Report finds Google, Yahoo and Microsoft Compliant with Privacy and Free Speech Guidelines
BY Miranda Neubauer | Wednesday, January 8 2014
A first-time assessment by the Global Network Initiative has found that Google, Microsoft and Yahoo are compliant with free expression and privacy principles established by the GNI.
The GNI brings together technology companies, civil society organizations, investors and academics with the goal of protecting and advancing freedom of expression and privacy in the technology sector and providing resources to companies facing challenges in those areas in their interactions with governments.
While privacy issues have gained new prominence with the Snowden disclosures, the assessment was not able to evaluate how companies respond to U.S. national security requests since U.S. law prohibits the companies from disclosing information about them, a GNI press release notes. "This strengthens GNI’s belief that legal and policy reform is necessary and advocacy for increased transparency and other changes will be a greater part of our work in the future."
Facebook also joined the GNI in May and will also undergo the assessment process beginning in 2015. LinkedIn currently has a one-year observer status with the group. The civil society organizations include the Center for Democracy and Technology, the Committee to Protect Journalists, Human Rights First, Human Rights Watch and Index on Censorship. The Electronic Frontier Foundation resigned from the organization in October because it said it had lost confidence that the group's corporate members would be able to speak freely about their internal privacy and security systems in the wake of the NSA revelations.
GNI's principles emphasize a commitment to the protection of freedom of expression and privacy "except in narrowly defined circumstances based on internationally recognized laws or standards."
The assessment focused on a selection of cases demonstrating how the companies responded to government requests affecting freedom of expression or privacy rights between July 2011 and June 2011. The GNI board made its determination of the companies' compliance based on evaluations conducted by third-party assessors which included law and consulting companies such as KPMG and PriceWaterhouseCoopers.
The GNI encouraged the assessors to consider cases involving blocking or filtering efforts, takedown requests, criminalization of speech, company liability for users' posts, selective enforcement of laws, content surveillance and requests for user information including real name registration requirements and data retention laws.
The lack of information about national security surveillance demands by the U.S. government was not the only challenge the assessments faced, according to GNI's report.
Other challenges limiting the information companies were willing to disclose about cases included user privacy concerns, attorney-client privilege and trade secrets, the report notes. In some of those instances, the assessors were able to gather information through alternate approaches by interviewing company employees, reviewing incoming government requests and the companies' responses, when they did not have direct access to policies and procedures or case-specific documents.
While the assessment process cannot determine whether companies acted appropriately in response to every request, the GNI board concluded that the companies "have committed to our principles by adopting policies and procedures to implement them; and based on the cases reviewed, [are] making good faith effort to implement and apply them, and improve over time."
The report notes that GNI does not expect or require companies to violate local laws, even when they are inconsistent with international human rights norms. Rather, GNI encourages companies to "assess risks to privacy and free expression from local law and take measures to mitigate those risks [and to] in some circumstances use legal means to challenge government requests that may violate human rights, and to participate in policy discussions toward the end of bringing local laws into alignment with human right standards."
The assessment reviewed 59 cases overall, of which 47 involved a specific government request, 30 involved privacy, 17 involved freedom of expression and 12 were related to broader company operations. In what GNI determined were "highly restrictive" jurisdictions regarding policies on freedom of expression and privacy online, the assessment examined just under 10 freedom of expression cases and a handful of privacy cases. In the category of unrestrictive policies but a large number of requests, the assessment covered five freedom of expression cases and 20 privacy cases. The report notes that in 13 privacy cases, the strict interpretation of jurisdiction and companies requiring that governments follow established procedures, such as mutual legal assistance treaties, led to the denial of a request.
Among the challenges the companies face in implementing the principles are how to apply the policies during acquisitions and how to handle decisions about whether content violates a company's terms of service while ensuring the company's commitment to GNI principles, the report notes.
Regarding the individual companies, the report points out that Google has conducted Human Rights Impact Assessments (HRIA) to evaluate potential threats to freedom of expression and privacy, including in advance of acquisitions or entering new markets. In addition, the report points out that Google is applying new contract terms for suppliers and partners that present privacy risks, has expanded the use of a central IT platform to process government requests and often informs users by e-mail when it takes down content as a result of a government request, in addition to issuing a transparency report since 2010.
Regarding Microsoft, the report notes that the assessment did not cover concerns involving Skype, and specifically its joint venture in China with TOM-Skype, because Microsoft said it was in the process of addressing such concerns while the assessment was still underway. At the end of November, Microsoft announced a new Skype partnership with a different Chinese partner that the advocacy group GreatFire said eliminated censorship restrictions.
The report also noted increased efforts to ensure that Microsoft's board and senior officers are informed and have oversight over the implementation of GNI principles. In addition to also conducting HRIAs before making decisions on adding features in platforms in high-risk markets, Microsoft has also adjusted its online product development tools to ensure that freedom of expression and privacy questions are raised early on in the engineering process, has reformed its "due diligence procedures" to assess risks connected with storing user data in different jurisdictions, and issued its first request reports in 2013, the report states.
