Access Now calls on 22 major tech companies to account for their human rights practices
Recently I learned that Ooredoo has the worst human rights record of all telcos, whilst Vodafone has the best. Sort of. I dare you to keep reading and to discover everything I recently learned about the human rights practices of major telcos.
My story begins where so many modern stories do: on the internet. If you spend enough time on the internet, you realize there are many institutions offering advice on how to make the world a better place. Some of these advocates are undoubtedly right. Others have questionable qualifications. And yet more remain a mystery to most of us. So when I learned that Access Now had written to “the heads of 22 internet, mobile and telecommunications companies” telling them how to improve their score on the Ranking Digital Rights “Corporate Accountability Index”, I asked myself some questions:
You could and probably should spend the remainder of your life blissfully ignorant of Access Now, Ranking Digital Rights, the human rights recommendations they give to telcos, and the answers to my questions. But if you are the type who cares about human rights, and the risks to businesses that ignore headline-seeking campaigners, then please allow me to spoil your innocence by sharing what I learned.
They Like to Keep Score, but They Mostly Measure How Much Is Disclosed
Ranking Digital Rights basically trawls through the kinds of documents that lawyers write but very few ordinary people read, looking for statements about how a telco or tech giant safeguards a user’s privacy, keeps their information secure, avoids interference with their freedom to speak, and so forth. Summarizing their recommendations is not easy, because they write in the style of academics who are trying to be popular with people who have a lot of time to read stuff on the web, rather than in the style of businesspeople trying to communicate serious points succinctly. This is my summary of their summary of their overall 2018 findings:
- Transparency reporting continues to improve and expand.
- Telecommunications companies that joined the Global Network Initiative (GNI) – an organization that calls itself a “a dynamic multi-stakeholder human rights collaboration” – were better at respecting human rights.
- Companies are not transparent enough about the design, management, and governance of digital platforms and services that affect human rights.
- Too few companies make users’ expression and privacy rights a central priority for corporate oversight and risk assessment.
- Most companies withhold basic information about measures they take to keep users’ data secure.
- Companies don’t disclose enough about how users’ information is handled.
- Companies do not adequately inform the public about how content and information flows are policed and shaped through their platforms and services.
I dare say a lot of this is true. But if you have not given up reading this article already, you will have also formed the same opinion as I have: these people are obsessed with disclosures written in documents that no normal person ever reads. This would be an obvious topic of interest if you are a lawyer, and more concerned with words on paper than what people actually do. However, it may not be the best way to secure rights in practice, especially if the challenge is ensuring personal data is held securely, or discouraging the creation of backdoors that undermine encryption. Put simply, the approach taken by Ranking Digital Rights reflects the way people do an audit when they only know how to audit words. The auditee receives a tick in the box if they wrote the right words in a policy document, and is chastised if they did not write the kind of document that only the auditors ask for.
Google Is Best, Apparently
Ranking Digital Rights has determined that the tech firm which has the best approach to human rights is the one which you know to be a massive data-hogging business which is hugely motivated to exploit your personal details. And which keeps getting fined all around the world. And which is despised by every privacy enthusiast everywhere (apart from the ones who aspire to work for Google). Google beat all others with a score of 63 out of 100.
If you have been paying attention, you can probably formulate a reasonable hypothesis for why Google scores more highly than everyone else. There is no doubt that Google’s army of lawyers certainly writes lots of policy documents about how they run their services, even though nobody reads them. This is not altered by the fact that Google does not abide by its own policies, nor industry best practice, as most recently demonstrated by the revelation that a security flaw exposed the profile data of Google+ users, although Google decided not to bother telling anyone. That was the most recent Google privacy scandal, coming a short while after the scandal where Google misled users about tracking the location of mobile phones. And let us not forget the time when Google did a deal with the UK’s National Health Service to obtain patient data in contravention of data protection law. Or that time when… the list could go on. One man compiled a list of the top 35 Google privacy scandals by 2012, and there have been a few since.
