Comparing Like With Like:  Privacy, Security, and Content Issues

Authors

• 

  Dunstan Allison-Hope

  Senior Advisor, BSR

  

  ---

  

  Dunstan Allison-Hope

  Senior Advisor, BSR

  

  San Francisco

  ---

  Dunstan leads BSR’s work at the intersection of technology and human rights.

  Previously, Dunstan led BSR’s information and communications technology, heavy manufacturing, and human rights teams.

  He brings significant experience working on a diverse range of engagements and issues, including human rights due diligence, privacy and freedom of expression, sustainability reporting and strategy, and stakeholder engagement.

  Dunstan facilitated the multistakeholder process of developing global principles on freedom of expression and privacy, which led to the launch of the Global Network Initiative in October 2008. He also helped create the Electronic Industry Citizenship Coalition, a collaborative initiative of more than 100 ICT companies improving conditions in their supply chains. Dunstan participated in the process of creating the Global Reporting Initiative G3 guidelines, and he is a regular commentator on issues of corporate accountability, reporting, and human rights. He also co-authored the 2010 book Big Business, Big Responsibilities.

  Prior to joining BSR in 2004, Dunstan was part of British Telecommunications' corporate responsibility team.

  Dunstan has an M.Prof. in Sustainable Development from Forum for the Future.

  Close

The world today is increasingly dependent on all-pervasive networks provided by the information and communications technology (ICT) sector. Commonplace tasks, such as placing a phone call, making airline reservations, or banking via the internet are all built on extensive flows of information and supported by vast ICT infrastructures. The rapid expansion of bandwidth, and the resulting growth of social networking have dramatically increased the social, political, and economic significance of user-generated content.

It is not surprising, then, that ICT companies are paying increasing attention to key human rights issues of privacy, security, and freedom of expression. However, when it comes to transparency and reporting on these issues, the sector as a whole has a ways to go to reach the quality and comparability merited by the significance of these issues.

Increasing Consensus on Material Issues for the ICT Sector

Two key principles underpin best practice in corporate responsibility reporting: “materiality,” or the notion that companies should report on the issues that are of greatest significance to the company and its stakeholders, and “comparability,” the idea that report users should be able to compare one company report with another and make decisions based on the information presented.

Because the ICT sector was not the focus of the early wave of corporate responsibility enthusiasm in the 1990s, the typical list of material issues that existed for companies often emphasized topics that didn’t seem relevant to the ICT industry—such as relationships with local security forces—or totally missed issues that would later become front of mind, such as censorship and content restrictions.

A positive development over the past few years has been the extent to which companies in the ICT industry have used materiality assessments to focus their corporate responsibility strategies and reporting on the most important issues. Materiality assessments undertaken by companies such as Vodafone, BT, AT&T, Intel, Symantec, and the Global eSustainability Initiative usually rank the following issues as among the most important:

• Privacy: how the company captures, stores, and transfers data to protect the privacy of personal and business information
• Law enforcement: how the business approaches the provision of personal information to government authorities as part of efforts to investigate, prevent, and prosecute illegal activities
• Content standards: how the company controls the delivery of material that may be inappropriate for certain audiences, such as adult material or gambling, or that may be illegal, such as content related to child exploitation or terrorism
• Online risks and safety: how it addresses spam and fraud, such as phishing
• Protection of minors: how the firm protects children from being inappropriately contacted, and how it approaches other child-protection efforts, such as partnerships with child-protection agencies
• Freedom of expression: how the business minimizes the information available to users, and how it develops opportunities for users to create and communicate ideas and information
• User access controls: how the company allows users to control access to or to filter content, such through mechanisms that prevent minors from accessing adult content

Reporting Best Practices Emerge

One of the results of this clarity on material issues has been a substantial increase in the quality, quantity, and relevance of corporate responsibility reports across the whole ICT industry.

Vodafone provides extensive coverage of content standards (including standards aimed at protecting children from accessing inappropriate, age-restricted content), the creation of mobile industry standards, and mechanisms for users to report illegal content. Among the other topics discussed are the disclosure of personal information to law-enforcement agencies, real-time surveillance, and safe social networking.

HP’s report is notable for the depth of its discussion on privacy, including internal governance and due diligence, the integration of privacy considerations into product and service design, and the company’s participation in all manner of external policy and standards setting activities.

Symantec’s report includes extensive coverage of online safety and data security, while Microsoft discusses the complex issue of freedom of expression around the world and its participation in the creation of the Global Network Initiative.

Lack of Comparability Still Rules the Day

These are all very welcome developments, and companies in the ICT industry seeking to improve their corporate responsibility reports would be well-served by reading these reports. But despite these gains, there remains a substantial lack of consistency and comparability across the sector on key issues:

• Law enforcement: Telecommunications companies the world over are required to support law-enforcement authorities by disclosing certain information about users and providing assistance with real-time surveillance. These demands have risen in recent years with growing fears about terrorism, and, as a result, companies such as BT and Vodafone have included sections in their corporate responsibility reports on their relationships with law-enforcement agencies. Yet in contrast to these leading examples, the reports of many other high-profile telecommunications companies—some of whom operate in very high-risk countries—are silent on this topic.
• Privacy: Rapid developments in technology have transformed how we collect, process, analyze, and use data, with increasingly huge volumes of information moving at high speed around the world and across different legal jurisdictions. This has greatly increased the significance of data privacy efforts, and HP has set the standard for coverage of this issue with a detailed section of its report devoted to its approach to privacy. In spite of this development, one of its closest competitors—with a very similar product and service profile—doesn’t mention privacy once in its otherwise excellent report.

Despite the efforts of the leading reporters mentioned here, no ICT companies provide meaningful quantitative information or performance indicators in relation to any of these topics. GE reports the total number of privacy concerns raised by its employees each year through its ombudsperson process, but otherwise quantitative information on these topics is very hard to find.

Need for Further Guidance

The GRI telecommunications sector supplement, while nearly seven years old, provides relevant direction for companies on how to manage human rights issues related to their products and services. This advice encourages companies to report on:

• participation in industry or individual initiatives related to freedom of expression
• relevant legislation over registration, censorship, or limiting access
• interaction with governments on security issues for surveillance purposes
• interaction with national and local authorities, and company initiatives to restrict criminal or potentially unethical content
• protection of vulnerable groups such as children

The main GRI G3 Guidelines also has a standard disclosure for “total number of substantiated complaints regarding breaches of customer privacy and losses of customer data,” but in researching for this article, every company I examined either didn’t report at all, pointed to their general privacy narrative, or simply said “none.” Deutsche Telekom appears to be the exception, reporting that 17 million sets of customer data had been stolen from T-Mobile in 2006.

The nature and significance of privacy-, security-, and content-related risks and opportunities faced by companies in the ICT industry is only likely to grow as technology advances and as new products, services, and government regulations are rapidly introduced. Companies in the sector are going to have an increasing influence on the lives of all people, and these topics will be of growing relevance to society at large.

This suggests that we need greater insight into how ICT companies can report across a range of privacy, content, and security issues in a manner that better reflects their significance to the industry. We need an approach to reporting on these issues that enables greater consistency and comparability, and that provides insights that report readers can use in their decision-making. Experience suggests that the only way this is going to happen is if companies in the sector—together with their relevant stakeholders—combine forces to understand which issues, disclosure items, and quantitative metrics are needed to secure this outcome.