Yahoo has established a Business and Human Rights program comprised of two "dedicated" team members and other "virtual" global team members to provide regular reports and briefings on issues related to freedom of expression and privacy to its board and executive management, the report notes. In addition, the report states that Yahoo, which published its first transparency report in 2013, "has made significant progress" in being transparent about government requests and has implemented GNI principles in responding to law enforcement requests for user data and engages with governments around the world about existing and proposed legislation through its public policy team. The report highlights that in 2008, Yahoo filed a motion requesting the declassification and release of opinions of a formerly classified challenge and appeal of a FISA directive, which the presiding judge of the FISA court indicated was "the one instance in which a non-governmental party substantively contested a directive from the government under FISA in the FISC."
The report offered brief selected anonymized case studies highlighting the companies' responses to government requests to protect user confidentiality and the companies' ability to operate in restrictive settings.
In Latin America, for example, a company received a request from a judge requesting the removal of user-generated content critical of his rulings. The company responded that such a move would require a court order, and did not remove the content.
In a "restrictive operating environment," a company received a written request from government authorities to block search results within the country "related to a legitimate news story." Based on its policy not to filter or block content unless it receives a legally binding request, the company asked the authorities to provide a legal basis, did not receive a response and did not block the content.
In another instance a company received a letter from a U.S. attorney stating that a user had posted sensitive content including photos and plans about a city's transportation system in a way that was prohibited by U.S. federal law and presented a security risk. The company's law enforcement team concluded that the content violated the company's terms of service, which prohibits the posting of harmful content, contacted the user and requested the content's removal, which occurred the same day. Three weeks later, the attorney contacted the company again and pointed out that the content was still accessible through another provider's search results, and asked the company to direct that provider and other search engines to remove the pictures. In that instance, the company responded that it would not request a take-down of search results on behalf of third parties, citing the U.S. Communications Decency Act.
In another case in Germany, a company received a request from a local government agency with a search warrant from a German court for the mailbox content of a user subject to criminal proceedings. The warrant suggested that the user was using electronic communication in connection with the crime. While the crime was suspected to have occurred within a six-month timeframe in 2012, the warrant stated that documents from other time ranges were also relevant to verify the accusations. The court order instructed investigating authorities to immediately delete any documents they obtained that were not relevant to the criminal case. After the law enforcement response team for the company checked that the request was a valid legal process, the company produced the e-mails as had been requested.
In its report, GNI summarized several non-binding recommendations the assessors made to the companies, which are expected to report back on their implementation within six months.
The recommendations include improving the integration of human rights considerations when buying or selling companies, considering the impact of hardware on freedom of expression and privacy, improving internal and external reporting on government requests, requests received through international legal procedures and other freedom of information and privacy topics, such as in a semi-annual report to management, reviewing employee access to user data, reviewing executive management training, improving stakeholder engagement, improving communications with users about complying with requests, about company law enforcement guidelines in all jurisdictions and the reasons for why services are not offered in certain countries, and increasing sharing of best practices.
"These independent assessments—the first of their kind—present a major step forward on human rights accountability in the technology sector," said GNI Board Chair Jermyn Brooks. "They demonstrated in the many specific cases examined how companies, applying the GNI Principles, have in fact been able to limit the removal of content and the release of personal data as a result of government requests."
"Internet users who care about their civil liberties and human rights online can gain confidence that these three companies are taking tangible steps to protect the freedom of expression and right to privacy online," Bennett Freeman, GNI Board Secretary and Calvert Investments Senior VP for Sustainability Research and Policy, added in the statement. "So too can investors who have reason to worry about the prospects of companies who must maintain user trust to succeed globally in an age of rising anxiety over censorship and surveillance."
Looking ahead, the GNI Board says that it plans this year to review and examine ways to strengthen the assessment process, with the assessments themselves already offering some recommendations to that end. This year, GNI also plans to begin a pilot program with the business and human rights consultancy Shift to create a mechanism for affected parties to raise concerns if they believe companies are not meeting their GNI commitments consistent with the UN Guiding Principles on Business and Human Rights.
The advocacy group Access welcomed the completion of the first round of assessments, but also offered recommendations to GNI to improve the process. The group recommends that the assessors have "full and unfettered access to company data and personnel to the legally permitted," that the assessor recommendations broken down by individual company be made public, that the non-company members of the GNI are more involved in the assessment and case study selection process, with more consideration given to the case studies they propose and that the companies report publicly and transparently on their progress implementing the recommendations.
"The reports’ recommendations include calls for greater human rights due diligence, more granular transparency reporting, and improving stakeholder and user engagement, and promise a six month timeline for doing so," Access notes in a blog post. "This is a welcome step. However, unless the companies publicly report the actions they are taking to address these gaps, they can’t be effectively held accountable to the recommendations. It’s also not clear what sanctions, if any, the companies may face if they fail to deliver." Access says that it plans to release a deeper analysis of the report's recommendations soon. "Overall, we see this public report as an innovative advance toward a more transparent and accountable tech sector, and congratulate those who were involved."