An Odd Choice of Companies
Google came top of the 22 companies selected for the Ranking Digital Rights review. But when it comes to disclosure, I could find no answer to the following question which any sane and relatively knowledgeable person would ask almost immediately: why pick this seemingly arbitrary selection of 22 companies, instead of all the other big telcos and tech firms that might have been reviewed?
Of the 22 firms reviewed, 10 were telcos, whilst the other 12 were an inconsistent mix of firms that do mostly hardware (Apple), mostly software (Microsoft), mostly data (Google), mostly everything (Tencent) and mostly nothing (Twitter). My best guess is that the index includes telcos not because they are like these other businesses, but because there are no firms as well known as Apple or Tencent that come from regions like Africa or the Middle East, whilst one of the goals of the Ranking Digital Rights is to be as globally significant as it can be.
The 10 telcos selected were the most homogenous kind of business reviewed by Ranking Digital Rights, but consider which ones were selected, and how their scores varied: Vodafone (52), AT&T (49), Telefónica (41), Orange (33), América Móvil (21), MTN (16), Bharti Airtel (15), Axiata (14), Etisalat (8) and Ooredoo (5). These are all big telcos, but why is no Chinese telco covered? Is it because the researchers thought they already covered other tech firms in China so had no need to include a giant like China Telecom or China Unicom, which are easily bigger than the Arab firms Etisalat and Ooredoo? Verizon is slightly ahead of AT&T in terms of mobile market share, so why was AT&T the only US telco covered, when the reviewers chose 6 other tech firms from the USA? Why pick Bharti Airtel instead of Reliance Jio? NTT and Softbank are both in the top ten global telcos by revenue, so why were no Japanese telcos included? Most importantly, do the researchers understand that protecting privacy would involve securing the flow of communications by wholesale carriers whose names are not known to the public, as well as the retail telcos that they have heard of? Could this peculiar selection have more to do with the languages and brands that will generate most attention for the researchers than the actual risks to the greatest number of people?
The review will be expanded in 2019 to cover Deutsche Telekom and Telenor. But no explanation is given for why these telcos are now worthy of inclusion, when previously they were left out. So when the researchers assert that telcos which joined the Global Network Initiative score more highly, that is a largely misleading statement, given how few of the telcos reviewed are also members of that body, and how many of the telcos that belong to that body were not covered by the review.
Sending Instead of Receiving
The likeliest response to a superficial survey of an arbitrary selection of firms is indifference, both by those companies which were reviewed and those which were ignored. That would not be good for researchers who want to repeat their work, year after year. So another group, called Access Now, came along with a plan to force people to pay attention. Their idea was to write a letter to each of the 22 businesses, asking them specifically how they intended to respond to the survey recommendations. Barely half wrote a reply. Vodafone, who scored most highly of all the telcos reviewed, wrote a lengthy letter that listed all the ways they are already doing a great job of protecting human rights. MTN, in contrast, wrote a letter so short it could only be considered a polite acknowledgment. From what I could tell, the letter-writing exercise produced yet more words that other people could then write more words about, but little else.
Who Does This Work Again?
In case there is any doubt, I actually favor human rights, and believe big companies can certainly do more to protect users from those people who would undermine their freedoms. But it is worth asking who is engaged in performing such a peculiar and flawed exercise, and why anyone would pay for it. Sadly, it is difficult to provide an answer, not because of a lack of transparency but because of that other brilliant technique used by people who try to hide the truth – disclosing so much irrelevant detail that nobody has the stamina to gather the most essential facts.
It is a simplification, but not too simple to say that Ranking Digital Rights and Access Now are mostly run by Americans, plus the usual smattering of people from across the globe. A cynic might observe their diversity of staff follows a similar pattern to all those international projects which are headquartered in the USA, are funded by Americans, spend a disproportionate amount of time focusing on US issues, but assert they are relevant to the whole world. Is it a coincidence that they adopt a legalistic approach where the writing of documents by corporate lawyers is considered preferable to, say, a (possibly undemocratic) government intervening to simply check if a big firm is behaving itself? Different people have different preferences, but clearly some national cultures are less aligned to the American worldview. This research smells of the widespread condescension that big American businesses are always the global leaders whilst businesses in poorer countries should follow the American example; we should not uniformly accept this not-so-unconscious bias. Though a cliché, there is also some fundamental truth to the observation that big American businesses try to solve real-world problems by writing very long policy documents and then ignoring them. That would explain why Google’s Californian lawyers get top marks in this ranking but the earnest French who work for Orange and are subject to the strict requirements of their government are considered to be languishing a long way behind.
