and so we look for companies to disclose that they'll notify the relevant authorities without delay the bill notify data subjects who may have been affected and we look for them to disclose ways that they will try to mitigate the impact of the breach and so it's also important to note that a lot of these
companies are operating in countries that do have laws governing response to data breaches so they may be legally of thought are required to notify authorities were users and all this doesn't mean that they're not doing that on but it means that they're not disclosing to users that this is what they do and users shouldn't need to be experts in data breach response law our data protection law of a given country to know you know if they're secure in their data and to have that sense of security and so on I
1 of the other new areas we looked at this year was mobile ecosystems answer so by that we mean the combination of the device the operating system
of your smartphone your user profile and the App Store are where you download your act so for Apple that would be your iPhone your Apple ID I O S and Apple App Store and we found that all 3 companies we looked at Apple Google and trade and the
Samsung implementation of Android all 3 failed to disclose on sufficient policies on held a sufficiently disclose policies affecting users freedom of expression and privacy rights so Google as you can see from this graph outperforms both Apple on the left and Samsung on the right in all 3 categories on but really over all this is the category we soloists disclosure on and we also found that app stores are points for freedom of expression so an app
company with an app store might receive a request from government on so the Chinese government requests for Apple to remove the New York Times Apr from its App Store for users in China and we want to know you know what is Apple's response corresponding to this request how many of these types of opacity received how many did they comply with and we still don't have enough information about that process on and additionally appstores don't provide clear disclosure about whether they enforce their
privacy policy rules for app developers so any app developer making an app that collects user information should have a privacy policy for how they treat that information and additionally source should
provide evidence that they're removing apps that don't have sufficient privacy policies and that's another thing that we haven't seen yet and so and of the other really interesting things from this year's report was for the 1st time we looked
at 2 Russian companies and to Chinese companies and so for China we looked at by do and 10 cents and the Russia we looked at me and mailed out are you and on this really allowed us to examine if there are areas in which these companies do you have room to increase their disclosure so obviously these are very restrictive legal
environments for both freedom of expression and our privacy issues on but we found that by looking at the gaps in scores between the 2 Chinese companies and the 2 Russian companies it showed that they actually do you have some degree of flexibility on certain issues to decide how much information to disclose and what their policies are so for example yandex ended up
outperforming mailed out are you on several security indicators which would mean that despite the restrictive legal environment Mail . ru could still improve its disclosure the
case element and then the other from this whole study we have some general recommendations that we can offer to companies so I'm from our findings we
recommend that companies carry out risk assessments for freedom of expression and privacy and show evidence that the company has
institutionalized commitments on the transparent and accountable not only about government request but also private requests and Terms of Service enforcement so this is about transparency reporting and communicate clearly about what happens to users information we saw already in the 2 indicated the 3 indicators that we covered that there's a lot that could be done and there's a lot that's not being done and we really don't have enough information about the data that was collected and establish effective grievance and remedy mechanism so when someone's digital rights are violated there is a mechanism in which that they can report this and communicate with the company and if damages
done that there is a remedy mechanism in place I'm and provide evidence of strong security practices so
this is even if companies have really strong security practices they should disclose that information additionally
and so we also provide recommendations for Governments aren't to promote committee transparency and to remove legal restrictions that may be preventing companies from disclosing more about what they're doing with user information so we I believe that laws and regulations must at least enable if not require companies to respect user rights on also maximize transparency from companies about things like content restrictions and requests are were sharing user data with 3rd parties and governments themselves to be accountable and transparent about requests they make on companies both restrict content are and also for user information so that's that so we
have a we have a little bit of time for questions but again would really encourage you to review our full report we can find more information about the issues recovered and all the other indicators that thinking a right that words flash index 2017 thank thank
few minutes for questions we have if you have a question resumed now is the time yeah no you no 1 and OK so thanks for coming to stay if you want to play again of whether you want you don't punish by the thank you very much here to
the if my weight room


  926 ms - page object


AV-Portal 3.11.0 (be3ed8ed057d0e90118571ff94e9ca84ad5a2265)