Financial newspapers recently reported that some investors were abandoning Facebook for the other three members of “FANG”, Amazon, Netflix and Google. The move was attributed to heightened recognition that different types of business models carry different levels of risk. The logic, in a nutshell, is that companies offering free services in exchange for users’ personal information are more likely to breach users’ trust in terms of how that data is exploited and monetized, in contrast to companies whose main products – be they devices or entertainment – are sold or rented in exchange for old-fashioned money. Put another way: a growing number of investors are starting to see potentially material risks when the business models of digital platforms and services pose risks to users’ privacy and other human rights. Until now, risk assessments in the technology sector have generally focused on regulatory compliance and technical security. “Cyber security” and “cyber risk” have been defined in relation to criminal and espionage activities: data breaches, break-ins and theft of user data or proprietary commercial information. Yahoo and Equifax spring immediately to mind, as do the various “smart” devices reported as having been hacked on a near-daily basis.
But if the Facebook blow-up has taught us anything, it teaches us that good corporate governance now requires broader understanding of material risks in the ICT sector. Even if a hacker doesn’t steal people’s data, flawed business models designed to obscure the price users pay in data about their communications and relationships, as well as travel, health, and financial habits need to be re-assessed urgently. Public trust is breached when personal information ends up being shared with dodgy researchers, shady political operatives, or repressive regimes on the hunt for anti-corruption activists. It is also breached when platforms fail to manage content and information flows in a manner that respects the expression rights of vulnerable minorities, peaceful demonstrators, and investigative journalists while also stopping those seeking to use their platforms and services to plan and incite violence.
The responsible investment community is already very attuned to the environmental and social risks of the physical world. An awakening has only just begun around risks to technology users’ digital rights, particularly privacy and expression.
For investors looking at the question of how corporate boards should get out in front of this – and also to understand and mitigate real material risks their businesses face – the focus should be on oversight of how business models affect users’ rights, including the human rights to privacy and free expression enshrined in international human rights law. At a minimum, better governance of these hugely important companies must start with tangible improvements in the disclosure of information about policies and practices that affect not only users’ privacy, but also how online speech is managed, prioritized, and policed. They should carry out regular and rigorous impact assessments on all aspects of the business that might either cause or facilitate harm to users – individually or collectively. Users with concerns about how their data was shared, accounts restricted or content deleted should have access to effective grievance and remedy mechanisms.
The Ranking Digital Rights 2018 Corporate Accountability Index, published this week, evaluates 22 of the world’s most powerful internet, mobile, and telecommunications companies on their commitments and disclosures affecting users’ freedom of expression and privacy. It provides fresh insight into the information vacuum that investors need to address. Even the leaders in the Index have a long way to go. All have serious transparency gaps: even if a user were to read all of their privacy policies, terms of service and other disclosures, they still would not have a clear and complete picture of all the ways that the company shapes their ability to communicate and access information, or enables other entities to do so, or who has access to intimate details about their online activities under what circumstances. As a result, most of the world’s internet users are exposed to undisclosed risks when using these companies’ products and services. For example:
While Facebook’s scores on governance and transparency reporting about government surveillance requests actually improved, its transparency about how its users’ information is handled has been consistently poor since we started evaluating the company’s policies in 2015. While Google discloses a lot of information about government censorship demands made to its search engine, Android mobile platform, YouTube video service and other services around the world, it disclosed almost nothing about the volume and nature of content that is blocked or removed when enforcing its terms of service. While Apple makes a strong commitment to privacy, it offers no transparency about how it polices content on its App Store and makes no commitment to users’ freedom of expression.
Mark Zuckerberg’s recent Congressional testimony was a timely reminder to investors of how many countries use legal frameworks to control how digital rights are handled. Privacy advocates hope the European Union’s General Data Privacy Protection Regulation (GDPR) will force companies to adopt more user-centric business models, although Facebook appears to be trying to minimize its GDPR exposure by shifting non-EU users out from under Irish jurisdiction. Meanwhile the world is full of bad regulation, as well as the unhelpful absence of regulation such as basic data protection law. The Index covers ten telecommunications companies headquartered across the world, and we found that companies operating in countries that lack adequate data protection laws tended to offer no more transparency to the public about the handling of personal information than the law required – which often meant next to nothing. Companies seeking to differentiate themselves as trustworthy and respectful of users’ rights should improve their policies and disclosures above and beyond what the law may require.
Most telecommunications companies also disclose very little about how they handle government demands to cut off service. In 2016 the UN Human Rights Council condemned internet shutdowns as a violation of human rights, while many governments forbid internet service providers from disclosing information about shutdown orders.
Thus the Indian telecommunications company Bharti Airtel discloses no information about the volume and nature of orders it has received, and little information about the fact that it even receives such orders, despite the fact that India experienced 65 shutdowns in 2017 alone. In 2016 the Brookings Institution reported that network shutdowns had cost countries at least $2.4 billion the previous year, and the volume of shutdowns worldwide has only increased since then. Lack of transparency about network stability and connectivity is of increasingly material concern for investors.
Investing in companies that proactively work to mitigate risks and demonstrate respect for users’ rights by disclosing maximum information about how information is policed and shared is a good long-term financial bet. It is also an investment in the sort of world we want for our children – if not for ourselves, so that we have sufficient freedom of expression and privacy to hold our present leaders accountable. Responsible investors must urge ICT companies to upgrade their governance and risk assessment to meet the challenges of this new age of surveillance, censorship, and information warfare that is now upon us.
Rebecca MacKinnon is director of the Ranking Digital Rights project. For the full 2018 Index report with interactive data and analysis, company report cards, methodology, raw data and other resources for download please visit: https://rankingdigitalrights.org/index2018