ICT sector transparency reports: How do they help civil society defend freedom of expression

Microsoft is the latest company in the ICT sector to publish a report showing how it complies with requests it receives from law enforcement agencies worldwide to release user data. These are known as ‘transparency reports’ and Microsoft is among the biggest companies in the sector to go public with such data.

ICT companies continue to face many challenges when it comes to respecting freedom of expression and privacy.

The UN Guiding Principles on Business and Human Rights state that communicating externally on performance, including a measure of transparency and accountability, and building a systematic approach towards reporting are important parts of demonstrating a company's commitment to respect human rights. But how do transparency reports made up of spreadsheets, tables and graphs assist organisations like IHRB in our work to help companies fulfill that commitment?

Microsoft has taken an undoubtedly positive step by publishing its own transparency report. It will update its data every 6 months. This puts pressure on other companies, such as Yahoo!, Facebook and Apple to follow suit. Microsoft’s report covers its online and cloud services such as Hotmail/Outlook.com, SkyDrive, Xbox LIVE, Microsoft Account, Messenger and Office 365. In a huge victory for a civil society campaign, Microsoft has also included law enforcement requests for Skype user data (Microsoft owns Skype) separately, as Skype is based in Luxemburg and therefore operates under its laws.

Google was the first major corporation to have published transparency reports on law enforcement requests for user data and content removal requests from governments and copyright holders. It has been doing so since 2010. Twitter has done the same since 2012.

LinkedIn, Dropbox and the ISP Sonic.net publish transparency reports on law enforcement requests for user data since 2012, although the impact has been less widely acknowledged, possibly due to their more specialised footprint.

One of the key challenges of transparency reporting is giving meaning to the long lists of numbers. Bill Echikson, Head of Free Expression Policy in Europe, Middle East and Africa at Google, has said: “Debates about government surveillance should start with data…our disclosures are only a tiny sliver of what’s happening on the Internet at large.”

He is absolutely right and as more companies release transparency reports, it will help build a bigger picture of the number and nature of law enforcement requests. It is important that law enforcement agencies have access to the data they need to fight crime and that processes are in place to legally obtain it. Transparency reports often detail this process, which can help loosen the veil of secrecy around ICT companies’ relationships with governments. It is equally important that data requests from law enforcement agencies follow the due process of law and are authorised or court-approved for internationally recognised crime prevention or prosecution purposes.

Publication of such data serves an important purpose. It can help human rights organisations focus their efforts on particular governments, raise questions and help companies improve practices through the feedback they receive. Microsoft’s transparency report has already prompted the Chairman of Digital Rights Ireland to ask for clarification from the Justice Minister over user content requests made by the Garda (the police force of Ireland).

But for those working to defend freedom of expression and privacy, context of information is key. Google’s transparency reports for government removal requests include a section on ‘Notable Observations’ where context on the nature of particular requests and whether/why they did/did not comply is provided.

This can reveal much about the political and/or social situation of a country and allow assessment of the process and validity of law enforcement requests. LinkedIn and Dropbox receive far fewer requests than Google (for example, in a 6 month period, LinkedIn received one request from India which they did not comply with) so it is not unthinkable they could provide similar context. Microsoft will hopefully expand on this in future reports.

Interestingly, the majority of requests made to Microsoft and Skype come from European and United States law enforcement and many countries do not feature on the list. Why is this the case? It may not be something a company can answer immediately, but it may raise a red flag internally. For example, Russia does not feature in Microsoft’s transparency report, but it has challenged Russian law enforcement in the past over the selective enforcement of anti-piracy laws used to arrest political activists using pirated Microsoft software. So is it surprising, or not, to see Russia omitted from the list? And does this indicate a potentially wider risk to human rights that Microsoft could raise with relevant stakeholders?

Aside from what transparency reports do or do not tell us about a government, what do they tell us about a company? If an ICT company is suspected of arbitrarily handing over user data to governments or facilitating surveillance of users such as human rights defenders and journalists who are then arrested, persecuted, tortured or killed, then these numbers are no help at all to those who are working to tackle the most severe human rights violations. In most reports, the total number of requests and percentage of refused requests does not give us much nuanced, granular detail. It is reassuring to see that no content of Skype calls was released to governments as a result of law enforcement requests.

However, there have already been questions asked around the leaking of cryptography keys, which would help governments decrypt and obtain content of Skype communications. According to one researcher at the American Civil Liberties Union (ACLU), that would not be classed as ‘release of content’. There are a low number of requests made to Skype from China. Were these requests made only to Skype in Luxemburg? Do they incorporate the TOM-Skype joint venture in China, which has been alleged to have monitored its users? Again, context to these numbers of requests is key if transparency reports are to be meaningful and do the job intended by the company- to ‘know and show’ they respect human rights.

ICT companies continue to face many challenges when it comes to respecting freedom of expression and privacy. It is encouraging to see companies building on each other’s work by releasing their own transparency reports and that each report becomes a little more transparent than the last. They raise valuable questions of government and corporate accountability, but it is important to see beyond the tables and graphs and remember that there are people attached to the numbers. There is a deeper, grander, and perhaps more uncomfortable narrative within – that governments make such requests; that companies often comply; that governments act on that information; and when governments act, there can be negative human rights consequences. Whether that implicates a company or not depends on the level of due diligence it undertook, including considering non-compliance, the action it took, and the gravity of the abuse. Transparency is the necessary first step in the long battle of ending human rights abuses in the digital realm.