Whenever you are looking for bias, you should always consider sources of funding too. At this point, you might want to ask yourself if you have heard of any big tech companies that spend a lot of money on funding activism and independent research. If you are not sure which kind of firm I am thinking of, then just try googling the relevant answer. So let me be absolutely clear that Google did not donate money to Ranking Digital Rights, the people who actually produced ranking scores for Google and all the others. This statement from Ranking Digital Rights is unambiguous:
Ranking Digital Rights (RDR) is an independent project housed at New America and affiliated with the Open Technology Institute. We are grateful to our funders and institutional partners (who have contributed office space, staff time, or both) for their ongoing support and enthusiasm for RDR’s work.
…RDR pays New America for use of its administrative services and facilities. RDR does not take funding from any companies it ranks or any companies it may possibly rank in the future. [Their emphasis]
Google was not listed as providing funding, but the clarification is helpful because Google is one of the biggest donors to New America. So Google does not give money to Ranking Digital Rights but it does give money to the people who show ‘support and enthusiasm’ for Ranking Digital Rights by deciding how much/little to charge them for rent.
The ‘active funding transparency table’ of New America says Eric and Wendy Schmidt come second top on the list of ‘active’ funders, thanks to a USD4mn donation for general operating support. This also illustrates how seeming transparency can be used to obfuscate information – why does one of New America’s funding lists only name Google as a top donor, whilst the other list of donors only names individuals who were made rich by Google? It should not be hard to grasp the essential difference. For all their focus on transparency, can they not distinguish between a donation from a corporate entity and a donation from a man who is boss of a corporate entity?
As for Access Now, they just write the letters, they do not produce the research, so presumably they feel there is no conflict of interest created by having a financial history that includes plenty of income from Google. They also received money from Vodafone and Facebook and others covered by the research, but I noticed none from firms like Ooredoo and Etisalat that came bottom of the rankings.
And let us not forget the Global Network Initiative, which the researchers were so keen to persuade everyone to join. Joining the Global Network Initiative was one of the top recommendations repeated by Access Now in their letters. The funding details of Global Network Initiative are not provided in great detail, though they do state their income mostly comes from members. Google is a member, naturally. And looking for other ways that money may buy influence, it should be noted that the boss of Ranking Digital Rights was a founding board member of the Global Network Initiative, and there is at least one person who currently serves as an advisor to both Ranking Digital Rights and to the Global Network Initiative. Perhaps they should keep those overlaps in mind when researchers are tasked with impartially advocating that the firms they review for one entity should also pay membership fees to the other entity. I may be reading too much into it, but the letters sent by Access Now prominently told telcos to not only join the Global Network Initiative, but also to participate in the conferences run by that initiative, which would necessarily mean paying additional fees to attend them.
What We Learned about Human Rights and Telcos
In truth, we learned nothing. Absolutely nothing. Perhaps Ooredoo stinks at human rights, but we cannot infer that from a lack of disclosure, and I am not just saying that because I used to work there. I have first-hand knowledge of several of the telcos that were reviewed, and the most I can say is that if I wanted to enquire about a telco’s attitude to defending the rights of ordinary people then the corporate lawyers are the last people I would consult. They do their job, and they deserve respect for doing it well. They are learned individuals and talented wordsmiths, and they serve a valid purpose. But if you think the security of your personal data depends on what lawyers write, think, do, or know, then you cannot know much about the ways that businesses and technologies work in practice. Maybe telcos do an awful job of defending human rights, but all I can judge from this research is that many people invested time and money into producing human rights advice that was not worth the time it took me to read.