(Washington, DC) – The first independent assessment of major internet companies shows that companies can and do incorporate voluntary standards on privacy and freedom of expression into their operations.
On January 8, 2014, the Global Network Initiative (GNI), a partnership between industry and independent groups, released a report on the first full assessments of its founding industry members, Google, Microsoft, and Yahoo. The assessments, conducted by independent firms, determined that those companies had developed policies and procedures to implement the initiative’s standards. The assessments examined a range of cases in which the companies had been asked to censor content, turn over user information to governments, or assist in other abuses. However, they could not evaluate matters related to national security requests in the US, such as the types of surveillance revealed by the former National Security Agency contractor Edward Snowden.
“GNI’s assessments are an important milestone for the technology industry, even if limited in scope,” said Arvind Ganesan, business and human rights director at Human Rights Watch. “The assessment shows that leading companies can integrate human rights into their operations and can be subject to an independent evaluation of their efforts. That was not necessarily the case before GNI started.”
The assessments were not able to draw conclusions about whether the companies adequately addressed human rights abuses throughout their operations. However, the GNI’s board of directors, which includes Human Rights Watch, found that the companies had been “compliant” with GNI’s standards by adopting human rights policies and procedures and applying them in good faith in the cases examined.
This is the first independent assessment conducted in the technology sector for the rights to freedom of expression and privacy. The assessment was a culmination of over five years of negotiation and advocacy with technology companies to adopt human rights standards and commit to independent monitoring of how their policies were carried out. Over that period, the companies that joined GNI in 2008 have made concrete progress in incorporating human rights into business decisions.
However, the GNI assessments did not examine the companies’ responses to the surveillance programs revealed by Snowden. US law, for example, prohibits disclosure of certain national security requests, with the result that neither the assessors nor the board of GNI were able to scrutinize how those companies protected users’ rights when faced with such government requests.
The methodology for the assessment predated Snowden’s disclosures about mass surveillance practices. Human Rights Watch expects that future assessments will evolve to address the types of human rights issues that Snowden’s disclosures revealed. Future assessments should seek a better understanding of how companies respond to demands for bulk data, as well as to targeted requests under flawed national security laws.
Human Rights Watch believes that there are ways to evaluate whether technology companies are trying to protect their users’ rights even when they are legally barred from reporting their responses to such government demands. For example, technology companies should be assessed on whether they are challenging excessive secrecy or overbroad surveillance requests and securing their services on behalf of users through technical means. And assessments should examine whether the companies are advocating reform of overreaching surveillance laws.
Since these programs became public, eight major technology companies, including four GNI members, have begun a campaign urging governments to reform surveillance practices and ensure that the right to privacy is protected online. Some of these companies have also challenged national security gag orders in court so that they can increase transparency around the scope of US national security requests. Other companies have not disclosed whether they filed any legal challenges to such orders.
These actions are an important first step in protecting human rights, restoring user trust, and carrying out the initiative’s commitments in light of Snowden’s revelations, Human Rights Watch said.
Companies that join the initiative make a commitment to adopt human rights policies and address harm to human rights linked to their business. Unlike some groups that promote voluntary industry standards, GNI requires members to accept independent monitoring of their progress. If a member company fails to comply with the requirements, it can be ejected from the initiative.
A key area of progress that the assessments revealed was that companies have, over time, developed far more systematic and aggressive approaches to combat censorship. GNI assessors studied a range of cases in which human rights were implicated and observed whether and how the companies were applying the initiative’s principles. The report presents these examples without identifying the users or companies involved to allow public disclosure of sensitive information, including how companies pushed back on overbroad requests and, in some cases, challenged governments.
In one case, a company received a request to block search results of a news story inside a particular country. The company asked the government authority to provide a legal basis for the request. The government did not respond, and the company did not block search results, refusing to censor the content.
The report also summarizes select recommendations by the assessors to one or more of the companies. For example, assessors pressed companies to address the human rights impact of decisions to acquire other firms, and to ensure that employees are trained to take human rights into account in their actions. Assessors also urged companies to improve communications with their users, including by notifying them if possible when the company hands over their data to a government. The companies will report back to the GNI board within six months on whether and how they have addressed these recommendations.
In addition to Microsoft, Yahoo!, and Google, four other companies have joined the initiative since it began in 2008: the voice-recording service Evoca, the software company Websense, Facebook, and the network equipment maker Procera Networks. These companies will undergo similar assessments in the next several years. The initiative is overseen by a board consisting of companies, human rights organizations, socially responsible investors, academic institutions, and independent experts.
“Companies that have joined GNI have taken important steps to protect their users’ rights, but that’s only a start in this era of widespread censorship and mass surveillance,” Ganesan said. “As our understanding of how companies should protect human rights evolves, we hope that these companies’ commitment to follow GNI standards will be a key safeguard for millions of people online.”