Updated: Introducing a People-Centered Standard for Online Transparency — What Does Adequate Government and Corporate Transparency Look Like?

Over the last few years, transparency about government requests to companies for user information or content restriction has become a central issue for the community of people working to improve human rights online. More and more companies and governments produce transparency reports and other materials aimed at raising public awareness about practices that impact privacy and freedom of expression. Initiatives such as this working group analyse their efforts and push them to do more. In the last few months, we’ve reflected and acknowledged that in the midst of this work, it’s easy to take for granted what it means to be “transparent”, why it matters, and how you know if it’s working.

In an April blog post, working group member Ben Blink challenged us to develop a people-centred standard for companies and governments to evaluate whether their transparency efforts are adequate and effective in contributing to the protection of human rights online. Stepping back from analysis of specific tactics and tools, how can a company or government evaluate whether they are being meaningfully transparent?

We’ve been further developing this standard over the last few months. Below, we present our revised standard with some explanation of our thinking. We hope this will be a useful tool for companies, governments, and all stakeholders working to improve transparency online.

A People-Centred Standard for Government and Corporate Transparency:

Companies and governments can assess whether they are providing adequate transparency to individuals by asking the following question:

After reviewing what you have made public, e.g. in a transparency report, would a reasonable person understand what information you have collected about them and how and under what circumstances you and/or relevant authorities can limit, manipulate, and/or track their expression and activities?

Breaking Down the Standard

In developing the scope of this standard, the Working Group considered a number of factors — including what practices are covered, who the readers are, and how their rights are affected. Below we walk through our thinking behind these key concepts.

“After reviewing what you have made public…”

This standard evaluates transparency not solely on whether a company or government has issued a transparency report, but on a broader range of measures that it may use to share information. (See this working group’s 2015 report for a longer analysis of current practices.)

On the corporate side, transparency by internet and telecommunications companies can take on many forms. The “transparency report” is the most well-known – typically a regularly published document that details government requests for user information and/or requests to remove or block content. Other examples include publication of law enforcement guidelines, explanations of internal policies and processes for responding to law-enforcement requests, notification – and even annotation – of changes to terms of service, and alerts about when communications are (or are not) encrypted.

Transparency reports are also one of the more well-known mediums for government transparency. As with corporate transparency efforts, governments can provide insight into the number and types of requests for communications and metadata. Other examples of government transparency efforts include periodic reviews and assessments of government policy and practice, including if and how the government has veered from stated commitments. Governments can also provide public education tools such as FAQs that explain current practices and legislation. They also often explain policy interpretations or positions in the form of testimonies, press statements, or government planning documents.

“Would a reasonable person understand…”

By putting an individual – a reasonable person – at the heart of the standard, we have tried to design a test that measures the effectiveness of transparency for a range of audiences.

Transparency reports and related efforts have a variety of readers: the general public, company customers and product or service users, journalists, lawyers, regulators, advocates, lawmakers, investors, and more. They serve different purposes for these audiences – empowering users to understand how their information is handled, holding governments and companies accountable to their commitments, and informing advocacy efforts to improve policies or practices.

We have also tried to convey that the information governments and companies publish must be accessible and understandable through reasonable levels of effort. To access and understand what has been disclosed, a reader should not require an advanced degree, a certain subscription or account, or knowledge of where to look or who to ask solely by nature of being part of a specialised professional community.

In developing the standard, we debated how to describe the scope of understanding a reader should expect from a company or government. We acknowledge the need for confidentiality of some material, for example, in the case of sensitive government information related to intelligence or law enforcement operations. Yet we came to the conclusion that beyond these specifically defined limitations, people must fully understand what information is collected about them and how and under what circumstances companies and governments can affect their free expression and privacy.

“How and under what circumstances…”

By asserting that people should adequately understand how and under what circumstances their information is being collected and treated in the ways the standard enumerates, we highlight the need for companies and governments to disclose not just statistics about requests, but also to describe the legal and policy context under which they are made.

The scope of information required for this understanding may include (but is not limited to)

• What information is collected, removed, or blocked (i.e., content, metadata, user identity data; mobile, landline, broadband/cable, application/content; real-time vs. stored)
• How many times information is collected, removed or blocked (specifying number of requests vs. devices vs. user accounts affected)
• Under what authority, circumstances, and for what purpose information is collected, removed, or blocked
• How long information is retained, removed or blocked
• Where information is stored, and who has authorised access to the stored information
• Policies and processes for making and receiving content restriction or disclosure requests
• Policies and processes for notifying affected individuals (i.e., upon request vs. automatic) and which entity is responsible for giving notifications (i.e., government vs. company)
• How many times the affected individuals were notified in practice, and the content of that notice
• Paths for remedy or recourse for affected users
• Circumstances under which service may be cut off entirely
• Circumstances under which a policy is subject to modification or change
• Representative examples of requests and enforcement decisions.

We also intend this standard to cover a range of interactions between company and government. Requests for an individual’s information can occur through established legal processes or through less formal mechanisms, such as informal requests to companies for user information or public-private partnerships related to content moderation. Governments and companies must be transparent about all of these interactions for individuals to understand the implications for their rights.

“…you and/or relevant authorities can limit, manipulate, and/or track their expression or activities?”

In this standard, we cover a range of ways companies and governments can affect a person’s human rights, particularly freedom of expression and privacy. A non-exhaustive list of relevant actions includes:

• Limit:  Direct filtering, blocking, or removing of content
• Manipulate:  Targeted censorship or widespread surveillance that creates a chilling effect on expression
• Track:  Periodic or ongoing monitoring of a person’s speech or activities, directly or through disclosure of information by a company to the government

Corporate and government transparency are critical to the protection of human rights. A number of legal precedents, international directives, and internet governance principles have established a clear connection between commitments to protect human rights and transparency around fulfilment of those commitments. These include the European Convention on Human Rights, the UN Guiding Principles on Business and Human Rights, the Global Network Initiative’s Principles on Freedom of Expression and Privacy, and the FOC Tallinn Agenda for Freedom Online. In a forthcoming blog post we will explore how these global principles and directives provide a framework for improving and ensuring both corporate and government transparency.